pkg.c revision 283790 
1272955Srodrigc/*-
2234949Sbapt * Copyright (c) 2012-2014 Baptiste Daroussin <bapt@FreeBSD.org>
3234949Sbapt * Copyright (c) 2013 Bryan Drewery <bdrewery@FreeBSD.org>
4234949Sbapt * All rights reserved.
5234949Sbapt *
6234949Sbapt * Redistribution and use in source and binary forms, with or without
7234949Sbapt * modification, are permitted provided that the following conditions
8234949Sbapt * are met:
9272955Srodrigc * 1. Redistributions of source code must retain the above copyright
10234949Sbapt *    notice, this list of conditions and the following disclaimer.
11234949Sbapt * 2. Redistributions in binary form must reproduce the above copyright
12234949Sbapt *    notice, this list of conditions and the following disclaimer in the
13268899Sbapt *    documentation and/or other materials provided with the distribution.
14268899Sbapt *
15268899Sbapt * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16268899Sbapt * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17268899Sbapt * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18268899Sbapt * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19234949Sbapt * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20234949Sbapt * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21234949Sbapt * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22234949Sbapt * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23234949Sbapt * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24268899Sbapt * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25234949Sbapt * SUCH DAMAGE.
26234949Sbapt */
27234949Sbapt
28234949Sbapt#include <sys/cdefs.h>
29234949Sbapt__FBSDID("$FreeBSD: stable/10/usr.sbin/pkg/pkg.c 283790 2015-05-30 21:32:02Z bapt $");
30234949Sbapt
31234949Sbapt#include <sys/param.h>
32234949Sbapt#include <sys/queue.h>
33234949Sbapt#include <sys/types.h>
34234949Sbapt#include <sys/sbuf.h>
35234949Sbapt#include <sys/wait.h>
36234949Sbapt
37234949Sbapt#define _WITH_GETLINE
38234949Sbapt#include <archive.h>
39234949Sbapt#include <archive_entry.h>
40234949Sbapt#include <dirent.h>
41234949Sbapt#include <err.h>
42234949Sbapt#include <errno.h>
43234949Sbapt#include <fcntl.h>
44234949Sbapt#include <fetch.h>
45234949Sbapt#include <paths.h>
46234949Sbapt#include <stdbool.h>
47234949Sbapt#include <stdlib.h>
48234949Sbapt#include <stdio.h>
49234949Sbapt#include <string.h>
50234949Sbapt#include <time.h>
51234949Sbapt#include <unistd.h>
52234949Sbapt#include <ucl.h>
53234949Sbapt
54234949Sbapt#include <openssl/err.h>
55234949Sbapt#include <openssl/ssl.h>
56234949Sbapt
57234949Sbapt#include "dns_utils.h"
58234949Sbapt#include "config.h"
59234949Sbapt
60234949Sbaptstruct sig_cert {
61234949Sbapt	char *name;
62234949Sbapt	unsigned char *sig;
63268899Sbapt	int siglen;
64234949Sbapt	unsigned char *cert;
65234949Sbapt	int certlen;
66234949Sbapt	bool trusted;
67234949Sbapt};
68234949Sbapt
69234949Sbapttypedef enum {
70234949Sbapt       HASH_UNKNOWN,
71234949Sbapt       HASH_SHA256,
72272955Srodrigc} hash_t;
73272955Srodrigc
74234949Sbaptstruct fingerprint {
75234949Sbapt       hash_t type;
76234949Sbapt       char *name;
77234949Sbapt       char hash[BUFSIZ];
78234949Sbapt       STAILQ_ENTRY(fingerprint) next;
79234949Sbapt};
80234949Sbapt
81234949SbaptSTAILQ_HEAD(fingerprint_list, fingerprint);
82234949Sbapt
