summaryrefslogtreecommitdiff
path: root/methods
Commit message (Collapse)AuthorAgeFilesLines
* Add 'explicit' to most single argument constructorsJulian Andres Klode2019-04-301-1/+1
| | | | | | | | | | | This prevents implicit conversions that we do not want, such as having a FileFd* being converted to a debListParser. Two cases are not yet handled because they require changes in code using them: 1. The classes in hashes.h 2. The URI class - this one is used quite a lot
* Fix new gcc-9 warning -Wpessimizing-moveDavid Kalnischkies2019-04-161-1/+1
| | | | | | | | warning: moving a local object in a return statement prevents copy elision [-Wpessimizing-move] Reported-By: gcc-9 Gbp-Dch: Ignore
* aptmethod.h: Do not have gcc warning about ignoring write() resultJulian Andres Klode2019-02-051-0/+7
| | | | | This is a special case here, a best effort write, so there's no point in having warnings about it for every method.
* Communicate back which key(s) were used for signingDavid Kalnischkies2019-01-221-19/+60
| | | | | | | Telling the acquire system which keys caused the gpgv method to succeed allows us for now just a casual check if the gpgv method really executed catching bugs like CVE-2018-0501, but we will make use of the information for better features in the following commits.
* Refactor internal Signers information storage in gpgvDavid Kalnischkies2019-01-221-73/+67
| | | | | | | | | Having a method take a bunch of string vectors is bad style, so we change this to a wrapping struct and adapt the rest of the code brushing it up slightly in the process, which results even in a slightly "better" debug output, no practical change otherwise. Gbp-Dch: Ignore
* Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)Julian Andres Klode2018-12-041-11/+36
| | | | | | | | | This allows us to install matching auth files for sources.list.d files, for example; very useful. This converts aptmethod's authfd from one FileFd to a vector of pointers to FileFd, as FileFd cannot be copied, and move operators are hard.
* Fix typo reported by codespell in code commentsDavid Kalnischkies2018-11-251-1/+1
| | | | | | | | No user visible change expect for some years old changelog entries, so we don't really need to add a new one for this… Reported-By: codespell Gbp-Dch: Ignore
* Allow setting Referer header for http methodDavid Kalnischkies2018-11-251-0/+4
| | | | | | Not needed for common interactions, but for some download-file interactions it could be useful to set a specific referer as some servers do not serve requested files otherwise.
* Revert "http: Fix handling of server connection closure"Julian Andres Klode2018-11-131-3/+4
| | | | | | | | This reverts commit fb3f36593563d09a8d1727cc7c6deb0b49823ca2. It caused downloads to hang on long-lived connections on certain servers. Gbp-Dch: full
* http: Fix handling of server connection closureJulian Andres Klode2018-11-121-4/+3
| | | | | | | | | | | | | If the server closed the connection while we're reading data, and we end up not having any data left to write; that is, for example, we received 0 bytes, then we did not exit before, as we only returned success if there was data to write. This is wrong: Obviously, if we have reached our limit, we are done anyway. It's a bit unclear if we actually ever reached this part, but it does make some sense wrt the bug below. LP: #1801338
* Merge branch 'feature/subkeys' into 'master'Julian Andres Klode2018-10-141-18/+64
|\ | | | | | | | | Support subkeys and multiple keyrings in Signed-By options See merge request apt-team/apt!27
| * Support multiple keyrings in sources.list Signed-ByDavid Kalnischkies2018-09-111-11/+29
| | | | | | | | | | | | | | A user can specify multiple fingerprints for a while now, so its seems counter-intuitive to support only one keyring, especially if this isn't really checked or enforced and while unlikely mixtures of both should work properly, too, instead of a kinda random behaviour.
| * Support subkeys properly in Signed-By optionsDavid Kalnischkies2018-09-111-8/+36
| | | | | | | | | | | | | | | | If we limit a file to be signed by a certain key it should usually accept also being signed by any of this keys subkeys instead of requiring each subkey to be listed explicitly. If the later is really wanted we support now also the same syntax as gpg does with appending an exclamation mark at the end of the fingerprint to force no mapping.
