From 163ffa7c4a7529ce257df72b1be392a0c0a32443 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 18:11:40 +0100 Subject: Allow URI schemes starting with "tor+", e.g. "tor+http://" --- Makefile.am | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Makefile.am') diff --git a/Makefile.am b/Makefile.am index 7ebcb3a..e419b94 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,4 +4,8 @@ methodsdir = $(prefix)/lib/apt/methods methods_PROGRAMS = tor tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h +install-exec-hook: + cd $(DESTDIR)$(methodsdir) && \ + $(LN_S) tor tor+http + EXTRA_DIST = README.md -- cgit v1.2.3-70-g09d2 From 67d013f84c33a2a71fc237c0cfca99fe84b330a2 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Fri, 18 Jul 2014 18:33:00 +0100 Subject: Re-enable HTTPS support, with "tor+https://" URLs --- Makefile.am | 1 + tor.cc | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 68 insertions(+), 4 deletions(-) (limited to 'Makefile.am') diff --git a/Makefile.am b/Makefile.am index e419b94..668c13c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,6 +6,7 @@ tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h install-exec-hook: cd $(DESTDIR)$(methodsdir) && \ + $(LN_S) tor tor+https && \ $(LN_S) tor tor+http EXTRA_DIST = README.md diff --git a/tor.cc b/tor.cc index 4d7a91e..f071149 100644 --- a/tor.cc +++ b/tor.cc @@ -183,9 +183,72 @@ bool TorMethod::Fetch(FetchItem *Itm) // options curl_easy_setopt(curl, CURLOPT_NOPROGRESS, false); curl_easy_setopt(curl, CURLOPT_FILETIME, true); - // only allow curl to handle http, not the other stuff it supports - curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP); - curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP); + // Allow curl to handle just the protocols we want + curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); + curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); + + // SSL parameters are set by default to the common (non mirror-specific) value + // if available (or a default one) and gets overload by mirror-specific ones. + + // File containing the list of trusted CA. + string cainfo = _config->Find("Acquire::https::CaInfo",""); + string knob = "Acquire::https::"+remotehost+"::CaInfo"; + cainfo = _config->Find(knob.c_str(),cainfo.c_str()); + if(cainfo.empty() == false) + curl_easy_setopt(curl, CURLOPT_CAINFO,cainfo.c_str()); + + // Check server certificate against previous CA list ... + bool peer_verify = _config->FindB("Acquire::https::Verify-Peer",true); + knob = "Acquire::https::" + remotehost + "::Verify-Peer"; + peer_verify = _config->FindB(knob.c_str(), peer_verify); + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify); + + // ... and hostname against cert CN or subjectAltName + bool verify = _config->FindB("Acquire::https::Verify-Host",true); + knob = "Acquire::https::"+remotehost+"::Verify-Host"; + verify = _config->FindB(knob.c_str(),verify); + int const default_verify = (verify == true) ? 2 : 0; + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, default_verify); + + // Also enforce issuer of server certificate using its cert + string issuercert = _config->Find("Acquire::https::IssuerCert",""); + knob = "Acquire::https::"+remotehost+"::IssuerCert"; + issuercert = _config->Find(knob.c_str(),issuercert.c_str()); + if(issuercert.empty() == false) + curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str()); + + // For client authentication, certificate file ... + string pem = _config->Find("Acquire::https::SslCert",""); + knob = "Acquire::https::"+remotehost+"::SslCert"; + pem = _config->Find(knob.c_str(),pem.c_str()); + if(pem.empty() == false) + curl_easy_setopt(curl, CURLOPT_SSLCERT, pem.c_str()); + + // ... and associated key. + string key = _config->Find("Acquire::https::SslKey",""); + knob = "Acquire::https::"+remotehost+"::SslKey"; + key = _config->Find(knob.c_str(),key.c_str()); + if(key.empty() == false) + curl_easy_setopt(curl, CURLOPT_SSLKEY, key.c_str()); + + // Allow forcing SSL version to SSLv3 or TLSv1 (SSLv2 is not + // supported by GnuTLS). + long final_version = CURL_SSLVERSION_DEFAULT; + string sslversion = _config->Find("Acquire::https::SslForceVersion",""); + knob = "Acquire::https::"+remotehost+"::SslForceVersion"; + sslversion = _config->Find(knob.c_str(),sslversion.c_str()); + if(sslversion == "TLSv1") + final_version = CURL_SSLVERSION_TLSv1; + else if(sslversion == "SSLv3") + final_version = CURL_SSLVERSION_SSLv3; + curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version); + + // CRL file + string crlfile = _config->Find("Acquire::https::CrlFile",""); + knob = "Acquire::https::"+remotehost+"::CrlFile"; + crlfile = _config->Find(knob.c_str(),crlfile.c_str()); + if(crlfile.empty() == false) + curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str()); // cache-control if(_config->FindB("Acquire::tor::No-Cache", @@ -370,7 +433,7 @@ int main() setlocale(LC_ALL, ""); TorMethod Mth; - curl_global_init(CURL_GLOBAL_NOTHING) ; + curl_global_init(CURL_GLOBAL_SSL) ; return Mth.Run(); } -- cgit v1.2.3-70-g09d2 From e9f548297d3a545364adbb7b9a0dbb97ef97d605 Mon Sep 17 00:00:00 2001 From: Tim Retout Date: Sun, 20 Jul 2014 14:38:09 +0100 Subject: Use install-data-hook instead of install-exec-hook --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Makefile.am') diff --git a/Makefile.am b/Makefile.am index 668c13c..271579f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4,7 +4,7 @@ methodsdir = $(prefix)/lib/apt/methods methods_PROGRAMS = tor tor_SOURCES = tor.cc tor.h server.cc server.h apti18n.h -install-exec-hook: +install-data-hook: cd $(DESTDIR)$(methodsdir) && \ $(LN_S) tor tor+https && \ $(LN_S) tor tor+http -- cgit v1.2.3-70-g09d2