83234949Sbaptstatic int
84234949Sbaptextract_pkg_static(int fd, char *p, int sz)
85234949Sbapt{
86234949Sbapt	struct archive *a;
87234949Sbapt	struct archive_entry *ae;
88234949Sbapt	char *end;
89234949Sbapt	int ret, r;
90234949Sbapt
91234949Sbapt	ret = -1;
92234949Sbapt	a = archive_read_new();
93234949Sbapt	if (a == NULL) {
94234949Sbapt		warn("archive_read_new");
95234949Sbapt		return (ret);
96234949Sbapt	}
97234949Sbapt	archive_read_support_filter_all(a);
98234949Sbapt	archive_read_support_format_tar(a);
99234949Sbapt
100234949Sbapt	if (lseek(fd, 0, 0) == -1) {
101234949Sbapt		warn("lseek");
102234949Sbapt		goto cleanup;
103234949Sbapt	}
104234949Sbapt
105234949Sbapt	if (archive_read_open_fd(a, fd, 4096) != ARCHIVE_OK) {
106234949Sbapt		warnx("archive_read_open_fd: %s", archive_error_string(a));
107234949Sbapt		goto cleanup;
108234949Sbapt	}
109234949Sbapt
110234949Sbapt	ae = NULL;
111268899Sbapt	while ((r = archive_read_next_header(a, &ae)) == ARCHIVE_OK) {
112234949Sbapt		end = strrchr(archive_entry_pathname(ae), '/');
113234949Sbapt		if (end == NULL)
114234949Sbapt			continue;
115234949Sbapt
116234949Sbapt		if (strcmp(end, "/pkg-static") == 0) {
117234949Sbapt			r = archive_read_extract(a, ae,
118234949Sbapt			    ARCHIVE_EXTRACT_OWNER | ARCHIVE_EXTRACT_PERM |
119234949Sbapt			    ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_ACL |
120234949Sbapt			    ARCHIVE_EXTRACT_FFLAGS | ARCHIVE_EXTRACT_XATTR);
121234949Sbapt			strlcpy(p, archive_entry_pathname(ae), sz);
122234949Sbapt			break;
123234949Sbapt		}
124234949Sbapt	}
125234949Sbapt
126234949Sbapt	if (r == ARCHIVE_OK)
127234949Sbapt		ret = 0;
128234949Sbapt	else
129234949Sbapt		warnx("failed to extract pkg-static: %s",
130234949Sbapt		    archive_error_string(a));
131234949Sbapt
132234949Sbaptcleanup:
133234949Sbapt	archive_read_free(a);
134234949Sbapt	return (ret);
135234949Sbapt
136234949Sbapt}
137234949Sbapt
138234949Sbaptstatic int
139234949Sbaptinstall_pkg_static(const char *path, const char *pkgpath, bool force)
140234949Sbapt{
141234949Sbapt	int pstat;
142234949Sbapt	pid_t pid;
143234949Sbapt
144234949Sbapt	switch ((pid = fork())) {
145234949Sbapt	case -1:
146234949Sbapt		return (-1);
147234949Sbapt	case 0:
148234949Sbapt		if (force)
149234949Sbapt			execl(path, "pkg-static", "add", "-f", pkgpath,
150234949Sbapt			    (char *)NULL);
151234949Sbapt		else
152234949Sbapt			execl(path, "pkg-static", "add", pkgpath,
153234949Sbapt			    (char *)NULL);
154234949Sbapt		_exit(1);
155234949Sbapt	default:
156234949Sbapt		break;
157234949Sbapt	}
158234949Sbapt
159234949Sbapt	while (waitpid(pid, &pstat, 0) == -1)
160234949Sbapt		if (errno != EINTR)
161234949Sbapt			return (-1);
162234949Sbapt
163234949Sbapt	if (WEXITSTATUS(pstat))
164234949Sbapt		return (WEXITSTATUS(pstat));
165234949Sbapt	else if (WIFSIGNALED(pstat))
166234949Sbapt		return (128 & (WTERMSIG(pstat)));
167234949Sbapt	return (pstat);
168234949Sbapt}
169234949Sbapt
170234949Sbaptstatic int
171234949Sbaptfetch_to_fd(const char *url, char *path)
172234949Sbapt{
173234949Sbapt	struct url *u;
174234949Sbapt	struct dns_srvinfo *mirrors, *current;
175234949Sbapt	struct url_stat st;
176234949Sbapt	FILE *remote;
177234949Sbapt	/* To store _https._tcp. + hostname + \0 */
178234949Sbapt	int fd;
179234949Sbapt	int retry, max_retry;
180234949Sbapt	off_t done, r;
