src/import/pull-common.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <sys/prctl.h>
   4
   5 #include "alloc-util.h"
   6 #include "btrfs-util.h"
   7 #include "capability-util.h"
   8 #include "copy.h"
   9 #include "dirent-util.h"
  10 #include "escape.h"
  11 #include "fd-util.h"
  12 #include "io-util.h"
  13 #include "path-util.h"
  14 #include "process-util.h"
  15 #include "pull-common.h"
  16 #include "pull-job.h"
  17 #include "rlimit-util.h"
  18 #include "rm-rf.h"
  19 #include "signal-util.h"
  20 #include "siphash24.h"
  21 #include "string-util.h"
  22 #include "strv.h"
  23 #include "util.h"
  24 #include "web-util.h"
  25
  26 #define FILENAME_ESCAPE "/.#\"\'"
  27 #define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16)
  28
  29 int pull_find_old_etags(
  30                 const char *url,
  31                 const char *image_root,
  32                 int dt,
  33                 const char *prefix,
  34                 const char *suffix,
  35                 char ***etags) {
  36
  37         _cleanup_free_ char *escaped_url = NULL;
  38         _cleanup_closedir_ DIR *d = NULL;
  39         _cleanup_strv_free_ char **l = NULL;
  40         struct dirent *de;
  41         int r;
  42
  43         assert(url);
  44         assert(etags);
  45
  46         if (!image_root)
  47                 image_root = "/var/lib/machines";
  48
  49         escaped_url = xescape(url, FILENAME_ESCAPE);
  50         if (!escaped_url)
  51                 return -ENOMEM;
  52
  53         d = opendir(image_root);
  54         if (!d) {
  55                 if (errno == ENOENT) {
  56                         *etags = NULL;
  57                         return 0;
  58                 }
  59
  60                 return -errno;
  61         }
  62
  63         FOREACH_DIRENT_ALL(de, d, return -errno) {
  64                 const char *a, *b;
  65                 char *u;
  66
  67                 if (de->d_type != DT_UNKNOWN &&
  68                     de->d_type != dt)
  69                         continue;
  70
  71                 if (prefix) {
  72                         a = startswith(de->d_name, prefix);
  73                         if (!a)
  74                                 continue;
  75                 } else
  76                         a = de->d_name;
  77
  78                 a = startswith(a, escaped_url);
  79                 if (!a)
  80                         continue;
  81
  82                 a = startswith(a, ".");
  83                 if (!a)
  84                         continue;
  85
  86                 if (suffix) {
  87                         b = endswith(de->d_name, suffix);
  88                         if (!b)
  89                                 continue;
  90                 } else
  91                         b = strchr(de->d_name, 0);
  92
  93                 if (a >= b)
  94                         continue;
  95
  96                 r = cunescape_length(a, b - a, 0, &u);
  97                 if (r < 0)
  98                         return r;
  99
 100                 if (!http_etag_is_valid(u)) {
 101                         free(u);
 102                         continue;
 103                 }
 104
 105                 r = strv_consume(&l, u);
 106                 if (r < 0)
 107                         return r;
 108         }
 109
 110         *etags = TAKE_PTR(l);
 111
 112         return 0;
 113 }
 114
 115 int pull_make_local_copy(const char *final, const char *image_root, const char *local, bool force_local) {
 116         const char *p;
 117         int r;
 118
 119         assert(final);
 120         assert(local);
 121
 122         if (!image_root)
 123                 image_root = "/var/lib/machines";
 124
 125         p = strjoina(image_root, "/", local);
 126
 127         if (force_local)
 128                 (void) rm_rf(p, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
 129
 130         r = btrfs_subvol_snapshot(final, p,
 131                                   BTRFS_SNAPSHOT_QUOTA|
 132                                   BTRFS_SNAPSHOT_FALLBACK_COPY|
 133                                   BTRFS_SNAPSHOT_FALLBACK_DIRECTORY|
 134                                   BTRFS_SNAPSHOT_RECURSIVE);
 135         if (r < 0)
 136                 return log_error_errno(r, "Failed to create local image: %m");
 137
 138         log_info("Created new local image '%s'.", local);
 139
 140         return 0;
 141 }
 142
 143 static int hash_url(const char *url, char **ret) {
 144         uint64_t h;
 145         static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f);
 146
 147         assert(url);
 148
 149         h = siphash24(url, strlen(url), k.bytes);
 150         if (asprintf(ret, "%"PRIx64, h) < 0)
 151                 return -ENOMEM;
 152
 153         return 0;
 154 }
 155
 156 int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) {
 157         _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL;
 158         char *path;
 159
 160         assert(url);
 161         assert(ret);
 162
 163         if (!image_root)
 164                 image_root = "/var/lib/machines";
 165
 166         escaped_url = xescape(url, FILENAME_ESCAPE);
 167         if (!escaped_url)
 168                 return -ENOMEM;
 169
 170         if (etag) {
 171                 escaped_etag = xescape(etag, FILENAME_ESCAPE);
 172                 if (!escaped_etag)
 173                         return -ENOMEM;
 174         }
 175
 176         path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "",
 177                        strempty(escaped_etag), strempty(suffix));
 178         if (!path)
 179                 return -ENOMEM;
 180
 181         /* URLs might make the path longer than the maximum allowed length for a file name.
