summaryrefslogtreecommitdiff
path: root/methods/connect.cc
AgeCommit message (Collapse)Author
2017-07-03don't set ip addresses as server names for SNIDavid Kalnischkies
It is kinda unlikely that apt will ever encounter a certificate for an IP and a user actually using it, but the API documentation for gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are not permitted to be set by this function.", so we should follow it. [jak@d.o: Slightly rebased]
2017-07-03Swap file descriptors before the handshakeJulian Andres Klode
This makes more sense. If the handshake failed midway, we still should run the gnutls bye stuff. The thinking here is to only set the fd after the session setup, as we do not modify it before, so if it fails in session setup, you retain a usable file descriptor. Gbp-Dch: ignore
2017-07-03Do not error out, only warn if ca certificates are not availableJulian Andres Klode
This probably makes more sense if Verify-Peer is set to off.
2017-07-03tls: Add more details to error messages, and detect more errorsJulian Andres Klode
This should make it easier to figure out what was going on.
2017-07-01Make Verify-Host and Verify-Peer independent againJulian Andres Klode
We can actually just pass null as a hostname, so let's just do that when Verify-Host is set to false.
2017-06-30TLS support: Error out on unsupported curl optionsJulian Andres Klode
Silently ignoring the options might be a security issue, so produce an error instead.
2017-06-30Improve closing the TLS connectionJulian Andres Klode
If gnutls_session_bye() exited with an error, we never closed the underlying file descriptor, causing the method to think the connection was still open. This caused problems especially in test-partial-file-support where we checked that a "complete" file and an incomplete file work. The first GET returns a 416 with Connection: close, and the next GET request then accidentally reads the body of the 416 as the header for its own request.
2017-06-30Allow running the TLS stack on any lower connectionJulian Andres Klode
This is especially needed if we use an HTTPS proxy to CONNECT to an HTTPS URI, as we run TLS-inside-TLS then.
2017-06-30Reset failure reason when connection was successfulJulian Andres Klode
When APT was trying multiple addresses, any later error somewhere else would be reported with ConnectionRefused or ConnectionTimedOut as the FailReason because that was set by early connect attempts. This causes APT to handle the failures differently, leading to some weirdly breaking test cases (like the changed one). Add debugging to the previously failing test case so we can find out when something goes wrong there again.
2017-06-30Don't read CaInfo if not specified (missing else)Julian Andres Klode
This fixes a regression from ~alpha2. Closes: #866559 Gbp-Dch: Full
2017-06-29http: Only use system CA store if CaInfo is not setJulian Andres Klode
It turns out that curl only sets the system trust store if the CaInfo option is not set, so let's do the same here.
2017-06-29Improve error message if system CA store is emptyJulian Andres Klode
Tell the user to install ca-certificates. Closes: #866377
2017-06-29use port from SRV record instead of initial portDavid Kalnischkies
An SRV record includes a portnumber to use with the host given, but apt was ignoring the portnumber and instead used either the port given by the user for the initial host or the default port for the service. In practice the service usually runs on another host on the default port, so it tends to work as intended and even if not and apt can't get a connection there it will gracefully fallback to contacting the initial host with the right port, so its a user invisible bug most of the time.
2017-06-28Introduce Acquire::AllowTLS to turn off TLS supportJulian Andres Klode
As requested by Henrique de Moraes Holschuh, here comes an option to disable TLS support. If the option is set to false, the internal TLS layer is disabled.
2017-06-28methods: http: Drain pending data before selectingJulian Andres Klode
GnuTLS can already have data pending in its buffers, we need to to drain that first otherwise select() might block indefinitely. Gbp-Dch: ignore
2017-06-28methods: Add HTTPS support to http method, using GnuTLSJulian Andres Klode
The http method will eventually replace the curl-based https method, but for now, this is an opt-in experiment that can be enabled by setting Dir::Bin::Methods::https to "http". Known issues: - We do not support HTTPS proxies yet - We do not support proxying HTTPS connections yet (CONNECT) - IssuerCert and SslForceVersion are unsupported Gbp-Dch: Full
2017-06-28methods: connect: Switch from int fds to new MethodFdJulian Andres Klode
Use std::unique_ptr<MethodFd> everywhere we used an integer-based file descriptor before. This allows us to implement stuff like TLS support easily. Gbp-Dch: ignore
2017-06-28methods: connect: Change PkgAcqMethod to aptMethodJulian Andres Klode
This will allow us to access ConfigFind() and stuff which makes it possible for us to implement TLS support. Gbp-Dch: ignore
2016-09-04abort connection on '.' target replies in SRVDavid Kalnischkies
Commit 3af3ac2f5ec007badeded46a94be2bd06b9917a2 (released in 1.3~pre1) implements proper fallback for SRV, but that works actually too good as the RFC defines that such an SRV record should indicate that the server doesn't provide this service and apt should respect this. The solution is hence to fail again as requested even if that isn't what the user (and perhaps even the server admins) wanted. At least we will print a message now explicitly mentioning SRV to point people in the right direction. Reported-In: https://bugs.kali.org/view.php?id=3525 Reported-By: Raphaël Hertzog
2016-08-26methods/connect.cc: Only use AI_IDN if definedJulian Andres Klode
Gbp-Dch: ignore
2016-08-11block direct connections to .onion domains (RFC7687)David Kalnischkies
Doing a direct connect to an .onion address (if you don't happen to use it as a local domain, which you shouldn't) is bound to fail and does leak the information that you do use Tor and which hidden service you wanted to connect to to a DNS server. Worse, if the DNS is poisoned and actually resolves tricking a user into believing the setup would work correctly… This does block also the usage of wrappers like torsocks with apt, but with native support available and advertised in the error message this shouldn't really be an issue. Inspired-by: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
2016-07-06keep trying with next if connection to a SRV host failedDavid Kalnischkies
Instead of only trying the first host we get via SRV, we try them all as we are supposed to and if that isn't working we try to connect to the host itself as if we hadn't seen any SRV records. This was already the intend of the old code, but it failed to hide earlier problems for the next call, which would unconditionally fail then resulting in an all around failure to connect. With proper stacking we can also keep the error messages of each call around (and in the order tried) so if the entire connection fails we can report all the things we have tried while we discard the entire stack if something works out in the end.
