pull: now that PullJob can verify expected digests, let's rely on it for tar/raw...
authorLennart Poettering <lennart@poettering.net>
Wed, 5 Nov 2025 21:24:01 +0000 (22:24 +0100)
committerLennart Poettering <lennart@poettering.net>
Sat, 8 Nov 2025 08:28:50 +0000 (09:28 +0100)
Instead of authenticating the downloaded image explicitly in the tar and
in the raw downloader, we can now rely on the checksum checking in the
generic PullJob code. Hence do so: drop the checksum field from
TarPull and RawPull, and just initialize the ->expected_checksum in the
relevant PullJob instead.

src/import/pull-common.c
src/import/pull-common.h
src/import/pull-raw.c
src/import/pull-tar.c

index 61ac57e5555fee59cb4d96a8914c8cf0d2f2aa1d..a58b8b8185fb754be78509822334e012608f35be 100644 (file)
@@ -248,7 +248,6 @@ int pull_make_verification_jobs(
                 PullJob **ret_checksum_job,
                 PullJob **ret_signature_job,
                 ImportVerify verify,
-                const struct iovec *checksum, /* set if literal checksum verification is requested, in which case 'verify' is set to _IMPORT_VERIFY_INVALID */
                 const char *url,
                 CurlGlue *glue,
                 PullJobFinished on_finished,
@@ -262,13 +261,13 @@ int pull_make_verification_jobs(
         assert(ret_signature_job);
         assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX);
         assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0);
-        assert((verify < 0) || !checksum);
         assert(url);
         assert(glue);
 
         /* If verification is turned off, or if the checksum to validate is already specified we don't need
          * to download a checksum file or signature, hence shortcut things */
-        if (verify == IMPORT_VERIFY_NO || iovec_is_set(checksum)) {
+        if (verify < 0 ||                  /* verification already done (via literal checksum) */
+            verify == IMPORT_VERIFY_NO) {  /* verification turned off */
                 *ret_checksum_job = *ret_signature_job = NULL;
                 return 0;
         }
@@ -515,7 +514,6 @@ finish:
 }
 
 int pull_verify(ImportVerify verify,
-                const struct iovec *checksum, /* Verify with literal checksum */
                 PullJob *main_job,
                 PullJob *checksum_job,
                 PullJob *signature_job,
@@ -531,33 +529,13 @@ int pull_verify(ImportVerify verify,
 
         assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX);
         assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0);
-        assert((verify < 0) || !checksum);
         assert(main_job);
         assert(main_job->state == PULL_JOB_DONE);
 
-        if (verify == IMPORT_VERIFY_NO) /* verification turned off */
+        if (verify < 0 ||               /* verification already done (via literal checksum) */
+            verify == IMPORT_VERIFY_NO) /* verification turned off */
                 return 0;
 
-        if (checksum) {
-                /* Verification by literal checksum */
-                assert(!checksum_job);
-                assert(!signature_job);
-                assert(!settings_job);
-                assert(!roothash_job);
-                assert(!roothash_signature_job);
-                assert(!verity_job);
-
-                assert(main_job->calc_checksum);
-                assert(iovec_is_set(&main_job->checksum));
-
-                if (iovec_memcmp(checksum, &main_job->checksum) != 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
-                                               "DOWNLOAD INVALID: Checksum of %s file did not check out, file has been tampered with.",
-                                               main_job->url);
-
-                return 0;
-        }
-
         r = import_url_last_component(main_job->url, &fn);
         if (r < 0)
                 return log_error_errno(r, "Failed to extract filename from URL '%s': %m", main_job->url);
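Review bot: The new `verify < 0` early return in pull_verify() reports success without confirming that a literal checksum was actually pinned on the job, whereas the removed branch asserted `main_job->calc_checksum` and compared the digests right here. If a caller ever passes `_IMPORT_VERIFY_INVALID` without having set `expected_checksum`, the download would be accepted with no check at all, so the shortcut should state its precondition, for example `assert(verify >= 0 || iovec_is_set(&main_job->expected_checksum));` next to the existing `assert(main_job)` lines. The same `verify < 0` shortcut in pull_make_verification_jobs() relies on that convention as well. The digest comparison itself presumably now lives in the PullJob code, which is not part of this diff, and pull_verify()'s body continues outside the hunk.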
index 48cb6c5ec4ea06cb89b379b1b7ec9c9c432a6b23..ffdabcb24952765ce040696fe3c9aaac38ecf46a 100644 (file)
@@ -14,9 +14,9 @@ int pull_find_old_etags(const char *url, const char *root, int dt, const char *p
 int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret);
 
 int pull_make_auxiliary_job(PullJob **ret, const char *url, int (*strip_suffixes)(const char *name, char **ret), const char *suffix, ImportVerify verify, CurlGlue *glue, PullJobOpenDisk on_open_disk, PullJobFinished on_finished, void *userdata);
-int pull_make_verification_jobs(PullJob **ret_checksum_job, PullJob **ret_signature_job, ImportVerify verify, const struct iovec *checksum, const char *url, CurlGlue *glue, PullJobFinished on_finished, void *userdata);
+int pull_make_verification_jobs(PullJob **ret_checksum_job, PullJob **ret_signature_job, ImportVerify verify, const char *url, CurlGlue *glue, PullJobFinished on_finished, void *userdata);
 
-int pull_verify(ImportVerify verify, const struct iovec *checksum, PullJob *main_job, PullJob *checksum_job, PullJob *signature_job, PullJob *settings_job, PullJob *roothash_job, PullJob *roothash_signature_job, PullJob *verity_job);
+int pull_verify(ImportVerify verify, PullJob *main_job, PullJob *checksum_job, PullJob *signature_job, PullJob *settings_job, PullJob *roothash_job, PullJob *roothash_signature_job, PullJob *verity_job);
 
 typedef enum VerificationStyle {
         VERIFICATION_PER_FILE,      /* SUSE-style ".sha256" files with detached gpg signature */
index 274bd3ec0d6cbc44f250ed8456ba10788c098457..bf662c24b95b3ebc613837b1a948cdb9a89d83e6 100644 (file)
@@ -67,8 +67,6 @@ typedef struct RawPull {
 
         char *verity_path;
         char *verity_temp_path;
-
-        struct iovec checksum;
 } RawPull;
 
 RawPull* raw_pull_unref(RawPull *i) {
@@ -99,7 +97,6 @@ RawPull* raw_pull_unref(RawPull *i) {
         free(i->verity_path);
         free(i->image_root);
         free(i->local);
-        iovec_done(&i->checksum);
 
         return mfree(i);
 }
@@ -585,7 +582,6 @@ static void raw_pull_job_on_finished(PullJob *j) {
                 raw_pull_report_progress(i, RAW_VERIFYING);
 
                 r = pull_verify(i->verify,
-                                &i->checksum,
                                 i->raw_job,
                                 i->checksum_job,
                                 i->signature_job,
@@ -854,9 +850,6 @@ int raw_pull_start(
         if (r < 0)
                 return r;
 
-        if (!iovec_memdup(checksum, &i->checksum))
-                return -ENOMEM;
-
         i->flags = flags;
         i->verify = verify;
 
@@ -868,9 +861,12 @@ int raw_pull_start(
         i->raw_job->on_finished = raw_pull_job_on_finished;
         i->raw_job->on_open_disk = raw_pull_job_on_open_disk_raw;
 
-        if (iovec_is_set(checksum))
+        if (iovec_is_set(checksum)) {
+                if (!iovec_memdup(checksum, &i->raw_job->expected_checksum))
+                        return -ENOMEM;
+
                 i->raw_job->calc_checksum = true;
-        else if (verify != IMPORT_VERIFY_NO) {
+        else if (verify != IMPORT_VERIFY_NO) {
                 /* Calculate checksum of the main download unless the users asks for a SHA256SUM file or its
                  * signature, which we let gpg verify instead. */
 
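Review bot: As rendered here, the added `else if (verify != IMPORT_VERIFY_NO) {` line is identical to the removed one and does not close the brace opened by the new `if (iovec_is_set(checksum)) {`, so the new side as shown would not compile. It presumably should read `} else if (verify != IMPORT_VERIFY_NO) {`; the leading brace may have been lost when the page was rendered, so this is worth checking against the repository. raw_pull_start()'s body starts and ends outside the hunk.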
@@ -898,7 +894,6 @@ int raw_pull_start(
                         &i->checksum_job,
                         &i->signature_job,
                         verify,
-                        &i->checksum,
                         url,
                         i->glue,
                         raw_pull_job_on_finished,
index a899e9a225de67b0eac617075a3e0929cd181785..168ea08de84a06af73eadac530783abb27b52fc3 100644 (file)
@@ -65,8 +65,6 @@ typedef struct TarPull {
         char *settings_path;
         char *settings_temp_path;
 
-        struct iovec checksum;
-
         int tree_fd;
         int userns_fd;
 
@@ -98,7 +96,6 @@ TarPull* tar_pull_unref(TarPull *i) {
         free(i->settings_path);
         free(i->image_root);
         free(i->local);
-        iovec_done(&i->checksum);
 
         safe_close(i->tree_fd);
         safe_close(i->userns_fd);
@@ -478,7 +475,6 @@ static void tar_pull_job_on_finished(PullJob *j) {
 
                 clear_progress_bar(/* prefix= */ NULL);
                 r = pull_verify(i->verify,
-                                &i->checksum,
                                 i->tar_job,
                                 i->checksum_job,
                                 i->signature_job,
@@ -723,9 +719,6 @@ int tar_pull_start(
         if (r < 0)
                 return r;
 
-        if (!iovec_memdup(checksum, &i->checksum))
-                return -ENOMEM;
-
         i->flags = flags;
         i->verify = verify;
 
@@ -736,7 +729,14 @@ int tar_pull_start(
 
         i->tar_job->on_finished = tar_pull_job_on_finished;
         i->tar_job->on_open_disk = tar_pull_job_on_open_disk_tar;
-        i->tar_job->calc_checksum = checksum || IN_SET(verify, IMPORT_VERIFY_CHECKSUM, IMPORT_VERIFY_SIGNATURE);
+
+        if (iovec_is_set(checksum)) {
+                if (!iovec_memdup(checksum, &i->tar_job->expected_checksum))
+                        return -ENOMEM;
+
+                i->tar_job->calc_checksum = true;
+        } else
+                i->tar_job->calc_checksum = verify != IMPORT_VERIFY_NO;
 
         if (!FLAGS_SET(flags, IMPORT_DIRECT)) {
                 r = pull_find_old_etags(url, i->image_root, DT_DIR, ".tar-", NULL, &i->tar_job->old_etags);
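Review bot: The `else` branch now sets `calc_checksum` for every `verify` value other than `IMPORT_VERIFY_NO`, where the removed line listed `IMPORT_VERIFY_CHECKSUM` and `IMPORT_VERIFY_SIGNATURE` explicitly. That includes a negative `verify` passed without a literal checksum, in which case a digest is computed that pull_verify() never compares, because it returns early on `verify < 0`. If the broader condition is intended, a short comment such as `/* any verification mode needs the digest of the main download */` would make that clear; otherwise keep `IN_SET(verify, IMPORT_VERIFY_CHECKSUM, IMPORT_VERIFY_SIGNATURE)`. tar_pull_start()'s body starts and ends outside the hunk.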
@@ -749,7 +749,6 @@ int tar_pull_start(
                         &i->checksum_job,
                         &i->signature_job,
                         verify,
-                        checksum,
                         url,
                         i->glue,
                         tar_pull_job_on_finished,