Lanchon / ddwrt-secure-entware

Entware Over SSL/TLS For DD-WRT Installations
GNU General Public License v3.0

opkg install with package URL #1

Closed pthall closed 5 years ago

pthall commented 5 years ago

Installing with package URLs doesn't work for HTTPS addresses.

root@DD-WRT:/opt# opkg install https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk
Collected errors:
 * wfopen: https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk.

Installing with the same URL works if the protocol is changed to HTTP.

HTTPS is used as long as package names are used.

root@DD-WRT:/opt# opkg upgrade coreutils
Upgrading coreutils on root from 8.30-1 to 8.30-2...
Downloading https://bin.entware.net/armv7sf-k3.2/coreutils_8.30-2_armv7-3.2.ipk
Configuring coreutils.

Lanchon commented 5 years ago

hi, thanks!

> Installing with package URLs doesn't work for HTTPS addresses.

i didn't know you could install by URL. actually i don't know the first thing about opkg :)

the idea of this repo is to be able to bootstrap Entware securely, which i think you did. i don't propose a replacement for busybox wget for other purposes. i suppose u had to install curlize. after bootstrapping Entware you are supposed to do this, and my guess is you haven't. am i right?

pthall commented 5 years ago

Thanks for the information.

I made sure I had followed "Curlize Replacement" - incomplete configuration is not the root cause.

root@DD-WRT:~# opkg install wget ca-certificates
Installing wget (1.20.3-2) to root...
Downloading https://bin.entware.net/armv7sf-k3.2/wget_1.20.3-2_armv7-3.2.ipk
Installing ca-certificates (20190110-1) to root...
Downloading https://bin.entware.net/armv7sf-k3.2/ca-certificates_20190110-1_all.ipk
Configuring wget.
Configuring ca-certificates.
root@DD-WRT:~# ln -sf /opt/bin/wget /opt/bin-override/wget
root@DD-WRT:~# opkg install https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk
Collected errors:
 * wfopen: https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk: No such file or directory.
 * pkg_init_from_file: Failed to extract control file from https://bin.entware.net/armv7sf-k3.2/archive/libsigcxx_2.10.1-1_armv7-3.2.ipk.

root@DD-WRT:~# which wget
/opt/bin-override/wget

root@DD-WRT:~# wget --version
GNU Wget 1.20.3 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink -nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
    /opt/etc/wgetrc (system)
Compile:
    arm-openwrt-linux-gnueabi-gcc -DHAVE_CONFIG_H
    -DSYSTEM_WGETRC="/opt/etc/wgetrc" -DLOCALEDIR="/opt/share/locale"
    -I. -I../lib -I../lib
    -I/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/include
    -I/media/ware/Entware.2019.10/staging_dir/toolchain-arm_cortex-a9_gcc-7.4.0_glibc-2.27_eabi/include
    -I/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/include
    -I/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/include
    -DNDEBUG -O2 -pipe -march=armv7-a -mtune=cortex-a9
    -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable
    -Wno-error=unused-result -mfloat-abi=soft
Link:
    arm-openwrt-linux-gnueabi-gcc
    -I/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/include
    -I/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/include
    -DNDEBUG -O2 -pipe -march=armv7-a -mtune=cortex-a9
    -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable
    -Wno-error=unused-result -mfloat-abi=soft
    -L/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib
    -Wl,-rpath,/opt/lib
    -Wl,-rpath-link=/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib
    -Wl,--dynamic-linker=/opt/lib/ld-linux.so.3
    -L/media/ware/Entware.2019.10/staging_dir/toolchain-arm_cortex-a9_gcc-7.4.0_glibc-2.27_eabi/lib
    -L/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib
    -lpcre
    /media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib/libssl.so
    /media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib/libcrypto.so
    -ldl
    -L/media/ware/Entware.2019.10/staging_dir/target-arm_cortex-a9_glibc-2.27_eabi/opt/lib
    -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Lanchon commented 5 years ago

thanks!

this isn't related to this project, it's a peculiarity of Entware's build of opkg. i don't think opkg is meant to be used as opkg install <file> where <file> is a URL; i think it's supposed to be a local file, and the underlying fopen() library implementation is trying to fetch URLs (and it doesn't support TLS... of course, so helpful then!). wget or curl your package then install the local file.

thank you again
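
The workaround from the comment above (download the package with a TLS-capable wget, then give opkg a local file), as an added example that is not part of the original thread or of this project's code. `ipk_name_from_url` and `opkg_install_https` are names chosen here, and `FETCH` and `OPKG` are hypothetical override variables that let the logic be exercised offline.

```shell
#!/bin/sh
# Added example: fetch an .ipk over HTTPS, then install it from a local path
# so opkg never has to open the URL itself.
# FETCH and OPKG are hypothetical override hooks, not opkg or Entware settings.

FETCH="${FETCH:-wget}"   # assumed to be the Entware GNU Wget (+https), not BusyBox wget
OPKG="${OPKG:-opkg}"

# Print the package file name for an https:// .ipk URL; fail on anything else.
ipk_name_from_url() {
    case "$1" in
        https://*/*.ipk) ;;
        *) echo "refusing non-HTTPS or non-.ipk URL: $1" >&2; return 1 ;;
    esac
    name="${1##*/}"
    # Reject unexpected characters rather than guess at a file name.
    case "$name" in
        *[!A-Za-z0-9._+-]*) echo "unexpected file name: $name" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Download into a private temp directory, install the local file, clean up.
opkg_install_https() {
    url="$1"
    name="$(ipk_name_from_url "$url")" || return 1
    dir="$(mktemp -d)" || return 1
    # No --no-check-certificate here: certificate verification stays on.
    if "$FETCH" -q -O "$dir/$name" "$url" && [ -s "$dir/$name" ]; then
        "$OPKG" install "$dir/$name"
        rc=$?
    else
        echo "download failed: $url" >&2
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}
```

On the router this would be called as `opkg_install_https <https URL of the .ipk>`; a failed or empty download never reaches opkg.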

pthall commented 5 years ago

Good point that this isn't intended to fix all opkg limitations. And thanks for making this in the first place! There is a good "install from URL" example in the opkg doc https://openwrt.org/docs/guide-user/additional-software/opkg#package_manipulation

Lanchon commented 5 years ago

it's not an opkg limitation. opkg uses wget which should handle TLS. but DD-WRT comes with a toy wget from busybox, so...