181272955Srodrigc	time_t now, last;
182234949Sbapt	char buf[10240];
183234949Sbapt	char zone[MAXHOSTNAMELEN + 13];
184234949Sbapt	static const char *mirror_type = NULL;
185234949Sbapt
186268899Sbapt	done = 0;
187234949Sbapt	last = 0;
188234949Sbapt	max_retry = 3;
189268899Sbapt	current = mirrors = NULL;
190234949Sbapt	remote = NULL;
191234949Sbapt
192234949Sbapt	if (mirror_type == NULL && config_string(MIRROR_TYPE, &mirror_type)
193234949Sbapt	    != 0) {
194234949Sbapt		warnx("No MIRROR_TYPE defined");
195234949Sbapt		return (-1);
196268899Sbapt	}
197234949Sbapt
198234949Sbapt	if ((fd = mkstemp(path)) == -1) {
199234949Sbapt		warn("mkstemp()");
200234949Sbapt		return (-1);
201234949Sbapt	}
202234949Sbapt
203234949Sbapt	retry = max_retry;
204234949Sbapt
205234949Sbapt	if ((u = fetchParseURL(url)) == NULL) {
206234949Sbapt		warn("fetchParseURL('%s')", url);
207234949Sbapt		return (-1);
208234949Sbapt	}
209234949Sbapt
210234949Sbapt	while (remote == NULL) {
211234949Sbapt		if (retry == max_retry) {
212234949Sbapt			if (strcmp(u->scheme, "file") != 0 &&
213234949Sbapt			    strcasecmp(mirror_type, "srv") == 0) {
214234949Sbapt				snprintf(zone, sizeof(zone),
215234949Sbapt				    "_%s._tcp.%s", u->scheme, u->host);
216234949Sbapt				mirrors = dns_getsrvinfo(zone);
217234949Sbapt				current = mirrors;
218234949Sbapt			}
219234949Sbapt		}
220234949Sbapt
221234949Sbapt		if (mirrors != NULL) {
222234949Sbapt			strlcpy(u->host, current->host, sizeof(u->host));
223234949Sbapt			u->port = current->port;
224234949Sbapt		}
225234949Sbapt
226234949Sbapt		remote = fetchXGet(u, &st, "");
227268899Sbapt		if (remote == NULL) {
228234949Sbapt			--retry;
229234949Sbapt			if (retry <= 0)
230234949Sbapt				goto fetchfail;
231234949Sbapt			if (mirrors == NULL) {
232234949Sbapt				sleep(1);
233234949Sbapt			} else {
234234949Sbapt				current = current->next;
235234949Sbapt				if (current == NULL)
236234949Sbapt					current = mirrors;
237234949Sbapt			}
238234949Sbapt		}
239234949Sbapt	}
240234949Sbapt
241234949Sbapt	while (done < st.size) {
242234949Sbapt		if ((r = fread(buf, 1, sizeof(buf), remote)) < 1)
243234949Sbapt			break;
244234949Sbapt
245234949Sbapt		if (write(fd, buf, r) != r) {
246234949Sbapt			warn("write()");
247234949Sbapt			goto fetchfail;
248234949Sbapt		}
249234949Sbapt
250234949Sbapt		done += r;
251234949Sbapt		now = time(NULL);
252234949Sbapt		if (now > last || done == st.size)
253234949Sbapt			last = now;
254234949Sbapt	}
255234949Sbapt
256234949Sbapt	if (ferror(remote))
257234949Sbapt		goto fetchfail;
258234949Sbapt
259234949Sbapt	goto cleanup;
260
261fetchfail:
262	if (fd != -1) {
263		close(fd);
264		fd = -1;
265		unlink(path);
266	}
267
268cleanup:
269	if (remote != NULL)
270		fclose(remote);
271
272	return fd;
273}
274
275static struct fingerprint *
276parse_fingerprint(ucl_object_t *obj)
277{
278	const ucl_object_t *cur;
279	ucl_object_iter_t it = NULL;
280	const char *function, *fp, *key;
281	struct fingerprint *f;
282	hash_t fct = HASH_UNKNOWN;
283
284	function = fp = NULL;
285
286	while ((cur = ucl_iterate_object(obj, &it, true))) {
287		key = ucl_object_key(cur);
288		if (cur->type != UCL_STRING)
289			continue;
290		if (strcasecmp(key, "function") == 0) {
291			function = ucl_object_tostring(cur);
292			continue;
293		}
294		if (strcasecmp(key, "fingerprint") == 0) {