 182          * When that happens, a URL hash is used instead. Paths returned by this function
 183          * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */
 184         if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) {
 185                 _cleanup_free_ char *hash = NULL;
 186                 int r;
 187
 188                 free(path);
 189
 190                 r = hash_url(url, &hash);
 191                 if (r < 0)
 192                         return r;
 193
 194                 path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "",
 195                                strempty(escaped_etag), strempty(suffix));
 196                 if (!path)
 197                         return -ENOMEM;
 198         }
 199
 200         *ret = path;
 201         return 0;
 202 }
 203
 204 int pull_make_auxiliary_job(
 205                 PullJob **ret,
 206                 const char *url,
 207                 int (*strip_suffixes)(const char *name, char **ret),
 208                 const char *suffix,
 209                 CurlGlue *glue,
 210                 PullJobFinished on_finished,
 211                 void *userdata) {
 212
 213         _cleanup_free_ char *last_component = NULL, *ll = NULL, *auxiliary_url = NULL;
 214         _cleanup_(pull_job_unrefp) PullJob *job = NULL;
 215         const char *q;
 216         int r;
 217
 218         assert(ret);
 219         assert(url);
 220         assert(strip_suffixes);
 221         assert(glue);
 222
 223         r = import_url_last_component(url, &last_component);
 224         if (r < 0)
 225                 return r;
 226
 227         r = strip_suffixes(last_component, &ll);
 228         if (r < 0)
 229                 return r;
 230
 231         q = strjoina(ll, suffix);
 232
 233         r = import_url_change_last_component(url, q, &auxiliary_url);
 234         if (r < 0)
 235                 return r;
 236
 237         r = pull_job_new(&job, auxiliary_url, glue, userdata);
 238         if (r < 0)
 239                 return r;
 240
 241         job->on_finished = on_finished;
 242         job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL;
 243
 244         *ret = TAKE_PTR(job);
 245
 246         return 0;
 247 }
 248
 249 int pull_make_verification_jobs(
 250                 PullJob **ret_checksum_job,
 251                 PullJob **ret_signature_job,
 252                 ImportVerify verify,
 253                 const char *url,
 254                 CurlGlue *glue,
 255                 PullJobFinished on_finished,
 256                 void *userdata) {
 257
 258         _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL;
 259         int r;
 260         const char *chksums = NULL;
 261
 262         assert(ret_checksum_job);
 263         assert(ret_signature_job);
 264         assert(verify >= 0);
 265         assert(verify < _IMPORT_VERIFY_MAX);
 266         assert(url);
 267         assert(glue);
 268
 269         if (verify != IMPORT_VERIFY_NO) {
 270                 _cleanup_free_ char *checksum_url = NULL, *fn = NULL;
 271
 272                 /* Queue jobs for the checksum file for the image. */
 273                 r = import_url_last_component(url, &fn);
 274                 if (r < 0)
 275                         return r;
 276
 277                 chksums = strjoina(fn, ".sha256");
 278
 279                 r = import_url_change_last_component(url, chksums, &checksum_url);
 280                 if (r < 0)
 281                         return r;
 282
 283                 r = pull_job_new(&checksum_job, checksum_url, glue, userdata);
 284                 if (r < 0)
 285                         return r;
 286
 287                 checksum_job->on_finished = on_finished;
 288                 checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
 289         }
 290
 291         if (verify == IMPORT_VERIFY_SIGNATURE) {
 292                 _cleanup_free_ char *signature_url = NULL;
 293
 294                 /* Queue job for the SHA256SUMS.gpg file for the image. */
 295                 r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url);
 296                 if (r < 0)
 297                         return r;
 298
 299                 r = pull_job_new(&signature_job, signature_url, glue, userdata);
 300                 if (r < 0)
