[thirdparty/systemd.git] / src / import / pull-common.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <sys/prctl.h>

#include "btrfs-util.h"
#include "capability.h"
#include "copy.h"
#include "escape.h"
#include "fd-util.h"
#include "io-util.h"
#include "process-util.h"
#include "pull-common.h"
#include "pull-job.h"
#include "rm-rf.h"
#include "signal-util.h"
#include "siphash24.h"
#include "string-util.h"
#include "strv.h"
#include "util.h"

#define FILENAME_ESCAPE "/.#\"\'"
#define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16)

int pull_find_old_etags(
                const char *url,
                const char *image_root,
                int dt,
                const char *prefix,
                const char *suffix,
                char ***etags) {

        _cleanup_free_ char *escaped_url = NULL;
        _cleanup_closedir_ DIR *d = NULL;
        _cleanup_strv_free_ char **l = NULL;
        struct dirent *de;
        int r;

        assert(url);
        assert(etags);

        if (!image_root)
                image_root = "/var/lib/machines";

        escaped_url = xescape(url, FILENAME_ESCAPE);
        if (!escaped_url)
                return -ENOMEM;

        d = opendir(image_root);
        if (!d) {
                if (errno == ENOENT) {
                        *etags = NULL;
                        return 0;
                }

                return -errno;
        }

        FOREACH_DIRENT_ALL(de, d, return -errno) {
                const char *a, *b;
                char *u;

                if (de->d_type != DT_UNKNOWN &&
                    de->d_type != dt)
                        continue;

                if (prefix) {
                        a = startswith(de->d_name, prefix);
                        if (!a)
                                continue;
                } else
                        a = de->d_name;

                a = startswith(a, escaped_url);
                if (!a)
                        continue;

                a = startswith(a, ".");
                if (!a)
                        continue;

                if (suffix) {
                        b = endswith(de->d_name, suffix);
                        if (!b)
                                continue;
                } else
                        b = strchr(de->d_name, 0);

                if (a >= b)
                        continue;

                r = cunescape_length(a, b - a, 0, &u);
                if (r < 0)
                        return r;

                if (!http_etag_is_valid(u)) {
                        free(u);
                        continue;
                }

                r = strv_consume(&l, u);
                if (r < 0)
                        return r;
        }

        *etags = l;
        l = NULL;

        return 0;
}

int pull_make_local_copy(const char *final, const char *image_root, const char *local, bool force_local) {
        const char *p;
        int r;

        assert(final);
        assert(local);

        if (!image_root)
                image_root = "/var/lib/machines";

        p = strjoina(image_root, "/", local);

        if (force_local)
                (void) rm_rf(p, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);

        r = btrfs_subvol_snapshot(final, p, BTRFS_SNAPSHOT_QUOTA);
        if (r == -ENOTTY) {
                r = copy_tree(final, p, false);
                if (r < 0)
                        return log_error_errno(r, "Failed to copy image: %m");
        } else if (r < 0)
                return log_error_errno(r, "Failed to create local image: %m");

        log_info("Created new local image '%s'.", local);

        return 0;
}

static int hash_url(const char *url, char **ret) {
        uint64_t h;
        static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f);

        assert(url);

        siphash24((uint8_t *) &h, url, strlen(url), k.bytes);
        if (asprintf(ret, "%"PRIx64, h) < 0)
                return -ENOMEM;

        return 0;
}

int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) {
        _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL;
        char *path;

        assert(url);
        assert(ret);

        if (!image_root)
                image_root = "/var/lib/machines";

        escaped_url = xescape(url, FILENAME_ESCAPE);
        if (!escaped_url)
                return -ENOMEM;

        if (etag) {
                escaped_etag = xescape(etag, FILENAME_ESCAPE);
                if (!escaped_etag)
                        return -ENOMEM;
        }

        path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "",
                       strempty(escaped_etag), strempty(suffix), NULL);
        if (!path)
                return -ENOMEM;

        /* URLs might make the path longer than the maximum allowed length for a file name.
         * When that happens, a URL hash is used instead. Paths returned by this function
         * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */
        if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) {
                _cleanup_free_ char *hash = NULL;
                int r;

                free(path);

                r = hash_url(url, &hash);
                if (r < 0)
                        return r;

                path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "",
                               strempty(escaped_etag), strempty(suffix), NULL);
                if (!path)
                        return -ENOMEM;
        }

