From 99636d4dd8d4bda15b9e072d2d92dd5f4ae0580f Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Sat, 18 May 2024 16:29:07 +0300 Subject: [PATCH] apk: update to latest HEAD 2024-05-18 Drop downstream mbedtls patch since it went upstream. Signed-off-by: Paul Spooren Link: https://github.com/openwrt/openwrt/pull/15522 Signed-off-by: Christian Marangi --- package/system/apk/Makefile | 6 +- .../apk/patches/0002-mbedtls-support.patch | 715 ------------------ 2 files changed, 3 insertions(+), 718 deletions(-) delete mode 100644 package/system/apk/patches/0002-mbedtls-support.patch diff --git a/package/system/apk/Makefile b/package/system/apk/Makefile index 7aaf9f4c5e..332596719f 100644 --- a/package/system/apk/Makefile +++ b/package/system/apk/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_URL=https://gitlab.alpinelinux.org/alpine/apk-tools.git PKG_SOURCE_PROTO:=git -PKG_SOURCE_DATE:=2024-04-16 -PKG_SOURCE_VERSION:=ba6c31a5469ef74fb85119508e55de9631ffef41 -PKG_MIRROR_HASH:=3455d5799481add9ece3db685576d58be6303f3a13140133979b965cbd3c9966 +PKG_SOURCE_DATE:=2024-05-18 +PKG_SOURCE_VERSION:=a6ce0a1be1a42a5cf4136eb0db5ea95168ee73fe +PKG_MIRROR_HASH:=a5f59907cd742ec12f31f42910ea9a6ecfaf91e18218a7888836a01cfa272a72 PKG_VERSION=3.0.0_pre$(subst -,,$(PKG_SOURCE_DATE)) diff --git a/package/system/apk/patches/0002-mbedtls-support.patch b/package/system/apk/patches/0002-mbedtls-support.patch deleted file mode 100644 index d06db30f03..0000000000 --- a/package/system/apk/patches/0002-mbedtls-support.patch +++ /dev/null @@ -1,715 +0,0 @@ -From 68352e0cb94fe08b220d4befec828171ec871154 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timo=20Ter=C3=A4s?= -Date: Fri, 5 Apr 2024 12:06:56 +0300 -Subject: [PATCH 1/2] add alternate url wget implementation - ---- - meson.build | 6 +- - meson_options.txt | 1 + - src/io_url_wget.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++ - src/meson.build | 8 ++- - 4 files changed, 150 insertions(+), 2 deletions(-) - create mode 100644 src/io_url_wget.c - -diff --git a/meson.build b/meson.build -index 1a44c11f..9a14cac0 100644 ---- a/meson.build -+++ b/meson.build -@@ -33,6 +33,10 @@ subproject = meson.is_subproject() - - subdir('doc') - subdir('portability') --subdir('libfetch') -+if get_option('url_backend') == 'libfetch' -+ subdir('libfetch') -+else -+ libfetch_dep = dependency('', required: false) -+endif - subdir('src') - subdir('tests') -diff --git a/meson_options.txt b/meson_options.txt -index 693f46ec..44b88b32 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -5,5 +5,6 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe - option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto') - option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3') - option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false) -+option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch') - option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string') - option('zstd', description: 