295			fp = ucl_object_tostring(cur);
296			continue;
297		}
298	}
299
300	if (fp == NULL || function == NULL)
301		return (NULL);
302
303	if (strcasecmp(function, "sha256") == 0)
304		fct = HASH_SHA256;
305
306	if (fct == HASH_UNKNOWN) {
307		warnx("Unsupported hashing function: %s", function);
308		return (NULL);
309	}
310
311	f = calloc(1, sizeof(struct fingerprint));
312	f->type = fct;
313	strlcpy(f->hash, fp, sizeof(f->hash));
314
315	return (f);
316}
317
318static void
319free_fingerprint_list(struct fingerprint_list* list)
320{
321	struct fingerprint *fingerprint, *tmp;
322
323	STAILQ_FOREACH_SAFE(fingerprint, list, next, tmp) {
324		free(fingerprint->name);
325		free(fingerprint);
326	}
327	free(list);
328}
329
330static struct fingerprint *
331load_fingerprint(const char *dir, const char *filename)
332{
333	ucl_object_t *obj = NULL;
334	struct ucl_parser *p = NULL;
335	struct fingerprint *f;
336	char path[MAXPATHLEN];
337
338	f = NULL;
339
340	snprintf(path, MAXPATHLEN, "%s/%s", dir, filename);
341
342	p = ucl_parser_new(0);
343	if (!ucl_parser_add_file(p, path)) {
344		warnx("%s: %s", path, ucl_parser_get_error(p));
345		ucl_parser_free(p);
346		return (NULL);
347	}
348
349	obj = ucl_parser_get_object(p);
350
351	if (obj->type == UCL_OBJECT)
352		f = parse_fingerprint(obj);
353
354	if (f != NULL)
355		f->name = strdup(filename);
356
357	ucl_object_unref(obj);
358	ucl_parser_free(p);
359
360	return (f);
361}
362
363static struct fingerprint_list *
364load_fingerprints(const char *path, int *count)
365{
366	DIR *d;
367	struct dirent *ent;
368	struct fingerprint *finger;
369	struct fingerprint_list *fingerprints;
370
371	*count = 0;
372
373	fingerprints = calloc(1, sizeof(struct fingerprint_list));
374	if (fingerprints == NULL)
375		return (NULL);
376	STAILQ_INIT(fingerprints);
377
378	if ((d = opendir(path)) == NULL) {
379		free(fingerprints);
380
381		return (NULL);
382	}
383
384	while ((ent = readdir(d))) {
385		if (strcmp(ent->d_name, ".") == 0 ||
386		    strcmp(ent->d_name, "..") == 0)
387			continue;
388		finger = load_fingerprint(path, ent->d_name);
389		if (finger != NULL) {
390			STAILQ_INSERT_TAIL(fingerprints, finger, next);
391			++(*count);
392		}
393	}
394
395	closedir(d);
396
397	return (fingerprints);
398}
399
400static void
401sha256_hash(unsigned char hash[SHA256_DIGEST_LENGTH],
402    char out[SHA256_DIGEST_LENGTH * 2 + 1])
403{
404	int i;
405
406	for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
407		sprintf(out + (i * 2), "%02x", hash[i]);
408
409	out[SHA256_DIGEST_LENGTH * 2] = '\0';
410}
411
412static void
413sha256_buf(char *buf, size_t len, char out[SHA256_DIGEST_LENGTH * 2 + 1])
414{
415	unsigned char hash[SHA256_DIGEST_LENGTH];
416	SHA256_CTX sha256;
417
418	out[0] = '\0';
419
420	SHA256_Init(&sha256);
421	SHA256_Update(&sha256, buf, len);
422	SHA256_Final(hash, &sha256);
423	sha256_hash(hash, out);
424}
425
426static int
427sha256_fd(int fd, char out[SHA256_DIGEST_LENGTH * 2 + 1])
428{
429	int my_fd;
430	FILE *fp;
431	char buffer[BUFSIZ];
432	unsigned char hash[SHA256_DIGEST_LENGTH];
433	size_t r;
434	int ret;
435	SHA256_CTX sha256;
436
437	my_fd = -1;
438	fp = NULL;
439	r = 0;
440	ret = 1;
441
442	out[0] = '\0';
443
444	/* Duplicate the fd so that fclose(3) does not close it. */
445	if ((my_fd = dup(fd)) == -1) {
