Disable TLS verification for builtin fetchurl
This makes it consistent with the Nixpkgs fetchurl and makes it work in chroots. We don't need verification because the hash of the result is checked anyway.
This commit is contained in:
parent
357d31b339
commit
5db358d4d7
4 changed files with 32 additions and 12 deletions
@ -8,7 +8,13 @@ void builtinFetchurl(const BasicDerivation & drv)
auto url = drv.env.find("url");
auto url = drv.env.find("url");
if (url == drv.env.end()) throw Error("attribute ‘url’ missing");
if (url == drv.env.end()) throw Error("attribute ‘url’ missing");
printMsg(lvlInfo, format("downloading ‘%1%’...") % url->second);
printMsg(lvlInfo, format("downloading ‘%1%’...") % url->second);
auto data = downloadFile(url->second); // FIXME: show progress
/* No need to do TLS verification, because we check the hash of
the result anyway. */
DownloadOptions options;
options.verifyTLS = false;
auto data = downloadFile(url->second, options); // FIXME: show progress
auto out = drv.env.find("out");
auto out = drv.env.find("out");
if (out == drv.env.end()) throw Error("attribute ‘url’ missing");
if (out == drv.env.end()) throw Error("attribute ‘url’ missing");
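Review bot: Turning off verification here makes the output-hash check the sole integrity guarantee for `data`, and that check is not in this hunk (the commit message says it happens elsewhere), so the new comment above the downloadFile call should state the precondition rather than only the conclusion, e.g. `/* TLS verification is off: the only integrity check on this data is the caller's comparison against the derivation's fixed output hash, so nothing may be done with the data before that check. */`. With CURLOPT_FOLLOWLOCATION enabled elsewhere in download.cc the unverified connection can also be redirected, which is harmless for integrity for the same reason but means the bytes in `data` are untrusted until the hash is compared. While here, the unchanged check two lines below throws `attribute ‘url’ missing` for a missing `out` attribute; `throw Error("attribute ‘out’ missing");` would be the correct message. builtinFetchurl continues outside the hunk.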
@ -102,7 +102,6 @@ struct Curl
if (!curl) throw Error("unable to initialize curl");
if (!curl) throw Error("unable to initialize curl");
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
curl_easy_setopt(curl, CURLOPT_CAINFO, getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt").c_str());
curl_easy_setopt(curl, CURLOPT_USERAGENT, ("Nix/" + nixVersion).c_str());
curl_easy_setopt(curl, CURLOPT_USERAGENT, ("Nix/" + nixVersion).c_str());
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
@ -125,10 +124,17 @@ struct Curl
if (requestHeaders) curl_slist_free_all(requestHeaders);
if (requestHeaders) curl_slist_free_all(requestHeaders);
}
}
bool fetch(const string & url, const string & expectedETag = "")
bool fetch(const string & url, const DownloadOptions & options)
{
{
curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
if (options.verifyTLS)
curl_easy_setopt(curl, CURLOPT_CAINFO, getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt").c_str());
else {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
}
data.clear();
data.clear();
if (requestHeaders) {
if (requestHeaders) {
@ -136,9 +142,9 @@ struct Curl
requestHeaders = 0;
requestHeaders = 0;
}
}
if (!expectedETag.empty()) {
if (!options.expectedETag.empty()) {
this->expectedETag = expectedETag;
this->expectedETag = options.expectedETag;
requestHeaders = curl_slist_append(requestHeaders, ("If-None-Match: " + expectedETag).c_str());
requestHeaders = curl_slist_append(requestHeaders, ("If-None-Match: " + options.expectedETag).c_str());
}
}
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, requestHeaders);
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, requestHeaders);
@ -154,7 +160,7 @@ struct Curl
//std::cerr << "\e[" << moveBack << "D\e[K\n";
//std::cerr << "\e[" << moveBack << "D\e[K\n";
std::cerr << "\n";
std::cerr << "\n";
checkInterrupt();
checkInterrupt();
if (res == CURLE_WRITE_ERROR && etag == expectedETag) return false;
if (res == CURLE_WRITE_ERROR && etag == options.expectedETag) return false;
if (res != CURLE_OK)
if (res != CURLE_OK)
throw DownloadError(format("unable to download ‘%1%’: %2% (%3%)")
throw DownloadError(format("unable to download ‘%1%’: %2% (%3%)")
% url % curl_easy_strerror(res) % res);
% url % curl_easy_strerror(res) % res);
@ -168,11 +174,11 @@ struct Curl
};
};
DownloadResult downloadFile(string url, string expectedETag)
DownloadResult downloadFile(string url, const DownloadOptions & options)
{
{
DownloadResult res;
DownloadResult res;
Curl curl;
Curl curl;
if (curl.fetch(url, expectedETag)) {
if (curl.fetch(url, options)) {
res.cached = false;
res.cached = false;
res.data = curl.data;
res.data = curl.data;
} else
} else
@ -224,7 +230,9 @@ Path downloadFileCached(const string & url, bool unpack)
if (!skip) {
if (!skip) {
try {
try {
auto res = downloadFile(url, expectedETag);
DownloadOptions options;
options.expectedETag = expectedETag;
auto res = downloadFile(url, options);
if (!res.cached)
if (!res.cached)
storePath = store->addTextToStore(name, res.data, PathSet(), false);
storePath = store->addTextToStore(name, res.data, PathSet(), false);
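Review bot: In the fetch() hunk (@ -125,10 +124,17), `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0)` and the CURLOPT_SSL_VERIFYHOST line pass an `int` literal where libcurl documents a `long`; curl_easy_setopt is variadic, so no conversion happens and the call is not well-defined on ABIs where int and long differ — write `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);` and `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);`, as the existing CURLOPT_FOLLOWLOCATION line already does with `1L`. A second point: the `options.verifyTLS` branch only sets CURLOPT_CAINFO and never re-enables the two verify options, which is fine today because downloadFile constructs a fresh `Curl` per call, but if fetch() is ever called twice on one handle an earlier verifyTLS=false would persist silently; setting VERIFYPEER to `1L` and VERIFYHOST to `2L` (libcurl's defaults) explicitly in that branch would make the handle's state independent of history. fetch() continues outside the hunk.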
@ -5,13 +5,19 @@
namespace nix {
namespace nix {
struct DownloadOptions
{
string expectedETag;
bool verifyTLS{true};
};
struct DownloadResult
struct DownloadResult
{
{
bool cached;
bool cached;
string data, etag;
string data, etag;
};
};
DownloadResult downloadFile(string url, string expectedETag = "");
DownloadResult downloadFile(string url, const DownloadOptions & options);
Path downloadFileCached(const string & url, bool unpack);
Path downloadFileCached(const string & url, bool unpack);
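Review bot: `bool verifyTLS{true};` carries a security-relevant contract that the new struct does not document: the one caller that clears it in this commit (builtinFetchurl) relies on a separate output-hash check, and the download.cc hunk shows that clearing it disables both the peer-certificate and the hostname check. A comment on the field would keep the next caller from copying the flag without that compensating check, e.g. `/* Disables both certificate-chain and hostname verification. Only clear this when the downloaded data is independently verified, e.g. against a fixed output hash. */`. The secure default and the removal of the default argument on downloadFile, which makes every caller state its options explicitly, are both worth keeping as they are.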
@ -158,7 +158,7 @@ int main(int argc, char * * argv)
auto actualUri = resolveMirrorUri(state, uri);
auto actualUri = resolveMirrorUri(state, uri);
/* Download the file. */
/* Download the file. */
auto result = downloadFile(actualUri);
auto result = downloadFile(actualUri, DownloadOptions());
AutoDelete tmpDir(createTempDir(), true);
AutoDelete tmpDir(createTempDir(), true);
Path tmpFile = (Path) tmpDir + "/tmp";
Path tmpFile = (Path) tmpDir + "/tmp";
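Review bot: `downloadFile(actualUri, DownloadOptions())` keeps TLS verification on only by relying on the struct's default, and nothing at the call site says that this is deliberate; unlike builtinFetchurl, this hunk shows no expected hash the result is checked against, so there is presumably no compensating integrity check and the default must stay. A one-line comment would record that, e.g. `/* Default options: TLS verification stays on, since there is no expected hash to check the result against. */`. main() continues outside the hunk.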
|
||||||
|
|
Loading…
Reference in a new issue