X-Git-Url: https://git.librecmc.org/?p=oweals%2Fopkg-lede.git;a=blobdiff_plain;f=libopkg%2Fopkg_download.c;h=47892499ed6026067b816ae95b3a34c395d1feba;hp=04073cf593f3659acd6749d8c76cd6ac888b2fd7;hb=f4296235e3e302b8729de3fdf92fdd742374c68b;hpb=1f08c9e15caa6377c58f55c0fdaab8f4fab1ad5e diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c index 04073cf..4789249 100644 --- a/libopkg/opkg_download.c +++ b/libopkg/opkg_download.c @@ -17,28 +17,66 @@ General Public License for more details. */ #include "config.h" + +#ifdef HAVE_CURL #include -#ifdef HAVE_GPGME +#endif + +#if defined(HAVE_SSLCURL) || defined(HAVE_OPENSSL) +#include +#include +#include +#include +#endif + +#if defined(HAVE_GPGME) #include +#elif defined(HAVE_OPENSSL) +#include +#include +#include +#include +#include #endif #include "includes.h" #include "opkg_download.h" #include "opkg_message.h" -#include "opkg_state.h" #include "sprintf_alloc.h" #include "xsystem.h" #include "file_util.h" #include "str_util.h" #include "opkg_defines.h" +#include "libbb/libbb.h" + +#ifdef HAVE_PATHFINDER +#include "opkg_pathfinder.h" +#endif + +#if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL) +static void openssl_init(void); +#endif + +#ifdef HAVE_OPENSSL +static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath); +#endif + +#ifdef HAVE_CURL +/* + * Make curl an instance variable so we don't have to instanciate it + * each time + */ +static CURL *curl = NULL; +static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data); +#endif int opkg_download(opkg_conf_t *conf, const char *src, const char *dest_file_name, curl_progress_func cb, void *data) { int err = 0; - char *src_basec = strdup(src); + char *src_basec = xstrdup(src); char *src_base = basename(src_basec); char *tmp_file_location; @@ -77,44 +115,27 @@ int opkg_download(opkg_conf_t *conf, const char *src, setenv("no_proxy", conf->no_proxy, 1); } - CURL *curl; +#ifdef HAVE_CURL CURLcode res; FILE * file = fopen (tmp_file_location, "w"); - curl = curl_easy_init (); + curl = opkg_curl_init (conf, cb, data); if (curl) { curl_easy_setopt (curl, CURLOPT_URL, src); curl_easy_setopt (curl, CURLOPT_WRITEDATA, file); - curl_easy_setopt (curl, CURLOPT_NOPROGRESS, (cb == NULL)); - if (cb) - { - curl_easy_setopt (curl, CURLOPT_PROGRESSDATA, data); - curl_easy_setopt (curl, CURLOPT_PROGRESSFUNCTION, cb); - } - curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1); - curl_easy_setopt (curl, CURLOPT_FAILONERROR, 1); - if (conf->http_proxy || conf->ftp_proxy) - { - char *userpwd; - sprintf_alloc (&userpwd, "%s:%s", conf->proxy_user, - conf->proxy_passwd); - curl_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd); - free (userpwd); - } + res = curl_easy_perform (curl); fclose (file); if (res) { long error_code; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &error_code); - opkg_message(conf, OPKG_ERROR, "Failed to download %s, error %d\n", src, error_code); + opkg_message(conf, OPKG_ERROR, "Failed to download %s. \nerror detail: %s\n", src, curl_easy_strerror(res)); free(tmp_file_location); free(src_basec); - curl_easy_cleanup (curl); return res; } - curl_easy_cleanup (curl); } else @@ -123,6 +144,32 @@ int opkg_download(opkg_conf_t *conf, const char *src, free(src_basec); return -1; } +#else + { + int res; + const char *argv[8]; + int i = 0; + + argv[i++] = "wget"; + argv[i++] = "-q"; + if (conf->http_proxy || conf->ftp_proxy) { + argv[i++] = "-Y"; + argv[i++] = "on"; + } + argv[i++] = "-O"; + argv[i++] = tmp_file_location; + argv[i++] = src; + argv[i++] = NULL; + res = xsystem(argv); + + if (res) { + opkg_message(conf, OPKG_ERROR, "Failed to download %s, error %d\n", src, res); + free(tmp_file_location); + free(src_basec); + return res; + } + } +#endif err = file_move(tmp_file_location, dest_file_name); @@ -139,7 +186,7 @@ int opkg_download(opkg_conf_t *conf, const char *src, static int opkg_download_cache(opkg_conf_t *conf, const char *src, const char *dest_file_name, curl_progress_func cb, void *data) { - char *cache_name = strdup(src); + char *cache_name = xstrdup(src); char *cache_location, *p; int err = 0; @@ -177,7 +224,6 @@ int opkg_download_pkg(opkg_conf_t *conf, pkg_t *pkg, const char *dir) { int err; char *url; - char *pkgid; char *stripped_filename; if (pkg->src == NULL) { @@ -185,10 +231,10 @@ int opkg_download_pkg(opkg_conf_t *conf, pkg_t *pkg, const char *dir) pkg->name, pkg->parent->name); return -1; } - - sprintf_alloc (&pkgid, "%s;%s;%s;", pkg->name, pkg->version, pkg->architecture); - opkg_set_current_state (conf, OPKG_STATE_DOWNLOADING_PKG, pkgid); - free (pkgid); + if (pkg->filename == NULL) { + opkg_message(conf,OPKG_ERROR, "ERROR: Package %s (parent %s) does not have a valid filename field.\n",pkg->name, pkg->parent->name); + return -1; + } sprintf_alloc(&url, "%s/%s", pkg->src->value, pkg->filename); @@ -206,7 +252,6 @@ int opkg_download_pkg(opkg_conf_t *conf, pkg_t *pkg, const char *dir) err = opkg_download_cache(conf, url, pkg->local_filename, NULL, NULL); free(url); - opkg_set_current_state (conf, OPKG_STATE_NONE, NULL); return err; } @@ -217,14 +262,13 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name { int err = 0; pkg_t *pkg; + pkg = pkg_new(); - if (pkg == NULL) - return ENOMEM; if (str_starts_with(url, "http://") || str_starts_with(url, "ftp://")) { char *tmp_file; - char *file_basec = strdup(url); + char *file_basec = xstrdup(url); char *file_base = basename(file_basec); sprintf_alloc(&tmp_file, "%s/%s", conf->tmp_dir, file_base); @@ -232,10 +276,9 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name if (err) return err; - err = pkg_init_from_file(pkg, tmp_file); + err = pkg_init_from_file(conf, pkg, tmp_file); if (err) return err; - pkg->local_filename = strdup(tmp_file); free(tmp_file); free(file_basec); @@ -244,10 +287,9 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name || strcmp(&url[strlen(url) - 4], IPKG_PKG_EXTENSION) == 0 || strcmp(&url[strlen(url) - 4], DPKG_PKG_EXTENSION) == 0) { - err = pkg_init_from_file(pkg, url); + err = pkg_init_from_file(conf, pkg, url); if (err) return err; - pkg->local_filename = strdup(url); opkg_message(conf, OPKG_DEBUG2, "Package %s provided by hand (%s).\n", pkg->name,pkg->local_filename); pkg->provided_by_hand = 1; @@ -266,12 +308,9 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name pkg->state_want = SW_INSTALL; pkg->state_flag |= SF_PREFER; pkg = hash_insert_pkg(&conf->pkg_hash, pkg, 1,conf); - if ( pkg == NULL ){ - fprintf(stderr, "%s : This should never happen. Report this Bug in bugzilla please \n ",__FUNCTION__); - return 0; - } + if (namep) { - *namep = strdup(pkg->name); + *namep = pkg->name; } return 0; } @@ -279,7 +318,9 @@ int opkg_prepare_url_for_install(opkg_conf_t *conf, const char *url, char **name int opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) { -#ifdef