xbps/lib/repo.c

742 lines
18 KiB
C

/*-
* Copyright (c) 2012-2015 Juan Romero Pardines.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdio.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <libgen.h>
#include <fcntl.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/pem.h>
#include "xbps_api_impl.h"
/**
* @file lib/repo.c
* @brief Repository functions
* @defgroup repo Repository functions
*/
char *
xbps_repo_path(struct xbps_handle *xhp, const char *url)
{
return xbps_repo_path_with_name(xhp, url, "repodata");
}
char *
xbps_repo_path_with_name(struct xbps_handle *xhp, const char *url, const char *name)
{
assert(xhp);
assert(url);
assert(strcmp(name, "repodata") == 0 || strcmp(name, "stagedata") == 0);
return xbps_xasprintf("%s/%s-%s",
url, xhp->target_arch ? xhp->target_arch : xhp->native_arch, name);
}
static bool
repo_verify_index(struct xbps_repo *repo, unsigned char *digest) {
bool verified = false;
unsigned char *sig_buf = NULL;
size_t sigfilelen = 0;
struct archive_entry *entry;
if (archive_read_next_header(repo->ar, &entry) != ARCHIVE_OK) {
xbps_dbg_printf(repo->xhp,
"%s: read_next_header %s\n", repo->uri,
archive_error_string(repo->ar));
return false;
}
if (strcmp(archive_entry_pathname(entry), XBPS_REPOIDXMETA_SIG) != 0) {
xbps_dbg_printf(repo->xhp,
"%s: no signature of %s\n", repo->uri, XBPS_REPOIDX_META);
return false;
}
sigfilelen = (size_t)archive_entry_size(entry);
sig_buf = (unsigned char *) xbps_archive_get_file(repo->ar, entry);
if (sig_buf == NULL) {
return false;
}
verified = xbps_verify_digest_signature(repo, sig_buf, sigfilelen, digest);
free(sig_buf);
return verified;
}
static xbps_dictionary_t
repo_get_dict(struct xbps_repo *repo, bool *verified)
{
struct archive_entry *entry;
int rv;
xbps_dictionary_t dict;
char *bytes = NULL;
unsigned char *digest = NULL;
if (verified != NULL)
*verified = false;
if (repo->ar == NULL)
return NULL;
rv = archive_read_next_header(repo->ar, &entry);
if (rv != ARCHIVE_OK) {
xbps_dbg_printf(repo->xhp,
"%s: read_next_header %s\n", repo->uri,
archive_error_string(repo->ar));
return NULL;
}
dict = xbps_archive_get_dictionary(repo->ar, entry, &bytes);
if (verified != NULL &&
bytes != NULL &&
(digest = xbps_buffer_hash_raw(bytes, strlen(bytes))) != NULL &&
repo_verify_index(repo, digest))
*verified = true;
free(digest);
free(bytes);
return dict;
}
bool
xbps_repo_lock(struct xbps_handle *xhp, const char *repodir,
int *lockfd, char **lockfname)
{
char *repofile, *lockfile;
int fd, rv;
assert(repodir);
assert(lockfd);
assert(lockfname);
repofile = xbps_repo_path(xhp, repodir);
assert(repofile);
lockfile = xbps_xasprintf("%s.lock", repofile);
free(repofile);
for (;;) {
fd = open(lockfile, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0660);
rv = errno;
if (fd != -1)
break;
if (rv != EEXIST) {
xbps_dbg_printf(xhp, "[repo] `%s' failed to "
"create lock file %s\n", lockfile, strerror(rv));
free(lockfile);
return false;
} else {
xbps_dbg_printf(xhp, "[repo] `%s' lock file exists,"
"waiting for 1s...\n", lockfile);
sleep(1);
}
}
*lockfname = lockfile;
*lockfd = fd;
return true;
}
void
xbps_repo_unlock(int lockfd, char *lockfname)
{
if (lockfd != -1) {
close(lockfd);
}
if (lockfname) {
unlink(lockfname);
free(lockfname);
}
}
static bool
