1 From 74ea482102e1a7c1845b3eec19cbdb21264836d4 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
3 Date: Fri, 5 Apr 2024 12:06:56 +0300
4 Subject: [PATCH 1/4] add alternate url wget implementation
7 .gitlab-ci.yml | 16 ++++-
9 meson_options.txt | 1 +
10 src/io_url_wget.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++
11 src/meson.build | 4 +-
12 5 files changed, 173 insertions(+), 4 deletions(-)
13 create mode 100644 src/io_url_wget.c
15 diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
16 index 7fc86563..b7e00008 100644
19 @@ -24,7 +24,19 @@ test:alpine:
22 - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev zstd-dev lua5.3-dev lua5.3-lzlib meson zlib-static zstd-static openssl-libs-static
24 + - meson setup build -Dstatic_apk=true
30 +test:alpine-alt-config:
35 + - apk add make gcc git musl-dev openssl-dev linux-headers zlib-dev lua5.3-dev lua5.3-lzlib meson
36 + - meson setup build -Durl_backend=wget -Dzstd=false
40 @@ -38,7 +50,7 @@ test:debian:
41 - apt-get install -y make gcc git libssl-dev zlib1g-dev libzstd-dev lua5.3-dev lua5.2 lua-zlib-dev sudo meson
43 - ln -s /bin/bash /bin/sh
49 diff --git a/meson.build b/meson.build
50 index 1a44c11f..9a14cac0 100644
53 @@ -33,6 +33,10 @@ subproject = meson.is_subproject()
58 +if get_option('url_backend') == 'libfetch'
61 + libfetch_dep = dependency('', required: false)
65 diff --git a/meson_options.txt b/meson_options.txt
66 index 693f46ec..940fe9a4 100644
67 --- a/meson_options.txt
68 +++ b/meson_options.txt
69 @@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
70 option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
71 option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
72 option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
73 +option('url_backend', description: 'URL backend', type: 'combo', choices: ['libfetch', 'wget'], value: 'libfetch')
74 option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
75 option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
76 diff --git a/src/io_url_wget.c b/src/io_url_wget.c
78 index 00000000..9a929222
80 +++ b/src/io_url_wget.c
82 +/* io_url_wget.c - Alpine Package Keeper (APK)
84 + * Copyright (C) 2005-2008 Natanael Copa <n@tanael.org>
85 + * Copyright (C) 2008-2011 Timo Teräs <timo.teras@iki.fi>
86 + * All rights reserved.
88 + * SPDX-License-Identifier: GPL-2.0-only
93 +#include <sys/wait.h>
96 +static char wget_timeout[16];
97 +static char wget_no_check_certificate;
99 +static int wget_translate_status(int status)
101 + if (!WIFEXITED(status)) return -EFAULT;
102 + switch (WEXITSTATUS(status)) {
104 + case 3: return -EIO;
105 + case 4: return -ENETUNREACH;
106 + case 5: return -EACCES;
107 + case 6: return -EACCES;
108 + case 7: return -EPROTO;
109 + default: return -APKE_REMOTE_IO;
113 +struct apk_wget_istream {
114 + struct apk_istream is;
119 +static int wget_spawn(const char *url, pid_t *pid, int *fd)
121 + int i = 0, r, pipefds[2];
122 + posix_spawn_file_actions_t act;
125 + argv[i++] = "wget";
128 + argv[i++] = wget_timeout;
129 + if (wget_no_check_certificate) argv[i++] = "--no-check-certificate";
130 + argv[i++] = (char *) url;
135 + if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno;
137 + posix_spawn_file_actions_init(&act);
138 + posix_spawn_file_actions_adddup2(&act, pipefds[1], STDOUT_FILENO);
139 + r = posix_spawnp(pid, "wget", &act, 0, argv, environ);
140 + posix_spawn_file_actions_destroy(&act);
141 + if (r != 0) return -r;
147 +static int wget_check_exit(struct apk_wget_istream *wis)
151 + if (wis->pid == 0) return apk_istream_error(&wis->is, 0);
152 + if (waitpid(wis->pid, &status, 0) == wis->pid) {
154 + return apk_istream_error(&wis->is, wget_translate_status(status));
159 +static void wget_get_meta(struct apk_istream *is, struct apk_file_meta *meta)
163 +static ssize_t wget_read(struct apk_istream *is, void *ptr, size_t size)
165 + struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is);
168 + r = read(wis->fd, ptr, size);
169 + if (r < 0) return -errno;
170 + if (r == 0) return wget_check_exit(wis);
174 +static int wget_close(struct apk_istream *is)
177 + struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is);
179 + while (wis->pid != 0)
180 + wget_check_exit(wis);
184 + return r < 0 ? r : 0;
187 +static const struct apk_istream_ops wget_istream_ops = {
188 + .get_meta = wget_get_meta,
190 + .close = wget_close,
193 +struct apk_istream *apk_io_url_istream(const char *url, time_t since)
195 + struct apk_wget_istream *wis;
198 + wis = malloc(sizeof(*wis) + apk_io_bufsize);
199 + if (wis == NULL) return ERR_PTR(-ENOMEM);
201 + *wis = (struct apk_wget_istream) {
202 + .is.ops = &wget_istream_ops,
203 + .is.buf = (uint8_t *)(wis + 1),
204 + .is.buf_size = apk_io_bufsize,
206 + r = wget_spawn(url, &wis->pid, &wis->fd);
215 +void apk_io_url_no_check_certificate(void)
217 + wget_no_check_certificate = 1;
220 +void apk_io_url_set_timeout(int timeout)
222 + snprintf(wget_timeout, sizeof wget_timeout, "%d", timeout);
225 +void apk_io_url_set_redirect_callback(void (*cb)(int, const char *))
229 +void apk_io_url_init(void)
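Review bot: In `wget_spawn` the URL is appended as a bare positional argument (`argv[i++] = (char *) url;`) with no end-of-options marker, so a repository URL that begins with `-` is parsed by wget as an option instead of a location; placing `argv[i++] = "--";` immediately before that line makes the argv unambiguous. The return values of `posix_spawn_file_actions_init` and `posix_spawn_file_actions_adddup2` are ignored while `pipe2` and `posix_spawnp` are checked, and on a `posix_spawnp` failure the function returns `-r` without closing the two pipe descriptors it just created. `apk_io_url_istream` takes `since`, but none of the visible lines pass it on to wget, so the conditional-fetch behaviour of the libfetch backend appears to be dropped silently; if that is intended, a comment such as `/* wget backend: 'since' is not honoured, the resource is always re-fetched */` on that function would record it. Lines of this file between the visible ones are elided in this view, so some of this may be handled there.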
232 diff --git a/src/meson.build b/src/meson.build
233 index c1aae550..38e9d3b0 100644
234 --- a/src/meson.build
235 +++ b/src/meson.build
237 +url_backend = get_option('url_backend')
239 libapk_so_version = '2.99.0'
242 @@ -22,8 +24,8 @@ libapk_src = [
246 - 'io_url_libfetch.c',
248 + 'io_url_@0@.c'.format(url_backend),
256 From b9fe78fbf19bb10e1d0b8eb1cb1de123bee2ed7e Mon Sep 17 00:00:00 2001
257 From: Christian Marangi <ansuelsmth@gmail.com>
258 Date: Tue, 16 Apr 2024 17:55:15 +0200
259 Subject: [PATCH 2/4] add option to configure url backend in legacy make build
262 Can be configured by setting URL_BACKEND. If not set libfetch is
265 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
267 src/Makefile | 20 ++++++++++++++------
268 1 file changed, 14 insertions(+), 6 deletions(-)
270 diff --git a/src/Makefile b/src/Makefile
271 index f7873cb1..efdc68df 100644
275 $(error Lua interpreter not found. Please specify LUA interpreter, or use LUA=no to build without help.)
278 -OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl)
279 -OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
280 +OPENSSL_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl)
281 +OPENSSL_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
283 ZLIB_CFLAGS := $(shell $(PKG_CONFIG) --cflags zlib)
284 ZLIB_LIBS := $(shell $(PKG_CONFIG) --libs zlib)
285 @@ -21,10 +21,18 @@ libapk_so := $(obj)/libapk.so.$(libapk_soname)
286 libapk.so.$(libapk_soname)-objs := \
287 adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
288 atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
289 - extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o io_url_libfetch.o \
290 - tar.o package.o pathbuilder.o print.o solver.o trust.o version.o
291 + extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
292 + print.o solver.o trust.o version.o
294 -libapk.so.$(libapk_soname)-libs := libfetch/libfetch.a
295 +libapk.so.$(libapk_soname)-libs :=
297 +ifeq ($(URL_BACKEND),wget)
298 +libapk.so.$(libapk_soname)-objs += io_url_wget.o
300 +CFLAGS_ALL += -Ilibfetch
301 +libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
302 +libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
305 # ZSTD support can be disabled
307 @@ -79,7 +87,7 @@ LIBS_apk := -lapk
308 LIBS_apk-test := -lapk
309 LIBS_apk.so := -L$(obj) -lapk
311 -CFLAGS_ALL += -D_ATFILE_SOURCE -Ilibfetch -Iportability
312 +CFLAGS_ALL += -D_ATFILE_SOURCE -Iportability
313 CFLAGS_apk.o := -DAPK_VERSION=\"$(VERSION)\"
314 CFLAGS_apk-static.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE
315 CFLAGS_apk-test.o := -DAPK_VERSION=\"$(VERSION)\" -DOPENSSL_NO_ENGINE -DTEST_MODE
320 From 0418b684898403c49905c1f0e4b7c5ca522b2d50 Mon Sep 17 00:00:00 2001
321 From: Jonas Jelonek <jelonek.jonas@gmail.com>
322 Date: Sun, 14 Apr 2024 00:20:14 +0200
323 Subject: [PATCH 3/4] crypto: add support for mbedtls as backend
325 backend is selected at compile-time with crypto_backend option
327 Co-developed-by: Christian Marangi <ansuelsmth@gmail.com>
328 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
329 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
331 libfetch/meson.build | 2 +-
333 meson_options.txt | 1 +
334 portability/getrandom.c | 19 +++
335 portability/meson.build | 3 +-
336 portability/sys/random.h | 6 +
337 src/apk_crypto.h | 5 +
338 src/apk_crypto_mbedtls.h | 30 +++++
339 src/crypto_mbedtls.c | 285 +++++++++++++++++++++++++++++++++++++++
340 src/meson.build | 21 ++-
341 10 files changed, 373 insertions(+), 13 deletions(-)
342 create mode 100644 portability/getrandom.c
343 create mode 100644 portability/sys/random.h
344 create mode 100644 src/apk_crypto_mbedtls.h
345 create mode 100644 src/crypto_mbedtls.c
347 diff --git a/libfetch/meson.build b/libfetch/meson.build
348 index 431ba197..e24f95eb 100644
349 --- a/libfetch/meson.build
350 +++ b/libfetch/meson.build
351 @@ -40,7 +40,7 @@ libfetch = static_library(
352 c_args: libfetch_cargs,
354 libportability_dep.partial_dependency(compile_args: true, includes: true),
355 - openssl_dep.partial_dependency(compile_args: true, includes: true)
356 + crypto_dep.partial_dependency(compile_args: true, includes: true)
360 diff --git a/meson.build b/meson.build
361 index 9a14cac0..3a83f4e1 100644
364 @@ -13,15 +13,21 @@ apk_libdir = get_option('libdir')
365 lua_bin = find_program('lua' + get_option('lua_version'), required: get_option('help'))
366 lua_dep = dependency('lua' + get_option('lua_version'), required: get_option('lua'))
367 scdoc_dep = dependency('scdoc', version: '>=1.10', required: get_option('docs'))
368 -openssl_dep = dependency('openssl')
369 -openssl_static_dep = dependency('openssl', static: true)
370 zlib_dep = dependency('zlib')
371 zlib_static_dep = dependency('zlib', static: true)
372 libzstd_dep = dependency('libzstd', required: get_option('zstd'))
373 libzstd_static_dep = dependency('libzstd', required: get_option('zstd'), static: true)
375 -shared_deps = [ openssl_dep, zlib_dep, libzstd_dep ]
376 -static_deps = [ openssl_static_dep, zlib_static_dep, libzstd_static_dep ]
377 +if get_option('crypto_backend') == 'openssl'
378 + crypto_dep = dependency('openssl')
379 + crypto_static_dep = dependency('openssl', static: true)
380 +elif get_option('crypto_backend') == 'mbedtls'
381 + crypto_dep = [ dependency('mbedtls'), dependency('mbedcrypto') ]
382 + crypto_static_dep = [ dependency('mbedtls', static: true), dependency('mbedcrypto', static: true) ]
385 +shared_deps = [ crypto_dep, zlib_dep, libzstd_dep ]
386 +static_deps = [ crypto_static_dep, zlib_static_dep, libzstd_static_dep ]
388 add_project_arguments('-D_GNU_SOURCE', language: 'c')
390 diff --git a/meson_options.txt b/meson_options.txt
391 index 940fe9a4..df0b07dc 100644
392 --- a/meson_options.txt
393 +++ b/meson_options.txt
395 option('arch_prefix', description: 'Define a custom arch prefix for default arch', type: 'string')
396 +option('crypto_backend', description: 'Crypto backend', type: 'combo', choices: ['openssl', 'mbedtls'], value: 'openssl')
397 option('compressed-help', description: 'Compress help database, needs lua-zlib', type: 'boolean', value: true)
398 option('docs', description: 'Build manpages with scdoc', type: 'feature', value: 'auto')
399 option('help', description: 'Build help into apk binaries, needs lua', type: 'feature', value: 'auto')
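Review bot: Nothing in this series compiles the new `mbedtls` choice in CI — patch 1 added the `test:alpine-alt-config` job for the wget backend, but this commit's diffstat touches no CI file, so the 285-line `crypto_mbedtls.c` is only ever built by whoever selects the option locally. Extending that job (or adding a sibling) with `-Dcrypto_backend=mbedtls` and the mbedtls development package would catch build breakage early, which matters here because the backend special-cases the 2.x and 3.x mbedtls APIs. The option description `'Crypto backend'` could also name the consequence, e.g. `'Crypto backend used for digests and signature verification'`.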
400 diff --git a/portability/getrandom.c b/portability/getrandom.c
402 index 00000000..b2f4a07c
404 +++ b/portability/getrandom.c
406 +#include <sys/random.h>
407 +#include <sys/types.h>
411 +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
416 + fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC);
420 + ret = read(fd, buf, buflen);
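Review bot: The fallback does a single `read` on `/dev/urandom` and hands its result straight back, so a short read (interrupted by a signal, or a large `buflen`) returns fewer bytes than requested without retrying, and `flags` is accepted but never consulted. A loop that keeps reading until `buflen` bytes have been collected, retrying on `EINTR`, would match what callers such as the mbedtls RNG hook in this series expect from getrandom(2); `errno.h` must be in scope for that if it is not already. The lines that check the `open` result and close `fd` are not visible here, so descriptor handling on the error paths could not be confirmed.
```c
	/* … unchanged: declarations, open("/dev/urandom") and its error check … */
	size_t got = 0;
	ret = 0;
	while (got < buflen) {
		ssize_t n = read(fd, (char *)buf + got, buflen - got);
		if (n < 0) {
			if (errno == EINTR) continue;
			ret = -1;		/* errno left as set by read() */
			break;
		}
		if (n == 0) break;		/* EOF is not expected from /dev/urandom */
		got += (size_t)n;
	}
	if (ret == 0) ret = (ssize_t)got;
	/* … unchanged: close(fd) and return ret … */
```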
425 diff --git a/portability/meson.build b/portability/meson.build
426 index 89957c3c..3172044e 100644
427 --- a/portability/meson.build
428 +++ b/portability/meson.build
429 @@ -3,7 +3,8 @@ cc = meson.get_compiler('c')
430 libportability_src = []
433 - ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
434 + ['getrandom', 'getrandom.c', 'NEED_GETRANDOM', 'sys/random.h'],
435 + ['memrchr', 'memrchr.c', 'NEED_MEMRCHR', 'string.h'],
436 ['mknodat', 'mknodat.c', 'NEED_MKNODAT', 'sys/stat.h'],
437 ['pipe2', 'pipe2.c', 'NEED_PIPE2', 'unistd.h'],
438 ['qsort_r', 'qsort_r.c', 'NEED_QSORT_R', 'stdlib.h'],
439 diff --git a/portability/sys/random.h b/portability/sys/random.h
441 index 00000000..02d5b1ca
443 +++ b/portability/sys/random.h
445 +#include_next <sys/random.h>
446 +#include <sys/types.h>
448 +#ifdef NEED_GETRANDOM
449 +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
451 diff --git a/src/apk_crypto.h b/src/apk_crypto.h
452 index 7de88dfc..5cae3bfe 100644
453 --- a/src/apk_crypto.h
454 +++ b/src/apk_crypto.h
457 #include "apk_defines.h"
458 #include "apk_blob.h"
460 +#if defined(CRYPTO_USE_OPENSSL)
461 #include "apk_crypto_openssl.h"
462 +#elif defined(CRYPTO_USE_MBEDTLS)
463 +#include "apk_crypto_mbedtls.h"
468 diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h
470 index 00000000..5481d149
472 +++ b/src/apk_crypto_mbedtls.h
474 +/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK)
476 + * Copyright (C) 2024
477 + * All rights reserved.
479 + * SPDX-License-Identifier: GPL-2.0-only
482 +#ifndef APK_CRYPTO_MBEDTLS_H
483 +#define APK_CRYPTO_MBEDTLS_H
485 +#include <mbedtls/md.h>
486 +#include <mbedtls/pk.h>
487 +#include <mbedtls/bignum.h>
491 + mbedtls_pk_context key;
494 +struct apk_digest_ctx {
495 + mbedtls_md_context_t mdctx;
496 + struct apk_pkey *sigver_key;
500 +/* based on mbedtls' internal pkwrite.h calculations */
501 +#define APK_ENC_KEY_MAX_LENGTH (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
504 diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c
506 index 00000000..73d60e9d
508 +++ b/src/crypto_mbedtls.c
514 +#include <sys/random.h>
515 +#include <sys/stat.h>
518 +#include <mbedtls/platform.h>
519 +#include <mbedtls/md.h>
520 +#include <mbedtls/pk.h>
521 +#include <mbedtls/entropy.h>
523 +#ifdef MBEDTLS_PSA_CRYPTO_C
524 +#include <psa/crypto.h>
527 +#include "apk_crypto.h"
529 +static inline const mbedtls_md_type_t apk_digest_alg_to_mbedtls_type(uint8_t alg) {
531 + case APK_DIGEST_NONE: return MBEDTLS_MD_NONE;
532 + case APK_DIGEST_MD5: return MBEDTLS_MD_MD5;
533 + case APK_DIGEST_SHA1: return MBEDTLS_MD_SHA1;
534 + case APK_DIGEST_SHA256_160:
535 + case APK_DIGEST_SHA256: return MBEDTLS_MD_SHA256;
536 + case APK_DIGEST_SHA512: return MBEDTLS_MD_SHA512;
539 + return MBEDTLS_MD_NONE;
543 +static inline const mbedtls_md_info_t *apk_digest_alg_to_mdinfo(uint8_t alg)
545 + return mbedtls_md_info_from_type(
546 + apk_digest_alg_to_mbedtls_type(alg)
550 +int apk_digest_calc(struct apk_digest *d, uint8_t alg, const void *ptr, size_t sz)
552 + if (mbedtls_md(apk_digest_alg_to_mdinfo(alg), ptr, sz, d->data))
553 + return -APKE_CRYPTO_ERROR;
555 + apk_digest_set(d, alg);
559 +int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg)
563 + mbedtls_md_init(&dctx->mdctx);
564 + if (alg == APK_DIGEST_NONE) return 0;
565 + if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
566 + mbedtls_md_starts(&dctx->mdctx))
567 + return -APKE_CRYPTO_ERROR;
572 +int apk_digest_ctx_reset(struct apk_digest_ctx *dctx)
574 + if (dctx->alg == APK_DIGEST_NONE) return 0;
575 + if (mbedtls_md_starts(&dctx->mdctx)) return -APKE_CRYPTO_ERROR;
579 +int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg)
581 + mbedtls_md_free(&dctx->mdctx);
584 + if (alg == APK_DIGEST_NONE) return 0;
585 + if (mbedtls_md_setup(&dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
586 + mbedtls_md_starts(&dctx->mdctx))
587 + return -APKE_CRYPTO_ERROR;
592 +void apk_digest_ctx_free(struct apk_digest_ctx *dctx)
594 + mbedtls_md_free(&dctx->mdctx);
597 +int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz)
599 + if (dctx->alg == APK_DIGEST_NONE) return 0;
600 + return mbedtls_md_update(&dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
603 +int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d)
605 + if (mbedtls_md_finish(&dctx->mdctx, d->data)) {
606 + apk_digest_reset(d);
607 + return -APKE_CRYPTO_ERROR;
610 + d->alg = dctx->alg;
611 + d->len = apk_digest_alg_len(d->alg);
615 +static int apk_load_file_at(int dirfd, const char *fn, unsigned char **buf, size_t *n)
621 + if ((fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC)) < 0)
624 + if (fstat(fd, &stats)) {
629 + size = (size_t)stats.st_size;
632 + if (size == 0 || (*buf = mbedtls_calloc(1, size + 1)) == NULL)
633 + return MBEDTLS_ERR_PK_ALLOC_FAILED;
635 + if (read(fd, *buf, size) != size) {
638 + mbedtls_platform_zeroize(*buf, size);
639 + mbedtls_free(*buf);
641 + return MBEDTLS_ERR_PK_FILE_IO_ERROR;
645 + (*buf)[size] = '\0';
647 + if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
654 +static int apk_pkey_init(struct apk_pkey *pkey)
656 + unsigned char dig[APK_DIGEST_MAX_LENGTH];
657 + unsigned char pub[APK_ENC_KEY_MAX_LENGTH] = {};
659 + int len, r = -APKE_CRYPTO_ERROR;
661 + c = pub + APK_ENC_KEY_MAX_LENGTH;
663 + // key is written backwards into pub starting at c!
664 + if ((len = mbedtls_pk_write_pubkey(&c, pub, &pkey->key)) < 0) return -APKE_CRYPTO_ERROR;
665 + if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), c, len, dig)) {
666 + memcpy(pkey->id, dig, sizeof pkey->id);
673 +void apk_pkey_free(struct apk_pkey *pkey)
675 + mbedtls_pk_free(&pkey->key);
678 +static int apk_random(void *ctx, unsigned char *out, size_t len)
680 + return (int)getrandom(out, len, 0);
683 +#if MBEDTLS_VERSION_NUMBER >= 0x03000000
684 +static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
686 + return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0, apk_random, NULL);
688 +static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
689 + unsigned char *sig, size_t *sig_len)
691 + return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
692 + (const unsigned char *)&dig->data, dig->len, sig, sizeof *sig, sig_len,
696 +static inline int apk_mbedtls_parse_privkey(struct apk_pkey *pkey, const unsigned char *buf, size_t blen)
698 + return mbedtls_pk_parse_key(&pkey->key, buf, blen, NULL, 0);
700 +static inline int apk_mbedtls_sign(struct apk_digest_ctx *dctx, struct apk_digest *dig,
701 + unsigned char *sig, size_t *sig_len)
703 + return mbedtls_pk_sign(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
704 + (const unsigned char *)&dig->data, dig->len, sig, sig_len, apk_random, NULL);
708 +int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn)
710 + unsigned char *buf = NULL;
714 + if (apk_load_file_at(dirfd, fn, &buf, &blen))
715 + return -APKE_CRYPTO_ERROR;
717 + mbedtls_pk_init(&pkey->key);
718 + if ((ret = mbedtls_pk_parse_public_key(&pkey->key, buf, blen)) != 0)
719 + ret = apk_mbedtls_parse_privkey(pkey, buf, blen);
721 + mbedtls_platform_zeroize(buf, blen);
724 + return -APKE_CRYPTO_KEY_FORMAT;
726 + return apk_pkey_init(pkey);
729 +int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
731 + if (apk_digest_ctx_reset_alg(dctx, alg))
732 + return -APKE_CRYPTO_ERROR;
734 + dctx->sigver_key = pkey;
739 +int apk_sign(struct apk_digest_ctx *dctx, void *sig, size_t *len)
741 + struct apk_digest dig;
744 + if (apk_digest_ctx_final(dctx, &dig))
745 + return -APKE_SIGNATURE_GEN_FAILURE;
747 + if (apk_mbedtls_sign(dctx, &dig, sig, len))
748 + r = -APKE_SIGNATURE_GEN_FAILURE;
750 + dctx->sigver_key = NULL;
754 +int apk_verify_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
756 + if (apk_digest_ctx_reset_alg(dctx, alg))
757 + return -APKE_CRYPTO_ERROR;
759 + dctx->sigver_key = pkey;
764 +int apk_verify(struct apk_digest_ctx *dctx, void *sig, size_t len)
766 + struct apk_digest dig;
769 + if (apk_digest_ctx_final(dctx, &dig))
770 + return -APKE_SIGNATURE_GEN_FAILURE;
772 + if (mbedtls_pk_verify(&dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
773 + (const unsigned char *)&dig.data, dig.len, sig, len))
774 + r = -APKE_SIGNATURE_INVALID;
776 + dctx->sigver_key = NULL;
780 +static void apk_crypto_cleanup(void)
782 +#ifdef MBEDTLS_PSA_CRYPTO_C
783 + mbedtls_psa_crypto_free();
787 +void apk_crypto_init(void)
789 + atexit(apk_crypto_cleanup);
791 +#ifdef MBEDTLS_PSA_CRYPTO_C
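Review bot: In the `MBEDTLS_VERSION_NUMBER >= 0x03000000` variant of `apk_mbedtls_sign`, `sizeof *sig` evaluates to 1 because `sig` is an `unsigned char *`, so mbedtls_pk_sign is told the output buffer holds one byte and will reject every signature as too small; the capacity the caller provides belongs there — presumably `*sig_len` on entry, the same in/out convention `EVP_DigestSignFinal` follows in the OpenSSL backend — i.e. `sig, *sig_len, sig_len,`. `apk_random` returns the byte count from `getrandom`, but an mbedtls `f_rng` callback is expected to return 0 on success and non-zero on failure, so a successful fill is reported as an error wherever mbedtls checks that return (RSA blinding inside mbedtls_pk_sign, private-key parsing on 3.x); `return getrandom(out, len, 0) == (ssize_t) len ? 0 : MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;` satisfies the contract. `apk_verify` maps a failed digest finalisation to `-APKE_SIGNATURE_GEN_FAILURE`, which reads as a signing error on the verification path. `unsigned char pub[...] = {};` in `apk_pkey_init` is a GNU/C23 empty initializer; `= {0}` is the C11 spelling. Parts of this file are elided in this view, so the `len` contract should be confirmed against `apk_sign`'s callers before changing the size argument.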
795 diff --git a/src/meson.build b/src/meson.build
796 index 38e9d3b0..e1204fc0 100644
797 --- a/src/meson.build
798 +++ b/src/meson.build
800 +crypto_backend = get_option('crypto_backend')
801 url_backend = get_option('url_backend')
803 libapk_so_version = '2.99.0'
804 @@ -15,7 +16,7 @@ libapk_src = [
808 - 'crypto_openssl.c',
809 + 'crypto_@0@.c'.format(crypto_backend),
813 @@ -40,7 +41,7 @@ libapk_headers = [
817 - 'apk_crypto_openssl.h',
818 + 'apk_crypto_@0@.h'.format(crypto_backend),
822 @@ -89,6 +90,17 @@ apk_src = [
827 + '-DAPK_VERSION="' + meson.project_version() + '"',
828 + '-D_ATFILE_SOURCE',
831 +if crypto_backend == 'openssl'
832 + apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ]
833 +elif crypto_backend == 'mbedtls'
834 + apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ]
838 genhelp_script = files('genhelp.lua')
839 genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
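Review bot: `-DCRYPTO_USE_OPENSSL` / `-DCRYPTO_USE_MBEDTLS` go only into `apk_cargs`, yet `apk_crypto.h` (patched earlier in this commit) selects its backend header solely on those macros, so every target that compiles `crypto_@0@.c` or includes `apk_crypto.h` — the libapk shared and static libraries and the lua bindings, which are defined outside this hunk — must receive the same define or the header pulls in no backend at all. If those targets are not built with `apk_cargs`, a separate `crypto_cargs` list appended to each would be safer than relying on the apk binary's flags. An `#else` / `#error "no crypto backend selected"` branch in `apk_crypto.h` would turn a missing define into a compile error rather than a confusing cascade of unknown types; the tail of that header's hunk is not visible here, so it may already exist.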
840 @@ -115,11 +127,6 @@ endif
842 apk_src += [ generated_help ]
845 - '-DAPK_VERSION="' + meson.project_version() + '"',
846 - '-D_ATFILE_SOURCE',
849 apk_arch_prefix = get_option('arch_prefix')
850 if apk_arch_prefix != ''
851 apk_cargs += ['-DAPK_ARCH_PREFIX="@0@"'.format(apk_arch_prefix)]
856 From 34bb1021284dccbf97f02b0a0bb9e751b8887cad Mon Sep 17 00:00:00 2001
857 From: Christian Marangi <ansuelsmth@gmail.com>
858 Date: Tue, 16 Apr 2024 17:56:45 +0200
859 Subject: [PATCH 4/4] add option to configure crypto backend in legacy make
862 Define CRYPTO to select mbedtls as an alternative crypto backend. By
863 default openssl is used.
865 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
867 src/Makefile | 20 +++++++++++++++-----
868 1 file changed, 15 insertions(+), 5 deletions(-)
870 diff --git a/src/Makefile b/src/Makefile
871 index efdc68df..97db0e72 100644
874 @@ -20,9 +20,9 @@ libapk_soname := 2.99.0
875 libapk_so := $(obj)/libapk.so.$(libapk_soname)
876 libapk.so.$(libapk_soname)-objs := \
877 adb.o adb_comp.o adb_walk_adb.o adb_walk_genadb.o adb_walk_gentext.o adb_walk_text.o apk_adb.o \
878 - atom.o blob.o commit.o common.o context.o crypto.o crypto_openssl.o ctype.o database.o hash.o \
879 - extract_v2.o extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o \
880 - print.o solver.o trust.o version.o
881 + atom.o blob.o commit.o common.o context.o crypto.o ctype.o database.o hash.o extract_v2.o \
882 + extract_v3.o fs_fsys.o fs_uvol.o io.o io_gunzip.o tar.o package.o pathbuilder.o print.o \
883 + solver.o trust.o version.o
885 libapk.so.$(libapk_soname)-libs :=
887 @@ -34,6 +34,16 @@ libapk.so.$(libapk_soname)-objs += io_url_libfetch.o
888 libapk.so.$(libapk_soname)-libs += libfetch/libfetch.a
891 +ifeq ($(CRYPTO),mbedtls)
892 +CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags mbedtls mbedcrypto) -DCRYPTO_USE_MBEDTLS
893 +CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs mbedtls mbedcrypto)
894 +libapk.so.$(libapk_soname)-objs += crypto_mbedtls.o
896 +CRYPTO_CFLAGS := $(shell $(PKG_CONFIG) --cflags openssl) -DCRYPTO_USE_OPENSSL
897 +CRYPTO_LIBS := $(shell $(PKG_CONFIG) --libs openssl)
898 +libapk.so.$(libapk_soname)-objs += crypto_openssl.o
901 # ZSTD support can be disabled
903 ZSTD_CFLAGS := $(shell $(PKG_CONFIG) --cflags libzstd)
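Review bot: `$(shell $(PKG_CONFIG) --cflags mbedtls mbedcrypto)` expands to nothing when pkg-config does not know those modules — as far as I recall mbedtls only began shipping .pc files with its 3.6 release — so on older installs `CRYPTO_CFLAGS` degrades to the bare `-DCRYPTO_USE_MBEDTLS`, `CRYPTO_LIBS` is empty, and the failure only surfaces as undefined references at link time. The meson path fails at configure time through `dependency('mbedtls')`, so the two build systems behave differently here; a guard such as `$(if $(shell $(PKG_CONFIG) --exists mbedtls mbedcrypto && echo y),,$(error mbedtls/mbedcrypto not found via pkg-config))`, or `?=` assignments that let the user supply `CRYPTO_LIBS := -lmbedtls -lmbedx509 -lmbedcrypto`, would make the selection fail early. The `ifeq`'s `else` line and closing `endif` are elided in this view.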
904 @@ -100,9 +110,9 @@ LIBS_apk.static := -Wl,--as-needed -ldl -Wl,--no-as-needed
905 LDFLAGS_apk += -L$(obj)
906 LDFLAGS_apk-test += -L$(obj)
908 -CFLAGS_ALL += $(OPENSSL_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
909 +CFLAGS_ALL += $(CRYPTO_CFLAGS) $(ZLIB_CFLAGS) $(ZSTD_CFLAGS)
910 LIBS := -Wl,--as-needed \
911 - $(OPENSSL_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \
912 + $(CRYPTO_LIBS) $(ZLIB_LIBS) $(ZSTD_LIBS) \