* | http: Stop pipeline after close only if it was not filled beforeJulian Andres Klode2018-09-182-6/+21
|/ | | | | | | | | | | | | | It is perfectly valid behavior for a server to respond with Connection: close eventually, even when pipelining. Turning off pipelining due to that is wrong. For example, some Ubuntu mirrors close the connection after 101 requests. If I have more packages to install, only the first 101 would benefit from pipelining. This commit introduces a new check to only turn of pipelining for future connections if the pipeline for this connection did not have 3 successful fetches before, that should work quite well to detect broken server/proxy combinations like in bug 832113.
* Report (soon) worthless keys if gpg uses fpr for GOODSIGDavid Kalnischkies2018-08-191-35/+24
| | | | | | | | | | gpgs DETAILS documentation file declares that GOODSIG could report keyid or fingerprint since gpg2, but for the time being it is still keyid only. Who knows if that will ever change as that feels like an interface break with dangerous security implications, but lets be better safe than sorry especially as the code dealing with signed-by keyids is prepared for this already. This code is rewritten still to have them all use the same code for this type of problem.
* Use steady clock source for bandwidth limitationDavid Kalnischkies2018-05-292-10/+11
| | | | | Using the time of day for this is slightly wrong just like it is for progress, just less visible.
* Remove unused time-tracking from http methodDavid Kalnischkies2018-05-282-20/+0
| | | | | | | The Stats method isn't called anywhere, was partly commented out before, but we keep updating the time for it – lets avoid this pointless busywork. Gbp-Dch: Ignore
* Lower default timeout from 120s to 30sJulian Andres Klode2018-05-244-5/+5
| | | | | 120s is an insanely high default time out, lower it to 30s to make things a bit nicer.
* Handle a missed case of timed out ip addressesJulian Andres Klode2018-05-241-0/+1
| | | | | | | Correctly register timed out IP addresses from a timed out select() call as a bad address so we do not try it again. LP: #1766542
* Reword error for timed out read/write on SOCKS proxyDavid Kalnischkies2018-05-191-1/+6
| | | | Closes: #898886
* use 127.0.0.1 instead of localhost as default Tor proxyDavid Kalnischkies2018-05-111-1/+1
| | | | | | This shouldn't make a practical difference for most people, but for edge cases it avoids DNS lookups and additionally prevents us from perfoming unneeded SRV requests, too.
* Remove obsolete RCS keywordsGuillem Jover2018-05-0713-16/+3
| | | | Prompted-by: Jakub Wilk <jwilk@debian.org>
* Allow restart_syscall() syscall in seccomp sandboxesJulian Andres Klode2018-04-061-0/+1
| | | | Closes: #891644
* Turn off seccomp sandboxing by defaultJulian Andres Klode2018-04-061-1/+1
| | | | | | LP: #1732030 Closes: #890489 Fixes meefik/linuxdeploy#869
* use a more standard approach to disable security for cdrom methodDavid Kalnischkies2018-02-191-2/+8
| | | | | | | | | | | | It is sad that we can't wrap the cdrom method tighter at the moment, but due to its ability to mount drives into arbitrary places via an external suid binary we can't really do a lot better at the moment. What we can do is set the options in the configuration space through as it is standard in the other methods instead of doing it in main() which is assumed to be more boilerplatey than actually doing something. Gbp-Dch: Ignore
* non-local mirrorlists shouldn't redirect to localDavid Kalnischkies2018-01-032-3/+47
| | | | | | | | | A mirror list we get from an non-local source like http shouldn't be able to include e.g. file sources and even with other online sources we need to be careful: They also shouldn't include prefixed methods like 'tor+http'. So apply magic based on how the method is called: mirror+file will be allowed to redirect to any source while tor+mirror+file allows all, but sends them to their tor+ variant.
* add tag-based control over mirror choices from the listDavid Kalnischkies2018-01-031-34/+103
| | | | | | | | | | | The old implementation used to construct a query string including the release(s) the mirrorlist should be for, but that is hard to deal with as this rules out that partial mirrors are included in the list and it turns out that nobody ended up implementing it on the server side. Controlling this on the client side allows partial mirrors to be included and as a bonus prevents that we tell the mirrorlist server (this rather generic) user information.
