summaryrefslogtreecommitdiff
path: root/methods
diff options
context:
space:
mode:
Diffstat (limited to 'methods')
-rw-r--r--methods/CMakeLists.txt11
-rw-r--r--methods/connect.cc259
-rw-r--r--methods/http.cc15
3 files changed, 3 insertions, 282 deletions
diff --git a/methods/CMakeLists.txt b/methods/CMakeLists.txt
index c27b1438b..beb08a81d 100644
--- a/methods/CMakeLists.txt
+++ b/methods/CMakeLists.txt
@@ -13,17 +13,12 @@ add_executable(http http.cc basehttp.cc $<TARGET_OBJECTS:connectlib>)
add_executable(mirror mirror.cc)
add_executable(rred rred.cc)
-if (WITH_OPENSSL)
- target_compile_definitions(connectlib PRIVATE ${OPENSSL_DEFINITIONS})
- target_include_directories(connectlib PRIVATE ${OPENSSL_INCLUDE_DIR})
-elseif (HAVE_GNUTLS)
- target_compile_definitions(connectlib PRIVATE ${GNUTLS_DEFINITIONS})
- target_include_directories(connectlib PRIVATE ${GNUTLS_INCLUDE_DIR})
-endif()
+target_compile_definitions(connectlib PRIVATE ${OPENSSL_DEFINITIONS})
+target_include_directories(connectlib PRIVATE ${OPENSSL_INCLUDE_DIR})
target_include_directories(http PRIVATE $<$<BOOL:${SYSTEMD_FOUND}>:${SYSTEMD_INCLUDE_DIRS}>)
# Additional libraries to link against for networked stuff
-target_link_libraries(http $<$<BOOL:${WITH_OPENSSL}>:OpenSSL::SSL> $<$<BOOL:${GNUTLS_FOUND}>:${GNUTLS_LIBRARIES}> $<$<BOOL:${SYSTEMD_FOUND}>:${SYSTEMD_LIBRARIES}>)
+target_link_libraries(http OpenSSL::SSL $<$<BOOL:${SYSTEMD_FOUND}>:${SYSTEMD_LIBRARIES}>)
target_link_libraries(rred apt-private)
diff --git a/methods/connect.cc b/methods/connect.cc
index fc1bd132c..b00e73eb7 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -21,13 +21,8 @@
#include <apt-pkg/srvrec.h>
#include <apt-pkg/strutl.h>
-#ifdef WITH_OPENSSL
#include <openssl/err.h>
#include <openssl/ssl.h>
-#elif defined(HAVE_GNUTLS)
-#include <gnutls/gnutls.h>
-#include <gnutls/x509.h>
-#endif
#include <cassert>
#include <cerrno>
@@ -807,7 +802,6 @@ ResultState UnwrapSocks(std::string Host, int Port, URI Proxy, std::unique_ptr<M
return ResultState::SUCCESSFUL;
}
-#if defined(WITH_OPENSSL)
// UnwrapTLS - Handle TLS connections /*{{{*/
// ---------------------------------------------------------------------
/* Performs a TLS handshake on the socket */
@@ -1088,256 +1082,3 @@ ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
return ResultState::SUCCESSFUL;
}
-#elif defined(HAVE_GNUTLS /*}}}*/
-// UnwrapTLS - Handle TLS connections /*{{{*/
-// ---------------------------------------------------------------------
-/* Performs a TLS handshake on the socket */
-struct TlsFd final : public MethodFd
-{
- std::unique_ptr<MethodFd> UnderlyingFd;
- gnutls_session_t session;
- gnutls_certificate_credentials_t credentials;
- std::string hostname;
- unsigned long Timeout;
-
- int Fd() APT_OVERRIDE { return UnderlyingFd->Fd(); }
-
- ssize_t Read(void *buf, size_t count) APT_OVERRIDE
- {
- return HandleError(gnutls_record_recv(session, buf, count));
- }
- ssize_t Write(void *buf, size_t count) APT_OVERRIDE
- {
- return HandleError(gnutls_record_send(session, buf, count));
- }
-
- ssize_t DoTLSHandshake()
- {
- int err;
- // Do the handshake. Our socket is non-blocking, so we need to call WaitFd()
- // accordingly.
- do
- {
- err = gnutls_handshake(session);
- if ((err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN) &&
- WaitFd(this->Fd(), gnutls_record_get_direction(session) == 1, Timeout) == false)
- {
- _error->Errno("select", "Could not wait for server fd");
- return err;
- }
- } while (err < 0 && gnutls_error_is_fatal(err) == 0);
-
- if (err < 0)
- {
- // Print reason why validation failed.
