From 7b1fb90b93ced7c0772d726e512da01fad456852 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Sat, 21 Dec 2024 15:26:34 +0100 Subject: Remove GnuTLS and gcrypt support OpenSSL is mandatory now, it is no longer possible to build without https support either. --- methods/connect.cc | 259 ----------------------------------------------------- 1 file changed, 259 deletions(-) (limited to 'methods/connect.cc') diff --git a/methods/connect.cc b/methods/connect.cc index fc1bd132c..b00e73eb7 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -21,13 +21,8 @@ #include #include -#ifdef WITH_OPENSSL #include #include -#elif defined(HAVE_GNUTLS) -#include -#include -#endif #include #include @@ -807,7 +802,6 @@ ResultState UnwrapSocks(std::string Host, int Port, URI Proxy, std::unique_ptr &Fd, return ResultState::SUCCESSFUL; } -#elif defined(HAVE_GNUTLS /*}}}*/ -// UnwrapTLS - Handle TLS connections /*{{{*/ -// --------------------------------------------------------------------- -/* Performs a TLS handshake on the socket */ -struct TlsFd final : public MethodFd -{ - std::unique_ptr UnderlyingFd; - gnutls_session_t session; - gnutls_certificate_credentials_t credentials; - std::string hostname; - unsigned long Timeout; - - int Fd() APT_OVERRIDE { return UnderlyingFd->Fd(); } - - ssize_t Read(void *buf, size_t count) APT_OVERRIDE - { - return HandleError(gnutls_record_recv(session, buf, count)); - } - ssize_t Write(void *buf, size_t count) APT_OVERRIDE - { - return HandleError(gnutls_record_send(session, buf, count)); - } - - ssize_t DoTLSHandshake() - { - int err; - // Do the handshake. Our socket is non-blocking, so we need to call WaitFd() - // accordingly. - do - { - err = gnutls_handshake(session); - if ((err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN) && - WaitFd(this->Fd(), gnutls_record_get_direction(session) == 1, Timeout) == false) - { - _error->Errno("select", "Could not wait for server fd"); - return err; - } - } while (err < 0 && gnutls_error_is_fatal(err) == 0); - - if (err < 0) - { - // Print reason why validation failed. - if (err == GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR) - { - gnutls_datum_t txt; - auto type = gnutls_certificate_type_get(session); - auto status = gnutls_session_get_verify_cert_status(session); - if (gnutls_certificate_verification_status_print(status, type, &txt, 0) == 0) - { - _error->Error("Certificate verification failed: %s", txt.data); - } - gnutls_free(txt.data); - } - _error->Error("Could not handshake: %s", gnutls_strerror(err)); - } - return err; - } - - template - T HandleError(T err) - { - // Server may request re-handshake if client certificates need to be provided - // based on resource requested - if (err == GNUTLS_E_REHANDSHAKE) - { - int rc = DoTLSHandshake(); - // Only reset err if DoTLSHandshake() fails. - // Otherwise, we want to follow the original error path and set errno to EAGAIN - // so that the request is retried. - if (rc < 0) - err = rc; - } - - if (err < 0 && gnutls_error_is_fatal(err)) - errno = EIO; - else if (err < 0) - errno = EAGAIN; - else - errno = 0; - return err; - } - - int Close() APT_OVERRIDE - { - auto err = HandleError(gnutls_bye(session, GNUTLS_SHUT_RDWR)); - auto lower = UnderlyingFd->Close(); - return err < 0 ? HandleError(err) : lower; - } - - bool HasPending() APT_OVERRIDE - { - return gnutls_record_check_pending(session) > 0; - } -}; - -ResultState UnwrapTLS(std::string const &Host, std::unique_ptr &Fd, - unsigned long const Timeout, aptMethod * const Owner, - aptConfigWrapperForMethods const * const OwnerConf) -{ - if (_config->FindB("Acquire::AllowTLS", true) == false) - { - _error->Error("TLS support has been disabled: Acquire::AllowTLS is false."); - return ResultState::FATAL_ERROR; - } - - int err; - TlsFd *tlsFd = new TlsFd(); - - tlsFd->hostname = Host; - tlsFd->UnderlyingFd = MethodFd::FromFd(-1); // For now - tlsFd->Timeout = Timeout; - - if ((err = gnutls_init(&tlsFd->session, GNUTLS_CLIENT | GNUTLS_NONBLOCK)) < 0) - { - _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - FdFd *fdfd = dynamic_cast(Fd.get()); - if (fdfd != nullptr) - { - gnutls_transport_set_int(tlsFd->session, fdfd->fd); - } - else - { - gnutls_transport_set_ptr(tlsFd->session, Fd.get()); - gnutls_transport_set_pull_function(tlsFd->session, - [](gnutls_transport_ptr_t