Diffstat (limited to 'package/system/apk/patches/0002-mbedtls-support.patch')
-rw-r--r-- | package/system/apk/patches/0002-mbedtls-support.patch | 546 |
1 files changed, 172 insertions, 374 deletions
diff --git a/package/system/apk/patches/0002-mbedtls-support.patch b/package/system/apk/patches/0002-mbedtls-support.patch index 62b3ab81d3..d06db30f03 100644 --- a/package/system/apk/patches/0002-mbedtls-support.patch +++ b/package/system/apk/patches/0002-mbedtls-support.patch @@ -1,51 +1,16 @@ -From 74ea482102e1a7c1845b3eec19cbdb21264836d4 Mon Sep 17 00:00:00 2001 +From 68352e0cb94fe08b220d4befec828171ec871154 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> Date: Fri, 5 Apr 2024 12:06:56 +0300 -Subject: [PATCH 1/4] add alternate url wget implementation +Subject: [PATCH 1/2] add alternate url wget implementation --- - .gitlab-ci.yml | 16 ++++- meson.build | 6 +- meson_options.txt | 1 + - src/io_url_wget.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++ - src/meson.build | 4 +- - 5 files changed, 173 insertions(+), 4 deletions(-) + src/io_url_wget.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++ + src/meson.build | 8 ++- + 4 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 src/io_url_wget.c -diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml -index 7fc86563..b7e00008 100644 ---- a/.gitlab-ci.yml -+++ b/.gitlab-ci.yml -@@ -24,7 +24,19 @@ test:alpine: - script: - - apk update - - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib meson zlib-static zstd-static openssl-libs-static -- - meson build -+ - meson setup build -Dstatic_apk=true -+ - ninja -C build -+ tags: -+ - docker-alpine -+ - x86_64 -+ -+test:alpine-alt-config: -+ image: alpine -+ stage: test -+ script: -+ - apk update -+ - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib meson -+ - meson setup build -Durl_backend=wget -Dzstd=false - - ninja -C build - tags: - - docker-alpine -@@ -38,7 +50,7 @@ test:debian: - - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson - - unlink /bin/sh - - ln -s /bin/bash /bin/sh -- - meson build -+ - meson setup build - - ninja -C build - tags: - - docker-alpine diff --git a/meson.build b/meson.build index 1a44c11f..9a14cac0 100644 --- a/meson.build @@ -63,26 +28,26 @@ index 1a44c11f..9a14cac0 100644 subdir('src') subdir('tests') diff --git a/meson_options.txt b/meson_options.txt -index 693f46ec..940fe9a4 100644 +index 693f46ec..44b88b32 100644 --- a/meson_options.txt +++ b/meson_options.txt 
@@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto') option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3') option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false) -+option('url_backend', description: 'URL backend', type: 'combo', choices: ['libfetch', 'wget'], value: 'libfetch') ++option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch') option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string') option('zstd', description: 'Build with zstd support', type: 'boolean', value: true) diff --git a/src/io_url_wget.c b/src/io_url_wget.c new file mode 100644 -index 00000000..9a929222 +index 00000000..d8885a4f --- /dev/null +++ b/src/io_url_wget.c -@@ -0,0 +1,150 @@ +@@ -0,0 +1,137 @@ +/* io_url_wget.c - Alpine Package Keeper (APK) + * + * Copyright (C) 2005-2008 Natanael Copa <n@tanael.org> -+ * Copyright (C) 2008-2011 Timo Teräs <timo.teras@iki.fi> ++ * Copyright (C) 2008-2011 Timo Teräs <timo.teras@iki.fi> + * All rights reserved. + * + * SPDX-License-Identifier: GPL-2.0-only @@ -93,9 +58,6 @@ index 00000000..9a929222 +#include <sys/wait.h> +#include "apk_io.h" + -+static char wget_timeout[16]; -+static char wget_no_check_certificate; -+ +static int wget_translate_status(int status) +{ + if (!WIFEXITED(status)) return -EFAULT; 
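Review bot: Turning `url_backend` from `type: 'combo'` with `choices` into a plain `type: 'string'` removes the only validation of that value, and the new `if url_backend == 'libfetch' … elif … endif` in src/meson.build (hunk `@@ -230,97 +182,39 @@`) has no `else`, so a misspelled `-Durl_backend=` silently adds no `io_url_*.c` at all and the failure only surfaces at link time as undefined symbols. The same pattern is introduced for `crypto_backend` (string option in `@@ -388,66 +277,17 @@`, unguarded `if/elif` in `@@ -828,16 +677,28 @@`). Either keep the combo type with its choices, or close each chain with `else` / `error('unsupported url_backend: ' + url_backend)` / `endif` so a bad value fails at configure time with a clear message.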
@@ -118,19 +80,11 @@ index 00000000..9a929222 + +static int wget_spawn(const char *url, pid_t *pid, int *fd) +{ -+ int i = 0, r, pipefds[2]; ++ int r, pipefds[2]; + posix_spawn_file_actions_t act; -+ char *argv[16]; -+ -+ argv[i++] = "wget"; -+ argv[i++] = "-q"; -+ argv[i++] = "-T"; -+ argv[i++] = wget_timeout; -+ if (wget_no_check_certificate) argv[i++] = "--no-check-certificate"; -+ argv[i++] = (char *) url; -+ argv[i++] = "-O"; -+ argv[i++] = "-"; -+ argv[i++] = 0; ++ char *argv[] = { ++ (char*)"wget", "-q", (char*) url, "-O", "-", 0 ++ }; + + if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno; + @@ -214,12 +168,10 @@ index 00000000..9a929222 + +void apk_io_url_no_check_certificate(void) +{ -+ wget_no_check_certificate = 1; +} + +void apk_io_url_set_timeout(int timeout) +{ -+ snprintf(wget_timeout, sizeof wget_timeout, "%d", timeout); +} + +void apk_io_url_set_redirect_callback(void (*cb)(int, const char *)) @@ -230,97 +182,39 @@ index 00000000..9a929222 +{ +} diff --git a/src/meson.build b/src/meson.build -index c1aae550..38e9d3b0 100644 +index c1aae550..28bfce7e 100644 --- a/src/meson.build 
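Review bot: With the fixed `argv` in wget_spawn, `apk_io_url_set_timeout` and `apk_io_url_no_check_certificate` (hunk `@@ -214,12 +168,10 @@`) are now empty bodies, so a timeout configured by the caller is silently discarded and a stalled download has no bound other than wget's own default. If that is the intended trade-off, say so where the bodies are emptied, e.g. `/* wget backend: uses wget's default timeout and always verifies certificates */`, otherwise keep passing `-T`. While the argument list is being rebuilt, placing `"--"` before `(char*) url` keeps a URL value that begins with `-` from being read by wget as an option; the arguments are fixed strings otherwise, so this costs one array element.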
+++ b/src/meson.build -@@ -1,3 +1,5 @@ -+url_backend = get_option('url_backend') -+ - libapk_so_version = '2.99.0' - libapk_src = [ - 'adb.c', -@@ -22,8 +24,8 @@ libapk_src = [ +@@ -22,7 +22,6 @@ libapk_src = [ 'fs_uvol.c', 'hash.c', 'io.c', - 'io_url_libfetch.c', 'io_gunzip.c', -+ 'io_url_@0@.c'.format(url_backend), 'package.c', 'pathbuilder.c', - 'print.c', --- -GitLab - - -From b9fe78fbf19bb10e1d0b8eb1cb1de123bee2ed7e Mon Sep 17 00:00:00 2001 -From: Christian Marangi <ansuelsmth@gmail.com> -Date: Tue, 16 Apr 2024 17:55:15 +0200 -Subject: [PATCH 2/4] add option to configure url backend in legacy make build - system - -Can be configured by setting URL_BACKEND. If not set libfetch is -selected by default. - -Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> ---- - src/Makefile | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/src/Makefile b/src/Makefile -index f7873cb1..efdc68df 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -9,8 +9,8 @@ else - $(error Lua interpreter not found. Please specify LUA interpreter, or use LUA=no to build without help.) 
- endif - --OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl) --OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl) -+OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl) -+OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl) - - ZLIB_CFLAGS := $(shell $(PKG_CONFIG) --cflags zlib) - ZLIB_LIBS := $(shell $(PKG_CONFIG) --libs zlib) -@@ -21,10 +21,18 @@ libapk_so := $(obj)/libapk.so.$(libapk_soname) - libapk.so.$(libapk_soname)-objs := \ - adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \ - atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \ -- extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o io_url_libfetch.o \ -- tar.o package.o pathbuilder.o print.o solver.o trust.o version.o -+ extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \ -+ print.o solver.o trust.o version.o +@@ -87,6 +86,13 @@ apk_src = [ + 'applet.c', + ] --libapk.so.$(libapk_soname)-libs := libfetch/libfetch.a -+libapk.so.$(libapk_soname)-libs := -+ -+ifeq ($(URL_BACKEND),wget) -+libapk.so.$(libapk_soname)-objs += io_url_wget.o -+else -+CFLAGS_ALL += -Ilibfetch -+libapk.so.$(libapk_soname)-objs += io_url_libfetch.o -+libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a ++url_backend = get_option('url_backend') ++if url_backend == 'libfetch' ++ libapk_src += [ 'io_url_libfetch.c' ] ++elif url_backend == 'wget' ++ libapk_src += [ 'io_url_wget.c' ] +endif - - # ZSTD support can be disabled - ifneq ($(ZSTD),no) -@@ -79,7 +87,7 @@ LIBS_apk := -lapk - LIBS_apk-test := -lapk - LIBS_apk.so := -L$(obj) -lapk - --CFLAGS_ALL += -D_ATFILE_SOURCE -Ilibfetch -Iportability -+CFLAGS_ALL += -D_ATFILE_SOURCE -Iportability - CFLAGS_apk.o := -DAPK_VERSION=\"$(VERSION)\" - CFLAGS_apk-static.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE - CFLAGS_apk-test.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE -DTEST_MODE ++ + if lua_bin.found() + 
genhelp_script = files('genhelp.lua') + genhelp_args = [lua_bin, genhelp_script, '@INPUT@'] -- GitLab -From 0418b684898403c49905c1f0e4b7c5ca522b2d50 Mon Sep 17 00:00:00 2001 +From dc7ff789a45522eb847118a29b60b896de55d083 Mon Sep 17 00:00:00 2001 From: Jonas Jelonek <jelonek.jonas@gmail.com> Date: Sun, 14 Apr 2024 00:20:14 +0200 -Subject: [PATCH 3/4] crypto: add support for mbedtls as backend +Subject: [PATCH 2/2] crypto: add support for mbedtls as backend backend is selected at compile-time with crypto_backend option @@ -331,16 +225,11 @@ Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com> libfetch/meson.build | 2 +- meson.build | 14 +- meson_options.txt | 1 + - portability/getrandom.c | 19 +++ - portability/meson.build | 3 +- - portability/sys/random.h | 6 + src/apk_crypto.h | 5 + - src/apk_crypto_mbedtls.h | 30 +++++ - src/crypto_mbedtls.c | 285 +++++++++++++++++++++++++++++++++++++++ - src/meson.build | 21 ++- - 10 files changed, 373 insertions(+), 13 deletions(-) - create mode 100644 portability/getrandom.c - create mode 100644 portability/sys/random.h + src/apk_crypto_mbedtls.h | 26 ++++ + src/crypto_mbedtls.c | 305 +++++++++++++++++++++++++++++++++++++++ + src/meson.build | 23 ++- + 7 files changed, 364 insertions(+), 12 deletions(-) create mode 100644 src/apk_crypto_mbedtls.h create mode 100644 src/crypto_mbedtls.c @@ -388,66 +277,17 @@ index 9a14cac0..3a83f4e1 100644 add_project_arguments('-D_GNU_SOURCE', language: 'c') diff --git a/meson_options.txt b/meson_options.txt -index 940fe9a4..df0b07dc 100644 +index 44b88b32..2b1d24ce 100644 --- a/meson_options.txt 
+++ b/meson_options.txt -@@ -1,4 +1,5 @@ - option('arch_prefix', description: 'Define a custom arch prefix for default arch', type: 'string') -+option('crypto_backend', description: 'Crypto backend', type: 'combo', choices: ['openssl', 'mbedtls'], value: 'openssl') - option('compressed-help', description: 'Compress help database, needs lua-zlib', type: 'boolean', value: true) - option('docs', description: 'Build manpages with scdoc', type: 'feature', value: 'auto') - option('help', description: 'Build help into apk binaries, needs lua', type: 'feature', value: 'auto') -diff --git a/portability/getrandom.c b/portability/getrandom.c -new file mode 100644 -index 00000000..b2f4a07c ---- /dev/null -+++ b/portability/getrandom.c -@@ -0,0 +1,19 @@ -+#include <sys/random.h> -+#include <sys/types.h> -+#include <unistd.h> -+#include <fcntl.h> -+ -+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags) -+{ -+ int fd; -+ ssize_t ret; -+ -+ fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ return -1; -+ -+ ret = read(fd, buf, buflen); -+ close(fd); -+ return ret; -+} -+ -diff --git a/portability/meson.build b/portability/meson.build -index 89957c3c..3172044e 100644 ---- a/portability/meson.build -+++ b/portability/meson.build -@@ -3,7 +3,8 @@ cc = meson.get_compiler('c') - libportability_src = [] - - check_symbols = [ -- ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'], -+ ['getrandom', 'getrandom.c', 'NEED_GETRANDOM', 'sys/random.h'], -+ ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'], - ['mknodat', 'mknodat.c', 'NEED_MKNODAT', 'sys/stat.h'], - ['pipe2', 'pipe2.c', 'NEED_PIPE2', 'unistd.h'], - ['qsort_r', 'qsort_r.c', 'NEED_QSORT_R', 'stdlib.h'], -diff --git a/portability/sys/random.h b/portability/sys/random.h -new file mode 100644 -index 00000000..02d5b1ca ---- /dev/null -+++ b/portability/sys/random.h -@@ -0,0 +1,6 @@ -+#include_next <sys/random.h> -+#include <sys/types.h> -+ -+#ifdef NEED_GETRANDOM -+ssize_t getrandom(void *buf, size_t 
buflen, unsigned int flags); -+#endif +@@ -5,6 +5,7 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe + option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto') + option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3') + option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false) ++option('crypto_backend', description: 'SSL backend', type: 'string', value: 'openssl') + option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch') + option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string') + option('zstd', description: 'Build with zstd support', type: 'boolean', value: true) diff --git a/src/apk_crypto.h b/src/apk_crypto.h index 7de88dfc..5cae3bfe 100644 --- a/src/apk_crypto.h @@ -467,10 +307,10 @@ index 7de88dfc..5cae3bfe 100644 diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h new file mode 100644 -index 00000000..5481d149 +index 00000000..e379535b --- /dev/null +++ b/src/apk_crypto_mbedtls.h -@@ -0,0 +1,30 @@ +@@ -0,0 +1,26 @@ +/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK) + * + * Copyright (C) 2024 @@ -484,45 +324,36 @@ index 00000000..5481d149 + +#include <mbedtls/md.h> +#include <mbedtls/pk.h> -+#include <mbedtls/bignum.h> + +struct apk_pkey { + uint8_t id[16]; -+ mbedtls_pk_context key; ++ mbedtls_pk_context *key; +}; + +struct apk_digest_ctx { -+ mbedtls_md_context_t mdctx; ++ mbedtls_md_context_t *mdctx; + struct apk_pkey *sigver_key; + uint8_t alg; +}; + -+/* based on mbedtls' internal pkwrite.h calculations */ -+#define APK_ENC_KEY_MAX_LENGTH (38 + 2 * MBEDTLS_MPI_MAX_SIZE) -+ +#endif diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c new file mode 100644 -index 00000000..73d60e9d +index 00000000..9ce148b5 --- /dev/null 
+++ b/src/crypto_mbedtls.c -@@ -0,0 +1,285 @@ +@@ -0,0 +1,305 @@ +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <fcntl.h> +#include <sys/random.h> -+#include <sys/stat.h> -+#include <unistd.h> + +#include <mbedtls/platform.h> +#include <mbedtls/md.h> +#include <mbedtls/pk.h> +#include <mbedtls/entropy.h> -+ -+#ifdef MBEDTLS_PSA_CRYPTO_C +#include <psa/crypto.h> -+#endif + +#include "apk_crypto.h" + @@ -559,11 +390,14 @@ index 00000000..73d60e9d +int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg) +{ + dctx->alg = alg; ++ dctx->mdctx = malloc(sizeof(mbedtls_md_context_t)); ++ ++ if (!dctx->mdctx) return -ENOMEM; + -+ mbedtls_md_init(&dctx->mdctx); ++ mbedtls_md_init(dctx->mdctx); + if (alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || -+ mbedtls_md_starts(&dctx->mdctx)) ++ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || ++ mbedtls_md_starts(dctx->mdctx)) + return -APKE_CRYPTO_ERROR; + + return 0; 
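Review bot: `#include <sys/random.h>` is kept in the new include list although nothing in the new crypto_mbedtls.c appears to call `getrandom` any more (the replacement `_apk_random` reads /dev/urandom through stdio), and this series also drops the `portability/sys/random.h` shim, so the include now only remains as a build hazard on a libc without that header; remove it or restore the shim. The `MBEDTLS_PSA_CRYPTO_C` guard around `#include <psa/crypto.h>` is removed as well; if the build is meant to work against Mbed TLS configurations without PSA enabled, keep the guard and the matching `#ifdef` at the use site (the tail of `@@ -793,33 +649,26 @@` still ends with an `#endif`, so the use side seems to be guarded).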
@@ -572,77 +406,105 @@ index 00000000..73d60e9d +int apk_digest_ctx_reset(struct apk_digest_ctx *dctx) +{ + if (dctx->alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_starts(&dctx->mdctx)) return -APKE_CRYPTO_ERROR; ++ if (mbedtls_md_starts(dctx->mdctx)) return -APKE_CRYPTO_ERROR; + return 0; +} + +int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg) +{ -+ mbedtls_md_free(&dctx->mdctx); ++ mbedtls_md_free(dctx->mdctx); + + dctx->alg = alg; + if (alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || -+ mbedtls_md_starts(&dctx->mdctx)) ++ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || ++ mbedtls_md_starts(dctx->mdctx)) + return -APKE_CRYPTO_ERROR; -+ ++ + return 0; +} + +void apk_digest_ctx_free(struct apk_digest_ctx *dctx) +{ -+ mbedtls_md_free(&dctx->mdctx); ++ free(dctx->mdctx); ++ dctx->mdctx = 0; +} + +int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz) +{ + if (dctx->alg == APK_DIGEST_NONE) return 0; -+ return mbedtls_md_update(&dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR; ++ return mbedtls_md_update(dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR; +} + +int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d) +{ -+ if (mbedtls_md_finish(&dctx->mdctx, d->data)) { ++ if (mbedtls_md_finish(dctx->mdctx, d->data)) { + apk_digest_reset(d); + return -APKE_CRYPTO_ERROR; + } + ++ mbedtls_md_free(dctx->mdctx); ++ + d->alg = dctx->alg; + d->len = apk_digest_alg_len(d->alg); + return 0; +} + -+static int apk_load_file_at(int dirfd, const char *fn, unsigned char **buf, size_t *n) ++// Entropy function adopted from ustream-ssl to avoid using the bloated mbedtls' ++// mbedtls_entropy_context and mbedtls_ctr_drbg_context. 
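Review bot: The `mdctx` that apk_digest_ctx_init now allocates with `malloc` is released in apk_digest_ctx_free (next hunk) by a bare `free(dctx->mdctx)` with no `mbedtls_md_free`, so the state installed by `mbedtls_md_setup` leaks whenever a context is freed without first going through apk_digest_ctx_final. Conversely apk_digest_ctx_final now calls `mbedtls_md_free`, after which a later apk_digest_ctx_reset runs `mbedtls_md_starts` on a cleared context and will fail; if reuse after final is not expected, document that, otherwise keep the pairing in one place: `mbedtls_md_free(dctx->mdctx); free(dctx->mdctx); dctx->mdctx = NULL;` in apk_digest_ctx_free and no `mbedtls_md_free` in final. Minor: `dctx->alg = alg` is assigned before the `-ENOMEM` return, leaving a half-initialised context on allocation failure.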
++static int _apk_random(void *ctx, unsigned char *out, size_t len) +{ -+ struct stat stats; -+ size_t size; -+ int fd; ++ static FILE *f; + -+ if ((fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC)) < 0) -+ return -errno; ++ if (!f) ++ f = fopen("/dev/urandom", "r"); ++ if (fread(out, len, 1, f) != 1) ++ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; + -+ if (fstat(fd, &stats)) { -+ close(fd); -+ return -errno; ++ return 0; ++} ++ ++// adopted from mbedtls_pk_load_file ++static int apk_load_file_fd(int fd, unsigned char **buf, size_t *n) ++{ ++ FILE *f; ++ long size; ++ ++ if ((f = fdopen(fd, "rb")) == NULL) { ++ return MBEDTLS_ERR_PK_FILE_IO_ERROR; ++ } ++ ++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) ++ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */ ++ mbedtls_setbuf(f, NULL); ++#endif ++ ++ fseek(f, 0, SEEK_END); ++ if ((size = ftell(f)) == -1) { ++ fclose(f); ++ return MBEDTLS_ERR_PK_FILE_IO_ERROR; + } ++ fseek(f, 0, SEEK_SET); + -+ size = (size_t)stats.st_size; -+ *n = size; ++ *n = (size_t) size; + -+ if (size == 0 || (*buf = mbedtls_calloc(1, size + 1)) == NULL) ++ if (*n + 1 == 0 || ++ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { ++ fclose(f); + return MBEDTLS_ERR_PK_ALLOC_FAILED; ++ } + -+ if (read(fd, *buf, size) != size) { -+ close(fd); ++ if (fread(*buf, 1, *n, f) != *n) { ++ fclose(f); + -+ mbedtls_platform_zeroize(*buf, size); ++ mbedtls_platform_zeroize(*buf, *n); + mbedtls_free(*buf); + + return MBEDTLS_ERR_PK_FILE_IO_ERROR; + } -+ close(fd); + -+ (*buf)[size] = '\0'; ++ fclose(f); ++ ++ (*buf)[*n] = '\0'; + + if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { + ++*n; 
@@ -651,79 +513,68 @@ index 00000000..73d60e9d + return 0; +} + -+static int apk_pkey_init(struct apk_pkey *pkey) ++static int apk_pkey_init(struct apk_pkey *pkey, mbedtls_pk_context *key) +{ -+ unsigned char dig[APK_DIGEST_MAX_LENGTH]; -+ unsigned char pub[APK_ENC_KEY_MAX_LENGTH] = {}; ++ unsigned char dig[APK_DIGEST_MAX_LENGTH], *pub = NULL; + unsigned char *c; -+ int len, r = -APKE_CRYPTO_ERROR; ++ int len, publen, r = -APKE_CRYPTO_ERROR; + -+ c = pub + APK_ENC_KEY_MAX_LENGTH; ++ // Assume byte len is always * 2 + NULL terminated ++ publen = mbedtls_pk_get_len(key) * 2 + 1; ++ pub = malloc(publen); ++ if (!pub) ++ return -ENOMEM; ++ c = pub + publen; + -+ // key is written backwards into pub starting at c! -+ if ((len = mbedtls_pk_write_pubkey(&c, pub, &pkey->key)) < 0) return -APKE_CRYPTO_ERROR; -+ if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), c, len, dig)) { ++ if ((len = mbedtls_pk_write_pubkey(&c, pub, key)) < 0) return -APKE_CRYPTO_ERROR; ++ if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), pub, len, dig)) { + memcpy(pkey->id, dig, sizeof pkey->id); + r = 0; + } -+ ++ ++ free(pub); ++ pkey->key = key; ++ + return r; +} + +void apk_pkey_free(struct apk_pkey *pkey) +{ -+ mbedtls_pk_free(&pkey->key); -+} -+ -+static int apk_random(void *ctx, unsigned char *out, size_t len) -+{ -+ return (int)getrandom(out, len, 0); ++ mbedtls_pk_free(pkey->key); +} + -+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -+static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen) -+{ -+ return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0, apk_random, NULL); -+} -+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig, -+ unsigned char *sig, size_t *sig_len) -+{ -+ return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), -+ (const unsigned char *)&dig->data, dig->len, sig, sizeof *sig, sig_len, -+ apk_random, NULL); -+} -+#else -+static inline 
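Review bot: In `_apk_random` the result of `fopen("/dev/urandom", "r")` is never checked, so when the device cannot be opened (a minimal chroot or an early-boot environment without /dev populated) `fread` is called with a NULL stream; add `if (!f) return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;` right after the `fopen`, and open with `"re"` where the libc supports it so the long-lived descriptor is close-on-exec and not inherited by the spawned wget. In `apk_load_file_fd`, a failing `fdopen` returns without closing `fd`, which the caller treats as consumed, and both `fseek` calls are unchecked; `if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) == -1 || fseek(f, 0, SEEK_SET) != 0)` keeps the error path in one condition.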
int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen) -+{ -+ return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0); -+} -+static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig, -+ unsigned char *sig, size_t *sig_len) -+{ -+ return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), -+ (const unsigned char *)&dig->data, dig->len, sig, sig_len, apk_random, NULL); -+} -+#endif -+ +int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn) +{ -+ unsigned char *buf = NULL; -+ size_t blen = 0; -+ int ret; ++ mbedtls_pk_context *key; ++ unsigned char *buf; ++ size_t blen; ++ int ret, fd; + -+ if (apk_load_file_at(dirfd, fn, &buf, &blen)) -+ return -APKE_CRYPTO_ERROR; ++ fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -errno; + -+ mbedtls_pk_init(&pkey->key); -+ if ((ret = mbedtls_pk_parse_public_key(&pkey->key, buf, blen)) != 0) -+ ret = apk_mbedtls_parse_privkey(pkey, buf, blen); ++ key = malloc(sizeof *key); ++ if (!key) ++ return -ENOMEM; ++ ++ mbedtls_pk_init(key); ++ if (apk_load_file_fd(fd, &buf, &blen)) ++ return -APKE_CRYPTO_ERROR; + ++ if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) { ++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) ++ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0, _apk_random, NULL); ++#else ++ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0); ++#endif ++ } + mbedtls_platform_zeroize(buf, blen); + mbedtls_free(buf); + if (ret != 0) + return -APKE_CRYPTO_KEY_FORMAT; + -+ return apk_pkey_init(pkey); ++ return apk_pkey_init(pkey, key); +} + +int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey) 
@@ -743,10 +594,16 @@ index 00000000..73d60e9d + + if (apk_digest_ctx_final(dctx, &dig)) + return -APKE_SIGNATURE_GEN_FAILURE; -+ -+ if (apk_mbedtls_sign(dctx, &dig, sig, len)) ++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) ++ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), ++ &dig.data, dig.len, sig, sizeof *sig, len, _apk_random, NULL)) ++#else ++ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), ++ &dig.data, dig.len, sig, len, _apk_random, NULL)) ++#endif + r = -APKE_SIGNATURE_GEN_FAILURE; + ++ + dctx->sigver_key = NULL; + return r; +} @@ -769,8 +626,7 @@ index 00000000..73d60e9d + if (apk_digest_ctx_final(dctx, &dig)) + return -APKE_SIGNATURE_GEN_FAILURE; + -+ if (mbedtls_pk_verify(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), -+ (const unsigned char *)&dig.data, dig.len, sig, len)) ++ if (mbedtls_pk_verify(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), &dig.data, dig.len, sig, len)) + r = -APKE_SIGNATURE_INVALID; + + dctx->sigver_key = NULL; @@ -793,33 +649,26 @@ index 00000000..73d60e9d +#endif +} diff --git a/src/meson.build b/src/meson.build -index 38e9d3b0..e1204fc0 100644 +index 28bfce7e..4eab6e0d 100644 --- a/src/meson.build +++ b/src/meson.build -@@ -1,3 +1,4 @@ -+crypto_backend = get_option('crypto_backend') - url_backend = get_option('url_backend') - - libapk_so_version = '2.99.0' -@@ -15,7 +16,7 @@ libapk_src = [ +@@ -13,7 +13,6 @@ libapk_src = [ 'common.c', 'context.c', 'crypto.c', - 'crypto_openssl.c', -+ 'crypto_@0@.c'.format(crypto_backend), 'ctype.c', 'database.c', 'extract_v2.c', -@@ -40,7 +41,7 @@ libapk_headers = [ +@@ -37,7 +36,6 @@ libapk_headers = [ 'apk_atom.h', 'apk_blob.h', 'apk_crypto.h', - 'apk_crypto_openssl.h', -+ 'apk_crypto_@0@.h'.format(crypto_backend), 'apk_ctype.h', 'apk_database.h', 'apk_defines.h', -@@ -89,6 +90,17 @@ apk_src = [ +@@ -86,6 +84,11 @@ apk_src = [ 'applet.c', ] 
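Review bot: In apk_pkey_init the digest that becomes the key id is now computed over `pub` instead of `c`: `mbedtls_pk_write_pubkey` writes backwards from the end of the buffer and leaves `c` at the first written byte, so `pub, len` hashes `len` bytes from the start of the `malloc`'d buffer, most of which were never written, and the key id becomes wrong and non-deterministic unless the encoding happens to fill the buffer exactly — change the call to `mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), c, len, dig)`. The early `return -APKE_CRYPTO_ERROR` in the same function leaks `pub` and the caller's `key`. apk_pkey_load leaks `fd` when `malloc` fails and leaks `key` (after `mbedtls_pk_init`) when the file read or both parses fail, and apk_pkey_free never `free()`s the context it now owns; a single cleanup path on the load side looks like the following (`close()` needs `<unistd.h>`, which this series removed from the includes).
```c
int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn)
{
	mbedtls_pk_context *key;
	unsigned char *buf = NULL;
	size_t blen = 0;
	int ret, fd;

	fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC);
	if (fd < 0)
		return -errno;

	key = malloc(sizeof *key);
	if (!key) {
		close(fd);
		return -ENOMEM;
	}
	mbedtls_pk_init(key);

	/* apk_load_file_fd() owns fd from here on (fdopen/fclose) */
	if (apk_load_file_fd(fd, &buf, &blen)) {
		ret = -APKE_CRYPTO_ERROR;
		goto err;
	}

	if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) {
		/* … unchanged: version-dependent mbedtls_pk_parse_key call … */
	}
	mbedtls_platform_zeroize(buf, blen);
	mbedtls_free(buf);
	if (ret != 0) {
		ret = -APKE_CRYPTO_KEY_FORMAT;
		goto err;
	}

	ret = apk_pkey_init(pkey, key);
	if (ret == 0)
		return 0;
err:
	pkey->key = NULL;
	mbedtls_pk_free(key);
	free(key);
	return ret;
}
```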
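Review bot: In the Mbed TLS 3.x branch of apk_sign the signature-buffer capacity handed to `mbedtls_pk_sign` is `sizeof *sig`; the parameter declaration is outside this hunk, but if `sig` is a byte pointer that expression is 1 and every signing call would be expected to fail with a buffer-too-small error rather than produce a signature. The capacity should be the real size of the caller's buffer, e.g. taken from `*len` on entry if callers pass it there (confirm against the OpenSSL backend's apk_sign). Same lines: `&dig.data` is a pointer to the array rather than to its first byte, which the removed cast used to paper over; `dig.data` is the intended argument, here and in the verify hunk (`@@ -769,8 +626,7 @@`).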
@@ -828,16 +677,28 @@ index 38e9d3b0..e1204fc0 100644 + '-D_ATFILE_SOURCE', +] + + url_backend = get_option('url_backend') + if url_backend == 'libfetch' + libapk_src += [ 'io_url_libfetch.c' ] +@@ -93,6 +96,17 @@ elif url_backend == 'wget' + libapk_src += [ 'io_url_wget.c' ] + endif + ++crypto_backend = get_option('crypto_backend') +if crypto_backend == 'openssl' + apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ] ++ libapk_src += [ 'crypto_openssl.c' ] ++ libapk_headers += [ 'apk_crypto_openssl.h' ] +elif crypto_backend == 'mbedtls' + apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ] ++ libapk_src += [ 'crypto_mbedtls.c' ] ++ libapk_headers += [ 'apk_crypto_mbedtls.h' ] +endif + if lua_bin.found() genhelp_script = files('genhelp.lua') genhelp_args = [lua_bin, genhelp_script, '@INPUT@'] -@@ -115,11 +127,6 @@ endif +@@ -119,11 +133,6 @@ endif apk_src += [ generated_help ] 
@@ -852,66 +713,3 @@ index 38e9d3b0..e1204fc0 100644 -- GitLab - -From 34bb1021284dccbf97f02b0a0bb9e751b8887cad Mon Sep 17 00:00:00 2001 -From: Christian Marangi <ansuelsmth@gmail.com> -Date: Tue, 16 Apr 2024 17:56:45 +0200 -Subject: [PATCH 4/4] add option to configure crypto backend in legacy make - build system - -Define CRYPTO to select mbedtls as alternative crypto backend. By -default openssl is used. - -Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> ---- - src/Makefile | 20 +++++++++++++++----- - 1 file changed, 15 insertions(+), 5 deletions(-) - -diff --git a/src/Makefile b/src/Makefile -index efdc68df..97db0e72 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -20,9 +20,9 @@ libapk_soname := 2.99.0 - libapk_so := $(obj)/libapk.so.$(libapk_soname) - libapk.so.$(libapk_soname)-objs := \ - adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \ -- atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \ -- extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \ -- print.o solver.o trust.o version.o -+ atom.o blob.o commit.o common.o context.o crypto.o ctype.o database.o hash.o extract_v2.o \ -+ extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o print.o \ -+ solver.o trust.o version.o - - libapk.so.$(libapk_soname)-libs := - -@@ -34,6 +34,16 @@ libapk.so.$(libapk_soname)-objs += io_url_libfetch.o - libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a - endif - -+ifeq ($(CRYPTO),mbedtls) -+CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags mbedtls mbedcrypto) -DCRYPTO_USE_MBEDTLS -+CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs mbedtls mbedcrypto) -+libapk.so.$(libapk_soname)-objs += crypto_mbedtls.o -+else -+CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl) -DCRYPTO_USE_OPENSSL -+CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs openssl) -+libapk.so.$(libapk_soname)-objs += crypto_openssl.o -+endif -+ - # 
ZSTD support can be disabled - ifneq ($(ZSTD),no) - ZSTD_CFLAGS := $(shell $(PKG_CONFIG) --cflags libzstd) -@@ -100,9 +110,9 @@ LIBS_apk.static := -Wl,--as-needed -ldl -Wl,--no-as-needed - LDFLAGS_apk += -L$(obj) - LDFLAGS_apk-test += -L$(obj) - --CFLAGS_ALL += $(OPENSSL_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS) -+CFLAGS_ALL += $(CRYPTO_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS) - LIBS := -Wl,--as-needed \ -- $(OPENSSL_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \ -+ $(CRYPTO_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \ - -Wl,--no-as-needed - - # Help generation --- -GitLab |