summaryrefslogtreecommitdiffstats
path: root/package/system/apk/patches/0002-mbedtls-support.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/system/apk/patches/0002-mbedtls-support.patch')
-rw-r--r--package/system/apk/patches/0002-mbedtls-support.patch546
1 files changed, 172 insertions, 374 deletions
diff --git a/package/system/apk/patches/0002-mbedtls-support.patch b/package/system/apk/patches/0002-mbedtls-support.patch
index 62b3ab81d3..d06db30f03 100644
--- a/package/system/apk/patches/0002-mbedtls-support.patch
+++ b/package/system/apk/patches/0002-mbedtls-support.patch
@@ -1,51 +1,16 @@
-From 74ea482102e1a7c1845b3eec19cbdb21264836d4 Mon Sep 17 00:00:00 2001
+From 68352e0cb94fe08b220d4befec828171ec871154 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Fri, 5 Apr 2024 12:06:56 +0300
-Subject: [PATCH 1/4] add alternate url wget implementation
+Subject: [PATCH 1/2] add alternate url wget implementation
---
- .gitlab-ci.yml | 16 ++++-
meson.build | 6 +-
meson_options.txt | 1 +
- src/io_url_wget.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++
- src/meson.build | 4 +-
- 5 files changed, 173 insertions(+), 4 deletions(-)
+ src/io_url_wget.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
+ src/meson.build | 8 ++-
+ 4 files changed, 150 insertions(+), 2 deletions(-)
create mode 100644 src/io_url_wget.c
-diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
-index 7fc86563..b7e00008 100644
---- a/.gitlab-ci.yml
-+++ b/.gitlab-ci.yml
-@@ -24,7 +24,19 @@ test:alpine:
- script:
- - apk update
- - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib meson zlib-static zstd-static openssl-libs-static
-- - meson build
-+ - meson setup build -Dstatic_apk=true
-+ - ninja -C build
-+ tags:
-+ - docker-alpine
-+ - x86_64
-+
-+test:alpine-alt-config:
-+ image: alpine
-+ stage: test
-+ script:
-+ - apk update
-+ - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib meson
-+ - meson setup build -Durl_backend=wget -Dzstd=false
- - ninja -C build
- tags:
- - docker-alpine
-@@ -38,7 +50,7 @@ test:debian:
- - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson
- - unlink /bin/sh
- - ln -s /bin/bash /bin/sh
-- - meson build
-+ - meson setup build
- - ninja -C build
- tags:
- - docker-alpine
diff --git a/meson.build b/meson.build
index 1a44c11f..9a14cac0 100644
--- a/meson.build
@@ -63,26 +28,26 @@ index 1a44c11f..9a14cac0 100644
subdir('src')
subdir('tests')
diff --git a/meson_options.txt b/meson_options.txt
-index 693f46ec..940fe9a4 100644
+index 693f46ec..44b88b32 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
-+option('url_backend', description: 'URL backend', type: 'combo', choices: ['libfetch', 'wget'], value: 'libfetch')
++option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
diff --git a/src/io_url_wget.c b/src/io_url_wget.c
new file mode 100644
-index 00000000..9a929222
+index 00000000..d8885a4f
--- /dev/null
+++ b/src/io_url_wget.c
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,137 @@
+/* io_url_wget.c - Alpine Package Keeper (APK)
+ *
+ * Copyright (C) 2005-2008 Natanael Copa <n@tanael.org>
-+ * Copyright (C) 2008-2011 Timo Teräs <timo.teras@iki.fi>
++ * Copyright (C) 2008-2011 Timo Teräs <timo.teras@iki.fi>
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: GPL-2.0-only
@@ -93,9 +58,6 @@ index 00000000..9a929222
+#include <sys/wait.h>
+#include "apk_io.h"
+
-+static char wget_timeout[16];
-+static char wget_no_check_certificate;
-+
+static int wget_translate_status(int status)
+{
+ if (!WIFEXITED(status)) return -EFAULT;
@@ -118,19 +80,11 @@ index 00000000..9a929222
+
+static int wget_spawn(const char *url, pid_t *pid, int *fd)
+{
-+ int i = 0, r, pipefds[2];
++ int r, pipefds[2];
+ posix_spawn_file_actions_t act;
-+ char *argv[16];
-+
-+ argv[i++] = "wget";
-+ argv[i++] = "-q";
-+ argv[i++] = "-T";
-+ argv[i++] = wget_timeout;
-+ if (wget_no_check_certificate) argv[i++] = "--no-check-certificate";