HAVE_GPGME +#if defined HAVE_GPGME + if (conf->check_signature == 0 ) + return 0; int status = -1; gpgme_ctx_t ctx; gpgme_data_t sig, text, key; @@ -344,9 +385,270 @@ opkg_verify_file (opkg_conf_t *conf, char *text_file, char *sig_file) gpgme_data_release (text); gpgme_release (ctx); + return status; +#elif defined HAVE_OPENSSL + X509_STORE *store = NULL; + PKCS7 *p7 = NULL; + BIO *in = NULL, *indata = NULL; + + // Sig check failed by default ! + int status = -1; + + openssl_init(); + + // Set-up the key store + if(!(store = setup_verify(conf, conf->signature_ca_file, conf->signature_ca_path))){ + opkg_message(conf, OPKG_ERROR, + "Can't open CA certificates\n"); + goto verify_file_end; + } + + // Open a BIO to read the sig file + if (!(in = BIO_new_file(sig_file, "rb"))){ + opkg_message(conf, OPKG_ERROR, + "Can't open signature file %s\n", sig_file); + goto verify_file_end; + } + + // Read the PKCS7 block contained in the sig file + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + if(!p7){ + opkg_message(conf, OPKG_ERROR, + "Can't read signature file (Corrupted ?)\n"); + goto verify_file_end; + } +#if defined(HAVE_PATHFINDER) + if(conf->check_x509_path){ + if(!pkcs7_pathfinder_verify_signers(p7)){ + opkg_message(conf, OPKG_ERROR, "pkcs7_pathfinder_verify_signers: " + "Path verification failed\n"); + goto verify_file_end; + } + } +#endif + + // Open the Package file to authenticate + if (!(indata = BIO_new_file(text_file, "rb"))){ + opkg_message(conf, OPKG_ERROR, + "Can't open file %s\n", text_file); + goto verify_file_end; + } + + // Let's verify the autenticity ! + if (PKCS7_verify(p7, NULL, store, indata, NULL, PKCS7_BINARY) != 1){ + // Get Off My Lawn! + opkg_message(conf, OPKG_ERROR, + "Verification failure\n"); + }else{ + // Victory ! + status = 0; + } + +verify_file_end: + BIO_free(in); + BIO_free(indata); + PKCS7_free(p7); + X509_STORE_free(store); + return status; #else - opkg_message (conf, OPKG_NOTICE, "Signature check for %s was skipped because GPG support was not enabled in this build\n"); + /* mute `unused variable' warnings. */ + (void) sig_file; + (void) text_file; + (void) conf; return 0; #endif } + + +#if defined(HAVE_OPENSSL) || defined(HAVE_SSLCURL) +static void openssl_init(void){ + static int init = 0; + + if(!init){ + OPENSSL_config(NULL); + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); + init = 1; + } +} + +#endif + + +#if defined HAVE_OPENSSL +static X509_STORE *setup_verify(opkg_conf_t *conf, char *CAfile, char *CApath){ + X509_STORE *store = NULL; + X509_LOOKUP *lookup = NULL; + + if(!(store = X509_STORE_new())){ + // Something bad is happening... + goto end; + } + + // adds the X509 file lookup method + lookup = X509_STORE_add_lookup(store,X509_LOOKUP_file()); + if (lookup == NULL){ + goto end; + } + + // Autenticating against one CA file + if (CAfile) { + if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { + // Invalid CA => Bye bye + opkg_message(conf, OPKG_ERROR, + "Error loading file %s\n", CAfile); + goto end; + } + } else { + X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); + } + + // Now look into CApath directory if supplied + lookup = X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); + if (lookup == NULL){ + goto end; + } + + if (CApath) { + if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { + opkg_message(conf, OPKG_ERROR, + "Error loading directory %s\n", CApath); + goto end; + } + } else { + X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); + } + + // All right ! + ERR_clear_error(); + return store; + +end: + + X509_STORE_free(store); + return NULL; + +} + +#endif + +#ifdef HAVE_CURL +void opkg_curl_cleanup(void){ + if(curl != NULL){ + curl_easy_cleanup (curl); + curl = NULL; + } +} + +static CURL *opkg_curl_init(opkg_conf_t *conf, curl_progress_func cb, void *data){ + + if(curl == NULL){ + curl = curl_easy_init(); + +#ifdef HAVE_SSLCURL + openssl_init(); + + if (conf->ssl_engine) { + + /* use crypto engine */ + if (curl_easy_setopt(curl, CURLOPT_SSLENGINE, conf->ssl_engine) != CURLE_OK){ + opkg_message(conf, OPKG_ERROR, "can't set crypto engine: '%s'\n", + conf->ssl_engine); + + opkg_curl_cleanup(); + return NULL; + } + /* set the crypto engine as default */ + if (curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L) != CURLE_OK){ + opkg_message(conf, OPKG_ERROR, "can't set crypto engine as default\n"); + + opkg_curl_cleanup(); + return NULL; + } + } + + /* cert & key can only be in PEM case in the same file */ + if(conf->ssl_key_passwd){ + if (curl_easy_setopt(curl, CURLOPT_SSLKEYPASSWD, conf->ssl_key_passwd) != CURLE_OK) + { + opkg_message(conf, OPKG_DEBUG, "Failed to set key password\n"); + } + } + + /* sets the client certificate and its type */ + if(conf->ssl_cert_type){ + if (curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, conf->ssl_cert_type) != CURLE_OK) + { + opkg_message(conf, OPKG_DEBUG, "Failed to set certificate format\n"); + } + } + /* SSL cert name isn't mandatory */ + if(conf->ssl_cert){ + curl_easy_setopt(curl, CURLOPT_SSLCERT, conf->ssl_cert); + } + + /* sets the client key and its type */ + if(conf->ssl_key_type){ + if (curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, conf->ssl_key_type) != CURLE_OK) + { + opkg_message(conf, OPKG_DEBUG, "Failed to set key format\n"); + } + } + if(conf->ssl_key){ + if (curl_easy_setopt(curl, CURLOPT_SSLKEY, conf->ssl_key) != CURLE_OK) + { + opkg_message(conf, OPKG_DEBUG, "Failed to set key\n"); + } + } + + /* Should we verify the peer certificate ? */ + if(conf->ssl_dont_verify_peer){ + /* + * CURLOPT_SSL_VERIFYPEER default is nonzero (curl => 7.10) + */ + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); + }else{ +#ifdef HAVE_PATHFINDER + if(conf->check_x509_path){ + if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_ssl_ctx_function) != CURLE_OK){ + opkg_message(conf, OPKG_DEBUG, "Failed to set ssl path verification callback\n"); + }else{ + curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL); + } + } +#endif + } + + /* certification authority file and/or path */ + if(conf->ssl_ca_file){ + curl_easy_setopt(curl, CURLOPT_CAINFO, conf->ssl_ca_file); + } + if(conf->ssl_ca_path){ + curl_easy_setopt(curl, CURLOPT_CAPATH, conf->ssl_ca_path); + } +#endif + + curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1); + curl_easy_setopt (curl, CURLOPT_FAILONERROR, 1); + if (conf->http_proxy || conf->ftp_proxy) + { + char *userpwd; + sprintf_alloc (&userpwd, "%s:%s", conf->proxy_user, + conf->proxy_passwd); + curl_easy_setopt(curl, CURLOPT_PROXYUSERPWD, userpwd); + free (userpwd); + } + } + + curl_easy_setopt (curl, CURLOPT_NOPROGRESS, (cb == NULL)); + if (cb) + { + curl_easy_setopt (curl, CURLOPT_PROGRESSDATA, data); + curl_easy_setopt (curl, CURLOPT_PROGRESSFUNCTION, cb); + } + + return curl; + +} +#endif