        *ret = path;
        return 0;
}

int pull_make_settings_job(
                PullJob **ret,
                const char *url,
                CurlGlue *glue,
                PullJobFinished on_finished,
                void *userdata) {

        _cleanup_free_ char *last_component = NULL, *ll = NULL, *settings_url = NULL;
        _cleanup_(pull_job_unrefp) PullJob *job = NULL;
        const char *q;
        int r;

        assert(ret);
        assert(url);
        assert(glue);

        r = import_url_last_component(url, &last_component);
        if (r < 0)
                return r;

        r = tar_strip_suffixes(last_component, &ll);
        if (r < 0)
                return r;

        q = strjoina(ll, ".nspawn");

        r = import_url_change_last_component(url, q, &settings_url);
        if (r < 0)
                return r;

        r = pull_job_new(&job, settings_url, glue, userdata);
        if (r < 0)
                return r;

        job->on_finished = on_finished;
        job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL;

        *ret = job;
        job = NULL;

        return 0;
}

int pull_make_verification_jobs(
                PullJob **ret_checksum_job,
                PullJob **ret_signature_job,
                ImportVerify verify,
                const char *url,
                CurlGlue *glue,
                PullJobFinished on_finished,
                void *userdata) {

        _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL;
        int r;

        assert(ret_checksum_job);
        assert(ret_signature_job);
        assert(verify >= 0);
        assert(verify < _IMPORT_VERIFY_MAX);
        assert(url);
        assert(glue);

        if (verify != IMPORT_VERIFY_NO) {
                _cleanup_free_ char *checksum_url = NULL;

                /* Queue job for the SHA256SUMS file for the image */
                r = import_url_change_last_component(url, "SHA256SUMS", &checksum_url);
                if (r < 0)
                        return r;

                r = pull_job_new(&checksum_job, checksum_url, glue, userdata);
                if (r < 0)
                        return r;

                checksum_job->on_finished = on_finished;
                checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
        }

        if (verify == IMPORT_VERIFY_SIGNATURE) {
                _cleanup_free_ char *signature_url = NULL;

                /* Queue job for the SHA256SUMS.gpg file for the image. */
                r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url);
                if (r < 0)
                        return r;

                r = pull_job_new(&signature_job, signature_url, glue, userdata);
                if (r < 0)
                        return r;

                signature_job->on_finished = on_finished;
                signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
        }

        *ret_checksum_job = checksum_job;
        *ret_signature_job = signature_job;

        checksum_job = signature_job = NULL;

        return 0;
}

int pull_verify(PullJob *main_job,
                PullJob *settings_job,
                PullJob *checksum_job,
                PullJob *signature_job) {

        _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 };
        _cleanup_free_ char *fn = NULL;
        _cleanup_close_ int sig_file = -1;
        const char *p, *line;
        char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX";
        _cleanup_sigkill_wait_ pid_t pid = 0;
        bool gpg_home_created = false;
        int r;

        assert(main_job);
        assert(main_job->state == PULL_JOB_DONE);

        if (!checksum_job)
                return 0;

        assert(main_job->calc_checksum);
        assert(main_job->checksum);
        assert(checksum_job->state == PULL_JOB_DONE);

        if (!checksum_job->payload || checksum_job->payload_size <= 0) {
                log_error("Checksum is empty, cannot verify.");
                return -EBADMSG;
        }

        r = import_url_last_component(main_job->url, &fn);
        if (r < 0)
                return log_oom();

        if (!filename_is_valid(fn)) {
                log_error("Cannot verify checksum, could not determine valid server-side file name.");
                return -EBADMSG;
        }

        line = strjoina(main_job->checksum, " *", fn, "\n");

        p = memmem(checksum_job->payload,
                   checksum_job->payload_size,
                   line,
                   strlen(line));

        if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) {
                log_error("DOWNLOAD INVALID: Checksum did not check out, payload has been tampered with.");
                return -EBADMSG;
        }

        log_info("SHA256 checksum of %s is valid.", main_job->url);

        assert(!settings_job || IN_SET(settings_job->state, PULL_JOB_DONE, PULL_JOB_FAILED));

        if (settings_job &&
            settings_job->state == PULL_JOB_DONE &&
            settings_job->error == 0 &&
            !settings_job->etag_exists) {