446		warnx("dup");
447		goto cleanup;
448	}
449
450	if ((fp = fdopen(my_fd, "rb")) == NULL) {
451		warnx("fdopen");
452		goto cleanup;
453	}
454
455	SHA256_Init(&sha256);
456
457	while ((r = fread(buffer, 1, BUFSIZ, fp)) > 0)
458		SHA256_Update(&sha256, buffer, r);
459
460	if (ferror(fp) != 0) {
461		warnx("fread");
462		goto cleanup;
463	}
464
465	SHA256_Final(hash, &sha256);
466	sha256_hash(hash, out);
467	ret = 0;
468
469cleanup:
470	if (fp != NULL)
471		fclose(fp);
472	else if (my_fd != -1)
473		close(my_fd);
474	(void)lseek(fd, 0, SEEK_SET);
475
476	return (ret);
477}
478
479static EVP_PKEY *
480load_public_key_buf(const unsigned char *cert, int certlen)
481{
482	EVP_PKEY *pkey;
483	BIO *bp;
484	char errbuf[1024];
485
486	bp = BIO_new_mem_buf(__DECONST(void *, cert), certlen);
487
488	if ((pkey = PEM_read_bio_PUBKEY(bp, NULL, NULL, NULL)) == NULL)
489		warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
490
491	BIO_free(bp);
492
493	return (pkey);
494}
495
496static bool
497rsa_verify_cert(int fd, const unsigned char *key, int keylen,
498    unsigned char *sig, int siglen)
499{
500	EVP_MD_CTX *mdctx;
501	EVP_PKEY *pkey;
502	char sha256[(SHA256_DIGEST_LENGTH * 2) + 2];
503	char errbuf[1024];
504	bool ret;
505
506	pkey = NULL;
507	mdctx = NULL;
508	ret = false;
509
510	/* Compute SHA256 of the package. */
511	if (lseek(fd, 0, 0) == -1) {
512		warn("lseek");
513		goto cleanup;
514	}
515	if ((sha256_fd(fd, sha256)) == -1) {
516		warnx("Error creating SHA256 hash for package");
517		goto cleanup;
518	}
519
520	if ((pkey = load_public_key_buf(key, keylen)) == NULL) {
521		warnx("Error reading public key");
522		goto cleanup;
523	}
524
525	/* Verify signature of the SHA256(pkg) is valid. */
526	if ((mdctx = EVP_MD_CTX_create()) == NULL) {
527		warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
528		goto error;
529	}
530
531	if (EVP_DigestVerifyInit(mdctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
532		warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
533		goto error;
534	}
535	if (EVP_DigestVerifyUpdate(mdctx, sha256, strlen(sha256)) != 1) {
536		warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
537		goto error;
538	}
539
540	if (EVP_DigestVerifyFinal(mdctx, sig, siglen) != 1) {
541		warnx("%s", ERR_error_string(ERR_get_error(), errbuf));
542		goto error;
543	}
544
545	ret = true;
546	printf("done\n");
547	goto cleanup;
548
549error:
550	printf("failed\n");
551
552cleanup:
553	if (pkey)
554		EVP_PKEY_free(pkey);
555	if (mdctx)
556		EVP_MD_CTX_destroy(mdctx);
557	ERR_free_strings();
558
559	return (ret);
560}
561
562static struct sig_cert *
563parse_cert(int fd) {
564	int my_fd;
565	struct sig_cert *sc;
566	FILE *fp;
567	struct sbuf *buf, *sig, *cert;
568	char *line;
569	size_t linecap;
570	ssize_t linelen;
571
572	buf = NULL;
573	my_fd = -1;
574	sc = NULL;
575	line = NULL;
576	linecap = 0;
577
578	if (lseek(fd, 0, 0) == -1) {
579		warn("lseek");
580		return (NULL);
581	}
582
583	/* Duplicate the fd so that fclose(3) does not close it. */
584	if ((my_fd = dup(fd)) == -1) {
585		warnx("dup");
586		return (NULL);
587	}
588
589	if ((fp = fdopen(my_fd, "rb")) == NULL) {
590		warn("fdopen");
591		close(my_fd);
592		return (NULL);
593	}
594
595	sig = sbuf_new_auto();
596	cert = sbuf_new_auto();
597
598	while ((linelen = getline(&line, &linecap, fp)) > 0) {
