[openwrt/openwrt] apk: update to latest HEAD 2024-05-18

LEDE Commits lede-commits at lists.infradead.org
Sat May 18 06:32:28 PDT 2024


ansuel pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/99636d4dd8d4bda15b9e072d2d92dd5f4ae0580f

commit 99636d4dd8d4bda15b9e072d2d92dd5f4ae0580f
Author: Paul Spooren <mail at aparcar.org>
AuthorDate: Sat May 18 16:29:07 2024 +0300

    apk: update to latest HEAD 2024-05-18
    
    Drop downstream mbedtls patch since it went upstream.
    
    Signed-off-by: Paul Spooren <mail at aparcar.org>
    Link: https://github.com/openwrt/openwrt/pull/15522
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
---
 package/system/apk/Makefile                        |   6 +-
 .../system/apk/patches/0002-mbedtls-support.patch  | 715 ---------------------
 2 files changed, 3 insertions(+), 718 deletions(-)

diff --git a/package/system/apk/Makefile b/package/system/apk/Makefile
index 7aaf9f4c5e..332596719f 100644
--- a/package/system/apk/Makefile
+++ b/package/system/apk/Makefile
@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://gitlab.alpinelinux.org/alpine/apk-tools.git
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2024-04-16
-PKG_SOURCE_VERSION:=ba6c31a5469ef74fb85119508e55de9631ffef41
-PKG_MIRROR_HASH:=3455d5799481add9ece3db685576d58be6303f3a13140133979b965cbd3c9966
+PKG_SOURCE_DATE:=2024-05-18
+PKG_SOURCE_VERSION:=a6ce0a1be1a42a5cf4136eb0db5ea95168ee73fe
+PKG_MIRROR_HASH:=a5f59907cd742ec12f31f42910ea9a6ecfaf91e18218a7888836a01cfa272a72
 
 PKG_VERSION=3.0.0_pre$(subst -,,$(PKG_SOURCE_DATE))
 
diff --git a/package/system/apk/patches/0002-mbedtls-support.patch b/package/system/apk/patches/0002-mbedtls-support.patch
deleted file mode 100644
index d06db30f03..0000000000
--- a/package/system/apk/patches/0002-mbedtls-support.patch
+++ /dev/null
@@ -1,715 +0,0 @@
-From 68352e0cb94fe08b220d4befec828171ec871154 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras at iki.fi>
-Date: Fri, 5 Apr 2024 12:06:56 +0300
-Subject: [PATCH 1/2] add alternate url wget implementation
-
----
- meson.build       |   6 +-
- meson_options.txt |   1 +
- src/io_url_wget.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
- src/meson.build   |   8 ++-
- 4 files changed, 150 insertions(+), 2 deletions(-)
- create mode 100644 src/io_url_wget.c
-
-diff --git a/meson.build b/meson.build
-index 1a44c11f..9a14cac0 100644
---- a/meson.build
-+++ b/meson.build
-@@ -33,6 +33,10 @@ subproject = meson.is_subproject()
- 
- subdir('doc')
- subdir('portability')
--subdir('libfetch')
-+if get_option('url_backend') == 'libfetch'
-+	subdir('libfetch')
-+else
-+	libfetch_dep = dependency('', required: false)
-+endif
- subdir('src')
- subdir('tests')
-diff --git a/meson_options.txt b/meson_options.txt
-index 693f46ec..44b88b32 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
- option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
- option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
- option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
-+option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
- option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
- option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
-diff --git a/src/io_url_wget.c b/src/io_url_wget.c
-new file mode 100644
-index 00000000..d8885a4f
---- /dev/null
-+++ b/src/io_url_wget.c
-@@ -0,0 +1,137 @@
-+/* io_url_wget.c - Alpine Package Keeper (APK)
-+ *
-+ * Copyright (C) 2005-2008 Natanael Copa <n at tanael.org>
-+ * Copyright (C) 2008-2011 Timo Teräs <timo.teras at iki.fi>
-+ * All rights reserved.