                _cleanup_free_ char *settings_fn = NULL;

                assert(settings_job->calc_checksum);
                assert(settings_job->checksum);

                r = import_url_last_component(settings_job->url, &settings_fn);
                if (r < 0)
                        return log_oom();

                if (!filename_is_valid(settings_fn)) {
                        log_error("Cannot verify checksum, could not determine server-side settings file name.");
                        return -EBADMSG;
                }

                line = strjoina(settings_job->checksum, " *", settings_fn, "\n");

                p = memmem(checksum_job->payload,
                           checksum_job->payload_size,
                           line,
                           strlen(line));

                if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) {
                        log_error("DOWNLOAD INVALID: Checksum of settings file did not checkout, settings file has been tampered with.");
                        return -EBADMSG;
                }

                log_info("SHA256 checksum of %s is valid.", settings_job->url);
        }

        if (!signature_job)
                return 0;

        assert(signature_job->state == PULL_JOB_DONE);

        if (!signature_job->payload || signature_job->payload_size <= 0) {
                log_error("Signature is empty, cannot verify.");
                return -EBADMSG;
        }

        r = pipe2(gpg_pipe, O_CLOEXEC);
        if (r < 0)
                return log_error_errno(errno, "Failed to create pipe for gpg: %m");

        sig_file = mkostemp(sig_file_path, O_RDWR);
        if (sig_file < 0)
                return log_error_errno(errno, "Failed to create temporary file: %m");

        r = loop_write(sig_file, signature_job->payload, signature_job->payload_size, false);
        if (r < 0) {
                log_error_errno(r, "Failed to write to temporary file: %m");
                goto finish;
        }

        if (!mkdtemp(gpg_home)) {
                r = log_error_errno(errno, "Failed to create tempory home for gpg: %m");
                goto finish;
        }

        gpg_home_created = true;

        pid = fork();
        if (pid < 0)
                return log_error_errno(errno, "Failed to fork off gpg: %m");
        if (pid == 0) {
                const char *cmd[] = {
                        "gpg",
                        "--no-options",
                        "--no-default-keyring",
                        "--no-auto-key-locate",
                        "--no-auto-check-trustdb",
                        "--batch",
                        "--trust-model=always",
                        NULL, /* --homedir=  */
                        NULL, /* --keyring= */
                        NULL, /* --verify */
                        NULL, /* signature file */
                        NULL, /* dash */
                        NULL  /* trailing NULL */
                };
                unsigned k = ELEMENTSOF(cmd) - 6;
                int null_fd;

                /* Child */

                (void) reset_all_signal_handlers();
                (void) reset_signal_mask();
                assert_se(prctl(PR_SET_PDEATHSIG, SIGTERM) == 0);

                gpg_pipe[1] = safe_close(gpg_pipe[1]);

                if (dup2(gpg_pipe[0], STDIN_FILENO) != STDIN_FILENO) {
                        log_error_errno(errno, "Failed to dup2() fd: %m");
                        _exit(EXIT_FAILURE);
                }

                if (gpg_pipe[0] != STDIN_FILENO)
                        gpg_pipe[0] = safe_close(gpg_pipe[0]);

                null_fd = open("/dev/null", O_WRONLY|O_NOCTTY);
                if (null_fd < 0) {
                        log_error_errno(errno, "Failed to open /dev/null: %m");
                        _exit(EXIT_FAILURE);
                }

                if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) {
                        log_error_errno(errno, "Failed to dup2() fd: %m");
                        _exit(EXIT_FAILURE);
                }

                if (null_fd != STDOUT_FILENO)
                        null_fd = safe_close(null_fd);

                cmd[k++] = strjoina("--homedir=", gpg_home);