'Build with zstd support', type: 'boolean', value: true) -diff --git a/src/io_url_wget.c b/src/io_url_wget.c -new file mode 100644 -index 00000000..d8885a4f ---- /dev/null -+++ b/src/io_url_wget.c -@@ -0,0 +1,137 @@ -+/* io_url_wget.c - Alpine Package Keeper (APK) -+ * -+ * Copyright (C) 2005-2008 Natanael Copa -+ * Copyright (C) 2008-2011 Timo Teräs -+ * All rights reserved. -+ * -+ * SPDX-License-Identifier: GPL-2.0-only -+ */ -+ -+#include -+#include -+#include -+#include "apk_io.h" -+ -+static int wget_translate_status(int status) -+{ -+ if (!WIFEXITED(status)) return -EFAULT; -+ switch (WEXITSTATUS(status)) { -+ case 0: return 0; -+ case 3: return -EIO; -+ case 4: return -ENETUNREACH; -+ case 5: return -EACCES; -+ case 6: return -EACCES; -+ case 7: return -EPROTO; -+ default: return -APKE_REMOTE_IO; -+ } -+} -+ -+struct apk_wget_istream { -+ struct apk_istream is; -+ int fd; -+ pid_t pid; -+}; -+ -+static int wget_spawn(const char *url, pid_t *pid, int *fd) -+{ -+ int r, pipefds[2]; -+ posix_spawn_file_actions_t act; -+ char *argv[] = { -+ (char*)"wget", "-q", (char*) url, "-O", "-", 0 -+ }; -+ -+ if (pipe2(pipefds, O_CLOEXEC) != 0) return -errno; -+ -+ posix_spawn_file_actions_init(&act); -+ posix_spawn_file_actions_adddup2(&act, pipefds[1], STDOUT_FILENO); -+ r = posix_spawnp(pid, "wget", &act, 0, argv, environ); -+ posix_spawn_file_actions_destroy(&act); -+ if (r != 0) return -r; -+ close(pipefds[1]); -+ *fd = pipefds[0]; -+ return 0; -+} -+ -+static int wget_check_exit(struct apk_wget_istream *wis) -+{ -+ int status; -+ -+ if (wis->pid == 0) return apk_istream_error(&wis->is, 0); -+ if (waitpid(wis->pid, &status, 0) == wis->pid) { -+ wis->pid = 0; -+ return apk_istream_error(&wis->is, wget_translate_status(status)); -+ } -+ return 0; -+} -+ -+static void wget_get_meta(struct apk_istream *is, struct apk_file_meta *meta) -+{ -+} -+ -+static ssize_t wget_read(struct apk_istream *is, void *ptr, size_t size) -+{ -+ struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is); -+ ssize_t r; -+ -+ r = read(wis->fd, ptr, size); -+ if (r < 0) return -errno; -+ if (r == 0) return wget_check_exit(wis); -+ return r; -+} -+ -+static int wget_close(struct apk_istream *is) -+{ -+ int r = is->err; -+ struct apk_wget_istream *wis = container_of(is, struct apk_wget_istream, is); -+ -+ while (wis->pid != 0) -+ wget_check_exit(wis); -+ -+ close(wis->fd); -+ free(wis); -+ return r < 0 ? r : 0; -+} -+ -+static const struct apk_istream_ops wget_istream_ops = { -+ .get_meta = wget_get_meta, -+ .read = wget_read, -+ .close = wget_close, -+}; -+ -+struct apk_istream *apk_io_url_istream(const char *url, time_t since) -+{ -+ struct apk_wget_istream *wis; -+ int r; -+ -+ wis = malloc(sizeof(*wis) + apk_io_bufsize); -+ if (wis == NULL) return ERR_PTR(-ENOMEM); -+ -+ *wis = (struct apk_wget_istream) { -+ .is.ops = &wget_istream_ops, -+ .is.buf = (uint8_t *)(wis + 1), -+ .is.buf_size = apk_io_bufsize, -+ }; -+ r = wget_spawn(url, &wis->pid, &wis->fd); -+ if (r != 0) { -+ free(wis); -+ return ERR_PTR(r); -+ } -+ -+ return &wis->is; -+} -+ -+void apk_io_url_no_check_certificate(void) -+{ -+} -+ -+void apk_io_url_set_timeout(int timeout) -+{ -+} -+ -+void apk_io_url_set_redirect_callback(void (*cb)(int, const char *)) -+{ -+} -+ -+void apk_io_url_init(void) -+{ -+} -diff --git a/src/meson.build b/src/meson.build -index c1aae550..28bfce7e 100644 ---- a/src/meson.build -+++ b/src/meson.build -@@ -22,7 +22,6 @@ libapk_src = [ - 'fs_uvol.c', - 'hash.c', - 'io.c', -- 'io_url_libfetch.c', - 'io_gunzip.c', - 'package.c', - 'pathbuilder.c', -@@ -87,6 +86,13 @@ apk_src = [ - 'applet.c', - ] - -+url_backend = get_option('url_backend') -+if url_backend == 'libfetch' -+ libapk_src += [ 'io_url_libfetch.c' ] -+elif url_backend == 'wget' -+ libapk_src += [ 'io_url_wget.c' ] -+endif -+ - if lua_bin.found() - genhelp_script = files('genhelp.lua') - genhelp_args = [lua_bin, genhelp_script, '@INPUT@'] --- -GitLab - - -From dc7ff789a45522eb847118a29b60b896de55d083 Mon Sep 17 00:00:00 2001 -From: Jonas Jelonek -Date: Sun, 14 Apr 2024 00:20:14 +0200 -Subject: [PATCH 2/2] crypto: add support for mbedtls as backend - -backend is selected at compile-time with crypto_backend option - -Co-developed-by: Christian Marangi -Signed-off-by: Christian Marangi -Signed-off-by: Jonas Jelonek ---- - libfetch/meson.build | 2 +- - meson.build | 14 +- - meson_options.txt | 1 + - src/apk_crypto.h | 5 + - src/apk_crypto_mbedtls.h | 26 ++++ - src/crypto_mbedtls.c | 305 +++++++++++++++++++++++++++++++++++++++ - src/meson.build | 23 ++- - 7 files changed, 364 insertions(+), 12 deletions(-) - create mode 100644 src/apk_crypto_mbedtls.h - create mode 100644 src/crypto_mbedtls.c - -diff --git a/libfetch/meson.build b/libfetch/meson.build -index 431ba197..e24f95eb 100644 ---- a/libfetch/meson.build -+++ b/libfetch/meson.build -@@ -40,7 +40,7 @@ libfetch = static_library( - c_args: libfetch_cargs, - dependencies: [ - libportability_dep.partial_dependency(compile_args: true, includes: true), -- openssl_dep.partial_dependency(compile_args: true, includes: true) -+ crypto_dep.partial_dependency(compile_args: true, includes: true) - ], - ) - -diff --git a/meson.build b/meson.build -index 9a14cac0..3a83f4e1 100644 ---- a/meson.build -+++ b/meson.build -@@ -13,15 +13,21 @@ apk_libdir = get_option('libdir') - lua_bin = find_program('lua' + get_option('lua_version'), required: get_option('help')) - lua_dep = dependency('lua' + get_option('lua_version'), required: get_option('lua')) - scdoc_dep = dependency('scdoc', version: '>=1.10', required: get_option('docs')) --openssl_dep = dependency('openssl') --openssl_static_dep = dependency('openssl', static: true) - zlib_dep = dependency('zlib') - zlib_static_dep = dependency('zlib', static: true) - libzstd_dep = dependency('libzstd', required: get_option('zstd')) - libzstd_static_dep = dependency('libzstd', required: get_option('zstd'), static: true) - --shared_deps = [ openssl_dep, zlib_dep, libzstd_dep ] --static_deps = [ openssl_static_dep, zlib_static_dep, libzstd_static_dep ] -+if get_option('crypto_backend') == 'openssl' -+ crypto_dep = dependency('openssl') -+ crypto_static_dep = dependency('openssl', static: true) -+elif get_option('crypto_backend') == 'mbedtls' -+ crypto_dep = [ dependency('mbedtls'), dependency('mbedcrypto') ] -+ crypto_static_dep = [ dependency('mbedtls', static: true), dependency('mbedcrypto', static: true) ] -+endif -+ -+shared_deps = [ crypto_dep, zlib_dep, libzstd_dep ] -+static_deps = [ crypto_static_dep, zlib_static_dep, libzstd_static_dep ] - - add_project_arguments('-D_GNU_SOURCE', language: 'c') - -diff --git a/meson_options.txt b/meson_options.txt -index 44b88b32..2b1d24ce 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -5,6 +5,7 @@ option('help', description: 'Build help into apk binaries, needs lua', type: 'fe - option('lua', description: 'Build luaapk (lua bindings)', type: 'feature', value: 'auto') - option('lua_version', description: 'Lua version to build against', type: 'string', value: '5.3') - option('static_apk', description: 'Also build apk.static', type: 'boolean', value: false) -+option('crypto_backend', description: 'SSL backend', type: 'string', value: 'openssl') - option('url_backend', description: 'URL backend', type: 'string', value: 'libfetch') - option('uvol_db_target', description: 'Default target for uvol database layer', type: 'string') - option('zstd', description: 'Build with zstd support', type: 'boolean', value: true) -diff --git a/src/apk_crypto.h b/src/apk_crypto.h -index 7de88dfc..5cae3bfe 100644 ---- a/src/apk_crypto.h -+++ b/src/apk_crypto.h -@@ -12,7 +12,12 @@ - #include - #include "apk_defines.h" - #include "apk_blob.h" -+ -+#if defined(CRYPTO_USE_OPENSSL) - #include "apk_crypto_openssl.h" -+#elif defined(CRYPTO_USE_MBEDTLS) -+#include "apk_crypto_mbedtls.h" -+#endif - - // Digest - -diff --git a/src/apk_crypto_mbedtls.h b/src/apk_crypto_mbedtls.h -new file mode 100644 -index 00000000..e379535b ---- /dev/null -+++ b/src/apk_crypto_mbedtls.h -@@ -0,0 +1,26 @@ -+/* apk_crypto_mbedtls.h - Alpine Package Keeper (APK) -+ * -+ * Copyright (C) 2024 -+ * All rights reserved. -+ * -+ * SPDX-License-Identifier: GPL-2.0-only -+ */ -+ -+#ifndef APK_CRYPTO_MBEDTLS_H -+#define APK_CRYPTO_MBEDTLS_H -+ -+#include -+#include -+ -+struct apk_pkey { -+ uint8_t id[16]; -+ mbedtls_pk_context *key; -+}; -+ -+struct apk_digest_ctx { -+ mbedtls_md_context_t *mdctx; -+ struct apk_pkey *sigver_key; -+ uint8_t alg; -+}; -+ -+#endif -diff --git a/src/crypto_mbedtls.c b/src/crypto_mbedtls.c -new file mode 100644 -index 00000000..9ce148b5 ---- /dev/null -+++ b/src/crypto_mbedtls.c -@@ -0,0 +1,305 @@ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include "apk_crypto.h" -+ -+static inline const mbedtls_md_type_t apk_digest_alg_to_mbedtls_type(uint8_t alg) { -+ switch (alg) { -+ case APK_DIGEST_NONE: return MBEDTLS_MD_NONE; -+ case APK_DIGEST_MD5: return MBEDTLS_MD_MD5; -+ case APK_DIGEST_SHA1: return MBEDTLS_MD_SHA1; -+ case APK_DIGEST_SHA256_160: -+ case APK_DIGEST_SHA256: return MBEDTLS_MD_SHA256; -+ case APK_DIGEST_SHA512: return MBEDTLS_MD_SHA512; -+ default: -+ assert(alg); -+ return MBEDTLS_MD_NONE; -+ } -+} -+ -+static inline const mbedtls_md_info_t *apk_digest_alg_to_mdinfo(uint8_t alg) -+{ -+ return mbedtls_md_info_from_type( -+ apk_digest_alg_to_mbedtls_type(alg) -+ ); -+} -+ -+int apk_digest_calc(struct apk_digest *d, uint8_t alg, const void *ptr, size_t sz) -+{ -+ if (mbedtls_md(apk_digest_alg_to_mdinfo(alg), ptr, sz, d->data)) -+ return -APKE_CRYPTO_ERROR; -+ -+ apk_digest_set(d, alg); -+ return 0; -+} -+ -+int apk_digest_ctx_init(struct apk_digest_ctx *dctx, uint8_t alg) -+{ -+ dctx->alg = alg; -+ dctx->mdctx = malloc(sizeof(mbedtls_md_context_t)); -+ -+ if (!dctx->mdctx) return -ENOMEM; -+ -+ mbedtls_md_init(dctx->mdctx); -+ if (alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || -+ mbedtls_md_starts(dctx->mdctx)) -+ return -APKE_CRYPTO_ERROR; -+ -+ return 0; -+} -+ -+int apk_digest_ctx_reset(struct apk_digest_ctx *dctx) -+{ -+ if (dctx->alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_starts(dctx->mdctx)) return -APKE_CRYPTO_ERROR; -+ return 0; -+} -+ -+int apk_digest_ctx_reset_alg(struct apk_digest_ctx *dctx, uint8_t alg) -+{ -+ mbedtls_md_free(dctx->mdctx); -+ -+ dctx->alg = alg; -+ if (alg == APK_DIGEST_NONE) return 0; -+ if (mbedtls_md_setup(dctx->mdctx, apk_digest_alg_to_mdinfo(alg), 0) || -+ mbedtls_md_starts(dctx->mdctx)) -+ return -APKE_CRYPTO_ERROR; -+ -+ return 0; -+} -+ -+void apk_digest_ctx_free(struct apk_digest_ctx *dctx) -+{ -+ free(dctx->mdctx); -+ dctx->mdctx = 0; -+} -+ -+int apk_digest_ctx_update(struct apk_digest_ctx *dctx, const void *ptr, size_t sz) -+{ -+ if (dctx->alg == APK_DIGEST_NONE) return 0; -+ return mbedtls_md_update(dctx->mdctx, ptr, sz) == 0 ? 0 : -APKE_CRYPTO_ERROR; -+} -+ -+int apk_digest_ctx_final(struct apk_digest_ctx *dctx, struct apk_digest *d) -+{ -+ if (mbedtls_md_finish(dctx->mdctx, d->data)) { -+ apk_digest_reset(d); -+ return -APKE_CRYPTO_ERROR; -+ } -+ -+ mbedtls_md_free(dctx->mdctx); -+ -+ d->alg = dctx->alg; -+ d->len = apk_digest_alg_len(d->alg); -+ return 0; -+} -+ -+// Entropy function adopted from ustream-ssl to avoid using the bloated mbedtls' -+// mbedtls_entropy_context and mbedtls_ctr_drbg_context. -+static int _apk_random(void *ctx, unsigned char *out, size_t len) -+{ -+ static FILE *f; -+ -+ if (!f) -+ f = fopen("/dev/urandom", "r"); -+ if (fread(out, len, 1, f) != 1) -+ return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; -+ -+ return 0; -+} -+ -+// adopted from mbedtls_pk_load_file -+static int apk_load_file_fd(int fd, unsigned