repo_open_local(struct xbps_repo *repo, const char *repofile)
{
struct stat st;
int rv = 0;
bool verified = false;
const char *signature_type = NULL;
if (fstat(repo->fd, &st) == -1) {
rv = errno;
xbps_dbg_printf(repo->xhp, "[repo] `%s' fstat repodata %s\n",
repofile, strerror(rv));
return false;
}
repo->ar = archive_read_new();
archive_read_support_filter_gzip(repo->ar);
archive_read_support_filter_bzip2(repo->ar);
archive_read_support_filter_xz(repo->ar);
archive_read_support_filter_lz4(repo->ar);
archive_read_support_filter_zstd(repo->ar);
archive_read_support_format_tar(repo->ar);
if (archive_read_open_fd(repo->ar, repo->fd, st.st_blksize) == ARCHIVE_FATAL) {
rv = archive_errno(repo->ar);
xbps_dbg_printf(repo->xhp,
"[repo] `%s' failed to open repodata archive %s\n",
repofile, strerror(rv));
return false;
}
if ((repo->idx = repo_get_dict(repo, NULL)) == NULL) {
xbps_dbg_printf(repo->xhp, "[repo] `%s' failed to internalize "
" index on archive, removing file.\n", repofile);
/* broken archive, remove it */
(void)unlink(repofile);
return false;
}
xbps_dictionary_make_immutable(repo->idx);
repo->idxmeta = repo_get_dict(repo, NULL);
if (repo->idxmeta != NULL) {
if (xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-type", &signature_type))
repo->is_signed = true;
xbps_dictionary_make_immutable(repo->idxmeta);
}
return verified || (!repo->is_remote && !repo->is_signed);
}
static bool
repo_open_remote(struct xbps_repo *repo)
{
char *rpath;
bool rv;
rpath = xbps_repo_path(repo->xhp, repo->uri);
rv = xbps_repo_fetch_remote(repo, rpath);
free(rpath);
if (rv) {
xbps_dbg_printf(repo->xhp, "[repo] `%s' used remotely (kept in memory).\n", repo->uri);
if (repo->xhp->state_cb && xbps_repo_key_import(repo) != 0)
rv = false;
}
return rv;
}
static struct xbps_repo *
repo_open_with_type(struct xbps_handle *xhp, const char *url, const char *name)
{
struct xbps_repo *repo;
const char *arch;
char *repofile;
assert(xhp);
assert(url);
if (xhp->target_arch)
arch = xhp->target_arch;
else
arch = xhp->native_arch;
repo = calloc(1, sizeof(struct xbps_repo));
assert(repo);
repo->fd = -1;
repo->xhp = xhp;
repo->uri = url;
if (xbps_repository_is_remote(url)) {
/* remote repository */
char *rpath;
if ((rpath = xbps_get_remote_repo_string(url)) == NULL) {
free(repo);
return NULL;
}
repofile = xbps_xasprintf("%s/%s/%s-%s", xhp->metadir, rpath, arch, name);
free(rpath);
repo->is_remote = true;
} else {
/* local repository */
repofile = xbps_repo_path_with_name(xhp, url, name);
}
/*
* In memory repo sync.
*/
if (repo->is_remote && (xhp->flags & XBPS_FLAG_REPOS_MEMSYNC)) {
if (repo_open_remote(repo))
return repo;
goto out;
}
/*
* Open the repository archive.
*/
repo->fd = open(repofile, O_RDONLY|O_CLOEXEC);
if (repo->fd == -1) {
int rv = errno;
xbps_dbg_printf(xhp, "[repo] `%s' open %s %s\n",
repofile, name, strerror(rv));
goto out;
}
if (repo_open_local(repo, repofile)) {
free(repofile);
return repo;
}
out:
free(repofile);
xbps_repo_close(repo);
return NULL;
}
bool
xbps_repo_store(struct xbps_handle *xhp, const char *repo)
{
char *url = NULL;
assert(xhp);
assert(repo);
if (xhp->repositories == NULL) {
xhp->repositories = xbps_array_create();
assert(xhp->repositories);
}
/*
* If it's a local repo and path is relative, make it absolute.