                /* We add the user keyring only to the command line
                 * arguments, if it's around since gpg fails
                 * otherwise. */
                if (access(USER_KEYRING_PATH, F_OK) >= 0)
                        cmd[k++] = "--keyring=" USER_KEYRING_PATH;
                else
                        cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH;

                cmd[k++] = "--verify";
                cmd[k++] = sig_file_path;
                cmd[k++] = "-";
                cmd[k++] = NULL;

                fd_cloexec(STDIN_FILENO, false);
                fd_cloexec(STDOUT_FILENO, false);
                fd_cloexec(STDERR_FILENO, false);

                execvp("gpg2", (char * const *) cmd);
                execvp("gpg", (char * const *) cmd);
                log_error_errno(errno, "Failed to execute gpg: %m");
                _exit(EXIT_FAILURE);
        }

        gpg_pipe[0] = safe_close(gpg_pipe[0]);

        r = loop_write(gpg_pipe[1], checksum_job->payload, checksum_job->payload_size, false);
        if (r < 0) {
                log_error_errno(r, "Failed to write to pipe: %m");
                goto finish;
        }

        gpg_pipe[1] = safe_close(gpg_pipe[1]);

        r = wait_for_terminate_and_warn("gpg", pid, true);
        pid = 0;
        if (r < 0)
                goto finish;
        if (r > 0) {
                log_error("DOWNLOAD INVALID: Signature verification failed.");
                r = -EBADMSG;
        } else {
                log_info("Signature verification succeeded.");
                r = 0;
        }

finish:
        if (sig_file >= 0)
                (void) unlink(sig_file_path);

        if (gpg_home_created)
                (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL);