-+ argv[i++] = (char *) url;
-+ argv[i++] = "-O";
-+ argv[i++] = "-";
-+ argv[i++] = 0;
++ char *argv[] = {
++ (char*)"wget", "-q", (char*) url, "-O", "-", 0
++ };
+
+ if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno;
+
@@ -214,12 +168,10 @@ index 00000000..9a929222
+
+void apk_io_url_no_check_certificate(void)
+{
-+ wget_no_check_certificate = 1;
+}
+
+void apk_io_url_set_timeout(int timeout)
+{
-+ snprintf(wget_timeout, sizeof wget_timeout, "%d", timeout);
+}
+
+void apk_io_url_set_redirect_callback(void (*cb)(int, const char *))
@@ -230,97 +182,39 @@ index 00000000..9a929222
+{
+}
diff --git a/src/meson.build b/src/meson.build
-index c1aae550..38e9d3b0 100644
+index c1aae550..28bfce7e 100644
--- a/src/meson.build
+++ b/src/meson.build
-@@ -1,3 +1,5 @@
-+url_backend = get_option('url_backend')
-+
- libapk_so_version = '2.99.0'
- libapk_src = [
- 'adb.c',
-@@ -22,8 +24,8 @@ libapk_src = [
+@@ -22,7 +22,6 @@ libapk_src = [
'fs_uvol.c',
'hash.c',
'io.c',
- 'io_url_libfetch.c',
'io_gunzip.c',
-+ 'io_url_@0@.c'.format(url_backend),
'package.c',
'pathbuilder.c',
- 'print.c',
---
-GitLab
-
-
-From b9fe78fbf19bb10e1d0b8eb1cb1de123bee2ed7e Mon Sep 17 00:00:00 2001
-From: Christian Marangi <ansuelsmth@gmail.com>
-Date: Tue, 16 Apr 2024 17:55:15 +0200
-Subject: [PATCH 2/4] add option to configure url backend in legacy make build
- system
-
-Can be configured by setting URL_BACKEND. If not set libfetch is
-selected by default.
-
-Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
----
- src/Makefile | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index f7873cb1..efdc68df 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -9,8 +9,8 @@ else
- $(error Lua interpreter not found. Please specify LUA interpreter, or use LUA=no to build without help.)
- endif
-
--OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl)
--OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
-+OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl)
-+OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
-
- ZLIB_CFLAGS := $(shell $(PKG_CONFIG) --cflags zlib)
- ZLIB_LIBS := $(shell $(PKG_CONFIG) --libs zlib)
-@@ -21,10 +21,18 @@ libapk_so := $(obj)/libapk.so.$(libapk_soname)
- libapk.so.$(libapk_soname)-objs := \
- adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
- atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
-- extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o io_url_libfetch.o \
-- tar.o package.o pathbuilder.o print.o solver.o trust.o version.o
-+ extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
-+ print.o solver.o trust.o version.o
+@@ -87,6 +86,13 @@ apk_src = [
+ 'applet.c',
+ ]
--libapk.so.$(libapk_soname)-libs := libfetch/libfetch.a
-+libapk.so.$(libapk_soname)-libs :=
-+
-+ifeq ($(URL_BACKEND),wget)
-+libapk.so.$(libapk_soname)-objs += io_url_wget.o
-+else
-+CFLAGS_ALL += -Ilibfetch
-+libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
-+libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
++url_backend = get_option('url_backend')
++if url_backend == 'libfetch'
++ libapk_src += [ 'io_url_libfetch.c' ]
++elif url_backend == 'wget'
++ libapk_src += [ 'io_url_wget.c' ]
+endif
-
- # ZSTD support can be disabled
- ifneq ($(ZSTD),no)
-@@ -79,7 +87,7 @@ LIBS_apk := -lapk
- LIBS_apk-test := -lapk
- LIBS_apk.so := -L$(obj) -lapk
-
--CFLAGS_ALL += -D_ATFILE_SOURCE -Ilibfetch -Iportability
-+CFLAGS_ALL += -D_ATFILE_SOURCE -Iportability
- CFLAGS_apk.o := -DAPK_VERSION=\"$(VERSION)\"
- CFLAGS_apk-static.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE
- CFLAGS_apk-test.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE -DTEST_MODE
++
+ if lua_bin.found()
+ genhelp_script = files('genhelp.lua')
+ genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
--
GitLab
-From 0418b684898403c49905c1f0e4b7c5ca522b2d50 Mon Sep 17 00:00:00 2001