-+ *
-+ * SPDX-License-Identifier: GPL-2.0-only
-+ */
-+
-+#include <spawn.h>
-+#include <unistd.h>
-+#include <sys/wait.h>
-+#include "apk_io.h"
-+
-+static int wget_translate_status(int status)
-+{
-+	if (!WIFEXITED(status)) return -EFAULT;
-+	switch (WEXITSTATUS(status)) {
-+	case 0: return 0;
-+	case 3: return -EIO;
-+	case 4: return -ENETUNREACH;
-+	case 5: return -EACCES;
-+	case 6: return -EACCES;
-+	case 7: return -EPROTO;
-+	default: return -APKE_REMOTE_IO;
-+	}
-+}
-+
-+struct apk_wget_istream {
-+	struct apk_istream is;
-+	int fd;
-+	pid_t pid;
-+};
-+
-+static int wget_spawn(const char *url, pid_t *pid, int *fd)
-+{
-+	int r, pipefds[2];
-+	posix_spawn_file_actions_t act;
-+	char *argv[] = {
-+		(char*)"wget", "-q", (char*) url, "-O", "-", 0
-+	};
-+
-+	if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno;
-+
-+	posix_spawn_file_actions_init(&act);
-+	posix_spawn_file_actions_adddup2(&act, pipefds[1], STDOUT_FILENO);
-+	r = posix_spawnp(pid, "wget", &act, 0, argv, environ);
-+	posix_spawn_file_actions_destroy(&act);
-+	if (r != 0) return -r;
-+	close(pipefds[1]);
-+	*fd = pipefds[0];
-+	return 0;
-+}
-+
-+static int wget_check_exit(struct apk_wget_istream *wis)
-+{
-+	int status;
-+
-+	if (wis->pid == 0) return apk_istream_error(&wis->is, 0);
-+	if (waitpid(wis->pid, &status, 0) == wis->pid) {
-+		wis->pid = 0;
-+		return apk_istream_error(&wis->is, wget_translate_status(status));
-+	}
-+	return 0;
-+}
-+
-+static void wget_get_meta(struct apk_istream *is, struct apk_file_meta *meta)
-+{
-+}
-+
-+static ssize_t wget_read(struct apk_istream *is, void *ptr, size_t size)
-+{
-+	struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is);
-+	ssize_t r;
-+
-+	r = read(wis->fd, ptr, size);
-+	if (r < 0) return -errno;
-+	if (r == 0) return wget_check_exit(wis);
-+	return r;
-+}
-+
-+static int wget_close(struct apk_istream *is)
-+{
-+	int r = is->err;
-+	struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is);
-+
-+	while (wis->pid != 0)
-+		wget_check_exit(wis);
-+
-+	close(wis->fd);
-+	free(wis);
-+	return r < 0 ? r : 0;
-+}
-+
-+static const struct apk_istream_ops wget_istream_ops = {
-+	.get_meta = wget_get_meta,
-+	.read = wget_read,
-+	.close = wget_close,
-+};
-+
-+struct apk_istream *apk_io_url_istream(const char *url, time_t since)
-+{
-+	struct apk_wget_istream *wis;
-+	int r;
-+
-+	wis = malloc(sizeof(*wis) + apk_io_bufsize);
-+	if (wis == NULL) return ERR_PTR(-ENOMEM);
-+
-+	*wis = (struct apk_wget_istream) {
-+		.is.ops = &wget_istream_ops,
-+		.is.buf = (uint8_t *)(wis + 1),
-+		.is.buf_size = apk_io_bufsize,
-+	};
-+	r = wget_spawn(url, &wis->pid, &wis->fd);
-+	if (r != 0) {
-+		free(wis);
-+		return ERR_PTR(r);
-+	}
-+
-+	return &wis->is;
-+}
-+
-+void apk_io_url_no_check_certificate(void)
-+{
-+}
-+
-+void apk_io_url_set_timeout(int timeout)
-+{
-+}
-+
-+void apk_io_url_set_redirect_callback(void (*cb)(int, const char *))
-+{
-+}
-+
-+void apk_io_url_init(void)
-+{
-+}
-diff --git a/src/meson.build b/src/meson.build
-index c1aae550..28bfce7e 100644
---- a/src/meson.build
-+++ b/src/meson.build
-@@ -22,7 +22,6 @@ libapk_src = [
- 	'fs_uvol.c',
- 	'hash.c',
- 	'io.c',
--	'io_url_libfetch.c',
- 	'io_gunzip.c',
- 	'package.c',
- 	'pathbuilder.c',
-@@ -87,6 +86,13 @@ apk_src = [
- 	'applet.c',
- ]
- 
-+url_backend = get_option('url_backend')
-+if url_backend == 'libfetch'
-+	libapk_src += [	'io_url_libfetch.c' ]
-+elif url_backend == 'wget'
-+	libapk_src += [	'io_url_wget.c' ]
-+endif
-+
- if lua_bin.found()
- 	genhelp_script = files('genhelp.lua')
- 	genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
--- 
-GitLab
-
-
-From dc7ff789a45522eb847118a29b60b896de55d083 Mon Sep 17 00:00:00 2001
-From: Jonas Jelonek <jelonek.jonas at gmail.com>
-Date: Sun, 14 Apr 2024 00:20:14 +0200
-Subject: [PATCH 2/2] crypto: add support for mbedtls as backend
-
-backend is selected at compile-time with crypto_backend option
-
