From 511fb0f0b5b0bf6c83c91a84633a22ae1c7cddf6 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 17:58:31 +0100 Subject: tor.cc: Hardcode useragent to constant string --- tor.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tor.cc b/tor.cc index 1df0a07..8406cba 100644 --- a/tor.cc +++ b/tor.cc @@ -205,10 +205,9 @@ bool TorMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_MAX_RECV_SPEED_LARGE, dlLimit); // set header + // Hardcoded so that all apt-transport-tor users look the same. curl_easy_setopt(curl, CURLOPT_USERAGENT, - _config->Find("Acquire::tor::User-Agent", - _config->Find("Acquire::http::User-Agent", - "Debian APT-CURL/1.0 (" PACKAGE_VERSION ")").c_str()).c_str()); + "Debian APT-CURL/1.0 (0.1)"); // set timeout int const timeout = _config->FindI("Acquire::tor::Timeout", -- cgit v1.2.3-70-g09d2 From 163ffa7c4a7529ce257df72b1be392a0c0a32443 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 18:11:40 +0100 Subject: Allow URI schemes starting with "tor+", e.g. "tor+http://" --- Makefile.am | 4 ++++ configure.ac | 1 + tor.cc | 12 ++++++++++-- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 7ebcb3a..e419b94 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,4 +4,8 @@ methodsdir = $(prefix)/lib/apt/methods methods_PROGRAMS = tor tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h +install-exec-hook: + cd $(DESTDIR)$(methodsdir) && \ + $(LN_S) tor tor+http + EXTRA_DIST = README.md diff --git a/configure.ac b/configure.ac index 21f82ab..1188688 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,7 @@ AC_INIT([apt-transport-tor], [0.1], [diocles@debian.org]) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AC_PROG_CXX +AC_PROG_LN_S AC_CONFIG_HEADERS([config.h]) AC_CHECK_LIB([apt-pkg], [main]) AC_CHECK_LIB([curl], [curl_version]) diff --git a/tor.cc b/tor.cc index 8406cba..4d7a91e 100644 --- a/tor.cc +++ b/tor.cc @@ -151,8 +151,16 @@ bool TorMethod::Fetch(FetchItem *Itm) URI Uri = Itm->Uri; string remotehost = Uri.Host; - // Undo the "tor" at the start - Uri.Access = "http"; + // Undo any "tor" or "tor+" at the start + string prefix="tor+"; + if ("tor" == Uri.Access) + { + Uri.Access = "http"; + } + else if (!Uri.Access.compare(0, prefix.size(), prefix)) + { + Uri.Access = Uri.Access.substr(prefix.size()); + } // TODO: // - http::Pipeline-Depth -- cgit v1.2.3-70-g09d2 From 67d013f84c33a2a71fc237c0cfca99fe84b330a2 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 18:33:00 +0100 Subject: Re-enable HTTPS support, with "tor+https://" URLs --- Makefile.am | 1 + tor.cc | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 68 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index e419b94..668c13c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,6 +6,7 @@ tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h install-exec-hook: cd $(DESTDIR)$(methodsdir) && \ + $(LN_S) tor tor+https && \ $(LN_S) tor tor+http EXTRA_DIST = README.md diff --git a/tor.cc b/tor.cc index 4d7a91e..f071149 100644 --- a/tor.cc +++ b/tor.cc @@ -183,9 +183,72 @@ bool TorMethod::Fetch(FetchItem *Itm) // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); - // only allow curl to handle http, not the other stuff it supports - curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP); - curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP); + // Allow curl to handle just the protocols we want + curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); + + // SSL parameters are set by default to the common (non mirror-specific) value + // if available (or a default one) and gets overload by mirror-specific ones. + + // File containing the list of trusted CA. + string cainfo = _config->Find("Acquire::https::CaInfo",""); + string knob = "Acquire::https::"+remotehost+"::CaInfo"; + cainfo = _config->Find(knob.c_str(),cainfo.c_str()); + if(cainfo.empty() == false) + curl_easy_setopt(curl, CURLOPT_CAINFO,cainfo.c_str()); + + // Check server certificate against previous CA list ... + bool peer_verify = _config->FindB("Acquire::https::Verify-Peer",true); + knob = "Acquire::https::" + remotehost + "::Verify-Peer"; + peer_verify = _config->FindB(knob.c_str(), peer_verify); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify); + + // ... and hostname against cert CN or subjectAltName + bool verify = _config->FindB("Acquire::https::Verify-Host",true); + knob = "Acquire::https::"+remotehost+"::Verify-Host"; + verify = _config->FindB(knob.c_str(),verify); + int const default_verify = (verify == true) ? 