599		if (strcmp(line, "SIGNATURE\n") == 0) {
600			buf = sig;
601			continue;
602		} else if (strcmp(line, "CERT\n") == 0) {
603			buf = cert;
604			continue;
605		} else if (strcmp(line, "END\n") == 0) {
606			break;
607		}
608		if (buf != NULL)
609			sbuf_bcat(buf, line, linelen);
610	}
611
612	fclose(fp);
613
614	/* Trim out unrelated trailing newline */
615	sbuf_setpos(sig, sbuf_len(sig) - 1);
616
617	sbuf_finish(sig);
618	sbuf_finish(cert);
619
620	sc = calloc(1, sizeof(struct sig_cert));
621	sc->siglen = sbuf_len(sig);
622	sc->sig = calloc(1, sc->siglen);
623	memcpy(sc->sig, sbuf_data(sig), sc->siglen);
624
625	sc->certlen = sbuf_len(cert);
626	sc->cert = strdup(sbuf_data(cert));
627
628	sbuf_delete(sig);
629	sbuf_delete(cert);
630
631	return (sc);
632}
633
634static bool
635verify_signature(int fd_pkg, int fd_sig)
636{
637	struct fingerprint_list *trusted, *revoked;
638	struct fingerprint *fingerprint;
639	struct sig_cert *sc;
640	bool ret;
641	int trusted_count, revoked_count;
642	const char *fingerprints;
643	char path[MAXPATHLEN];
644	char hash[SHA256_DIGEST_LENGTH * 2 + 1];
645
646	sc = NULL;
647	trusted = revoked = NULL;
648	ret = false;
649
650	/* Read and parse fingerprints. */
651	if (config_string(FINGERPRINTS, &fingerprints) != 0) {
652		warnx("No CONFIG_FINGERPRINTS defined");
653		goto cleanup;
654	}
655
656	snprintf(path, MAXPATHLEN, "%s/trusted", fingerprints);
657	if ((trusted = load_fingerprints(path, &trusted_count)) == NULL) {
658		warnx("Error loading trusted certificates");
659		goto cleanup;
660	}
661
662	if (trusted_count == 0 || trusted == NULL) {
663		fprintf(stderr, "No trusted certificates found.\n");
664		goto cleanup;
665	}
666
667	snprintf(path, MAXPATHLEN, "%s/revoked", fingerprints);
668	if ((revoked = load_fingerprints(path, &revoked_count)) == NULL) {
669		warnx("Error loading revoked certificates");
670		goto cleanup;
671	}
672
673	/* Read certificate and signature in. */
674	if ((sc = parse_cert(fd_sig)) == NULL) {
675		warnx("Error parsing certificate");
676		goto cleanup;
677	}
678	/* Explicitly mark as non-trusted until proven otherwise. */
679	sc->trusted = false;
680
681	/* Parse signature and pubkey out of the certificate */
682	sha256_buf(sc->cert, sc->certlen, hash);
683
684	/* Check if this hash is revoked */
685	if (revoked != NULL) {
686		STAILQ_FOREACH(fingerprint, revoked, next) {
687			if (strcasecmp(fingerprint->hash, hash) == 0) {
688				fprintf(stderr, "The package was signed with "
689				    "revoked certificate %s\n",
690				    fingerprint->name);
691				goto cleanup;
692			}
693		}
694	}
695
696	STAILQ_FOREACH(fingerprint, trusted, next) {
697		if (strcasecmp(fingerprint->hash, hash) == 0) {
698			sc->trusted = true;
699			sc->name = strdup(fingerprint->name);
700			break;
701		}
702	}
703
704	if (sc->trusted == false) {
705		fprintf(stderr, "No trusted fingerprint found matching "
706		    "package's certificate\n");
707		goto cleanup;
708	}
709
710	/* Verify the signature. */
711	printf("Verifying signature with trusted certificate %s... ", sc->name);
712	if (rsa_verify_cert(fd_pkg, sc->cert, sc->certlen, sc->sig,
713	    sc->siglen) == false) {
714		fprintf(stderr, "Signature is not valid\n");
715		goto cleanup;
716	}
717
718	ret = true;
719
720cleanup:
721	if (trusted)
