summaryrefslogtreecommitdiff
path: root/methods
Commit message (Collapse)AuthorAgeFilesLines
* Fix regression that prevented sending intermediate client certificatesSam Hartman2025-01-231-1/+1
| | | | | | | | | | | The change from the GNUTLS backend to the OpenSSL backend only loads the first certificate from a client certificate file. As a result it is no longer possible to send intermediate client certificates to the server to assist in certificate verification. Instead call ssl_ctx_use_certificate_chain_file so intermediate certificates can be sent. Signed-off-by: Sam Hartman <hartmans@debian.org>
* sqv, gpgv: Do not fail if Dir::Etc::Trusted is set and trusted.gpg.d is missingJulian Andres Klode2025-01-221-0/+11
| | | | | | | | | | This should remain a warning case for now. So push the errors to a stack and see if we can find any file. Explictly warn again if Dir::Etc::trusted is set, as it is like _super_ deprecated. Reported-By: Cyril Brulebois <kibi@debian.org> in Bug#1032131
* Remove superseded warning about trusted.gpg fallbackJulian Andres Klode2025-01-212-68/+4
| | | | | | | | | | This warning has been superseded by the missing sources.list notice (which will also become a warning shortly) Adjust the sqv exit to avoid introducing a new spurious "No good signature" that we did not reach before. moo
* Workaround gcc 14.2.0-9 regression in no-tree-slp-vectorize on GravitonJulian Andres Klode2025-01-171-1/+1
| | | | | | | | | | | | | | | gcc 14.2.0-9 causes vector instructions to be emitted in the constructor when it is being inlined into BaseHttpMethod::Loop(), which seemingly only on Graviton instances, causes the field to be initialized to 0 (Chunked) instead of 2 (Closes), causing the code to fail later when it tries to interpret file data as the chunk size. It's plausible we are missing some register saving here - that is, the q31 register overrides an x register. Work around this by making Closes element 0, such that 0 initialisation results in the correct Closes value. Reported-By: Myon on IRC
* methods/connect: Avoid unused argument warningJulian Andres Klode2025-01-141-1/+1
|
* Merge branch 'fix/cleanup' into 'main'Julian Andres Klode2025-01-1413-60/+57
|\ | | | | | | | | Drop unused and obsolete macros as well as documentation See merge request apt-team/apt!428
| * Remove leftovers of the apt-key removalDavid Kalnischkies2025-01-052-5/+5
| | | | | | | | References: a00fbbdb28cc31e78882301c2efe7218583ab4cb
| * Drop APT_NORETURN usageDavid Kalnischkies2025-01-051-1/+1
| | | | | | | | | | [[noreturn]] is a C++11 feature and so we can just use it unconditionally.
| * Drop the remaining usage of APT_ARRAY_SIZEDavid Kalnischkies2025-01-051-8/+5
| | | | | | | | | | | | That macro is not that useful as it might perhaps once was. Lets prepare dropping it now in favour of more standard ways of working with arrays now.
| * Drop usage of macro APT_OVERRIDE for simple overrideDavid Kalnischkies2025-01-0513-46/+46
| | | | | | | | | | | | | | | | | | We were rather inconsistent in using it and as our public headers contain deduction guides (a c++17 feature) it seems silly to try to hide a c++11 feature in a macro, so lets stop this charade and drop the macro and while we are changing all these lines lets apply [[nodiscard]] (another c++17 feature) and other suggestions from clang-tidy and formatting for a little more consistency.
* | ssl: Explictly return -1 (error) or 0 (server closed connection)Julian Andres Klode2025-01-081-5/+9
| | | | | | | | | | | | SSL_read() and SSL_write may return 0 for errors, whereas our callers only expect -1 for errors and 0 for closed connections, so map this accordingly.
* | ssl: Set an error when we receive SSL_ERROR_SYSCALLJulian Andres Klode2025-01-081-0/+1
|/ | | | | | | | | | | | The OpenSSL docs say: > For socket I/O on Unix systems, consult errno for details but also: > This value can also be returned for other errors, > check the error queue for details. This means it's possible errno isn't set, in which case we may appear to have reached an EOF when we did not.