*/
if (!xbps_repository_is_remote(repo)) {
if (repo[0] != '/' && repo[0] != '\0') {
if ((url = realpath(repo, NULL)) == NULL)
xbps_dbg_printf(xhp, "[repo] %s: realpath %s\n", __func__, repo);
}
}
if (xbps_match_string_in_array(xhp->repositories, url ? url : repo)) {
xbps_dbg_printf(xhp, "[repo] `%s' already stored\n", url ? url : repo);
if (url)
free(url);
return false;
}
if (xbps_array_add_cstring(xhp->repositories, url ? url : repo)) {
xbps_dbg_printf(xhp, "[repo] `%s' stored successfully\n", url ? url : repo);
if (url)
free(url);
return true;
}
if (url)
free(url);
return false;
}
bool
xbps_repo_remove(struct xbps_handle *xhp, const char *repo)
{
char *url;
bool rv = false;
assert(xhp);
assert(repo);
if (xhp->repositories == NULL)
return false;
url = strdup(repo);
if (xbps_remove_string_from_array(xhp->repositories, repo)) {
if (url)
xbps_dbg_printf(xhp, "[repo] `%s' removed\n", url);
rv = true;
}
free(url);
return rv;
}
struct xbps_repo *
xbps_repo_stage_open(struct xbps_handle *xhp, const char *url)
{
return repo_open_with_type(xhp, url, "stagedata");
}
struct xbps_repo *
xbps_repo_public_open(struct xbps_handle *xhp, const char *url) {
return repo_open_with_type(xhp, url, "repodata");
}
struct xbps_repo *
xbps_repo_open(struct xbps_handle *xhp, const char *url)
{
struct xbps_repo *repo = xbps_repo_public_open(xhp, url);
struct xbps_repo *stage = NULL;
xbps_dictionary_t idx;
const char *pkgname;
xbps_object_t keysym;
xbps_object_iterator_t iter;
/*
* Load and merge staging repository if the repository is local.
*/
if (repo && !repo->is_remote) {
stage = xbps_repo_stage_open(xhp, url);
if (stage == NULL)
return repo;
idx = xbps_dictionary_copy_mutable(repo->idx);
iter = xbps_dictionary_iterator(stage->idx);
while ((keysym = xbps_object_iterator_next(iter))) {
pkgname = xbps_dictionary_keysym_cstring_nocopy(keysym);
xbps_dictionary_set(idx, pkgname,
xbps_dictionary_get_keysym(stage->idx, keysym));
}
xbps_object_iterator_release(iter);
xbps_object_release(repo->idx);
xbps_repo_close(stage);
repo->idx = idx;
return repo;
}
return repo;
}
void
xbps_repo_close(struct xbps_repo *repo)
{
assert(repo);
if (repo->ar != NULL)
archive_read_finish(repo->ar);
if (repo->idx != NULL) {
xbps_object_release(repo->idx);
repo->idx = NULL;
}
if (repo->idxmeta != NULL) {
xbps_object_release(repo->idxmeta);
repo->idxmeta = NULL;
}
if (repo->fd != -1)
close(repo->fd);
free(repo);
}
xbps_dictionary_t
xbps_repo_get_virtualpkg(struct xbps_repo *repo, const char *pkg)
{
xbps_dictionary_t pkgd;
assert(repo);
assert(pkg);
if (repo->idx == NULL)
return NULL;
pkgd = xbps_find_virtualpkg_in_dict(repo->xhp, repo->idx, pkg);
if (pkgd) {
xbps_dictionary_set_cstring_nocopy(pkgd,
"repository", repo->uri);
return pkgd;
}
return NULL;
}
xbps_dictionary_t
xbps_repo_get_pkg(struct xbps_repo *repo, const char *pkg)
{
xbps_dictionary_t pkgd;
assert(repo);
assert(pkg);
if (repo->idx == NULL)
return NULL;
/* Try matching vpkg from configuration files */
if ((pkgd = xbps_find_virtualpkg_in_conf(repo->xhp, repo->idx, pkg)))
return pkgd;
/* ... otherwise match a real pkg */
pkgd = xbps_find_pkg_in_dict(repo->idx, pkg);
if (pkgd) {
xbps_dictionary_set_cstring_nocopy(pkgd,
"repository", repo->uri);
return pkgd;
}
return NULL;
}
xbps_dictionary_t
xbps_repo_get_pkg_plist(struct xbps_handle *xhp, xbps_dictionary_t pkgd,
const char *plist)
{
xbps_dictionary_t bpkgd;
char *url;
url = xbps_repository_pkg_path(xhp, pkgd);
if (url == NULL)
return NULL;
bpkgd = xbps_archive_fetch_plist(url, plist);
free(url);
return bpkgd;
}
static xbps_array_t
revdeps_match(struct xbps_repo *repo, xbps_dictionary_t tpkgd, const char *str)
{
xbps_dictionary_t pkgd;
xbps_array_t revdeps = NULL, pkgdeps, provides;
xbps_object_iterator_t iter;
xbps_object_t obj;
const char *pkgver = NULL, *tpkgver = NULL, *arch = NULL, *vpkg = NULL;
iter = xbps_dictionary_iterator(repo->idx);
assert(iter);
while ((obj = xbps_object_iterator_next(iter))) {
pkgd = xbps_dictionary_get_keysym(repo->idx, obj);
if (xbps_dictionary_equals(pkgd, tpkgd))
continue;
pkgdeps = xbps_dictionary_get(pkgd, "run_depends");
if (!xbps_array_count(pkgdeps))
continue;
/*
* Try to match passed in string.