722		free_fingerprint_list(trusted);
723	if (revoked)
724		free_fingerprint_list(revoked);
725	if (sc) {
726		free(sc->cert);
727		free(sc->sig);
728		free(sc->name);
729		free(sc);
730	}
731
732	return (ret);
733}
734
735static int
736bootstrap_pkg(bool force)
737{
738	int fd_pkg, fd_sig;
739	int ret;
740	char url[MAXPATHLEN];
741	char tmppkg[MAXPATHLEN];
742	char tmpsig[MAXPATHLEN];
743	const char *packagesite;
744	const char *signature_type;
745	char pkgstatic[MAXPATHLEN];
746
747	fd_sig = -1;
748	ret = -1;
749
750	if (config_string(PACKAGESITE, &packagesite) != 0) {
751		warnx("No PACKAGESITE defined");
752		return (-1);
753	}
754
755	if (config_string(SIGNATURE_TYPE, &signature_type) != 0) {
756		warnx("Error looking up SIGNATURE_TYPE");
757		return (-1);
758	}
759
760	printf("Bootstrapping pkg from %s, please wait...\n", packagesite);
761
762	/* Support pkg+http:// for PACKAGESITE which is the new format
763	   in 1.2 to avoid confusion on why http://pkg.FreeBSD.org has
764	   no A record. */
765	if (strncmp(URL_SCHEME_PREFIX, packagesite,
766	    strlen(URL_SCHEME_PREFIX)) == 0)
767		packagesite += strlen(URL_SCHEME_PREFIX);
768	snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz", packagesite);
769
770	snprintf(tmppkg, MAXPATHLEN, "%s/pkg.txz.XXXXXX",
771	    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
772
773	if ((fd_pkg = fetch_to_fd(url, tmppkg)) == -1)
774		goto fetchfail;
775
776	if (signature_type != NULL &&
777	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
778		snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
779		    getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
780		snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
781		    packagesite);
782
783		if ((fd_sig = fetch_to_fd(url, tmpsig)) == -1) {
784			fprintf(stderr, "Signature for pkg not available.\n");
785			goto fetchfail;
786		}
787
788		if (verify_signature(fd_pkg, fd_sig) == false)
789			goto cleanup;
790	}
791
792	if ((ret = extract_pkg_static(fd_pkg, pkgstatic, MAXPATHLEN)) == 0)
793		ret = install_pkg_static(pkgstatic, tmppkg, force);
794
795	goto cleanup;
796
797fetchfail:
798	warnx("Error fetching %s: %s", url, fetchLastErrString);
799	fprintf(stderr, "A pre-built version of pkg could not be found for "
800	    "your system.\n");
801	fprintf(stderr, "Consider changing PACKAGESITE or installing it from "
802	    "ports: 'ports-mgmt/pkg'.\n");
803
804cleanup:
805	if (fd_sig != -1) {
806		close(fd_sig);
807		unlink(tmpsig);
808	}
809
810	if (fd_pkg != -1) {
811		close(fd_pkg);
812		unlink(tmppkg);
813	}
814
815	return (ret);
816}
817
818static const char confirmation_message[] =
819"The package management tool is not yet installed on your system.\n"
820"Do you want to fetch and install it now? [y/N]: ";
821
822static const char non_interactive_message[] =
823"The package management tool is not yet installed on your system.\n"
824"Please set ASSUME_ALWAYS_YES=yes environment variable to be able to bootstrap "
825"in non-interactive (stdin not being a tty)\n";
826
827static int
828pkg_query_yes_no(void)
829{
830	int ret, c;
831
832	c = getchar();
833
834	if (c == 'y' || c == 'Y')
835		ret = 1;
836	else
837		ret = 0;
838
839	while (c != '\n' && c != EOF)
840		c = getchar();
841
842	return (ret);
843}
844
845static int
846bootstrap_pkg_local(const char *pkgpath, bool force)