+From dc7ff789a45522eb847118a29b60b896de55d083 Mon Sep 17 00:00:00 2001
From: Jonas Jelonek <jelonek.jonas@gmail.com>
Date: Sun, 14 Apr 2024 00:20:14 +0200
-Subject: [PATCH 3/4] crypto: add support for mbedtls as backend
+Subject: [PATCH 2/2] crypto: add support for mbedtls as backend
backend is selected at compile-time with crypto_backend option
@@ -331,16 +225,11 @@ Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
libfetch/meson.build | 2 +-
meson.build | 14 +-
meson_options.txt | 1 +
- portability/getrandom.c | 19 +++
- portability/meson.build | 3 +-
- portability/sys/random.h | 6 +
src/apk_crypto.h | 5 +
- src/apk_crypto_mbedtls.h | 30 +++++
- src/crypto_mbedtls.c | 285 +++++++++++++++++++++++++++++++++++++++
- src/meson.build | 21 ++-
- 10 files changed, 373 insertions(+), 13 deletions(-)
- create mode 100644 portability/getrandom.c
- create mode 100644 portability/sys/random.h
+ src/apk_crypto_mbedtls.h | 26 ++++
+ src/crypto_mbedtls.c | 305 +++++++++++++++++++++++++++++++++++++++
+ src/meson.build | 23 ++-
+ 7 files changed, 364 insertions(+), 12 deletions(-)
create mode 100644 src/apk_crypto_mbedtls.h
create mode 100644 src/crypto_mbedtls.c
@@ -388,66 +277,17 @@ index 9a14cac0..3a83f4e1 100644
add_project_arguments('-D_GNU_SOURCE', language: 'c')
diff --git a/meson_options.txt b/meson_options.txt
-index 940fe9a4..df0b07dc 100644
+index 44b88b32..2b1d24ce 100644
--- a/meson_options.txt
+++ b/meson_options.txt
-@@ -1,4 +1,5 @@
- option('arch_prefix', description: 'Define a custom arch prefix for default arch', type: 'string')
-+option('crypto_backend', description: 'Crypto backend', type: 'combo', choices: ['openssl', 'mbedtls'], value: 'openssl')
- option('compressed-help', description: 'Compress help database, needs lua-zlib', type: 'boolean', value: true)
- option('docs', description: 'Build manpages with scdoc', type: 'feature', value: 'auto')
- option('help', description: 'Build help into apk binaries, needs lua', type: 'feature', value: 'auto')
-diff --git a/portability/getrandom.c b/portability/getrandom.c
-new file mode 100644
-index 00000000..b2f4a07c
---- /dev/null
-+++ b/portability/getrandom.c
-@@ -0,0 +1,19 @@
-+#include <sys/random.h>
-+#include <sys/types.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+
-+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
-+{
-+ int fd;
-+ ssize_t ret;
-+
-+ fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
-+ if (fd < 0)
-+ return -1;
-+
-+ ret = read(fd, buf, buflen);
-+ close(fd);
-+ return ret;
-+}
-+
-diff --git a/portability/meson.build b/portability/meson.build
-index 89957c3c..3172044e 100644
---- a/portability/meson.build
-+++ b/portability/meson.build
-@@ -3,7 +3,8 @@ cc = meson.get_compiler('c')
- libportability_src = []
-
- check_symbols = [
-- ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
-+ ['getrandom', 'getrandom.c', 'NEED_GETRANDOM', 'sys/random.h'],
-+ ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
- ['mknodat', 'mknodat.c', 'NEED_MKNODAT', 'sys/stat.h'],
- ['pipe2', 'pipe2.c', 'NEED_PIPE2', 'unistd.h'],
- ['qsort_r', 'qsort_r.c', 'NEED_QSORT_R', 'stdlib.h'],
-diff --git a/portability/sys/random.h b/portability/sys/random.h
-new file mode 100644
-index 00000000..02d5b1ca
---- /dev/null
-+++ b/portability/sys/random.h
-@@ -0,0 +1,6 @@
-+#include_next <sys/random.h>
-+#include <sys/types.h>
-+
-+#ifdef NEED_GETRANDOM
-+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
-+#endif
+@@ -5,6 +5,7 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
+ option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
+ option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
+ option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
++option('crypto_backend', description: 'SSL backend', type: 'string', value: 'openssl')
+ option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
+ option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