* Merge branch 'openssl-directory' into 'main'Julian Andres Klode2025-01-011-1/+1
|\ | | | | | | | | http: seccomp: Allow reading directories See merge request apt-team/apt!421
| * http: seccomp: Allow reading directoriesJulian Andres Klode2025-01-011-1/+1
| | | | | | | | | | | | This is needed by OpenSSL. Closes: #1091351
* | sqv: Avoid propagating errors between filesJulian Andres Klode2025-01-011-1/+12
|/ | | | | | | | | | | We inadvertently did not discard pending errors when the fallback to Dir::Etc::trusted succeeded, do so. Also add some quick safety checks to make sure we enter the verification in a good state, and that if somehow errors are pending after a verification we return false. Closes: #1091679
* methods: Add new sqv methodJulian Andres Klode2024-12-222-1/+352
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new sqv method uses sequoia's sqv tool to verify files. The tool's interface is quite simple: It returns 0 on success, and prints one line per good signer with the fingerprint. sqv has a configurable crypto policy. We have defined apt-specific override mechanisms for sequoia's standard policy, allowing both users, distributions, and apt package to provide overrides for Sequoia's default policy in meaningful ways. The sqv method will be built and be the standard method for verifying OpenPGP signatures provided that `sqv` is in the PATH during building. It is not built if there was no sqv at build time, so you need a rebuild to enable sqv later on. On the flip side, the gpgv method is always built, but it does need to be always built: If APT::Key::GPGVCommand is set, we need to fallback to it - this is important to support existing users of that interface such as mmdebstrap. Also we want to fall back to it when /usr/bin/sqv disappears - for example in our CI :D A couple of concessions have been made for test suite purposes: - Failure to split a clearsigned file only shows the summary, as the gpgv method also only showed it, and no details why it failed. - We write "Got GOODSIG <fingerprint>" in debug mode to mimic the gpgv code to keep the test suite happy. - In various places in the test suite we assert minimal output from sqv, but sqv's human output is not intended to be stable. This will incur additional work when it breaks. However we do not _parse_ the output, so actual operation of apt is unaffected. A couple of things are suboptimal here: - We are still doing clearsigned splitting ourselves. sqv only has support for detached signatures right now, whereas sqopv has support for clearsigned files as well (but sqopv does not provide any reasons for why signature verification fails or means to set a policy). - Deprecation of algorithms happens on a timebomb basis in sequoia. We have no means to give users warnings ahead of time if their configuration is outdated. We have implemented various bits that probably should be going away: - Fallback to trusted.gpg This is just annoying... - Support for fingerprints in Signed-By (no subkey matching though) The extra work here is arguably less compared to gpgv. - Check the keyring for correctness. With Signed-By everywhere, we should just error out rather than skip broken keyrings. Moo
* Remove GnuTLS and gcrypt supportJulian Andres Klode2024-12-223-282/+3
| | | | | OpenSSL is mandatory now, it is no longer possible to build without https support either.
* hashes, methods: Add OpenSSL backendsJulian Andres Klode2024-12-223-12/+302
| | | | | | | | | | | | | | | | | | | | Introduce an OpenSSL::Crypto backend for the hashes library and an OpenSSL::SSL backend for the TLS support in our https method. Many thanks to curl for showing the way with how to handle a CRL file. There are some memory leaks here with the TlsFd itself as well as the proxy support; and we should reorganize the code to generate the ssl object as late as possible. A peculiar aspect of OpenSSL is that SSL_has_pending() returns 1 even if SSL_read() will fail to read anything and return the equivalent of EAGAIN. We work around this here by also peeking ahead 1 byte. I was running a very high RTT connection from Germany to Australia for testing, and with the peeking it's using negligible amounts of CPU; before that, it was busy looping at 100%. Bad OpenSSL!
* methods/gpgv: Remove apt-key mentionsJulian Andres Klode2024-12-071-3/+3
|
* Detect working gpgv using gpgv --dump-optionsJulian Andres Klode2024-11-281-0/+6
| | | | | | | | | | | | This gains us support for not using an absolute path, which is nice, and we can now cache the invocation across fork() in the method. Still keep preferring absolute paths, this avoids execvp() having to iterate the path and reduces bug potential with custom gpgv in /usr/local. Fix the last entry in the list of gpgvs to say gpgv1
* Do not implode key file name vector for calling gpgvJulian Andres Klode2024-11-281-2/+1
| | | | Converting it to a comma-separated string and back loses precision.