*/
if (str) {
if (!xbps_match_pkgdep_in_array(pkgdeps, str))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd,
"architecture", &arch);
if (!xbps_pkg_arch_match(repo->xhp, arch, NULL))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd,
"pkgver", &tpkgver);
/* match */
if (revdeps == NULL)
revdeps = xbps_array_create();
if (!xbps_match_string_in_array(revdeps, tpkgver))
xbps_array_add_cstring_nocopy(revdeps, tpkgver);
continue;
}
/*
* Try to match any virtual package.
*/
provides = xbps_dictionary_get(tpkgd, "provides");
for (unsigned int i = 0; i < xbps_array_count(provides); i++) {
xbps_array_get_cstring_nocopy(provides, i, &vpkg);
if (!xbps_match_pkgdep_in_array(pkgdeps, vpkg))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd,
"architecture", &arch);
if (!xbps_pkg_arch_match(repo->xhp, arch, NULL))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd, "pkgver",
&tpkgver);
/* match */
if (revdeps == NULL)
revdeps = xbps_array_create();
if (!xbps_match_string_in_array(revdeps, tpkgver))
xbps_array_add_cstring_nocopy(revdeps, tpkgver);
}
/*
* Try to match by pkgver.
*/
xbps_dictionary_get_cstring_nocopy(tpkgd, "pkgver", &pkgver);
if (!xbps_match_pkgdep_in_array(pkgdeps, pkgver))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd,
"architecture", &arch);
if (!xbps_pkg_arch_match(repo->xhp, arch, NULL))
continue;
xbps_dictionary_get_cstring_nocopy(pkgd, "pkgver", &tpkgver);
/* match */
if (revdeps == NULL)
revdeps = xbps_array_create();
if (!xbps_match_string_in_array(revdeps, tpkgver))
xbps_array_add_cstring_nocopy(revdeps, tpkgver);
}
xbps_object_iterator_release(iter);
return revdeps;
}
xbps_array_t
xbps_repo_get_pkg_revdeps(struct xbps_repo *repo, const char *pkg)
{
xbps_array_t revdeps = NULL, vdeps = NULL;
xbps_dictionary_t pkgd;
const char *vpkg;
bool match = false;
if (repo->idx == NULL)
return NULL;
if (((pkgd = xbps_repo_get_pkg(repo, pkg)) == NULL) &&
((pkgd = xbps_repo_get_virtualpkg(repo, pkg)) == NULL)) {
errno = ENOENT;
return NULL;
}
/*
* If pkg is a virtual pkg let's match it instead of the real pkgver.