+ option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
diff --git a/src/apk_crypto.h b/src/apk_crypto.h
index 7de88dfc..5cae3bfe 100644
--- a/src/apk_crypto.h
@@ -467,10 +307,10 @@ index 7de88dfc..5cae3bfe 100644
diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h
new file mode 100644
-index 00000000..5481d149
+index 00000000..e379535b
--- /dev/null
+++ b/src/apk_crypto_mbedtls.h
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,26 @@
+/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK)
+ *
+ * Copyright (C) 2024
@@ -484,45 +324,36 @@ index 00000000..5481d149
+
+#include <mbedtls/md.h>
+#include <mbedtls/pk.h>
-+#include <mbedtls/bignum.h>
+
+struct apk_pkey {
+ uint8_t id[16];
-+ mbedtls_pk_context key;
++ mbedtls_pk_context *key;
+};
+
+struct apk_digest_ctx {
-+ mbedtls_md_context_t mdctx;
++ mbedtls_md_context_t *mdctx;
+ struct apk_pkey *sigver_key;
+ uint8_t alg;
+};
+
-+/* based on mbedtls' internal pkwrite.h calculations */
-+#define APK_ENC_KEY_MAX_LENGTH (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
-+
+#endif
diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c
new file mode 100644
-index 00000000..73d60e9d
+index 00000000..9ce148b5
--- /dev/null
+++ b/src/crypto_mbedtls.c
-@@ -0,0 +1,285 @@
+@@ -0,0 +1,305 @@
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/random.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
+
+#include <mbedtls/platform.h>
+#include <mbedtls/md.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/entropy.h>
-+
-+#ifdef MBEDTLS_PSA_CRYPTO_C
+#include <psa/crypto.h>
-+#endif
+
+#include "apk_crypto.h"
+
@@ -559,11 +390,14 @@ index 00000000..73d60e9d
+int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg)
+{
+ dctx->alg = alg;
++ dctx->mdctx = malloc(sizeof(mbedtls_md_context_t));
++
++ if (!dctx->mdctx) return -ENOMEM;
+
-+ mbedtls_md_init(&dctx->mdctx);
++ mbedtls_md_init(dctx->mdctx);
+ if (alg == APK_DIGEST_NONE) return 0;
-+ if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+ mbedtls_md_starts(&dctx->mdctx))
++ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
++ mbedtls_md_starts(dctx->mdctx))
+ return -APKE_CRYPTO_ERROR;
+
+ return 0;
@@ -572,77 +406,105 @@ index 00000000..73d60e9d
+int apk_digest_ctx_reset(struct apk_digest_ctx *dctx)
+{
+ if (dctx->alg == APK_DIGEST_NONE) return 0;
-+ if (mbedtls_md_starts(&dctx->mdctx)) return -APKE_CRYPTO_ERROR;
++ if (mbedtls_md_starts(dctx->mdctx)) return -APKE_CRYPTO_ERROR;
+ return 0;
+}
+
+int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg)
+{
-+ mbedtls_md_free(&dctx->mdctx);
++ mbedtls_md_free(dctx->mdctx);
+
+ dctx->alg = alg;
+ if (alg == APK_DIGEST_NONE) return 0;
-+ if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+ mbedtls_md_starts(&dctx->mdctx))
++ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
++ mbedtls_md_starts(dctx->mdctx))
+ return -APKE_CRYPTO_ERROR;
-+
++
+ return 0;
+}
+
+void apk_digest_ctx_free(struct apk_digest_ctx *dctx)
+{
-+ mbedtls_md_free(&dctx->mdctx);
++ free(dctx->mdctx);
++ dctx->mdctx = 0;
+}
+
+int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz)
+{
+ if (dctx->alg == APK_DIGEST_NONE) return 0;
-+ return mbedtls_md_update(&dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
++ return mbedtls_md_update(dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
+}
+
+int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d)
+{
-+ if (mbedtls_md_finish(&dctx->mdctx, d->data)) {
++ if (mbedtls_md_finish(dctx->mdctx, d->data)) {
+ apk_digest_reset(d);
+ return -APKE_CRYPTO_ERROR;
+ }
+
++ mbedtls_md_free(dctx->mdctx);
++
+ d->alg = dctx->alg;
+ d->len = apk_digest_alg_len(d->alg);
+ return 0;
+}
+
-+static int apk_load_file_at(int dirfd, const char *fn, unsigned char **buf, size_t *n)
++// Entropy function adopted from ustream-ssl to avoid using the bloated mbedtls'
++// mbedtls_entropy_context and mbedtls_ctr_drbg_context.