* require methods to request AuxRequest capability at startupDavid Kalnischkies2018-01-031-1/+1
| | | | | | Allowing a method to request work from other methods is a powerful capability which could be misused or exploited, so to slightly limited the surface let method opt-in into this capability on startup.
* reimplement and simplify mirror:// methodDavid Kalnischkies2018-01-036-478/+251
| | | | | | | | | | Embedding an entire acquire stack and HTTP logic in the mirror method made it rather heavy weight and fragile. This reimplement goes the other way by doing only the bare minimum in the method itself and instead redirect the actual download of files to their proper methods. The reimplementation drops the (in the real world) unused query-string feature as it isn't really implementable in the new architecture.
* Correctly report transient errors againJulian Andres Klode2018-01-031-4/+8
| | | | | | | | | | | | | | Commit 47c0bdc310c8cd62374ca6e6bb456dd183bdfc07 ("report transient errors as transient error") accidentally changed some connection failures to become non-transient, because the result of the error checks where being ignored and then fatal error was returned if an error was pending - even if that error was trivial. After the merge of pu/happy-eyeballs2a this becomes a lot clearer, and easy to fix. Gbp-Dch: ignore Regression-Of: 47c0bdc310c8cd62374ca6e6bb456dd183bdfc07
* Add rapid "happy eyeballs" connection fallback (RFC 8305)Julian Andres Klode2018-01-031-26/+100
| | | | | | | | | | | | | | | | | | | | | | Try establishing connections in alternating address families in rapid intervals of 250 ms, adding more connections to the wait list until one succeeds (RFC 8305, happy eyeballs 2). It is important that WaitAndCheckErrors() waits until it has a successful connection, a time out, or all connections failed - otherwise the timing between tries might be wrong, and the final long wait might exit early because one connection failed without trying the others. Timing wise, this only works correctly on Linux, as select() counts down there. But we rely on that in some other places too, so this is not the time to fix that. Timeouts are only reported in the final long wait - the short inner waits are expected to time out more often, and multiple times, we do not want to report them. Closes: #668948 LP: #1308200 Gbp-Dch: paragraph
* connect: Extract Connection::CheckError() methodJulian Andres Klode2018-01-031-0/+6
| | | | | | | | Extracting the error checking method allows us to reuse it in different places, so we can move the waiting and checking out of DoConnect() eventually. Gbp-Dch: ignore
* connect: Store the IP used when picking a connectionJulian Andres Klode2018-01-031-9/+5
| | | | | | There's no real point in storing the IP address while resolving it - failure messages include the IP address in any case. Do this when picking the connection for actual use instead.
* connect: Extract a Connection structJulian Andres Klode2018-01-031-8/+36
| | | | | | | | This struct holds information about a connection attempt, like the addrinfo, the resolved address, the fd for the connection, and so on. Gbp-Dch: ignore
* connect: Alternate address families for addressesJulian Andres Klode2018-01-031-24/+48
| | | | | | | | | As a first step to implementing Happy Eyeballs version 2, we need to order the list of hosts getaddrinfo() gave us so it alternates between preferred and other address families. RFC: https://tools.ietf.org/html/rfc8305 Gbp-Dch: ignore
* report transient errors as transient errorsDavid Kalnischkies2017-12-139-232/+433
| | | | | | | | | | | | The Fail method for acquire methods has a boolean parameter indicating the transient-nature of a reported error. The problem with this is that Fail is called very late at a point where it is no longer easily identifiable if an error is indeed transient or not, so some calls were and some weren't and the acquire system would later mostly ignore the transient flag and guess by using the FailReason instead. Introducing a tri-state enum we can pass the information about fatal or transient errors through the callstack to generate the correct fails.
* mark some 500 HTTP codes as transient acquire errorsDavid Kalnischkies2017-12-131-1/+13
| | | | | | | If retries are enabled only transient errors are retried, which are very few errors. At least for some HTTP codes it could be beneficial to retry them through so adding them seems like a good idea if only to be more consistent in what we report.
