From 81db3b13dbb3f5115918cf38db80cb2752c3c07f Mon Sep 17 00:00:00 2001
From: "Gerd v. Egidy"
Date: Sun, 7 Aug 2022 12:53:16 +0200
Subject: [PATCH 1/2] improve error message in case the lua script can't download a file

Now prints the actual error message from the http library instead of a generic "Could not connect" message.
---
airootfs/usr/bin/sysrescue-configuration.lua | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/airootfs/usr/bin/sysrescue-configuration.lua b/airootfs/usr/bin/sysrescue-configuration.lua
index 2518b1f..7b96abf 100755
--- a/airootfs/usr/bin/sysrescue-configuration.lua
+++ b/airootfs/usr/bin/sysrescue-configuration.lua
@@ -169,7 +169,8 @@ function download_file(fileurl)
 local headers, stream = req:go(req_timeout)
 if headers == nil then
- io.stderr:write(string.format("Failed to download %s: Could not connect\n", fileurl))
+ --- the second return variable (=stream) contains the error message in case of an error
+ io.stderr:write(string.format("Failed to download %s: %s\n", fileurl, stream))
 return nil
 end

From e9549eba3484ea7ca2db6fd2094239efb751144e Mon Sep 17 00:00:00 2001
From: "Gerd v. Egidy"
Date: Sun, 7 Aug 2022 12:56:41 +0200
Subject: [PATCH 2/2] don't do certificate verification for https downloads in the lua script

it is usually run during initramfs: we don't have a CA database there, so all https downloads would fail otherwise. Not doing cert verification at this step is clearly documented, so no unexpected security risk for the user.
---
airootfs/usr/bin/sysrescue-configuration.lua | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/airootfs/usr/bin/sysrescue-configuration.lua b/airootfs/usr/bin/sysrescue-configuration.lua
index 7b96abf..49e8626 100755
--- a/airootfs/usr/bin/sysrescue-configuration.lua
+++ b/airootfs/usr/bin/sysrescue-configuration.lua
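Review bot: The error value returned next to `nil` by `req:go()` is handed straight to `%s` with no guard, so if any failure path ever yields a non-string (or nothing at all) the `string.format` call itself raises under Lua 5.1/LuaJIT instead of printing the diagnosis; wrapping it costs nothing: `io.stderr:write(string.format("Failed to download %s: %s\n", fileurl, tostring(stream)))`. If `go()` follows the usual `nil, err, errno` convention, the numeric code is also being discarded here and could be captured with `local headers, stream, errno = req:go(req_timeout)` for the cases where the text is generic. As a style point the inline note uses the `---` LDoc doc-block marker; inside a function body a plain `-- ...` comment is the convention. `download_file` begins before this hunk.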
@@ -24,6 +24,9 @@ local lfs = require('lfs')
 local yaml = require('yaml')
 local json = require("dkjson")
 local request = require("http.request")
+local tls_ctx = require "http.tls".new_client_context()
+local tls_ctx_noverify = require "openssl.ssl.context".VERIFY_NONE
+local tls_ctx_doverify = require "openssl.ssl.context".VERIFY_PEER
 -- ==============================================================================
 -- Utility functions
@@ -166,6 +169,11 @@ end
 function download_file(fileurl)
 local req_timeout = 10
 local req = request.new_from_uri(fileurl)
+
+ --- we (usually) run during initramfs where the CA database is not available, so don't verify certificates
+ tls_ctx:setVerify(tls_ctx_noverify)
+ req.ctx = tls_ctx
+
 local headers, stream = req:go(req_timeout)
 if headers == nil then
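Review bot: `tls_ctx_doverify` is bound but nothing in this patch uses it, and both new names are misleading because they hold verify-mode constants from `openssl.ssl.context`, not TLS contexts; `local tls_verify_none = require "openssl.ssl.context".VERIFY_NONE` (dropping the unused `VERIFY_PEER` binding unless a later change is meant to set it) would read more clearly. Since `tls_ctx` is a single module-level client context, its verify mode could also be fixed once here, directly after `new_client_context()`, instead of being re-applied inside `download_file` on every call, which keeps the TLS policy in one place and makes it visible next to the context it affects. These are style points only.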
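Review bot: Certificate verification is switched off unconditionally for every download, including runs where a CA bundle is available, so whatever `download_file` fetches can be substituted by anyone on the boot network (rogue DHCP/DNS, an on-path attacker) with no indication at runtime; a commit message and external docs do not protect the run itself. At minimum the function should print a warning when it downgrades, e.g. `io.stderr:write(string.format("Warning: downloading %s without TLS certificate verification\n", fileurl))`, and better would be to keep `VERIFY_PEER` whenever a CA store is reachable (a file check via the already-required `lfs` would do) and fall back to `VERIFY_NONE` only when none is found or the user explicitly opted in, so the downgrade is visible and bounded. Calling `setVerify` on the shared module-level `tls_ctx` from inside the function also means the setting silently applies to any other request that reuses that context. The inline comment uses the `---` doc-block marker; use `--` for notes inside a function. `download_file` continues past the end of this hunk.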