        return r;
}
Commit	Line	Data
56ebfaf1 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2015 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
98c38001 LP	22	#include <sys/prctl.h>
98c38001 LP	23
56ebfaf1	24	#include "btrfs-util.h"
2c140ded	25	#include "capability.h"
4f5dd394 LP	26	#include "copy.h"
4f5dd394 LP	27	#include "escape.h"
3ffd4af2	28	#include "fd-util.h"
c004493c	29	#include "io-util.h"
0b452006	30	#include "process-util.h"
3ffd4af2	31	#include "pull-common.h"
4f5dd394 LP	32	#include "pull-job.h"
4f5dd394 LP	33	#include "rm-rf.h"
24882e06	34	#include "signal-util.h"
9818005d	35	#include "siphash24.h"
07630cea	36	#include "string-util.h"
4f5dd394 LP	37	#include "strv.h"
4f5dd394 LP	38	#include "util.h"
56ebfaf1 LP	39
56ebfaf1 LP	40	#define FILENAME_ESCAPE "/.#\"\'"
9818005d	41	#define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16)
56ebfaf1	42
9854730b LP	43	int pull_find_old_etags(
	44	const char *url,
	45	const char *image_root,
	46	int dt,
	47	const char *prefix,
	48	const char *suffix,
	49	char ***etags) {
	50
56ebfaf1 LP	51	_cleanup_free_ char *escaped_url = NULL;
	52	_cleanup_closedir_ DIR *d = NULL;
	53	_cleanup_strv_free_ char **l = NULL;
	54	struct dirent *de;
	55	int r;
	56
	57	assert(url);
	58	assert(etags);
	59
	60	if (!image_root)
	61	image_root = "/var/lib/machines";
	62
	63	escaped_url = xescape(url, FILENAME_ESCAPE);
	64	if (!escaped_url)
	65	return -ENOMEM;
	66
	67	d = opendir(image_root);
	68	if (!d) {
	69	if (errno == ENOENT) {
	70	*etags = NULL;
	71	return 0;
	72	}
	73
	74	return -errno;
	75	}
	76
	77	FOREACH_DIRENT_ALL(de, d, return -errno) {
	78	const char a, b;
	79	char *u;
	80
	81	if (de->d_type != DT_UNKNOWN &&
	82	de->d_type != dt)
	83	continue;
	84
	85	if (prefix) {
	86	a = startswith(de->d_name, prefix);
	87	if (!a)
	88	continue;
	89	} else
	90	a = de->d_name;
	91
	92	a = startswith(a, escaped_url);
	93	if (!a)
	94	continue;
	95
	96	a = startswith(a, ".");
	97	if (!a)
	98	continue;
	99
	100	if (suffix) {
	101	b = endswith(de->d_name, suffix);
	102	if (!b)
	103	continue;
	104	} else
	105	b = strchr(de->d_name, 0);
	106
	107	if (a >= b)
	108	continue;
	109
527b7a42 LP	110	r = cunescape_length(a, b - a, 0, &u);
	111	if (r < 0)
	112	return r;
56ebfaf1 LP	113
	114	if (!http_etag_is_valid(u)) {
	115	free(u);
	116	continue;
	117	}
	118
	119	r = strv_consume(&l, u);
	120	if (r < 0)
	121	return r;
	122	}
	123
	124	*etags = l;
	125	l = NULL;
	126
	127	return 0;
	128	}
	129
dc2c282b	130	int pull_make_local_copy(const char final, const char image_root, const char *local, bool force_local) {
56ebfaf1 LP	131	const char *p;
	132	int r;
	133
	134	assert(final);
	135	assert(local);
	136
	137	if (!image_root)
	138	image_root = "/var/lib/machines";
	139
63c372cb	140	p = strjoina(image_root, "/", local);
56ebfaf1	141
d9e2daaf LP	142	if (force_local)
d9e2daaf LP	143	(void) rm_rf(p, REMOVE_ROOT\|REMOVE_PHYSICAL\|REMOVE_SUBVOLUME);
56ebfaf1	144
5bcd08db	145	r = btrfs_subvol_snapshot(final, p, BTRFS_SNAPSHOT_QUOTA);
56ebfaf1 LP	146	if (r == -ENOTTY) {
	147	r = copy_tree(final, p, false);
	148	if (r < 0)
	149	return log_error_errno(r, "Failed to copy image: %m");
	150	} else if (r < 0)
	151	return log_error_errno(r, "Failed to create local image: %m");
	152
	153	log_info("Created new local image '%s'.", local);
	154
	155	return 0;
	156	}
	157
9818005d JS	158	static int hash_url(const char url, char *ret) {
	159	uint64_t h;
	160	static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f);
	161
	162	assert(url);
	163
	164	siphash24((uint8_t *) &h, url, strlen(url), k.bytes);
	165	if (asprintf(ret, "%"PRIx64, h) < 0)
	166	return -ENOMEM;
	167
	168	return 0;
	169	}
	170
dc2c282b	171	int pull_make_path(const char url, const char etag, const char image_root, const char prefix, const char suffix, char *ret) {