847{
848	char path[MAXPATHLEN];
849	char pkgstatic[MAXPATHLEN];
850	const char *signature_type;
851	int fd_pkg, fd_sig, ret;
852
853	fd_sig = -1;
854	ret = -1;
855
856	fd_pkg = open(pkgpath, O_RDONLY);
857	if (fd_pkg == -1)
858		err(EXIT_FAILURE, "Unable to open %s", pkgpath);
859
860	if (config_string(SIGNATURE_TYPE, &signature_type) != 0) {
861		warnx("Error looking up SIGNATURE_TYPE");
862		goto cleanup;
863	}
864	if (signature_type != NULL &&
865	    strcasecmp(signature_type, "FINGERPRINTS") == 0) {
866		snprintf(path, sizeof(path), "%s.sig", pkgpath);
867
868		if ((fd_sig = open(path, O_RDONLY)) == -1) {
869			fprintf(stderr, "Signature for pkg not available.\n");
870			goto cleanup;
871		}
872
873		if (verify_signature(fd_pkg, fd_sig) == false)
874			goto cleanup;
875	}
876
877	if ((ret = extract_pkg_static(fd_pkg, pkgstatic, MAXPATHLEN)) == 0)
878		ret = install_pkg_static(pkgstatic, pkgpath, force);
879
880cleanup:
881	close(fd_pkg);
882	if (fd_sig != -1)
883		close(fd_sig);
884
885	return (ret);
886}
887
888int
889main(int argc, char *argv[])
890{
891	char pkgpath[MAXPATHLEN];
892	const char *pkgarg;
893	bool bootstrap_only, force, yes;
894
895	bootstrap_only = false;
896	force = false;
897	pkgarg = NULL;
898	yes = false;
899
900	snprintf(pkgpath, MAXPATHLEN, "%s/sbin/pkg",
901	    getenv("LOCALBASE") ? getenv("LOCALBASE") : _LOCALBASE);
902
903	if (argc > 1 && strcmp(argv[1], "bootstrap") == 0) {
904		bootstrap_only = true;
905		if (argc == 3 && strcmp(argv[2], "-f") == 0)
906			force = true;
907	}
908
909	if ((bootstrap_only && force) || access(pkgpath, X_OK) == -1) {
910		/*
911		 * To allow 'pkg -N' to be used as a reliable test for whether
912		 * a system is configured to use pkg, don't bootstrap pkg
913		 * when that argument is given as argv[1].
914		 */
915		if (argv[1] != NULL && strcmp(argv[1], "-N") == 0)
916			errx(EXIT_FAILURE, "pkg is not installed");
917
918		config_init();
919
920		if (argc > 1 && strcmp(argv[1], "add") == 0) {
921			if (argc > 2 && strcmp(argv[2], "-f") == 0) {
922				force = true;
923				pkgarg = argv[3];
924			} else
925				pkgarg = argv[2];
926			if (pkgarg == NULL) {
927				fprintf(stderr, "Path to pkg.txz required\n");
928				exit(EXIT_FAILURE);
929			}
930			if (access(pkgarg, R_OK) == -1) {
931				fprintf(stderr, "No such file: %s\n", pkgarg);
932				exit(EXIT_FAILURE);
933			}
934			if (bootstrap_pkg_local(pkgarg, force) != 0)
935				exit(EXIT_FAILURE);
936			exit(EXIT_SUCCESS);
937		}
938		/*
939		 * Do not ask for confirmation if either of stdin or stdout is
940		 * not tty. Check the environment to see if user has answer
941		 * tucked in there already.
942		 */
943		config_bool(ASSUME_ALWAYS_YES, &yes);
944		if (!yes) {
945			if (!isatty(fileno(stdin))) {
946				fprintf(stderr, non_interactive_message);
947				exit(EXIT_FAILURE);
948			}
949
950			printf("%s", confirmation_message);
951			if (pkg_query_yes_no() == 0)
952				exit(EXIT_FAILURE);
953		}
954		if (bootstrap_pkg(force) != 0)
955			exit(EXIT_FAILURE);
956		config_finish();
957
958		if (bootstrap_only)
959			exit(EXIT_SUCCESS);
960	} else if (bootstrap_only) {
961		printf("pkg already bootstrapped at %s\n", pkgpath);
962		exit(EXIT_SUCCESS);
963	}
964
965	execv(pkgpath, argv);
966
967	/* NOT REACHED */
968	return (EXIT_FAILURE);
969}
970