++static int _apk_random(void *ctx, unsigned char *out, size_t len)
+{
-+ struct stat stats;
-+ size_t size;
-+ int fd;
++ static FILE *f;
+
-+ if ((fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC)) < 0)
-+ return -errno;
++ if (!f)
++ f = fopen("/dev/urandom", "r");
++ if (fread(out, len, 1, f) != 1)
++ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+
-+ if (fstat(fd, &stats)) {
-+ close(fd);
-+ return -errno;
++ return 0;
++}
++
++// adopted from mbedtls_pk_load_file
++static int apk_load_file_fd(int fd, unsigned char **buf, size_t *n)
++{
++ FILE *f;
++ long size;
++
++ if ((f = fdopen(fd, "rb")) == NULL) {
++ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
++ }
++
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
++ mbedtls_setbuf(f, NULL);
++#endif
++
++ fseek(f, 0, SEEK_END);
++ if ((size = ftell(f)) == -1) {
++ fclose(f);
++ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
++ fseek(f, 0, SEEK_SET);
+
-+ size = (size_t)stats.st_size;
-+ *n = size;
++ *n = (size_t) size;
+
-+ if (size == 0 || (*buf = mbedtls_calloc(1, size + 1)) == NULL)
++ if (*n + 1 == 0 ||
++ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
++ fclose(f);
+ return MBEDTLS_ERR_PK_ALLOC_FAILED;
++ }
+
-+ if (read(fd, *buf, size) != size) {
-+ close(fd);
++ if (fread(*buf, 1, *n, f) != *n) {
++ fclose(f);
+
-+ mbedtls_platform_zeroize(*buf, size);
++ mbedtls_platform_zeroize(*buf, *n);
+ mbedtls_free(*buf);
+
+ return MBEDTLS_ERR_PK_FILE_IO_ERROR;
+ }
-+ close(fd);
+
-+ (*buf)[size] = '\0';
++ fclose(f);
++
++ (*buf)[*n] = '\0';
+
+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
+ ++*n;
@@ -651,79 +513,68 @@ index 00000000..73d60e9d
+ return 0;
+}
+
-+static int apk_pkey_init(struct apk_pkey *pkey)
++static int apk_pkey_init(struct apk_pkey *pkey, mbedtls_pk_context *key)
+{
-+ unsigned char dig[APK_DIGEST_MAX_LENGTH];
-+ unsigned char pub[APK_ENC_KEY_MAX_LENGTH] = {};
++ unsigned char dig[APK_DIGEST_MAX_LENGTH], *pub = NULL;
+ unsigned char *c;
-+ int len, r = -APKE_CRYPTO_ERROR;
++ int len, publen, r = -APKE_CRYPTO_ERROR;
+
-+ c = pub + APK_ENC_KEY_MAX_LENGTH;
++ // Assume byte len is always * 2 + NULL terminated
++ publen = mbedtls_pk_get_len(key) * 2 + 1;
++ pub = malloc(publen);
++ if (!pub)
++ return -ENOMEM;
++ c = pub + publen;
+
-+ // key is written backwards into pub starting at c!