- if (err == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR)
- {
- gnutls_datum_t txt;
- auto type = gnutls_certificate_type_get(session);
- auto status = gnutls_session_get_verify_cert_status(session);
- if (gnutls_certificate_verification_status_print(status, type, &txt, 0) == 0)
- {
- _error->Error("Certificate verification failed: %s", txt.data);
- }
- gnutls_free(txt.data);
- }
- _error->Error("Could not handshake: %s", gnutls_strerror(err));
- }
- return err;
- }
-
- template <typename T>
- T HandleError(T err)
- {
- // Server may request re-handshake if client certificates need to be provided
- // based on resource requested
- if (err == GNUTLS_E_REHANDSHAKE)
- {
- int rc = DoTLSHandshake();
- // Only reset err if DoTLSHandshake() fails.
- // Otherwise, we want to follow the original error path and set errno to EAGAIN
- // so that the request is retried.
- if (rc < 0)
- err = rc;
- }
-
- if (err < 0 && gnutls_error_is_fatal(err))
- errno = EIO;
- else if (err < 0)
- errno = EAGAIN;
- else
- errno = 0;
- return err;
- }
-
- int Close() APT_OVERRIDE
- {
- auto err = HandleError(gnutls_bye(session, GNUTLS_SHUT_RDWR));
- auto lower = UnderlyingFd->Close();
- return err < 0 ? HandleError(err) : lower;
- }
-
- bool HasPending() APT_OVERRIDE
- {
- return gnutls_record_check_pending(session) > 0;
- }
-};
-
-ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
- unsigned long const Timeout, aptMethod * const Owner,
- aptConfigWrapperForMethods const * const OwnerConf)
-{
- if (_config->FindB("Acquire::AllowTLS", true) == false)
- {
- _error->Error("TLS support has been disabled: Acquire::AllowTLS is false.");
- return ResultState::FATAL_ERROR;
- }
-
- int err;
- TlsFd *tlsFd = new TlsFd();
-
- tlsFd->hostname = Host;
- tlsFd->UnderlyingFd = MethodFd::FromFd(-1); // For now
- tlsFd->Timeout = Timeout;
-
- if ((err = gnutls_init(&tlsFd->session, GNUTLS_CLIENT | GNUTLS_NONBLOCK)) < 0)
- {
- _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
-
- FdFd *fdfd = dynamic_cast<FdFd *>(Fd.get());
- if (fdfd != nullptr)
- {
- gnutls_transport_set_int(tlsFd->session, fdfd->fd);
- }
- else
- {
- gnutls_transport_set_ptr(tlsFd->session, Fd.get());
- gnutls_transport_set_pull_function(tlsFd->session,
- [](gnutls_transport_ptr_t p, void *buf, size_t size) -> ssize_t {
- return reinterpret_cast<MethodFd *>(p)->Read(buf, size);
- });
- gnutls_transport_set_push_function(tlsFd->session,
- [](gnutls_transport_ptr_t p, const void *buf, size_t size) -> ssize_t {
- return reinterpret_cast<MethodFd *>(p)->Write((void *)buf, size);
- });
- }
-
- if ((err = gnutls_certificate_allocate_credentials(&tlsFd->credentials)) < 0)
- {
- _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
-
- // Credential setup
- std::string fileinfo = OwnerConf->ConfigFind("CaInfo", "");
- if (fileinfo.empty())
- {
- // No CaInfo specified, use system trust store.
- err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials);
- if (err == 0)
- Owner->Warning("No system certificates available. Try installing ca-certificates.");
- else if (err < 0)
- {
- _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
- }
- else
- {
- // CA location has been set, use the specified one instead
- gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
- err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM);
- if (err < 0)
- {
- _error->Error("Could not load certificates from %s (CaInfo option): %s", fileinfo.c_str(), gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
- }
-
- if (not OwnerConf->ConfigFind("IssuerCert", "").empty())
- {
- _error->Error("The option '%s' is not supported anymore", "IssuerCert");
- return ResultState::FATAL_ERROR;
- }
- if (not OwnerConf->ConfigFind("SslForceVersion", "").empty())
- {
- _error->Error("The option '%s' is not supported anymore", "SslForceVersion");
- return ResultState::FATAL_ERROR;
- }
-
- // For client authentication, certificate file ...