char **buf, size_t *n) -+{ -+ FILE *f; -+ long size; -+ -+ if ((f = fdopen(fd, "rb")) == NULL) { -+ return MBEDTLS_ERR_PK_FILE_IO_ERROR; -+ } -+ -+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) -+ /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */ -+ mbedtls_setbuf(f, NULL); -+#endif -+ -+ fseek(f, 0, SEEK_END); -+ if ((size = ftell(f)) == -1) { -+ fclose(f); -+ return MBEDTLS_ERR_PK_FILE_IO_ERROR; -+ } -+ fseek(f, 0, SEEK_SET); -+ -+ *n = (size_t) size; -+ -+ if (*n + 1 == 0 || -+ (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { -+ fclose(f); -+ return MBEDTLS_ERR_PK_ALLOC_FAILED; -+ } -+ -+ if (fread(*buf, 1, *n, f) != *n) { -+ fclose(f); -+ -+ mbedtls_platform_zeroize(*buf, *n); -+ mbedtls_free(*buf); -+ -+ return MBEDTLS_ERR_PK_FILE_IO_ERROR; -+ } -+ -+ fclose(f); -+ -+ (*buf)[*n] = '\0'; -+ -+ if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { -+ ++*n; -+ } -+ -+ return 0; -+} -+ -+static int apk_pkey_init(struct apk_pkey *pkey, mbedtls_pk_context *key) -+{ -+ unsigned char dig[APK_DIGEST_MAX_LENGTH], *pub = NULL; -+ unsigned char *c; -+ int len, publen, r = -APKE_CRYPTO_ERROR; -+ -+ // Assume byte len is always * 2 + NULL terminated -+ publen = mbedtls_pk_get_len(key) * 2 + 1; -+ pub = malloc(publen); -+ if (!pub) -+ return -ENOMEM; -+ c = pub + publen; -+ -+ if ((len = mbedtls_pk_write_pubkey(&c, pub, key)) < 0) return -APKE_CRYPTO_ERROR; -+ if (!mbedtls_md(apk_digest_alg_to_mdinfo(APK_DIGEST_SHA512), pub, len, dig)) { -+ memcpy(pkey->id, dig, sizeof pkey->id); -+ r = 0; -+ } -+ -+ free(pub); -+ pkey->key = key; -+ -+ return r; -+} -+ -+void apk_pkey_free(struct apk_pkey *pkey) -+{ -+ mbedtls_pk_free(pkey->key); -+} -+ -+int apk_pkey_load(struct apk_pkey *pkey, int dirfd, const char *fn) -+{ -+ mbedtls_pk_context *key; -+ unsigned char *buf; -+ size_t blen; -+ int ret, fd; -+ -+ fd = openat(dirfd, fn, O_RDONLY|O_CLOEXEC); -+ if (fd < 0) -+ return -errno; -+ -+ key = malloc(sizeof *key); -+ if (!key) -+ return -ENOMEM; -+ -+ mbedtls_pk_init(key); -+ if (apk_load_file_fd(fd, &buf, &blen)) -+ return -APKE_CRYPTO_ERROR; -+ -+ if ((ret = mbedtls_pk_parse_public_key(key, buf, blen)) != 0) { -+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) -+ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0, _apk_random, NULL); -+#else -+ ret = mbedtls_pk_parse_key(key, buf, blen, NULL, 0); -+#endif -+ } -+ mbedtls_platform_zeroize(buf, blen); -+ mbedtls_free(buf); -+ if (ret != 0) -+ return -APKE_CRYPTO_KEY_FORMAT; -+ -+ return apk_pkey_init(pkey, key); -+} -+ -+int apk_sign_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey) -+{ -+ if (apk_digest_ctx_reset_alg(dctx, alg)) -+ return -APKE_CRYPTO_ERROR; -+ -+ dctx->sigver_key = pkey; -+ -+ return 0; -+} -+ -+int apk_sign(struct apk_digest_ctx *dctx, void *sig, size_t *len) -+{ -+ struct apk_digest dig; -+ int r = 0; -+ -+ if (apk_digest_ctx_final(dctx, &dig)) -+ return -APKE_SIGNATURE_GEN_FAILURE; -+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) -+ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), -+ &dig.data, dig.len, sig, sizeof *sig, len, _apk_random, NULL)) -+#else -+ if (mbedtls_pk_sign(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), -+ &dig.data, dig.len, sig, len, _apk_random, NULL)) -+#endif -+ r = -APKE_SIGNATURE_GEN_FAILURE; -+ -+ -+ dctx->sigver_key = NULL; -+ return r; -+} -+ -+int apk_verify_start(struct apk_digest_ctx *dctx, uint8_t alg, struct apk_pkey *pkey) -+{ -+ if (apk_digest_ctx_reset_alg(dctx, alg)) -+ return -APKE_CRYPTO_ERROR; -+ -+ dctx->sigver_key = pkey; -+ -+ return 0; -+} -+ -+int apk_verify(struct apk_digest_ctx *dctx, void *sig, size_t len) -+{ -+ struct apk_digest dig; -+ int r = 0; -+ -+ if (apk_digest_ctx_final(dctx, &dig)) -+ return -APKE_SIGNATURE_GEN_FAILURE; -+ -+ if (mbedtls_pk_verify(dctx->sigver_key->key, apk_digest_alg_to_mbedtls_type(dctx->alg), &dig.data, dig.len, sig, len)) -+ r = -APKE_SIGNATURE_INVALID; -+ -+ dctx->sigver_key = NULL; -+ return r; -+} -+ -+static void apk_crypto_cleanup(void) -+{ -+#ifdef MBEDTLS_PSA_CRYPTO_C -+ mbedtls_psa_crypto_free(); -+#endif -+} -+ -+void apk_crypto_init(void) -+{ -+ atexit(apk_crypto_cleanup); -+ -+#ifdef MBEDTLS_PSA_CRYPTO_C -+ psa_crypto_init(); -+#endif -+} -diff --git a/src/meson.build b/src/meson.build -index 28bfce7e..4eab6e0d 100644 ---- a/src/meson.build -+++ b/src/meson.build -@@ -13,7 +13,6 @@ libapk_src = [ - 'common.c', - 'context.c', - 'crypto.c', -- 'crypto_openssl.c', - 'ctype.c', - 'database.c', - 'extract_v2.c', -@@ -37,7 +36,6 @@ libapk_headers = [ - 'apk_atom.h', - 'apk_blob.h', - 'apk_crypto.h', -- 'apk_crypto_openssl.h', - 'apk_ctype.h', - 'apk_database.h', - 'apk_defines.h', -@@ -86,6 +84,11 @@ apk_src = [ - 'applet.c', - ] - -+apk_cargs = [ -+ '-DAPK_VERSION="' + meson.project_version() + '"', -+ '-D_ATFILE_SOURCE', -+] -+ - url_backend = get_option('url_backend') - if url_backend == 'libfetch' - libapk_src += [ 'io_url_libfetch.c' ] -@@ -93,6 +96,17 @@ elif url_backend == 'wget' - libapk_src += [ 'io_url_wget.c' ] - endif - -+crypto_backend = get_option('crypto_backend') -+if crypto_backend == 'openssl' -+ apk_cargs += [ '-DCRYPTO_USE_OPENSSL' ] -+ libapk_src += [ 'crypto_openssl.c' ] -+ libapk_headers += [ 'apk_crypto_openssl.h' ] -+elif crypto_backend == 'mbedtls' -+ apk_cargs += [ '-DCRYPTO_USE_MBEDTLS' ] -+ libapk_src += [ 'crypto_mbedtls.c' ] -+ libapk_headers += [ 'apk_crypto_mbedtls.h' ] -+endif -+ - if lua_bin.found() - genhelp_script = files('genhelp.lua') - genhelp_args = [lua_bin, genhelp_script, '@INPUT@'] -@@ -119,11 +133,6 @@ endif - - apk_src += [ generated_help ] - --apk_cargs = [ -- '-DAPK_VERSION="' + meson.project_version() + '"', -- '-D_ATFILE_SOURCE', --] -- - apk_arch_prefix = get_option('arch_prefix') - if apk_arch_prefix != '' - apk_cargs += ['-DAPK_ARCH_PREFIX="@0@"'.format(apk_arch_prefix)] --- -GitLab -