-Co-developed-by: Christian Marangi <ansuelsmth at gmail.com>
-Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
-Signed-off-by: Jonas Jelonek <jelonek.jonas at gmail.com>
----
- libfetch/meson.build     |   2 +-
- meson.build              |  14 +-
- meson_options.txt        |   1 +
- src/apk_crypto.h         |   5 +
- src/apk_crypto_mbedtls.h |  26 ++++
- src/crypto_mbedtls.c     | 305 +++++++++++++++++++++++++++++++++++++++
- src/meson.build          |  23 ++-
- 7 files changed, 364 insertions(+), 12 deletions(-)
- create mode 100644 src/apk_crypto_mbedtls.h
- create mode 100644 src/crypto_mbedtls.c
-
-diff --git a/libfetch/meson.build b/libfetch/meson.build
-index 431ba197..e24f95eb 100644
---- a/libfetch/meson.build
-+++ b/libfetch/meson.build
-@@ -40,7 +40,7 @@ libfetch = static_library(
- 	c_args: libfetch_cargs,
- 	dependencies: [
- 		libportability_dep.partial_dependency(compile_args: true, includes: true),
--		openssl_dep.partial_dependency(compile_args: true, includes: true)
-+		crypto_dep.partial_dependency(compile_args: true, includes: true)
- 	],
- )
- 
-diff --git a/meson.build b/meson.build
-index 9a14cac0..3a83f4e1 100644
---- a/meson.build
-+++ b/meson.build
-@@ -13,15 +13,21 @@ apk_libdir = get_option('libdir')
- lua_bin = find_program('lua' + get_option('lua_version'), required: get_option('help'))
- lua_dep = dependency('lua' + get_option('lua_version'), required: get_option('lua'))
- scdoc_dep = dependency('scdoc', version: '>=1.10', required: get_option('docs'))
--openssl_dep = dependency('openssl')
--openssl_static_dep = dependency('openssl', static: true)
- zlib_dep = dependency('zlib')
- zlib_static_dep = dependency('zlib', static: true)
- libzstd_dep = dependency('libzstd', required: get_option('zstd'))
- libzstd_static_dep = dependency('libzstd', required: get_option('zstd'), static: true)
- 
--shared_deps = [ openssl_dep, zlib_dep, libzstd_dep ]
--static_deps = [ openssl_static_dep, zlib_static_dep, libzstd_static_dep ]
-+if get_option('crypto_backend') == 'openssl'
-+	crypto_dep = dependency('openssl')
-+	crypto_static_dep = dependency('openssl', static: true)
-+elif get_option('crypto_backend') == 'mbedtls'
-+	crypto_dep = [ dependency('mbedtls'), dependency('mbedcrypto') ]
-+	crypto_static_dep = [ dependency('mbedtls', static: true), dependency('mbedcrypto', static: true) ]
-+endif
-+
-+shared_deps = [ crypto_dep, zlib_dep, libzstd_dep ]
-+static_deps = [ crypto_static_dep, zlib_static_dep, libzstd_static_dep ]
- 
- add_project_arguments('-D_GNU_SOURCE', language: 'c')
- 
-diff --git a/meson_options.txt b/meson_options.txt
-index 44b88b32..2b1d24ce 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -5,6 +5,7 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe
- option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto')
- option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3')
- option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false)
-+option('crypto_backend', description: 'SSL backend', type: 'string', value: 'openssl')
- option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch')
- option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string')
- option('zstd', description: 'Build with zstd support', type: 'boolean', value: true)
-diff --git a/src/apk_crypto.h b/src/apk_crypto.h
-index 7de88dfc..5cae3bfe 100644
---- a/src/apk_crypto.h
-+++ b/src/apk_crypto.h
-@@ -12,7 +12,12 @@
- #include <string.h>
- #include "apk_defines.h"
- #include "apk_blob.h"
-+
-+#if defined(CRYPTO_USE_OPENSSL)
- #include "apk_crypto_openssl.h"
-+#elif defined(CRYPTO_USE_MBEDTLS)
-+#include "apk_crypto_mbedtls.h"
-+#endif
- 
- // Digest
- 
-diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h
-new file mode 100644
-index 00000000..e379535b
---- /dev/null
-+++ b/src/apk_crypto_mbedtls.h
-@@ -0,0 +1,26 @@
-+/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK)
-+ *
-+ * Copyright (C) 2024
-+ * All rights reserved.
