check_site.lua

  • Matthias Schiffer authored
    The autoupdater supports HTTPS when a ustream TLS backend is installed,
    but we did not allow this in site.conf. However, just allowing HTTPS
    URLs unconditionally is also a bad idea, as it might result in nodes
    being unable to reach the mirror, in particular if the `tls` feature is
    enabled only for some devices.
    
    Solve this by allowing https:// URLs only if the marker file installed
    by gluon-tls is found, failing the site check with an error message like
    the following otherwise:
    
        *** All of the following alternatives have failed:
            1) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern 'http://', but it is "https://..." (a string value)
            2) site.conf error: expected autoupdater.branches.test.mirrors.1 to use HTTPS only if the 'tls' feature is enabled, but it is "https://..." (a string value)
            3) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern '^//', but it is "https://..." (a string value)
    
    In addition, introduce support for protocol-less //server/path URLs,
    which will use either HTTP or HTTPS depending on the availability of
    the `tls` feature. No fallback happens when `tls` is available, but the
    HTTPS connection fails, preventing downgrade attacks.
    
    Based-on-patch-by: Kevin Olbrich <ko@sv01.de>
    c800fe7f
    check_site.lua 1.48 KiB
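    -- Marker file installed by gluon-tls; it exists only when the `tls`
    -- feature is part of the image being checked.
    local has_tls = (function()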
    	local f = io.open((os.getenv('IPKG_INSTROOT') or '') .. '/lib/gluon/features/tls')
    	if f then
    		f:close()
    		return true
    	end
    	return false
    end)()
    
    local branches = table_keys(need_table({'autoupdater', 'branches'}, function(branch)
    	need_alphanumeric_key(branch)
    
    	need_string(in_site(extend(branch, {'name'})))
    	need_array(extend(branch, {'mirrors'}), function(mirror)
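    		-- A mirror must satisfy at least one alternative; if all fail,
    		-- the site check reports every failure.
    		alternatives(function()
    			-- Plain HTTP is always allowed
    			need_string_match(mirror, 'http://')
    		end, function()
    			-- HTTPS is allowed only if the tls marker file was found
    			need_string_match(mirror, 'https://')
    			need(mirror, function() return has_tls end, nil,
    				"use HTTPS only if the 'tls' feature is enabled")
    		end, function()
    			-- Protocol-less //server/path: scheme depends on tls availability
    			need_string_match(mirror, '^//')
    		end)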
    	end)
    
    	local pubkeys = need_string_array_match(in_site(extend(branch, {'pubkeys'})), '^%x+$')
    	-- The required number of good signatures cannot exceed the number
    	-- of configured public keys
    	need_number(in_site(extend(branch, {'good_signatures'})))
    	need(in_site(extend(branch, {'good_signatures'})), function(good_signatures)
    		return good_signatures <= #pubkeys
    	end, nil, string.format('be less than or equal to the number of public keys (%d)', #pubkeys))
    
    	obsolete(in_site(extend(branch, {'probability'})), 'Use GLUON_PRIORITY in site.mk instead.')
    end))
    
    need_one_of(in_site({'autoupdater', 'branch'}), branches, false)
    
    -- Check GLUON_AUTOUPDATER_BRANCH
    local default_branch
    local f = io.open((os.getenv('IPKG_INSTROOT') or '') .. '/lib/gluon/autoupdater/default_branch')
    if f then
    	default_branch = f:read('*line')
    	f:close()
    end
    need_one_of(value('GLUON_AUTOUPDATER_BRANCH', default_branch), branches, false)
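
The three mirror alternatives and the protocol-less scheme selection described in the commit message, as an added standalone Lua example (not part of the Gluon source). `check_mirror`, `resolve_mirror` and the sample URLs are hypothetical, and the scheme patterns are anchored with `^` here, a deliberate difference from the `'http://'` and `'https://'` patterns in the file above.

```lua
-- check_mirror and resolve_mirror are hypothetical names, not Gluon functions.
-- check_mirror returns true, or false plus the reason each alternative failed.
local function check_mirror(url, has_tls)
	local failures = {}
	-- Alternative 1: plain HTTP is always accepted.
	if url:match('^http://') then return true end
	failures[#failures + 1] = "no match for '^http://'"
	-- Alternative 2: HTTPS only if the tls feature marker was found.
	if not url:match('^https://') then
		failures[#failures + 1] = "no match for '^https://'"
	elseif has_tls then
		return true
	else
		failures[#failures + 1] = "HTTPS used without the 'tls' feature"
	end
	-- Alternative 3: protocol-less //server/path.
	if url:match('^//') then return true end
	failures[#failures + 1] = "no match for '^//'"
	return false, failures
end

-- Assumption: the scheme is chosen once from feature availability and the
-- other scheme is never tried afterwards (no downgrade on TLS failure).
local function resolve_mirror(url, has_tls)
	if url:match('^//') then
		return (has_tls and 'https:' or 'http:') .. url
	end
	return url
end

-- Constructed sample mirrors, not taken from any real site.conf.
local samples = {
	'http://mirror.example.org/stable/sysupgrade',
	'https://mirror.example.org/stable/sysupgrade',
	'//mirror.example.org/stable/sysupgrade',
	'ftp://mirror.example.org/stable/sysupgrade',
}

for _, has_tls in ipairs({false, true}) do
	print(('tls feature %s:'):format(has_tls and 'enabled' or 'absent'))
	for _, url in ipairs(samples) do
		local ok, why = check_mirror(url, has_tls)
		if ok then
			print('  accept ' .. url .. ' -> ' .. resolve_mirror(url, has_tls))
		else
			print('  reject ' .. url .. ': ' .. table.concat(why, '; '))
		end
	end
end
```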