From: bones_was_here
Date: Wed, 26 Feb 2025 01:54:20 +0000 (+1000)
Subject: rsync: implement SSL/TLS, change URL
X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=a2811f60fc0313ec52260a3740271f0d2324faaf;p=xonotic%2Fxonotic.git

rsync: implement SSL/TLS, change URL

I've added rsync TLS termination to the xonotic.org reverse proxy and updated its rsyncd config. Legacy Xonotic rsync updaters are still supported. These client scripts use openssl to verify the server certificate and protect the rsync connection. Changed the URL so the server config no longer needs to define a module for every package, so rsync URLs can also be browsable via https, and so we don't confusingly use beta.xonotic.org to update to a stable release.
---
diff --git a/misc/tools/all/release.subr b/misc/tools/all/release.subr
index 7fafe363..fee5d75e 100644
--- a/misc/tools/all/release.subr
+++ b/misc/tools/all/release.subr
@@ -681,7 +681,7 @@ case "$cmd" in
 release-rsync)
 release_common
 # make sure everything we need is installed and updated
- verbose "$d0"/misc/tools/msys2-linux.sh --schroot=sid rsync dash
+ verbose "$d0"/misc/tools/msys2-linux.sh --schroot=sid rsync dash openssl
 targetroot="$PWD/Xonotic"
 verbose cd "$HOME/msys64" # see msys2-linux.sh
 verbose cp --parents \
@@ -689,9 +689,12 @@ case "$cmd" in
 usr/bin/msys-crypto-3.dll \
 usr/bin/msys-iconv-2.dll \
 usr/bin/msys-lz4-1.dll \
+ usr/bin/msys-ssl-3.dll \
 usr/bin/msys-xxhash-0.dll \
 usr/bin/msys-zstd-1.dll \
+ usr/bin/openssl.exe \
 usr/bin/rsync.exe \
+ usr/ssl/cert.pem \
 "$targetroot/misc/tools/rsync-updater/"
 # msys2 sh.exe is currently bash
 verbose cp usr/bin/dash.exe "$targetroot/misc/tools/rsync-updater/usr/bin/sh.exe"
diff --git a/misc/tools/rsync-updater/update-to-autobuild.sh b/misc/tools/rsync-updater/update-to-autobuild.sh
index d75df770..17cb618c 100755
--- a/misc/tools/rsync-updater/update-to-autobuild.sh
+++ b/misc/tools/rsync-updater/update-to-autobuild.sh
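Review bot: The second release.subr hunk copies `usr/ssl/cert.pem` into the updater next to `openssl.exe` and `msys-ssl-3.dll` without saying what it is for; presumably it is the CA bundle the bundled openssl consults when verifying the rsync server certificate on Windows, but that is an inference from the file name, not something the hunk shows. A one-line comment before `verbose cp --parents \` such as `# openssl.exe + msys-ssl-3.dll + usr/ssl/cert.pem (CA bundle) are required by rsync-ssl to verify the server certificate` would make the dependency explicit for whoever next trims this file list. Since the bundle is frozen at release time, it is also worth noting there which mechanism refreshes it later (the updater syncing the whole tree, if that is the intent). The `release-rsync)` case arm starts and continues outside these hunks.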
@@ -9,6 +9,27 @@ if ! command -v rsync > /dev/null; then
 exit 1
 fi
 
+if ! command -v rsync-ssl >/dev/null; then
+ export PATH="$PWD/usr/bin:$PATH"
+fi
+
+# openssl is the only option, as gnutls-cli is broken in rsync-ssl and stunnel doesn't verify the cert.
+rsynccmd=rsync-ssl
+if ! command -v openssl > /dev/null; then
+ if [ $interactive = false ]; then
+ printf >&2 "\033[1;31mFATAL: openssl not found, please install the openssl package!\033[m\n"
+ exit 1
+ fi
+ printf "\033[1;33mWARNING: openssl not found, please install the openssl package!\033[m\n"
+ unset secchoice # no automated skipping, this is important
+ until [ "$secchoice" = y ] || [ "$secchoice" = Y ]; do
+ printf "\033[1;33mConnecting without openssl is insecure, continue? [Y/N] \033[m"
+ read -r secchoice
+ [ "$secchoice" = n ] || [ "$secchoice" = N ] && exit 1
+ done
+ rsynccmd=rsync
+fi
+
 case "${0##*/}" in
 update-to-autobuild.sh)
 buildtype=autobuild
@@ -26,7 +47,10 @@ if [ -n "$(rsync --help | sed -En 's/(--delete-delay)/\1/p')" ]; then
 else
 options="$options --delete-after"
 fi
-if [ "$OS" != "Windows_NT" ]; then
+if [ "$OS" = "Windows_NT" ]; then
+ # use blocking stdio for the remote shell (openssl) to avoid random failures (msys2/cygwin bug?)
+ options="$options --blocking-io"
+else
 options="$options --executability"
 fi
 
@@ -55,7 +79,7 @@ elif [ -e "Xonotic-high" ]; then
 printf "\033[1;35mFound manually created 'Xonotic-high' package override\033[m\n"
 package="Xonotic-high"
 fi
-url="beta.xonotic.org/$buildtype-$package"
+url="rsync.xonotic.org/$buildtype/$package"
 
 excludes=
 if [ -n "$XONOTIC_INCLUDE_ALL" ]; then
@@ -124,4 +148,4 @@ until [ "$choice" = y ] || [ "$choice" = Y ]; do
 done
 
 # exec ensures this script stops before it's updated to prevent potential glitches
-exec rsync $options $excludes "rsync://$url/" "$target"
+exec $rsynccmd $options $excludes "rsync://$url/" "$target"
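Review bot: In the new openssl fallback prompt (first hunk), `read -r secchoice` returns non-zero and leaves `secchoice` empty at EOF, so an "interactive" run whose stdin is closed or redirected never satisfies the `until` condition and never hits the n/N exit — it loops forever re-printing the prompt instead of failing; `read -r secchoice || exit 1` makes the loop terminate on EOF, which is the safe direction for a downgrade-to-plaintext decision. The same hunk tests `[ $interactive = false ]` unquoted: should `interactive` ever be empty, the test becomes a syntax error that evaluates false and the script silently proceeds to the prompt rather than aborting, so `[ "$interactive" = false ]` is the robust form (`interactive` is assigned outside this hunk, so I am assuming it is normally set). A short comment above the `until` loop stating that an explicit y/Y is the only way to continue without certificate verification would also document the intent behind `unset secchoice`.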
diff --git a/misc/tools/rsync-updater/usr/bin/rsync-ssl b/misc/tools/rsync-updater/usr/bin/rsync-ssl
new file mode 100755
index 00000000..54447b52
--- /dev/null
+++ b/misc/tools/rsync-updater/usr/bin/rsync-ssl
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Minimal and POSIX-compatible version of rsync-ssl, supports only openssl
+# because gnutls-cli is broken and stunnel doesn't verify the server's certificate.
+
+# Other differences:
+# - supports spaces in the path to this script
+
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon. See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+# rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+if [ "$1" = --HELPER ]; then
+ shift
+
+ port="${RSYNC_PORT:-0}"
+ if [ "$port" -eq 0 ]; then
+ port="${RSYNC_SSL_PORT:-874}"
+ fi
+
+ # If the user specified USER@HOSTNAME::module, then rsync passes us
+ # the -l USER option too, so we must be prepared to ignore it.
+ if [ "$1" = "-l" ]; then
+ shift 2
+ fi
+
+ hostname="$1"
+ shift
+
+ if [ -z "$hostname" ] || [ "$1" != rsync ] || [ "$2" != --server ] || [ "$3" != --daemon ]; then
+ echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+ exit 1
+ fi
+
+ exec openssl s_client -verify_return_error -verify 4 -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+fi
+
+# The --rsh parameter string will need to be word split between $0 and --HELPER when executed
+# but $0 may contain space(s) and must not be split, hence its extra quotes.
+exec rsync --rsh="'$0' --HELPER" "${@}"
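Review bot: In the `--HELPER` branch, `$hostname` and `$port` are expanded unquoted on the `exec openssl s_client` line, so a host string containing whitespace or glob characters is word-split or globbed before it reaches `-servername`, `-verify_hostname` and `-connect` — at odds with the care the script takes to keep `$0` intact in the final exec; write `-servername "$hostname" -verify_hostname "$hostname" -connect "$hostname:$port"`. The header comment points readers to the rsync-ssl manpage for env variables, but this version passes no `-CAfile`/`-CApath`, so the manpage's `RSYNC_SSL_CA_CERT` is not honoured and verification rests entirely on openssl's default trust store; a comment above the exec such as `# no RSYNC_SSL_CA_CERT support: the server certificate is checked against openssl's default CA store` would make that limitation explicit. `[ "$port" -eq 0 ]` also errors out (exit status 2, treated as false) on a non-numeric `RSYNC_PORT`, which then silently flows into `-connect`; checking the value with a `case` pattern before the `-eq` would fail loudly instead.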