-+ *
-+ * SPDX-License-Identifier: GPL-2.0-only
-+ */
-+
-+#ifndef APK_CRYPTO_MBEDTLS_H
-+#define APK_CRYPTO_MBEDTLS_H
-+
-+#include <mbedtls/md.h>
-+#include <mbedtls/pk.h>
-+
-+struct apk_pkey {
-+	uint8_t id[16];
-+	mbedtls_pk_context *key;
-+};
-+
-+struct apk_digest_ctx {
-+	mbedtls_md_context_t *mdctx;
-+	struct apk_pkey *sigver_key;
-+	uint8_t alg;
-+};
-+
-+#endif
-diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c
-new file mode 100644
-index 00000000..9ce148b5
---- /dev/null
-+++ b/src/crypto_mbedtls.c
-@@ -0,0 +1,305 @@
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <fcntl.h>
-+#include <sys/random.h>
-+
-+#include <mbedtls/platform.h>
-+#include <mbedtls/md.h>
-+#include <mbedtls/pk.h>
-+#include <mbedtls/entropy.h>
-+#include <psa/crypto.h>
-+
-+#include "apk_crypto.h"
-+
-+static inline const mbedtls_md_type_t apk_digest_alg_to_mbedtls_type(uint8_t alg) {
-+	switch (alg) {
-+	case APK_DIGEST_NONE:	return MBEDTLS_MD_NONE;
-+	case APK_DIGEST_MD5:	return MBEDTLS_MD_MD5;
-+	case APK_DIGEST_SHA1:	return MBEDTLS_MD_SHA1;
-+	case APK_DIGEST_SHA256_160:
-+	case APK_DIGEST_SHA256:	return MBEDTLS_MD_SHA256;
-+	case APK_DIGEST_SHA512:	return MBEDTLS_MD_SHA512;
-+	default:
-+		assert(alg);
-+		return MBEDTLS_MD_NONE;
-+	}
-+}
-+
-+static inline const mbedtls_md_info_t *apk_digest_alg_to_mdinfo(uint8_t alg)
-+{
-+	return mbedtls_md_info_from_type(
-+		apk_digest_alg_to_mbedtls_type(alg)
-+	);
-+}
-+
-+int apk_digest_calc(struct apk_digest *d, uint8_t alg, const void *ptr, size_t sz)
-+{
-+	if (mbedtls_md(apk_digest_alg_to_mdinfo(alg), ptr, sz, d->data))
-+		return -APKE_CRYPTO_ERROR;
-+
-+	apk_digest_set(d, alg);
-+	return 0;
-+}
-+
-+int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg)
-+{
-+	dctx->alg = alg;
-+	dctx->mdctx = malloc(sizeof(mbedtls_md_context_t));
-+
-+	if (!dctx->mdctx) return -ENOMEM;
-+
-+	mbedtls_md_init(dctx->mdctx);
-+	if (alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+		mbedtls_md_starts(dctx->mdctx))
-+		return -APKE_CRYPTO_ERROR;
-+
-+	return 0;
-+}
-+
-+int apk_digest_ctx_reset(struct apk_digest_ctx *dctx)
-+{
-+	if (dctx->alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_starts(dctx->mdctx)) return -APKE_CRYPTO_ERROR;
-+	return 0;
-+}
-+
-+int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg)
-+{
-+	mbedtls_md_free(dctx->mdctx);
-+
-+	dctx->alg = alg;
-+	if (alg == APK_DIGEST_NONE) return 0;
-+	if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) ||
-+		mbedtls_md_starts(dctx->mdctx))
-+		return -APKE_CRYPTO_ERROR;
-+	
-+	return 0;
-+}
-+
-+void apk_digest_ctx_free(struct apk_digest_ctx *dctx)
-+{
-+	free(dctx->mdctx);
-+	dctx->mdctx = 0;
-+}
-+
-+int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz)
-+{
-+	if (dctx->alg == APK_DIGEST_NONE) return 0;
-+	return mbedtls_md_update(dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR;
-+}
-+
-+int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d)
-+{
-+	if (mbedtls_md_finish(dctx->mdctx, d->data)) {
-+		apk_digest_reset(d);
-+		return -APKE_CRYPTO_ERROR;
-+	}
-+
-+	mbedtls_md_free(dctx->mdctx);
-+
-+	d->alg = dctx->alg;
-+	d->len = apk_digest_alg_len(d->alg);
-+	return 0;
-+}
-+
-+// Entropy function adopted from ustream-ssl to avoid using the bloated mbedtls'
-+// mbedtls_entropy_context and mbedtls_ctr_drbg_context.