9818005d	172	_cleanup_free_ char escaped_url = NULL, escaped_etag = NULL;
56ebfaf1 LP	173	char *path;
	174
	175	assert(url);
	176	assert(ret);
	177
	178	if (!image_root)
	179	image_root = "/var/lib/machines";
	180
	181	escaped_url = xescape(url, FILENAME_ESCAPE);
	182	if (!escaped_url)
	183	return -ENOMEM;
	184
	185	if (etag) {
56ebfaf1 LP	186	escaped_etag = xescape(etag, FILENAME_ESCAPE);
	187	if (!escaped_etag)
	188	return -ENOMEM;
9818005d	189	}
56ebfaf1	190
9818005d JS	191	path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "",
9818005d JS	192	strempty(escaped_etag), strempty(suffix), NULL);
56ebfaf1 LP	193	if (!path)
	194	return -ENOMEM;
	195
9818005d JS	196	/* URLs might make the path longer than the maximum allowed length for a file name.
	197	* When that happens, a URL hash is used instead. Paths returned by this function
	198	* can be later used with tempfn_random() which adds 16 bytes to the resulting name. */
	199	if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) {
	200	_cleanup_free_ char *hash = NULL;
	201	int r;
	202
	203	free(path);
	204
	205	r = hash_url(url, &hash);
	206	if (r < 0)
	207	return r;
	208
	209	path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "",
	210	strempty(escaped_etag), strempty(suffix), NULL);
	211	if (!path)
	212	return -ENOMEM;
	213	}
	214
56ebfaf1 LP	215	*ret = path;
	216	return 0;
	217	}
85dbc41d	218
9854730b LP	219	int pull_make_settings_job(
	220	PullJob **ret,
	221	const char *url,
	222	CurlGlue *glue,
	223	PullJobFinished on_finished,
	224	void *userdata) {
	225
	226	_cleanup_free_ char last_component = NULL, ll = NULL, *settings_url = NULL;
	227	_cleanup_(pull_job_unrefp) PullJob *job = NULL;
	228	const char *q;
	229	int r;
	230
	231	assert(ret);
	232	assert(url);
	233	assert(glue);
	234
	235	r = import_url_last_component(url, &last_component);
	236	if (r < 0)
	237	return r;
	238
	239	r = tar_strip_suffixes(last_component, &ll);
	240	if (r < 0)
	241	return r;
	242
	243	q = strjoina(ll, ".nspawn");
	244
	245	r = import_url_change_last_component(url, q, &settings_url);
	246	if (r < 0)
	247	return r;
	248
	249	r = pull_job_new(&job, settings_url, glue, userdata);
	250	if (r < 0)
	251	return r;
	252
	253	job->on_finished = on_finished;
	254	job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL;
	255
	256	*ret = job;
	257	job = NULL;
	258
	259	return 0;
	260	}
	261
dc2c282b LP	262	int pull_make_verification_jobs(
	263	PullJob **ret_checksum_job,
	264	PullJob **ret_signature_job,
98c38001 LP	265	ImportVerify verify,
	266	const char *url,
	267	CurlGlue *glue,
dc2c282b	268	PullJobFinished on_finished,
98c38001 LP	269	void *userdata) {
98c38001 LP	270
dc2c282b	271	_cleanup_(pull_job_unrefp) PullJob checksum_job = NULL, signature_job = NULL;
98c38001 LP	272	int r;
	273
	274	assert(ret_checksum_job);
	275	assert(ret_signature_job);
	276	assert(verify >= 0);
	277	assert(verify < _IMPORT_VERIFY_MAX);
	278	assert(url);
	279	assert(glue);
	280
	281	if (verify != IMPORT_VERIFY_NO) {
	282	_cleanup_free_ char *checksum_url = NULL;
	283
	284	/* Queue job for the SHA256SUMS file for the image */
	285	r = import_url_change_last_component(url, "SHA256SUMS", &checksum_url);
	286	if (r < 0)
	287	return r;
	288
dc2c282b	289	r = pull_job_new(&checksum_job, checksum_url, glue, userdata);
98c38001 LP	290	if (r < 0)
	291	return r;
	292
	293	checksum_job->on_finished = on_finished;
	294	checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
	295	}
	296
	297	if (verify == IMPORT_VERIFY_SIGNATURE) {
	298	_cleanup_free_ char *signature_url = NULL;
	299
	300	/* Queue job for the SHA256SUMS.gpg file for the image. */
	301	r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url);
	302	if (r < 0)
	303	return r;
	304