p, void *buf, size_t size) -> ssize_t { - return reinterpret_cast(p)->Read(buf, size); - }); - gnutls_transport_set_push_function(tlsFd->session, - [](gnutls_transport_ptr_t p, const void *buf, size_t size) -> ssize_t { - return reinterpret_cast(p)->Write((void *)buf, size); - }); - } - - if ((err = gnutls_certificate_allocate_credentials(&tlsFd->credentials)) < 0) - { - _error->Error("Internal error: could not allocate credentials: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - // Credential setup - std::string fileinfo = OwnerConf->ConfigFind("CaInfo", ""); - if (fileinfo.empty()) - { - // No CaInfo specified, use system trust store. - err = gnutls_certificate_set_x509_system_trust(tlsFd->credentials); - if (err == 0) - Owner->Warning("No system certificates available. Try installing ca-certificates."); - else if (err < 0) - { - _error->Error("Could not load system TLS certificates: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - else - { - // CA location has been set, use the specified one instead - gnutls_certificate_set_verify_flags(tlsFd->credentials, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); - err = gnutls_certificate_set_x509_trust_file(tlsFd->credentials, fileinfo.c_str(), GNUTLS_X509_FMT_PEM); - if (err < 0) - { - _error->Error("Could not load certificates from %s (CaInfo option): %s", fileinfo.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - if (not OwnerConf->ConfigFind("IssuerCert", "").empty()) - { - _error->Error("The option '%s' is not supported anymore", "IssuerCert"); - return ResultState::FATAL_ERROR; - } - if (not OwnerConf->ConfigFind("SslForceVersion", "").empty()) - { - _error->Error("The option '%s' is not supported anymore", "SslForceVersion"); - return ResultState::FATAL_ERROR; - } - - // For client authentication, certificate file ... - std::string const cert = OwnerConf->ConfigFind("SslCert", ""); - std::string const key = OwnerConf->ConfigFind("SslKey", ""); - if (cert.empty() == false) - { - if ((err = gnutls_certificate_set_x509_key_file( - tlsFd->credentials, - cert.c_str(), - key.empty() ? cert.c_str() : key.c_str(), - GNUTLS_X509_FMT_PEM)) < 0) - { - _error->Error("Could not load client certificate (%s, SslCert option) or key (%s, SslKey option): %s", cert.c_str(), key.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - // CRL file - std::string const crlfile = OwnerConf->ConfigFind("CrlFile", ""); - if (crlfile.empty() == false) - { - if ((err = gnutls_certificate_set_x509_crl_file(tlsFd->credentials, - crlfile.c_str(), - GNUTLS_X509_FMT_PEM)) < 0) - { - _error->Error("Could not load custom certificate revocation list %s (CrlFile option): %s", crlfile.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - if ((err = gnutls_credentials_set(tlsFd->session, GNUTLS_CRD_CERTIFICATE, tlsFd->credentials)) < 0) - { - _error->Error("Internal error: Could not add certificates to session: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - if ((err = gnutls_set_default_priority(tlsFd->session)) < 0) - { - _error->Error("Internal error: Could not set algorithm preferences: %s", gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - - if (OwnerConf->ConfigFindB("Verify-Peer", true)) - { - gnutls_session_set_verify_cert(tlsFd->session, OwnerConf->ConfigFindB("Verify-Host", true) ? tlsFd->hostname.c_str() : nullptr, 0); - } - - // set SNI only if the hostname is really a name and not an address - { - struct in_addr addr4; - struct in6_addr addr6; - - if (inet_pton(AF_INET, tlsFd->hostname.c_str(), &addr4) == 1 || - inet_pton(AF_INET6, tlsFd->hostname.c_str(), &addr6) == 1) - /* not a host name */; - else if ((err = gnutls_server_name_set(tlsFd->session, GNUTLS_NAME_DNS, tlsFd->hostname.c_str(), tlsFd->hostname.length())) < 0) - { - _error->Error("Could not set host name %s to indicate to server: %s", tlsFd->hostname.c_str(), gnutls_strerror(err)); - return ResultState::FATAL_ERROR; - } - } - - // Set the FD now, so closing it works reliably. - tlsFd->UnderlyingFd = std::move(Fd); - Fd.reset(tlsFd); - - // Do the handshake. - err = tlsFd->DoTLSHandshake(); - - if (err < 0) - return ResultState::TRANSIENT_ERROR; - - return ResultState::SUCCESSFUL; -} -#endif /*}}}*/ -- cgit v1.2.3-70-g09d2