* avoid some useless casts reported by -Wuseless-castDavid Kalnischkies2017-12-131-1/+1
| | | | | | | | | The casts are useless, but the reports show some where we can actually improve the code by replacing them with better alternatives like converting whatever int type into a string instead of casting to a specific one which might in the future be too small. Reported-By: gcc -Wuseless-cast
* Also look at https_proxy for https URLsJulian Andres Klode2017-11-191-4/+13
| | | | | We accidentally regressed here in 1.5 when replacing the https method.
* Do not attempt seccomp under qemu-user and drop EFAULT workaroundJulian Andres Klode2017-11-121-1/+37
| | | | | | | | | | | | | | | | | | | qemu-user passes prctl()-based seccomp through to the kernel, umodified. That's bad, as it blocks the wrong syscalls. We ignored EFAULT which fixed the problem for targets with different pointer sizes from the host, but was a bad hack. In order to identify qemu we can rely on the fact that qemu-user prints its version and exits with 0 if QEMU_VERSION is set to an unsupported value. If we run a command that should fail in such an environment, and it exits with 0, then we are running in qemu-user. apt-helper is an obvious command to run. The tests ensure it exits with 1, and it only prints usage information. We also could not use /bin/false because apt might just as well be from a foreign arch while /bin/false is not. Closes: #881519
* seccomp: Allow clock_nanosleep() and nanosleep() syscallsJulian Andres Klode2017-10-271-0/+2
| | | | We sleep in http.cc, so we should allow the sleeping syscalls.
* Drop unused gzip, lzma, bzip2, and xz symlinks of storeJulian Andres Klode2017-10-261-1/+1
| | | | | | The store method replaced them all, the symlinks where mostly for partial upgrades or whatever, they should not be needed any longer.
* seccomp: Allow ipc() for fakeroot, and allow sysinfo() for sortJulian Andres Klode2017-10-261-0/+2
| | | | | | | Sorting apparently calls sysconf() which calls sysinfo() to get free pages or whatever. Closes: #879814, #879826
* Print syscall number and arch to stderr when trapped by seccompJulian Andres Klode2017-10-261-0/+33
| | | | | | This should help debugging crashes. The signal handler is a C++11 lambda, yay! Special care has been taken to only use signal handler -safe functions inside there.
* Only warn about seccomp() EINVAL (normal) and EFAULT (qemu) errorsJulian Andres Klode2017-10-251-3/+5
| | | | | | | | | | If seccomp is disabled, we fallback to running without it. Qemu fails in the seccomp() call, returning ENOSYS and libseccomp falls back to prctl() without adjusting the pointer, causing the EFAULT. I hope qemu gets fixed at some point to return EINVAL for seccomp via prctl. Bug-Qemu: https://bugs.launchpad.net/qemu/+bug/1726394
* methods: Enable additional syscalls (SYSV IPC) in fakerootJulian Andres Klode2017-10-251-0/+10
| | | | | | | If FAKED_MODE is set, enable SYSV IPC so we don't crash when running in fakeroot. Closes: #879662
* CMake: methods: Cleanup link libraries, use OBJECT librariesJulian Andres Klode2017-10-231-17/+14
| | | | | | | | | | | | Use OBJECT libraries for http and connect stuff, and move the seccomp link expression into a global link_libraries() call. This also fixes a bug where only the http target pulled in the gnutls header arguments despite gnutls being used in connect.cc, and thus by mirror and ftp as well. Adjust translation support to ignore TARGET_OBJECTS sources and add the OBJECT libraries to the translated files.
* seccomp: Conditionalize statx() whitelistingJulian Andres Klode2017-10-231-0/+2
| | | | | statx was introduced in 4.11, so it fails to build in stretch if we just unconditionally use it.
* seccomp: Add missing syscalls for ppc64el, i386, and othersJulian Andres Klode2017-10-231-0/+11
| | | | | | | These are a few overlooked syscalls. Also add readv(), writev(), renameat2(), and statx() in case libc uses them. Gbp-Dch: ignore
* Sandbox methods with seccomp-BPF; except cdrom, gpgv, rshJulian Andres Klode2017-10-228-19/+240
| | | | | | | | | | | | This reduces the number of syscalls to about 140 from about 350 or so, significantly reducing security risks. Also change prepare-release to ignore the architecture lists in the build dependencies when generating the build-depends package for travis. We might want to clean up things a bit more and/or move it somewhere else.