-+ if ((len = mbedtls_pk_write_pubkey(&c, pub, &pkey->key)) < 0) return -APKE_CRYPTO_ERROR;
-+ if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), c, len, dig)) {
++ if ((len = mbedtls_pk_write_pubkey(&c, pub, key)) < 0) return -APKE_CRYPTO_ERROR;
++ if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), pub, len, dig)) {
+ memcpy(pkey->id, dig, sizeof pkey->id);
+ r = 0;
+ }
-+
++
++ free(pub);
++ pkey->key = key;
++
+ return r;
+}
+
+void apk_pkey_free(struct apk_pkey *pkey)
+{
-+ mbedtls_pk_free(&pkey->key);
-+}
-+
-+static int apk_random(void *ctx, unsigned char *out, size_t len)
-+{
-+ return (int)getrandom(out, len, 0);
++ mbedtls_pk_free(pkey->key);
+}
+
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
-+{
-+ return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0, apk_random, NULL);
-+}
-+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
-+ unsigned char *sig, size_t *sig_len)
-+{
-+ return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+ (const unsigned char *)&dig->data, dig->len, sig, sizeof *sig, sig_len,
-+ apk_random, NULL);
-+}
-+#else
-+static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
-+{
-+ return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0);
-+}
-+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
-+ unsigned char *sig, size_t *sig_len)
-+{
-+ return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+ (const unsigned char *)&dig->data, dig->len, sig, sig_len, apk_random, NULL);
-+}
-+#endif
-+
+int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn)
+{
-+ unsigned char *buf = NULL;
-+ size_t blen = 0;
-+ int ret;
++ mbedtls_pk_context *key;
++ unsigned char *buf;
++ size_t blen;
++ int ret, fd;
+
-+ if (apk_load_file_at(dirfd, fn, &buf, &blen))
-+ return -APKE_CRYPTO_ERROR;
++ fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC);
++ if (fd < 0)
++ return -errno;
+
-+ mbedtls_pk_init(&pkey->key);
-+ if ((ret = mbedtls_pk_parse_public_key(&pkey->key, buf, blen)) != 0)
-+ ret = apk_mbedtls_parse_privkey(pkey, buf, blen);
++ key = malloc(sizeof *key);
++ if (!key)
++ return -ENOMEM;
++
++ mbedtls_pk_init(key);
++ if (apk_load_file_fd(fd, &buf, &blen))
++ return -APKE_CRYPTO_ERROR;
+
++ if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) {
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0, _apk_random, NULL);
++#else
++ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0);
++#endif
++ }
+ mbedtls_platform_zeroize(buf, blen);
+ mbedtls_free(buf);
+ if (ret != 0)
+ return -APKE_CRYPTO_KEY_FORMAT;
+
-+ return apk_pkey_init(pkey);
++ return apk_pkey_init(pkey, key);
+}
+
+int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
@@ -743,10 +594,16 @@ index 00000000..73d60e9d
+
+ if (apk_digest_ctx_final(dctx, &dig))
+ return -APKE_SIGNATURE_GEN_FAILURE;
-+
-+ if (apk_mbedtls_sign(dctx, &dig, sig, len))
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
++ &dig.data, dig.len, sig, sizeof *sig, len, _apk_random, NULL))
++#else
++ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
++ &dig.data, dig.len, sig, len, _apk_random, NULL))
++#endif
+ r = -APKE_SIGNATURE_GEN_FAILURE;
+
++
+ dctx->sigver_key = NULL;
+ return r;
+}
@@ -769,8 +626,7 @@ index 00000000..73d60e9d
+ if (apk_digest_ctx_final(dctx, &dig))
+ return -APKE_SIGNATURE_GEN_FAILURE;
+
-+ if (mbedtls_pk_verify(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+ (const unsigned char *)&dig.data, dig.len, sig, len))
++ if (mbedtls_pk_verify(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), &dig.data, dig.len, sig, len))
+ r = -APKE_SIGNATURE_INVALID;
+
+ dctx->sigver_key = NULL;
@@ -793,33 +649,26 @@ index 00000000..73d60e9d
+#endif
+}
diff --git a/src/meson.build b/src/meson.build
-index 38e9d3b0..e1204fc0 100644
+index 28bfce7e..4eab6e0d 100644
--- a/src/meson.build
+++ b/src/meson.build
-@@ -1,3 +1,4 @@
-+crypto_backend = get_option('crypto_backend')
- url_backend = get_option('url_backend')
-