-+static int _apk_random(void *ctx, unsigned char *out, size_t len)
-+{
-+	static FILE *f;
-+
-+	if (!f)
-+		f = fopen("/dev/urandom", "r");
-+	if (fread(out, len, 1, f) != 1)
-+		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
-+
-+	return 0;
-+}
-+
-+// adopted from mbedtls_pk_load_file
-+static int apk_load_file_fd(int fd, unsigned char **buf, size_t *n)
-+{
-+	FILE *f;
-+	long size;
-+
-+	if ((f = fdopen(fd, "rb")) == NULL) {
-+		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
-+	}
-+
-+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
-+	/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
-+	mbedtls_setbuf(f, NULL);
-+#endif
-+
-+	fseek(f, 0, SEEK_END);
-+	if ((size = ftell(f)) == -1) {
-+		fclose(f);
-+		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
-+	}
-+	fseek(f, 0, SEEK_SET);
-+
-+	*n = (size_t) size;
-+
-+	if (*n + 1 == 0 ||
-+		(*buf = mbedtls_calloc(1, *n + 1)) == NULL) {
-+		fclose(f);
-+		return MBEDTLS_ERR_PK_ALLOC_FAILED;
-+	}
-+
-+	if (fread(*buf, 1, *n, f) != *n) {
-+		fclose(f);
-+
-+		mbedtls_platform_zeroize(*buf, *n);
-+		mbedtls_free(*buf);
-+
-+		return MBEDTLS_ERR_PK_FILE_IO_ERROR;
-+	}
-+
-+	fclose(f);
-+
-+	(*buf)[*n] = '\0';
-+
-+	if (strstr((const char *) *buf, "-----BEGIN ") != NULL) {
-+		++*n;
-+	}
-+
-+	return 0;
-+}
-+
-+static int apk_pkey_init(struct apk_pkey *pkey, mbedtls_pk_context *key)
-+{
-+	unsigned char dig[APK_DIGEST_MAX_LENGTH], *pub = NULL;
-+	unsigned char *c;
-+	int len, publen, r = -APKE_CRYPTO_ERROR;
-+
-+	// Assume byte len is always * 2 + NULL terminated
-+	publen = mbedtls_pk_get_len(key) * 2 + 1;
-+	pub = malloc(publen);
-+	if (!pub)
-+		return -ENOMEM;
-+	c = pub + publen;
-+
-+	if ((len = mbedtls_pk_write_pubkey(&c, pub, key)) < 0) return -APKE_CRYPTO_ERROR;
-+	if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), pub, len, dig)) {
-+		memcpy(pkey->id, dig, sizeof pkey->id);
-+		r = 0;
-+	}
-+ 
-+	free(pub);
-+	pkey->key = key;
-+ 
-+	return r;
-+}
-+
-+void apk_pkey_free(struct apk_pkey *pkey)
-+{
-+	mbedtls_pk_free(pkey->key);
-+}
-+
-+int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn)
-+{
-+	mbedtls_pk_context *key;
-+	unsigned char *buf;
-+	size_t blen;
-+	int ret, fd;
-+
-+	fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC);
-+	if (fd < 0)
-+		return -errno;
-+
-+	key = malloc(sizeof *key);
-+	if (!key)
-+		return -ENOMEM;
-+	
-+	mbedtls_pk_init(key);
-+	if (apk_load_file_fd(fd, &buf, &blen))
-+		return -APKE_CRYPTO_ERROR;
-+
-+	if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) {
-+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
-+		ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0, _apk_random, NULL);
-+#else
-+		ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0);
-+#endif
-+	}
-+	mbedtls_platform_zeroize(buf, blen);
-+	mbedtls_free(buf);
-+	if (ret != 0)
-+		return -APKE_CRYPTO_KEY_FORMAT;
-+
-+	return apk_pkey_init(pkey, key);
-+}
-+
-+int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
-+{
-+	if (apk_digest_ctx_reset_alg(dctx, alg))
-+		return -APKE_CRYPTO_ERROR;
-+
-+	dctx->sigver_key = pkey;
-+
-+	return 0;
-+}
-+