dc2c282b	305	r = pull_job_new(&signature_job, signature_url, glue, userdata);
98c38001 LP	306	if (r < 0)
	307	return r;
	308
	309	signature_job->on_finished = on_finished;
	310	signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
	311	}
	312
	313	*ret_checksum_job = checksum_job;
	314	*ret_signature_job = signature_job;
	315
	316	checksum_job = signature_job = NULL;
	317
	318	return 0;
	319	}
	320
9854730b LP	321	int pull_verify(PullJob *main_job,
9854730b LP	322	PullJob *settings_job,
dc2c282b LP	323	PullJob *checksum_job,
dc2c282b LP	324	PullJob *signature_job) {
98c38001 LP	325
	326	_cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 };
	327	_cleanup_free_ char *fn = NULL;
	328	_cleanup_close_ int sig_file = -1;
	329	const char p, line;
0acfdffe	330	char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX";
98c38001	331	_cleanup_sigkill_wait_ pid_t pid = 0;
0acfdffe	332	bool gpg_home_created = false;
98c38001 LP	333	int r;
	334
	335	assert(main_job);
dc2c282b	336	assert(main_job->state == PULL_JOB_DONE);
98c38001 LP	337
	338	if (!checksum_job)
	339	return 0;
	340
	341	assert(main_job->calc_checksum);
	342	assert(main_job->checksum);
dc2c282b	343	assert(checksum_job->state == PULL_JOB_DONE);
98c38001 LP	344
	345	if (!checksum_job->payload \|\| checksum_job->payload_size <= 0) {
	346	log_error("Checksum is empty, cannot verify.");
	347	return -EBADMSG;
	348	}
	349
	350	r = import_url_last_component(main_job->url, &fn);
	351	if (r < 0)
	352	return log_oom();
	353
	354	if (!filename_is_valid(fn)) {
	355	log_error("Cannot verify checksum, could not determine valid server-side file name.");
	356	return -EBADMSG;
	357	}
	358
63c372cb	359	line = strjoina(main_job->checksum, " *", fn, "\n");
98c38001 LP	360
	361	p = memmem(checksum_job->payload,
	362	checksum_job->payload_size,
	363	line,
	364	strlen(line));
	365
	366	if (!p \|\| (p != (char*) checksum_job->payload && p[-1] != '\n')) {
9c00a6ad	367	log_error("DOWNLOAD INVALID: Checksum did not check out, payload has been tampered with.");
98c38001 LP	368	return -EBADMSG;
	369	}
	370
	371	log_info("SHA256 checksum of %s is valid.", main_job->url);
	372
1f9aa80a	373	assert(!settings_job \|\| IN_SET(settings_job->state, PULL_JOB_DONE, PULL_JOB_FAILED));
9854730b LP	374
9854730b LP	375	if (settings_job &&
1f9aa80a	376	settings_job->state == PULL_JOB_DONE &&
9854730b LP	377	settings_job->error == 0 &&
	378	!settings_job->etag_exists) {
	379
	380	_cleanup_free_ char *settings_fn = NULL;
	381
	382	assert(settings_job->calc_checksum);
	383	assert(settings_job->checksum);
	384
	385	r = import_url_last_component(settings_job->url, &settings_fn);
	386	if (r < 0)
	387	return log_oom();
	388
	389	if (!filename_is_valid(settings_fn)) {
	390	log_error("Cannot verify checksum, could not determine server-side settings file name.");
	391	return -EBADMSG;
	392	}
	393
	394	line = strjoina(settings_job->checksum, " *", settings_fn, "\n");
	395
	396	p = memmem(checksum_job->payload,
	397	checksum_job->payload_size,
	398	line,
	399	strlen(line));
	400
	401	if (!p \|\| (p != (char*) checksum_job->payload && p[-1] != '\n')) {
9c00a6ad	402	log_error("DOWNLOAD INVALID: Checksum of settings file did not checkout, settings file has been tampered with.");
9854730b LP	403	return -EBADMSG;
	404	}
	405
	406	log_info("SHA256 checksum of %s is valid.", settings_job->url);
	407	}
	408
98c38001 LP	409	if (!signature_job)
	410	return 0;
	411
dc2c282b	412	assert(signature_job->state == PULL_JOB_DONE);
98c38001 LP	413
	414	if (!signature_job->payload \|\| signature_job->payload_size <= 0) {
	415	log_error("Signature is empty, cannot verify.");
	416	return -EBADMSG;
	417	}
	418
	419	r = pipe2(gpg_pipe, O_CLOEXEC);
	420	if (r < 0)
0100b6e1	421	return log_error_errno(errno, "Failed to create pipe for gpg: %m");
98c38001 LP	422
