1 //-*- mode: cpp; mode: fold -*- 
   3 // $Id: http.cc,v 1.59 2004/05/08 19:42:35 mdz Exp $ 
   4 /* ###################################################################### 
   6    HTTPS Acquire Method - This is the HTTPS aquire method for APT. 
  10    ##################################################################### */ 
  12 // Include Files                                                        /*{{{*/ 
  13 #include <apt-pkg/fileutl.h> 
  14 #include <apt-pkg/acquire-method.h> 
  15 #include <apt-pkg/error.h> 
  16 #include <apt-pkg/hashes.h> 
  17 #include <apt-pkg/netrc.h> 
  38 HttpsMethod::write_data(void *buffer
, size_t size
, size_t nmemb
, void *userp
) 
  40    HttpsMethod 
*me 
= (HttpsMethod 
*)userp
; 
  42    if(me
->File
->Write(buffer
, size
*nmemb
) != true) 
  49 HttpsMethod::progress_callback(void *clientp
, double dltotal
, double dlnow
,  
  50                               double ultotal
, double ulnow
) 
  52    HttpsMethod 
*me 
= (HttpsMethod 
*)clientp
; 
  53    if(dltotal 
> 0 && me
->Res
.Size 
== 0) { 
  54       me
->Res
.Size 
= (unsigned long)dltotal
; 
  55       me
->URIStart(me
->Res
); 
  60 void HttpsMethod::SetupProxy()                                          /*{{{*/ 
  62    URI ServerName 
= Queue
->Uri
; 
  64    // Determine the proxy setting - try https first, fallback to http and use env at last 
  65    string UseProxy 
= _config
->Find("Acquire::https::Proxy::" + ServerName
.Host
, 
  66                                    _config
->Find("Acquire::http::Proxy::" + ServerName
.Host
).c_str()); 
  68    if (UseProxy
.empty() == true) 
  69       UseProxy 
= _config
->Find("Acquire::https::Proxy", _config
->Find("Acquire::http::Proxy").c_str()); 
  71    // User want to use NO proxy, so nothing to setup 
  72    if (UseProxy 
== "DIRECT") 
  75    if (UseProxy
.empty() == false)  
  77       // Parse no_proxy, a comma (,) separated list of domains we don't want to use 
  78       // a proxy for so we stop right here if it is in the list 
  79       if (getenv("no_proxy") != 0 && CheckDomainList(ServerName
.Host
,getenv("no_proxy")) == true) 
  82       const char* result 
= getenv("http_proxy"); 
  83       UseProxy 
= result 
== NULL 
? "" : result
; 
  86    // Determine what host and port to use based on the proxy settings 
  87    if (UseProxy
.empty() == false)  
  91          curl_easy_setopt(curl
, CURLOPT_PROXYPORT
, Proxy
.Port
); 
  92       curl_easy_setopt(curl
, CURLOPT_PROXY
, Proxy
.Host
.c_str()); 
  95 // HttpsMethod::Fetch - Fetch an item                                   /*{{{*/ 
  96 // --------------------------------------------------------------------- 
  97 /* This adds an item to the pipeline. We keep the pipeline at a fixed 
  99 bool HttpsMethod::Fetch(FetchItem 
*Itm
) 
 103    struct curl_slist 
*headers
=NULL
;   
 104    char curl_errorstr
[CURL_ERROR_SIZE
]; 
 105    long curl_responsecode
; 
 107    string remotehost 
= Uri
.Host
; 
 110    //       - http::Pipeline-Depth 
 111    //       - error checking/reporting 
 112    //       - more debug options? (CURLOPT_DEBUGFUNCTION?) 
 114    curl_easy_reset(curl
); 
 117    maybe_add_auth (Uri
, _config
->FindFile("Dir::Etc::netrc")); 
 120    curl_easy_setopt(curl
, CURLOPT_URL
, static_cast<string
>(Uri
).c_str()); 
 121    curl_easy_setopt(curl
, CURLOPT_WRITEFUNCTION
, write_data
); 
 122    curl_easy_setopt(curl
, CURLOPT_WRITEDATA
, this); 
 123    curl_easy_setopt(curl
, CURLOPT_PROGRESSFUNCTION
, progress_callback
); 
 124    curl_easy_setopt(curl
, CURLOPT_PROGRESSDATA
, this); 
 125    curl_easy_setopt(curl
, CURLOPT_NOPROGRESS
, false); 
 126    curl_easy_setopt(curl
, CURLOPT_FAILONERROR
, true); 
 127    curl_easy_setopt(curl
, CURLOPT_FILETIME
, true); 
 129    // SSL parameters are set by default to the common (non mirror-specific) value 
 130    // if available (or a default one) and gets overload by mirror-specific ones. 
 132    // File containing the list of trusted CA. 