- libapk_so_version = '2.99.0'
-@@ -15,7 +16,7 @@ libapk_src = [
+@@ -13,7 +13,6 @@ libapk_src = [
'common.c',
'context.c',
'crypto.c',
- 'crypto_openssl.c',
-+ 'crypto_@0@.c'.format(crypto_backend),
'ctype.c',
'database.c',
'extract_v2.c',
-@@ -40,7 +41,7 @@ libapk_headers = [
+@@ -37,7 +36,6 @@ libapk_headers = [
'apk_atom.h',
'apk_blob.h',
'apk_crypto.h',
- 'apk_crypto_openssl.h',
-+ 'apk_crypto_@0@.h'.format(crypto_backend),
'apk_ctype.h',
'apk_database.h',
'apk_defines.h',
-@@ -89,6 +90,17 @@ apk_src = [
+@@ -86,6 +84,11 @@ apk_src = [
'applet.c',
]
@@ -828,16 +677,28 @@ index 38e9d3b0..e1204fc0 100644
+ '-D_ATFILE_SOURCE',
+]
+
+ url_backend = get_option('url_backend')
+ if url_backend == 'libfetch'
+ libapk_src += [ 'io_url_libfetch.c' ]
+@@ -93,6 +96,17 @@ elif url_backend == 'wget'
+ libapk_src += [ 'io_url_wget.c' ]
+ endif
+
++crypto_backend = get_option('crypto_backend')
+if crypto_backend == 'openssl'
+ apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ]
++ libapk_src += [ 'crypto_openssl.c' ]
++ libapk_headers += [ 'apk_crypto_openssl.h' ]
+elif crypto_backend == 'mbedtls'
+ apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ]
++ libapk_src += [ 'crypto_mbedtls.c' ]
++ libapk_headers += [ 'apk_crypto_mbedtls.h' ]
+endif
+
if lua_bin.found()
genhelp_script = files('genhelp.lua')
genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
-@@ -115,11 +127,6 @@ endif
+@@ -119,11 +133,6 @@ endif
apk_src += [ generated_help ]
@@ -852,66 +713,3 @@ index 38e9d3b0..e1204fc0 100644
--
GitLab
-
-From 34bb1021284dccbf97f02b0a0bb9e751b8887cad Mon Sep 17 00:00:00 2001
-From: Christian Marangi <ansuelsmth@gmail.com>
-Date: Tue, 16 Apr 2024 17:56:45 +0200
-Subject: [PATCH 4/4] add option to configure crypto backend in legacy make
- build system
-
-Define CRYPTO to select mbedtls as alternative crypto backend. By
-default openssl is used.
-
-Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
----
- src/Makefile | 20 +++++++++++++++-----
- 1 file changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index efdc68df..97db0e72 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -20,9 +20,9 @@ libapk_soname := 2.99.0
- libapk_so := $(obj)/libapk.so.$(libapk_soname)
- libapk.so.$(libapk_soname)-objs := \
- adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
-- atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
-- extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
-- print.o solver.o trust.o version.o
-+ atom.o blob.o commit.o common.o context.o crypto.o ctype.o database.o hash.o extract_v2.o \
-+ extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o print.o \
-+ solver.o trust.o version.o
-
- libapk.so.$(libapk_soname)-libs :=
-
-@@ -34,6 +34,16 @@ libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
- libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
- endif
-
-+ifeq ($(CRYPTO),mbedtls)
-+CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags mbedtls mbedcrypto) -DCRYPTO_USE_MBEDTLS
-+CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs mbedtls mbedcrypto)
-+libapk.so.$(libapk_soname)-objs += crypto_mbedtls.o
-+else
-+CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl) -DCRYPTO_USE_OPENSSL
-+CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
-+libapk.so.$(libapk_soname)-objs += crypto_openssl.o
-+endif
-+
- # ZSTD support can be disabled
- ifneq ($(ZSTD),no)
- ZSTD_CFLAGS := $(shell $(PKG_CONFIG) --cflags libzstd)
-@@ -100,9 +110,9 @@ LIBS_apk.static := -Wl,--as-needed -ldl -Wl,--no-as-needed
- LDFLAGS_apk += -L$(obj)
- LDFLAGS_apk-test += -L$(obj)
-
--CFLAGS_ALL += $(OPENSSL_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
-+CFLAGS_ALL += $(CRYPTO_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
- LIBS := -Wl,--as-needed \
-- $(OPENSSL_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \
-+ $(CRYPTO_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \
- -Wl,--no-as-needed
-
- # Help generation
---
-GitLab