 301                         return r;
 302
 303                 signature_job->on_finished = on_finished;
 304                 signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
 305         }
 306
 307         *ret_checksum_job = checksum_job;
 308         *ret_signature_job = signature_job;
 309
 310         checksum_job = signature_job = NULL;
 311
 312         return 0;
 313 }
 314
 315 static int verify_one(PullJob *checksum_job, PullJob *job) {
 316         _cleanup_free_ char *fn = NULL;
 317         const char *line, *p;
 318         int r;
 319
 320         assert(checksum_job);
 321
 322         if (!job)
 323                 return 0;
 324
 325         assert(IN_SET(job->state, PULL_JOB_DONE, PULL_JOB_FAILED));
 326
 327         /* Don't verify the checksum if we didn't actually successfully download something new */
 328         if (job->state != PULL_JOB_DONE)
 329                 return 0;
 330         if (job->error != 0)
 331                 return 0;
 332         if (job->etag_exists)
 333                 return 0;
 334
 335         assert(job->calc_checksum);
 336         assert(job->checksum);
 337
 338         r = import_url_last_component(job->url, &fn);
 339         if (r < 0)
 340                 return log_oom();
 341
 342         if (!filename_is_valid(fn))
 343                 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
 344                                        "Cannot verify checksum, could not determine server-side file name.");
 345
 346         line = strjoina(job->checksum, " *", fn, "\n");
 347
 348         p = memmem(checksum_job->payload,
 349                    checksum_job->payload_size,
 350                    line,
 351                    strlen(line));
 352
 353         if (!p) {
 354                 line = strjoina(job->checksum, "  ", fn, "\n");
 355
 356                 p = memmem(checksum_job->payload,
 357                         checksum_job->payload_size,
 358                         line,
 359                         strlen(line));
 360         }
 361
 362         if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n'))
 363                 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
 364                                        "DOWNLOAD INVALID: Checksum of %s file did not checkout, file has been tampered with.", fn);
 365
 366         log_info("SHA256 checksum of %s is valid.", job->url);
 367         return 1;
 368 }
 369
 370 int pull_verify(PullJob *main_job,
 371                 PullJob *roothash_job,
 372                 PullJob *settings_job,
 373                 PullJob *checksum_job,
 374                 PullJob *signature_job) {
 375
 376         _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 };
 377         _cleanup_close_ int sig_file = -1;
 378         char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX";
 379         _cleanup_(sigkill_waitp) pid_t pid = 0;
 380         bool gpg_home_created = false;
 381         int r;
 382
 383         assert(main_job);
 384         assert(main_job->state == PULL_JOB_DONE);
 385
 386         if (!checksum_job)
 387                 return 0;
 388
 389         assert(main_job->calc_checksum);
 390         assert(main_job->checksum);
 391
 392         assert(checksum_job->state == PULL_JOB_DONE);
 393
 394         if (!checksum_job->payload || checksum_job->payload_size <= 0) {
 395                 log_error("Checksum is empty, cannot verify.");
 396                 return -EBADMSG;
 397         }
 398
 399         r = verify_one(checksum_job, main_job);
 400         if (r < 0)
 401                 return r;
 402
 403         r = verify_one(checksum_job, roothash_job);
 404         if (r < 0)
 405                 return r;
 406
 407         r = verify_one(checksum_job, settings_job);
 408         if (r < 0)
 409                 return r;
 410
 411         if (!signature_job)
 412                 return 0;
 413
 414         if (checksum_job->style == VERIFICATION_PER_FILE)
 415                 signature_job = checksum_job;
 416
 417         assert(signature_job->state == PULL_JOB_DONE);
 418
 419         if (!signature_job->payload || signature_job->payload_size <= 0) {
 420                 log_error("Signature is empty, cannot verify.");
 421                 return -EBADMSG;