- std::string const cert = OwnerConf->ConfigFind("SslCert", "");
- std::string const key = OwnerConf->ConfigFind("SslKey", "");
- if (cert.empty() == false)
- {
- if ((err = gnutls_certificate_set_x509_key_file(
- tlsFd->credentials,
- cert.c_str(),
- key.empty() ? cert.c_str() : key.c_str(),
- GNUTLS_X509_FMT_PEM)) < 0)
- {
- _error->Error("Could not load client certificate (%s, SslCert option) or key (%s, SslKey option): %s", cert.c_str(), key.c_str(), gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
- }
-
- // CRL file
- std::string const crlfile = OwnerConf->ConfigFind("CrlFile", "");
- if (crlfile.empty() == false)
- {
- if ((err = gnutls_certificate_set_x509_crl_file(tlsFd->credentials,
- crlfile.c_str(),
- GNUTLS_X509_FMT_PEM)) < 0)
- {
- _error->Error("Could not load custom certificate revocation list %s (CrlFile option): %s", crlfile.c_str(), gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
- }
-
- if ((err = gnutls_credentials_set(tlsFd->session, GNUTLS_CRD_CERTIFICATE, tlsFd->credentials)) < 0)
- {
- _error->Error("Internal error: Could not add certificates to session: %s", gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
-
- if ((err = gnutls_set_default_priority(tlsFd->session)) < 0)
- {
- _error->Error("Internal error: Could not set algorithm preferences: %s", gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
-
- if (OwnerConf->ConfigFindB("Verify-Peer", true))
- {
- gnutls_session_set_verify_cert(tlsFd->session, OwnerConf->ConfigFindB("Verify-Host", true) ? tlsFd->hostname.c_str() : nullptr, 0);
- }
-
- // set SNI only if the hostname is really a name and not an address
- {
- struct in_addr addr4;
- struct in6_addr addr6;
-
- if (inet_pton(AF_INET, tlsFd->hostname.c_str(), &addr4) == 1 ||
- inet_pton(AF_INET6, tlsFd->hostname.c_str(), &addr6) == 1)
- /* not a host name */;
- else if ((err = gnutls_server_name_set(tlsFd->session, GNUTLS_NAME_DNS, tlsFd->hostname.c_str(), tlsFd->hostname.length())) < 0)
- {
- _error->Error("Could not set host name %s to indicate to server: %s", tlsFd->hostname.c_str(), gnutls_strerror(err));
- return ResultState::FATAL_ERROR;
- }
- }
-
- // Set the FD now, so closing it works reliably.
- tlsFd->UnderlyingFd = std::move(Fd);
- Fd.reset(tlsFd);
-
- // Do the handshake.
- err = tlsFd->DoTLSHandshake();
-
- if (err < 0)
- return ResultState::TRANSIENT_ERROR;
-
- return ResultState::SUCCESSFUL;
-}
-#endif /*}}}*/
diff --git a/methods/http.cc b/methods/http.cc
index 48c3d540d..678ce3952 100644
--- a/methods/http.cc
+++ b/methods/http.cc
@@ -428,9 +428,7 @@ ResultState HttpServerState::Open()
Out.Reset();
Persistent = true;
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
bool tls = (ServerName.Access == "https" || APT::String::Endswith(ServerName.Access, "+https"));
-#endif
// Determine the proxy setting
// Used to run AutoDetectProxy(ServerName) here, but we now send a Proxy
@@ -455,7 +453,6 @@ ResultState HttpServerState::Open()
{
char *result = getenv("http_proxy");
Proxy = result ? result : "";
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
if (tls == true)
{
char *result = getenv("https_proxy");
@@ -464,7 +461,6 @@ ResultState HttpServerState::Open()
Proxy = result;
}
}
-#endif
}
}
@@ -478,13 +474,8 @@ ResultState HttpServerState::Open()
if (Proxy.empty() == false)
Owner->AddProxyAuth(Proxy, ServerName);
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
auto const DefaultService = tls ? "https" : "http";
auto const DefaultPort = tls ? 443 : 80;
-#else
- auto const DefaultService = "http";
- auto const DefaultPort = 80;
-#endif
if (Proxy.Access == "socks5h")
{
auto result = Connect(Proxy.Host, Proxy.Port, "socks", 1080, ServerFd, TimeOut, Owner);
@@ -518,15 +509,12 @@ ResultState HttpServerState::Open()
Port = Proxy.Port;
Host = Proxy.Host;
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
if (Proxy.Access == "https" && Port == 0)
Port = 443;
-#endif
}
auto result = Connect(Host, Port, DefaultService, DefaultPort, ServerFd, TimeOut, Owner);
if (result != ResultState::SUCCESSFUL)
return result;
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
if (Host == Proxy.Host && Proxy.Access == "https")
{
aptConfigWrapperForMethods ProxyConf{std::vector<std::string>{"http", "https"}};
@@ -541,13 +529,10 @@ ResultState HttpServerState::Open()
if (result != ResultState::SUCCESSFUL)
return result;
}
-#endif
}
-#if defined(HAVE_GNUTLS) || defined(WITH_OPENSSL)
if (tls)
return UnwrapTLS(ServerName.Host, ServerFd, TimeOut, Owner, Owner);
-#endif
return ResultState::SUCCESSFUL;
}