* Merge branch 'fix/partialfilemirror' into 'main'Julian Andres Klode2024-11-224-86/+135
|\ | | | | | | | | Support uncompressed indexes from partial file:/ mirrors See merge request apt-team/apt!235
| * Look at non by-hash paths in copy and file methodsDavid Kalnischkies2024-11-223-86/+126
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ideally copy and file mirrors would support by-hash as well, but its harder to setup and maintain especially if you want to cache an online mirror who has by-hash enabled. We can avoid unneeded roundtrips (in the best case) and entire cache misses (in the usual worst case) by "just" telling methods that the URI we passed it has the requested file perhaps also in other paths. This is done in pseudo-relative paths as we would otherwise need to teach redirection code to rewrite those URIs as well. A method like http can easily ignore this value and await explicit instructions to look at that file, but inspecting the path in local sources via file or copy is (comparatively) free, so we just do it immediately. If that ends up being the wrong version of the file as by-hash would have protected us from we are in this feature branch now falling back to other mirrors which are like the ones online and in support of by-hash.
| * Do not assume mirror-URIs end in a filename causing a hangDavid Kalnischkies2024-11-221-2/+9
| | | | | | | | | | | | | | In practice most of them will, but making the acquire process hang in response if they don't seems like an overly excessive response if we can just support it gracefully to reply with an error (or actually succeed in the unlikely event this URI is actually correct).
| * Alternatively calculate alternative file hashes in file methodDavid Kalnischkies2024-11-221-0/+2
| | | | | | | | | | | | | | If we do not have the requested file we haven't calculated the hashes for it either and it is likely that the alternative file will be used, so to save the main thread from being busy with calculating hashes we do the calculation here in the method.
* | Tag hidden acquire classes as final for devirtualizationDavid Kalnischkies2024-11-227-9/+9
|/ | | | | | | gcc reports `warning: Declaring type ‘class X’ final would enable devirtualization of Y calls [-Wsuggest-final-types]`. Not that this would massively improve performance, but it shouldn't hurt telling the compiler what is obvious for a human.
* http: use Retry-After HTTP header to optimize retriesFelix Moessbauer2024-11-182-1/+29
| | | | | | | | | | | | | | | | | | | Some mirrors like snapshot.debian.org apply strict http rate limits. While apt already has an exponential backoff mechanism implemented, this is not sufficient due to the following reasons: 1. all retries happen roughly at the same time 2. the retry-after information from the server is not used We fix this by improving the algorithm: First, if present, the timestamp or duration of the Retry-After header is added to the exponential backoff, optimizing for success-on-second-try. Second, a random delay is added (delay += [0, delay]) to distribute the retries to not immediately run into the limit again. To avoid super-long delays, this is capped by the configured maximum delay. This logic only becomes active if the option Acquire::Retries::HandleRetryAfter is enabled. Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
* methods/http.cc: APT::StringView -> std::string_viewнаб2024-11-121-4/+3
|
* Turn char[APT_BUFFER_SIZE] buffers into std::array<char, APT_BUFFER_SIZE>наб2024-11-111-4/+5
|
* Remove ftp, rsh, ssh methods (disabled since 1.8)Julian Andres Klode2024-11-075-1921/+2
| | | | | | | | | These methods have been unsupported and disabled since 1.8, remove them for the 3.0 cleanup. Please migrate to http instead. If you need ad-hoc access to a remote repository, you can run `python3 -m http.server` on that machine and use SSH port forwarding to run http over ssh.
* Bump read()/write() loop buffers from 4k to APT_BUFFER_SIZE (64k). Bump ↵наб2024-11-072-2/+2
| | | | FileFdPrivate's read()/discard buffer from 1k to APT_BUFFER_SIZE (64k)
* Only revoke weak RSA keys for now, add 'next' and 'future' levelsJulian Andres Klode2024-07-151-0/+11
| | | | | | | | | | | Algorithms not in the next level give a warning, algorithms in not in the future level introduce an audit message for the --audit flag. next: >=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512 future: >=rsa3072,ed25519,ed448 LP: #2073126
* gpgv: Add a LaterWorthless level, a SoonWorthless but at 'audit' levelJulian Andres Klode2024-07-151-0/+10
|
* worker: Add an audit level to log audit messagesJulian Andres Klode2024-07-151-2/+10
|
* Revert "Temporarily downgrade key assertions to "soon worthless""Julian Andres Klode2024-04-091-1/+8
| | | | | | | | | | | | | We temporarily downgraded the errors to warnings to give the launchpad PPAs time to be fixed, but warnings are not safe: Untrusted keys could be hiding on your system, but just not used at the moment. Hence revert this so we get the errors we want. This reverts commit 66998ed3d299bede651ad40368bdb270f5f5b0f9. LP: #2060721 Gbp-Dch: full
* Support building without gnutlsSteve Langasek2024-03-033-6/+26
| | | | | | | | | Once in a generation, it may be necessary to bootstrap apt in an environment where gnutls is not yet available. This makes gnutls support in apt optional. You may also want a configure flag to force gnutls to be required from outside the buildsystem (e.g. debian/rules).