 422         }
 423
 424         r = pipe2(gpg_pipe, O_CLOEXEC);
 425         if (r < 0)
 426                 return log_error_errno(errno, "Failed to create pipe for gpg: %m");
 427
 428         sig_file = mkostemp(sig_file_path, O_RDWR);
 429         if (sig_file < 0)
 430                 return log_error_errno(errno, "Failed to create temporary file: %m");
 431
 432         r = loop_write(sig_file, signature_job->payload, signature_job->payload_size, false);
 433         if (r < 0) {
 434                 log_error_errno(r, "Failed to write to temporary file: %m");
 435                 goto finish;
 436         }
 437
 438         if (!mkdtemp(gpg_home)) {
 439                 r = log_error_errno(errno, "Failed to create tempory home for gpg: %m");
 440                 goto finish;
 441         }
 442
 443         gpg_home_created = true;
 444
 445         r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid);
 446         if (r < 0)
 447                 return r;
 448         if (r == 0) {
 449                 const char *cmd[] = {
 450                         "gpg",
 451                         "--no-options",
 452                         "--no-default-keyring",
 453                         "--no-auto-key-locate",
 454                         "--no-auto-check-trustdb",
 455                         "--batch",
 456                         "--trust-model=always",
 457                         NULL, /* --homedir=  */
 458                         NULL, /* --keyring= */
 459                         NULL, /* --verify */
 460                         NULL, /* signature file */
 461                         NULL, /* dash */
 462                         NULL  /* trailing NULL */
 463                 };
 464                 unsigned k = ELEMENTSOF(cmd) - 6;
 465
 466                 /* Child */
 467
 468                 gpg_pipe[1] = safe_close(gpg_pipe[1]);
 469
 470                 r = rearrange_stdio(gpg_pipe[0], -1, STDERR_FILENO);
 471                 if (r < 0) {
 472                         log_error_errno(r, "Failed to rearrange stdin/stdout: %m");
 473                         _exit(EXIT_FAILURE);
 474                 }
 475
 476                 (void) rlimit_nofile_safe();
 477
 478                 cmd[k++] = strjoina("--homedir=", gpg_home);
 479
 480                 /* We add the user keyring only to the command line
 481                  * arguments, if it's around since gpg fails
 482                  * otherwise. */
 483                 if (access(USER_KEYRING_PATH, F_OK) >= 0)
 484                         cmd[k++] = "--keyring=" USER_KEYRING_PATH;
 485                 else
 486                         cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH;
 487
 488                 cmd[k++] = "--verify";
 489                 if (checksum_job->style == VERIFICATION_PER_DIRECTORY) {
 490                         cmd[k++] = sig_file_path;
 491                         cmd[k++] = "-";
 492                         cmd[k++] = NULL;
 493                 }
 494
 495                 execvp("gpg2", (char * const *) cmd);
 496                 execvp("gpg", (char * const *) cmd);
 497                 log_error_errno(errno, "Failed to execute gpg: %m");
 498                 _exit(EXIT_FAILURE);
 499         }
 500
 501         gpg_pipe[0] = safe_close(gpg_pipe[0]);
 502
 503         r = loop_write(gpg_pipe[1], checksum_job->payload, checksum_job->payload_size, false);
 504         if (r < 0) {
 505                 log_error_errno(r, "Failed to write to pipe: %m");
 506                 goto finish;
 507         }
 508
 509         gpg_pipe[1] = safe_close(gpg_pipe[1]);
 510
 511         r = wait_for_terminate_and_check("gpg", pid, WAIT_LOG_ABNORMAL);
 512         pid = 0;
 513         if (r < 0)
 514                 goto finish;
 515         if (r != EXIT_SUCCESS) {
 516                 log_error("DOWNLOAD INVALID: Signature verification failed.");
 517                 r = -EBADMSG;
 518         } else {
 519                 log_info("Signature verification succeeded.");
 520                 r = 0;
 521         }
 522
 523 finish:
 524         (void) unlink(sig_file_path);
 525
 526         if (gpg_home_created)
 527                 (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL);
 528
 529         return r;
 530 }