	423	sig_file = mkostemp(sig_file_path, O_RDWR);
	424	if (sig_file < 0)
	425	return log_error_errno(errno, "Failed to create temporary file: %m");
	426
	427	r = loop_write(sig_file, signature_job->payload, signature_job->payload_size, false);
	428	if (r < 0) {
	429	log_error_errno(r, "Failed to write to temporary file: %m");
	430	goto finish;
	431	}
	432
0acfdffe LP	433	if (!mkdtemp(gpg_home)) {
	434	r = log_error_errno(errno, "Failed to create tempory home for gpg: %m");
	435	goto finish;
	436	}
	437
	438	gpg_home_created = true;
	439
98c38001 LP	440	pid = fork();
	441	if (pid < 0)
	442	return log_error_errno(errno, "Failed to fork off gpg: %m");
	443	if (pid == 0) {
	444	const char *cmd[] = {
	445	"gpg",
	446	"--no-options",
	447	"--no-default-keyring",
	448	"--no-auto-key-locate",
	449	"--no-auto-check-trustdb",
	450	"--batch",
	451	"--trust-model=always",
0acfdffe LP	452	NULL, /* --homedir= */
0acfdffe LP	453	NULL, /* --keyring= */
98c38001 LP	454	NULL, /* --verify */
	455	NULL, /* signature file */
	456	NULL, /* dash */
	457	NULL /* trailing NULL */
	458	};
0acfdffe	459	unsigned k = ELEMENTSOF(cmd) - 6;
98c38001 LP	460	int null_fd;
	461
	462	/* Child */
	463
ce30c8dc LP	464	(void) reset_all_signal_handlers();
ce30c8dc LP	465	(void) reset_signal_mask();
98c38001 LP	466	assert_se(prctl(PR_SET_PDEATHSIG, SIGTERM) == 0);
	467
	468	gpg_pipe[1] = safe_close(gpg_pipe[1]);
	469
	470	if (dup2(gpg_pipe[0], STDIN_FILENO) != STDIN_FILENO) {
	471	log_error_errno(errno, "Failed to dup2() fd: %m");
	472	_exit(EXIT_FAILURE);
	473	}
	474
	475	if (gpg_pipe[0] != STDIN_FILENO)
	476	gpg_pipe[0] = safe_close(gpg_pipe[0]);
	477
	478	null_fd = open("/dev/null", O_WRONLY\|O_NOCTTY);
	479	if (null_fd < 0) {
	480	log_error_errno(errno, "Failed to open /dev/null: %m");
	481	_exit(EXIT_FAILURE);
	482	}
	483
	484	if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) {
	485	log_error_errno(errno, "Failed to dup2() fd: %m");
	486	_exit(EXIT_FAILURE);
	487	}
	488
	489	if (null_fd != STDOUT_FILENO)
	490	null_fd = safe_close(null_fd);
	491
0acfdffe LP	492	cmd[k++] = strjoina("--homedir=", gpg_home);
0acfdffe LP	493
98c38001 LP	494	/* We add the user keyring only to the command line
	495	* arguments, if it's around since gpg fails
	496	* otherwise. */
	497	if (access(USER_KEYRING_PATH, F_OK) >= 0)
	498	cmd[k++] = "--keyring=" USER_KEYRING_PATH;
1c49d1ba LP	499	else
1c49d1ba LP	500	cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH;
98c38001 LP	501
	502	cmd[k++] = "--verify";
	503	cmd[k++] = sig_file_path;
	504	cmd[k++] = "-";
	505	cmd[k++] = NULL;
	506
3d7415f4 LP	507	fd_cloexec(STDIN_FILENO, false);
	508	fd_cloexec(STDOUT_FILENO, false);
	509	fd_cloexec(STDERR_FILENO, false);
	510
0acfdffe	511	execvp("gpg2", (char * const *) cmd);
98c38001 LP	512	execvp("gpg", (char * const *) cmd);
	513	log_error_errno(errno, "Failed to execute gpg: %m");
	514	_exit(EXIT_FAILURE);
	515	}
	516
	517	gpg_pipe[0] = safe_close(gpg_pipe[0]);
	518
	519	r = loop_write(gpg_pipe[1], checksum_job->payload, checksum_job->payload_size, false);
	520	if (r < 0) {
	521	log_error_errno(r, "Failed to write to pipe: %m");
	522	goto finish;
	523	}
	524
	525	gpg_pipe[1] = safe_close(gpg_pipe[1]);
	526
	527	r = wait_for_terminate_and_warn("gpg", pid, true);
	528	pid = 0;
	529	if (r < 0)
	530	goto finish;
	531	if (r > 0) {
9854730b	532	log_error("DOWNLOAD INVALID: Signature verification failed.");
98c38001 LP	533	r = -EBADMSG;
	534	} else {
	535	log_info("Signature verification succeeded.");
	536	r = 0;
	537	}
	538
	539	finish:
	540	if (sig_file >= 0)
9854730b	541	(void) unlink(sig_file_path);
98c38001	542
0acfdffe	543	if (gpg_home_created)
c6878637	544	(void) rm_rf(gpg_home, REMOVE_ROOT\|REMOVE_PHYSICAL);
0acfdffe	545
98c38001 LP	546	return r;
98c38001 LP	547	}