2 : 0; + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, default_verify); + + // Also enforce issuer of server certificate using its cert + string issuercert = _config->Find("Acquire::https::IssuerCert",""); + knob = "Acquire::https::"+remotehost+"::IssuerCert"; + issuercert = _config->Find(knob.c_str(),issuercert.c_str()); + if(issuercert.empty() == false) + curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str()); + + // For client authentication, certificate file ... + string pem = _config->Find("Acquire::https::SslCert",""); + knob = "Acquire::https::"+remotehost+"::SslCert"; + pem = _config->Find(knob.c_str(),pem.c_str()); + if(pem.empty() == false) + curl_easy_setopt(curl, CURLOPT_SSLCERT, pem.c_str()); + + // ... and associated key. + string key = _config->Find("Acquire::https::SslKey",""); + knob = "Acquire::https::"+remotehost+"::SslKey"; + key = _config->Find(knob.c_str(),key.c_str()); + if(key.empty() == false) + curl_easy_setopt(curl, CURLOPT_SSLKEY, key.c_str()); + + // Allow forcing SSL version to SSLv3 or TLSv1 (SSLv2 is not + // supported by GnuTLS). + long final_version = CURL_SSLVERSION_DEFAULT; + string sslversion = _config->Find("Acquire::https::SslForceVersion",""); + knob = "Acquire::https::"+remotehost+"::SslForceVersion"; + sslversion = _config->Find(knob.c_str(),sslversion.c_str()); + if(sslversion == "TLSv1") + final_version = CURL_SSLVERSION_TLSv1; + else if(sslversion == "SSLv3") + final_version = CURL_SSLVERSION_SSLv3; + curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version); + + // CRL file + string crlfile = _config->Find("Acquire::https::CrlFile",""); + knob = "Acquire::https::"+remotehost+"::CrlFile"; + crlfile = _config->Find(knob.c_str(),crlfile.c_str()); + if(crlfile.empty() == false) + curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str()); // cache-control if(_config->FindB("Acquire::tor::No-Cache", @@ -370,7 +433,7 @@ int main() setlocale(LC_ALL, ""); TorMethod Mth; - curl_global_init(CURL_GLOBAL_NOTHING) ; + curl_global_init(CURL_GLOBAL_SSL) ; return Mth.Run(); } -- cgit v1.2.3-70-g09d2 From 2178b5a7f8f4d581dc428958f10bb720c9197e34 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 19:09:53 +0100 Subject: README.md: Make tor+http the default URL scheme in the docs --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e06b277..117c297 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Easily install Debian packages via Tor. This package implements an APT "acquire method" that handles URLs starting -with "tor://" in your sources.list. +with "tor+http://" or "tor+https://" in your sources.list. ## Installation @@ -30,8 +30,8 @@ Then, or if installing from a tarball: Edit your /etc/apt/sources.list like so, adjusting the suite/components appropriately for your system: - deb tor://http.debian.net/debian unstable main - deb-src tor://http.debian.net/debian unstable main + deb tor+http://http.debian.net/debian unstable main + deb-src tor+http://http.debian.net/debian unstable main Note the use of http.debian.net so that a mirror close to your exit node will be automatically chosen. @@ -39,8 +39,8 @@ will be automatically chosen. Alternatively, if you have the Tor hidden service address of a Debian mirror, you can use that: - deb tor://.onion/debian unstable main - deb-src tor://.onion/debian unstable main + deb tor+http://.onion/debian unstable main + deb-src tor+http://.onion/debian unstable main ## Configuration -- cgit v1.2.3-70-g09d2 From e594096cc1063c617de8981d09e97d9b4912c4d8 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Sun, 20 Jul 2014 14:02:25 +0100 Subject: Bump version to 0.2 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 1188688..e82f9e1 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([apt-transport-tor], [0.1], [diocles@debian.org]) +AC_INIT([apt-transport-tor], [0.2], [diocles@debian.org]) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AC_PROG_CXX AC_PROG_LN_S -- cgit v1.2.3-70-g09d2 From e9f548297d3a545364adbb7b9a0dbb97ef97d605 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Sun, 20 Jul 2014 14:38:09 +0100 Subject: Use install-data-hook instead of install-exec-hook --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 668c13c..271579f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,7 +4,7 @@ methodsdir = $(prefix)/lib/apt/methods methods_PROGRAMS = tor tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h -install-exec-hook: +install-data-hook: cd $(DESTDIR)$(methodsdir) && \ $(LN_S) tor tor+https && \ $(LN_S) tor tor+http -- cgit v1.2.3-70-g09d2 From 07e5fae5a93a0265ae9cf0d8651aa5fa47bc1e0a Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Sun, 20 Jul 2014 14:39:05 +0100 Subject: Bump version to 0.2.1 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index e82f9e1..4341f88 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([apt-transport-tor], [0.2], [diocles@debian.org]) +AC_INIT([apt-transport-tor], [0.2.1], [diocles@debian.org]) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AC_PROG_CXX AC_PROG_LN_S -- cgit v1.2.3-70-g09d2