 133    string cainfo 
= _config
->Find("Acquire::https::CaInfo",""); 
 134    string knob 
= "Acquire::https::"+remotehost
+"::CaInfo"; 
 135    cainfo 
= _config
->Find(knob
.c_str(),cainfo
.c_str()); 
 136    if(cainfo
.empty() == false) 
 137       curl_easy_setopt(curl
, CURLOPT_CAINFO
,cainfo
.c_str()); 
 139    // Check server certificate against previous CA list ... 
 140    bool peer_verify 
= _config
->FindB("Acquire::https::Verify-Peer",true); 
 141    knob 
= "Acquire::https::" + remotehost 
+ "::Verify-Peer"; 
 142    peer_verify 
= _config
->FindB(knob
.c_str(), peer_verify
); 
 143    curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYPEER
, peer_verify
); 
 145    // ... and hostname against cert CN or subjectAltName 
 146    bool verify 
= _config
->FindB("Acquire::https::Verify-Host",true); 
 147    knob 
= "Acquire::https::"+remotehost
+"::Verify-Host"; 
 148    verify 
= _config
->FindB(knob
.c_str(),verify
); 
 149    int const default_verify 
= (verify 
== true) ? 2 : 0; 
 150    curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYHOST
, default_verify
); 
 152    // Also enforce issuer of server certificate using its cert 
 153    string issuercert 
= _config
->Find("Acquire::https::IssuerCert",""); 
 154    knob 
= "Acquire::https::"+remotehost
+"::IssuerCert"; 
 155    issuercert 
= _config
->Find(knob
.c_str(),issuercert
.c_str()); 
 156    if(issuercert
.empty() == false) 
 157       curl_easy_setopt(curl
, CURLOPT_ISSUERCERT
,issuercert
.c_str()); 
 159    // For client authentication, certificate file ... 
 160    string pem 
= _config
->Find("Acquire::https::SslCert",""); 
 161    knob 
= "Acquire::https::"+remotehost
+"::SslCert"; 
 162    pem 
= _config
->Find(knob
.c_str(),pem
.c_str()); 
 163    if(pem
.empty() == false) 
 164       curl_easy_setopt(curl
, CURLOPT_SSLCERT
, pem
.c_str()); 
 166    // ... and associated key. 
 167    string key 
= _config
->Find("Acquire::https::SslKey",""); 
 168    knob 
= "Acquire::https::"+remotehost
+"::SslKey"; 
 169    key 
= _config
->Find(knob
.c_str(),key
.c_str()); 
 170    if(key
.empty() == false) 
 171       curl_easy_setopt(curl
, CURLOPT_SSLKEY
, key
.c_str()); 
 173    // Allow forcing SSL version to SSLv3 or TLSv1 (SSLv2 is not 
 174    // supported by GnuTLS). 
 175    long final_version 
= CURL_SSLVERSION_DEFAULT
; 
 176    string sslversion 
= _config
->Find("Acquire::https::SslForceVersion",""); 
 177    knob 
= "Acquire::https::"+remotehost
+"::SslForceVersion"; 
 178    sslversion 
= _config
->Find(knob
.c_str(),sslversion
.c_str()); 
 179    if(sslversion 
== "TLSv1") 
 180      final_version 
= CURL_SSLVERSION_TLSv1
; 
 181    else if(sslversion 
== "SSLv3") 
 182      final_version 
= CURL_SSLVERSION_SSLv3
; 
 183    curl_easy_setopt(curl
, CURLOPT_SSLVERSION
, final_version
); 
 186    string crlfile 
= _config
->Find("Acquire::https::CrlFile",""); 
 187    knob 
= "Acquire::https::"+remotehost
+"::CrlFile"; 
 188    crlfile 
= _config
->Find(knob
.c_str(),crlfile
.c_str()); 
 189    if(crlfile
.empty() == false) 
 190       curl_easy_setopt(curl
, CURLOPT_CRLFILE
, crlfile
.c_str()); 
 193    if(_config
->FindB("Acquire::https::No-Cache", 
 194         _config
->FindB("Acquire::http::No-Cache",false)) == false) 
 197       if (_config
->FindB("Acquire::https::No-Store", 
 198                 _config
->FindB("Acquire::http::No-Store",false)) == true) 
 199          headers 
= curl_slist_append(headers
,"Cache-Control: no-store"); 
 200       ioprintf(ss
, "Cache-Control: max-age=%u", _config
->FindI("Acquire::https::Max-Age", 
 201                 _config
->FindI("Acquire::http::Max-Age",0))); 
 202       headers 
= curl_slist_append(headers
, ss