-+int apk_sign(struct apk_digest_ctx *dctx, void *sig, size_t *len)
-+{
-+	struct apk_digest dig;
-+	int r = 0;
-+
-+	if (apk_digest_ctx_final(dctx, &dig))
-+		return -APKE_SIGNATURE_GEN_FAILURE;
-+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)	
-+	if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+						&dig.data, dig.len, sig, sizeof *sig, len, _apk_random, NULL))
-+#else
-+	if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg),
-+						&dig.data, dig.len, sig, len, _apk_random, NULL))
-+#endif
-+		r = -APKE_SIGNATURE_GEN_FAILURE;
-+
-+
-+	dctx->sigver_key = NULL;
-+	return r;
-+}
-+
-+int apk_verify_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey)
-+{
-+	if (apk_digest_ctx_reset_alg(dctx, alg))
-+		return -APKE_CRYPTO_ERROR;
-+
-+	dctx->sigver_key = pkey;
-+
-+	return 0;
-+}
-+
-+int apk_verify(struct apk_digest_ctx *dctx, void *sig, size_t len)
-+{
-+	struct apk_digest dig;
-+	int r = 0;
-+
-+	if (apk_digest_ctx_final(dctx, &dig))
-+		return -APKE_SIGNATURE_GEN_FAILURE;
-+
-+	if (mbedtls_pk_verify(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), &dig.data, dig.len, sig, len))
-+		r = -APKE_SIGNATURE_INVALID;
-+
-+	dctx->sigver_key = NULL;
-+	return r;
-+}
-+
-+static void apk_crypto_cleanup(void)
-+{
-+#ifdef MBEDTLS_PSA_CRYPTO_C
-+	mbedtls_psa_crypto_free();
-+#endif
-+}
-+
-+void apk_crypto_init(void)
-+{
-+	atexit(apk_crypto_cleanup);
-+	
-+#ifdef MBEDTLS_PSA_CRYPTO_C
-+	psa_crypto_init();
-+#endif
-+}
-diff --git a/src/meson.build b/src/meson.build
-index 28bfce7e..4eab6e0d 100644
---- a/src/meson.build
-+++ b/src/meson.build
-@@ -13,7 +13,6 @@ libapk_src = [
- 	'common.c',
- 	'context.c',
- 	'crypto.c',
--	'crypto_openssl.c',
- 	'ctype.c',
- 	'database.c',
- 	'extract_v2.c',
-@@ -37,7 +36,6 @@ libapk_headers = [
- 	'apk_atom.h',
- 	'apk_blob.h',
- 	'apk_crypto.h',
--	'apk_crypto_openssl.h',
- 	'apk_ctype.h',
- 	'apk_database.h',
- 	'apk_defines.h',
-@@ -86,6 +84,11 @@ apk_src = [
- 	'applet.c',
- ]
- 
-+apk_cargs = [
-+	'-DAPK_VERSION="' + meson.project_version() + '"',
-+	'-D_ATFILE_SOURCE',
-+]
-+
- url_backend = get_option('url_backend')
- if url_backend == 'libfetch'
- 	libapk_src += [	'io_url_libfetch.c' ]
-@@ -93,6 +96,17 @@ elif url_backend == 'wget'
- 	libapk_src += [	'io_url_wget.c' ]
- endif
- 
-+crypto_backend = get_option('crypto_backend')
-+if crypto_backend == 'openssl'
-+	apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ]
-+	libapk_src += [ 'crypto_openssl.c' ]
-+	libapk_headers += [ 'apk_crypto_openssl.h' ]
-+elif crypto_backend == 'mbedtls'
-+	apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ]
-+	libapk_src += [ 'crypto_mbedtls.c' ]
-+	libapk_headers += [ 'apk_crypto_mbedtls.h' ]
-+endif
-+
- if lua_bin.found()
- 	genhelp_script = files('genhelp.lua')
- 	genhelp_args = [lua_bin, genhelp_script, '@INPUT@']
-@@ -119,11 +133,6 @@ endif
- 
- apk_src += [ generated_help ]
- 
--apk_cargs = [
--	'-DAPK_VERSION="' + meson.project_version() + '"',
--	'-D_ATFILE_SOURCE',
--]
--
- apk_arch_prefix = get_option('arch_prefix')
- if apk_arch_prefix != ''
- 	apk_cargs += ['-DAPK_ARCH_PREFIX="@0@"'.format(apk_arch_prefix)]
--- 
-GitLab
-