* Temporarily downgrade key assertions to "soon worthless"Julian Andres Klode2024-02-281-8/+1
| | | | | This will only issue warnings instead of errors while we continue cleaning up our repositories.
* Rename 'weak digest algorithm' to 'weak algorithm'Julian Andres Klode2024-02-281-1/+1
| | | | This allows us to render public key algorithms as weak as well.
* Implement gpgv --assert-pubkey-algo=>=rsa2048,ed25519,ed448Julian Andres Klode2024-02-281-0/+20
| | | | | | | | | | | | The assertion can be overriden using apt::key::assert-pubkey-algo, the default is the most opinionated one. This will inform the user during apt-cdrom add as we do not pass --quiet to user, so adjust test case. Add a simple test case for it to test-method-gpgv. LP: #2055193
* gpgv: Add a reason to worthless signersJulian Andres Klode2024-02-281-6/+26
|
* gpgv: Surface [GNUPG:] ERROR and [GNUPG:] WARNING status messagesJulian Andres Klode2024-02-281-0/+9
|
* Modernize standard library includesJulian Andres Klode2024-02-2014-47/+47
| | | | | | This was automated with sed and git-clang-format, and then I had to fix up the top of policy.cc by hand as git-clang-format accidentally indented it by two spaces.
* methods: store: Use APT_BUFFER_SIZE (64k) instead of 4k buffersJulian Andres Klode2023-08-301-1/+1
|
* We do not believe rsh was supposed to exclude GPL-3Julian Andres Klode2023-03-061-0/+14
|
* Ignore return of .c_str() in preemptive call for signal handlerDavid Kalnischkies2023-01-293-3/+3
| | | | | Reported-By: gcc-13 -Wunused-result Gbp-Dch: Ignore
* Actually delete temporary apt-key.*.asc helper filesJulian Andres Klode2022-10-311-1/+1
| | | | | | | During development there was an if (0) there for debugging purposes that unfortunately stayed in and caused files to accumulate. LP: #1995247
* Fix mirror method dequeuing incorrect itemsTroy Varney2022-04-281-2/+14
| | | | | | | | | | | | | When the mirror method handles a URI Acquire from apt for a mirror list it already has, it calls the `RedirectItem` function directly. This function assumes that the item being redirected is at the head of the queue, and as such calls `Dequeue` to remove it from the queue. This resulted in incorrect items being removed from the queue when this branch is taken and the queue was already non-empty, as the item to be handled in this case is actually the last item in the queue. This changes `RedirectItem` to properly remove the item passed to it instead of calling Dequeue.
* gpgv: Use Valid instead of Good to determine fallbackJulian Andres Klode2022-03-071-2/+2
| | | | | | | | | | | | Change the logic to use "Valid" instead of "Good" to determine whether we need to fallback and if fallback was successful. That means that if you have an expired key in trusted.gpg.d, and a non-expired in trusted.gpg, verification will now fail directly with the expired key in trusted.gpg.d and not try to fallback. Likewise, if the key in trusted.gpg is expired, this will now also be reported correctly again, instead of producing an error message that the key could not be found.
* gpgv: Fix legacy fallback on unavailable keysJulian Andres Klode2022-03-071-4/+10
| | | | | | | | | | | | | | | | | | | | | If a repository is signed with multiple keys, apt 2.4.0 would ignore the fallback result if some keys were still missing, causing signature verification to fail. Rework the logic such that when checking if fallback was "succesful", missing keys are ignored - it only matters if we managed to verify one key now, whether good or bad. Likewise, simplify the logic when to do the fallback: If there was a bad signature in trusted.gpg.d, do NOT fallback at all - this is a minor security issue, as a key in trusted.gpg.d could fail silently with a bad signature, and then a key in trusted.gpg might allow the signature to succeed (as trusted.gpg.d key is then missing). Only fallback if we are missing a good signature, and there are keys we have not yet checked.
* Warn if the legacy trusted.gpg keyring is used for verificationJulian Andres Klode2022-02-221-1/+43
| | | | | With apt-key going away, people need to manage key files, rather than keys, so they need to know if any keys are in the legacy keyring.