.str().c_str()); 
 204       // cache disabled by user 
 205       headers 
= curl_slist_append(headers
, "Cache-Control: no-cache"); 
 206       headers 
= curl_slist_append(headers
, "Pragma: no-cache"); 
 208    curl_easy_setopt(curl
, CURLOPT_HTTPHEADER
, headers
); 
 211    int const dlLimit 
= _config
->FindI("Acquire::https::Dl-Limit", 
 212                 _config
->FindI("Acquire::http::Dl-Limit",0))*1024; 
 214       curl_easy_setopt(curl
, CURLOPT_MAX_RECV_SPEED_LARGE
, dlLimit
); 
 217    curl_easy_setopt(curl
, CURLOPT_USERAGENT
, 
 218         _config
->Find("Acquire::https::User-Agent", 
 219                 _config
->Find("Acquire::http::User-Agent", 
 220                         "Debian APT-CURL/1.0 ("VERSION
")").c_str()).c_str()); 
 223    int const timeout 
= _config
->FindI("Acquire::https::Timeout", 
 224                 _config
->FindI("Acquire::http::Timeout",120)); 
 225    curl_easy_setopt(curl
, CURLOPT_CONNECTTIMEOUT
, timeout
); 
 226    //set really low lowspeed timeout (see #497983) 
 227    curl_easy_setopt(curl
, CURLOPT_LOW_SPEED_LIMIT
, DL_MIN_SPEED
); 
 228    curl_easy_setopt(curl
, CURLOPT_LOW_SPEED_TIME
, timeout
); 
 230    // set redirect options and default to 10 redirects 
 231    bool const AllowRedirect 
= _config
->FindB("Acquire::https::AllowRedirect", 
 232         _config
->FindB("Acquire::http::AllowRedirect",true)); 
 233    curl_easy_setopt(curl
, CURLOPT_FOLLOWLOCATION
, AllowRedirect
); 
 234    curl_easy_setopt(curl
, CURLOPT_MAXREDIRS
, 10); 
 237    if(_config
->FindB("Debug::Acquire::https", false)) 
 238       curl_easy_setopt(curl
, CURLOPT_VERBOSE
, true); 
 241    curl_easy_setopt(curl
, CURLOPT_ERRORBUFFER
, curl_errorstr
); 
 243    // if we have the file send an if-range query with a range header 
 244    if (stat(Itm
->DestFile
.c_str(),&SBuf
) >= 0 && SBuf
.st_size 
> 0) 
 247       sprintf(Buf
,"Range: bytes=%li-\r\nIf-Range: %s\r\n", 
 248               (long)SBuf
.st_size 
- 1, 
 249               TimeRFC1123(SBuf
.st_mtime
).c_str()); 
 250       headers 
= curl_slist_append(headers
, Buf
); 
 252    else if(Itm
->LastModified 
> 0) 
 254       curl_easy_setopt(curl
, CURLOPT_TIMECONDITION
, CURL_TIMECOND_IFMODSINCE
); 
 255       curl_easy_setopt(curl
, CURLOPT_TIMEVALUE
, Itm
->LastModified
); 
 258    // go for it - if the file exists, append on it 
 259    File 
= new FileFd(Itm
->DestFile
, FileFd::WriteAny
); 
 260    if (File
->Size() > 0) 
 261       File
->Seek(File
->Size() - 1); 
 264    Res
.Filename 
= Itm
->DestFile
; 
 267    CURLcode success 
= curl_easy_perform(curl
); 
 268    curl_easy_getinfo(curl
, CURLINFO_RESPONSE_CODE
, &curl_responsecode
); 
 271    curl_easy_getinfo(curl
, CURLINFO_FILETIME
, &curl_servdate
); 
 278       _error
->Error("%s", curl_errorstr
); 
 279       // unlink, no need keep 401/404 page content in partial/ 
 280       unlink(File
->Name().c_str()); 
 287    if (curl_servdate 
!= -1) { 
 288        UBuf
.actime 
= curl_servdate
; 
 289        UBuf
.modtime 
= curl_servdate
; 
 290        utime(File
->Name().c_str(),&UBuf
); 
 293    // check the downloaded result 
 295    if (stat(File
->Name().c_str(),&Buf
) == 0) 
 297       Res
.Filename 
= File
->Name(); 
 298       Res
.LastModified 
= Buf
.st_mtime
; 
 300       if (curl_responsecode 
== 304) 
 302          unlink(File
->Name().c_str()); 
 304          Res
.LastModified 
= Itm
->LastModified
; 
 309       Res
.Size 
= Buf
.st_size
; 
 314    FileFd 
Fd(Res
.Filename
, FileFd::ReadOnly
); 
 315    Hash
.AddFD(Fd
.Fd(), Fd
.Size()); 
 316    Res
.TakeHashes(Hash
); 
 324    curl_slist_free_all(headers
); 
 331    setlocale(LC_ALL
, ""); 
 334    curl_global_init(CURL_GLOBAL_SSL
) ;