*/
if ((vdeps = xbps_dictionary_get(pkgd, "provides"))) {
for (unsigned int i = 0; i < xbps_array_count(vdeps); i++) {
char *vpkgn;
xbps_array_get_cstring_nocopy(vdeps, i, &vpkg);
vpkgn = xbps_pkg_name(vpkg);
assert(vpkgn);
if (strcmp(vpkgn, pkg) == 0) {
free(vpkgn);
match = true;
break;
}
free(vpkgn);
vpkg = NULL;
}
if (match)
revdeps = revdeps_match(repo, pkgd, vpkg);
}
if (!match)
revdeps = revdeps_match(repo, pkgd, NULL);
return revdeps;
}
int
xbps_repo_key_import(struct xbps_repo *repo)
{
xbps_dictionary_t repokeyd = NULL;
xbps_data_t pubkey = NULL;
uint16_t pubkey_size = 0;
const char *signedby = NULL;
char *hexfp = NULL;
char *p, *dbkeyd, *rkeyfile = NULL;
int import, rv = 0;
bool has_signedby, has_pubkey_size, has_pubkey;
assert(repo);
/*
* If repository does not have required metadata plist, ignore it.
*/
if (!xbps_dictionary_count(repo->idxmeta)) {
xbps_dbg_printf(repo->xhp,
"[repo] `%s' unsigned repository!\n", repo->uri);
return 0;
}
/*
* Check for required objects in index-meta:
* - signature-by (string)
* - public-key (data)
* - public-key-size (number)
*/
xbps_dictionary_get_cstring_nocopy(repo->idxmeta, "signature-by", &signedby);
xbps_dictionary_get_uint16(repo->idxmeta, "public-key-size", &pubkey_size);
pubkey = xbps_dictionary_get(repo->idxmeta, "public-key");
has_signedby = (signedby != NULL);
has_pubkey_size = (pubkey_size > 0);
has_pubkey = (xbps_object_type(pubkey) == XBPS_TYPE_DATA);
if (!has_signedby && !has_pubkey_size && !has_pubkey)
{
xbps_dbg_printf(repo->xhp,
"[repo] `%s' unsigned repository with meta!\n", repo->uri);
return 0;
}
else if (!has_signedby || !has_pubkey_size || !has_pubkey)
{
xbps_dbg_printf(repo->xhp,
"[repo] `%s': incomplete signed repository "
"(missing objs)\n", repo->uri);
rv = EINVAL;
goto out;
}
hexfp = xbps_pubkey2fp(repo->xhp, pubkey);
/*
* Check if the public key is alredy stored.
*/
rkeyfile = xbps_xasprintf("%s/keys/%s.plist", repo->xhp->metadir, hexfp);
repokeyd = xbps_plist_dictionary_from_file(repo->xhp, rkeyfile);
if (xbps_object_type(repokeyd) == XBPS_TYPE_DICTIONARY) {
xbps_dbg_printf(repo->xhp,
"[repo] `%s' public key already stored.\n", repo->uri);
goto out;
}
/*
* Notify the client and take appropiate action to import
* the repository public key. Pass back the public key openssh fingerprint
* to the client.
*/
import = xbps_set_cb_state(repo->xhp, XBPS_STATE_REPO_KEY_IMPORT, 0,
hexfp, "`%s' repository has been RSA signed by \"%s\"",
repo->uri, signedby);
if (import <= 0) {
rv = EAGAIN;
goto out;
}
p = strdup(rkeyfile);
dbkeyd = dirname(p);
assert(dbkeyd);
if (access(dbkeyd, R_OK|W_OK) == -1) {
rv = errno;
if (rv == ENOENT)
rv = xbps_mkpath(dbkeyd, 0755);
if (rv != 0) {
rv = errno;
xbps_dbg_printf(repo->xhp,
"[repo] `%s' cannot create %s: %s\n",
repo->uri, dbkeyd, strerror(errno));
free(p);
goto out;
}
}
free(p);
repokeyd = xbps_dictionary_create();
xbps_dictionary_set(repokeyd, "public-key", pubkey);
xbps_dictionary_set_uint16(repokeyd, "public-key-size", pubkey_size);
xbps_dictionary_set_cstring_nocopy(repokeyd, "signature-by", signedby);
if (!xbps_dictionary_externalize_to_file(repokeyd, rkeyfile)) {
rv = errno;
xbps_dbg_printf(repo->xhp,
"[repo] `%s' failed to externalize %s: %s\n",
repo->uri, rkeyfile, strerror(rv));
}
out:
if (hexfp)
free(hexfp);
if (repokeyd)
xbps_object_release(repokeyd);
if (rkeyfile)
free(rkeyfile);
return rv;
}