2016-01-05Do not remove a not working SrvRecords server twiceMichael Vogt
The PopFromSrvRecs() already removed the entry from the active list, so the extra SrvRecords.erase() was incorrect. Git-Dch: ignore
2015-11-05activate AI_IDN by default to support IDN domainsDavid Kalnischkies
AI_IDN is a glibc extension, but we can worry about this at the time actually anyone is seriously trying apt on non-glibc systems. Closes: 763437
2015-11-04allow getaddrinfo flag AI_ADDRCONFIG to be disabledDavid Kalnischkies
This flags is generally handy to avoid having to deal with ipv6 results on an ipv4-only system, but it prevents e.g. the testcases from working if the testsystem has no configured address at the moment (expect loopback), so allow it to be sidestepped and let the testcases sidestep it. Git-Dch: Ignore
2015-08-31fix some unused parameter/variable warningsDavid Kalnischkies
Reported-By: gcc Git-Dch: Ignore
2015-08-24Fix typoMichael Vogt
Thanks: Julian Andres Klode Git-Dch: ignore
2015-08-20Add basic (non weight adjusted) shuffling for SrvRecords selectionMichael Vogt
Also add "Debug::Acquire::SrvRecs" debug option and the option "Acquire::EnableSrvRecods" to allow disabling this lookup.
2015-08-18cleanupMichael Vogt
2014-05-23when using srv records, use the next server if one fails to connectMichael Vogt
2014-05-22WIP make connect use GetSrvRecordsMichael Vogt
2014-03-13cleanup headers and especially #includes everywhereDavid Kalnischkies
Beside being a bit cleaner it hopefully also resolves oddball problems I have with high levels of parallel jobs. Git-Dch: Ignore Reported-By: iwyu (include-what-you-use)
2014-01-16correct some style/performance/warnings from cppcheckDavid Kalnischkies
The most "visible" change is from utime to utimensat/futimens as the first one isn't part of POSIX anymore. Reported-By: cppcheck Git-Dch: Ignore
2013-03-25* methods/connect.cc:Michael Vogt
- use Errno() instead of strerror(), thanks to David Kalnischk
2013-03-22add new config options "Acquire::ForceIPv4" and Michael Vogt
"Acquire::ForceIPv6" to allow focing one or the other (closes: #611891)
2013-03-21merge patch from Colin to fix error message from getaddrinfo() (#703603)Michael Vogt
2011-09-19use forward declaration in headers if possible instead of includesDavid Kalnischkies
2011-09-19do not pollute namespace in the headers with using (Closes: #500198)David Kalnischkies
2011-09-13reorder includes: add <config.h> if needed and include it at firstDavid Kalnischkies
2010-04-14merged from lp:~mvo/apt/mvoMichael Vogt
2010-04-14Remember hosts with general failures forMichael Vogt
https://wiki.ubuntu.com/NetworklessInstallationFixes (LP: #556831).
2009-12-18* Merged from the mvo branchMichael Vogt
* merged from the lp:~mvo/apt/history branch * Fix apt-ftparchive(1) wrt description of the "-o" option. Thanks to Dann Frazier for the patch. Closes: #273100 * po/LINGUAS. Re-disable Hebrew. Closes: #534992 * po/LINGUAS. Enable Asturian and Lithuanian * Fix typo in apt-cache.8.xml: nessasarily * Fix "with with" in apt-get.8.xml * Fix some of the typos mentioned by the german team Closes: #479997 * Polish translation update by Wiktor Wandachowicz Closes: #548571 * German translation update by Holger Wansing Closes: #551534 * Italian translation update by Milo Casagrande Closes: #555797 * Simplified Chinese translation update by Aron Xu Closes: #558737 * Slovak translation update by Ivan Masár Closes: #559277 * apt-pkg/packagemanager.cc: - add output about pre-depends configuring when debug::pkgPackageManager is used * methods/https.cc: - fix incorrect use of CURLOPT_TIMEOUT, closes: #497983, LP: #354972 thanks to Brian Thomason for the patch * merge lp:~mvo/apt/netrc branch, this adds support for a /etc/apt/auth.conf that can be used to store username/passwords in a "netrc" style file (with the extension that it supports "/" in a machine definition). Based on the maemo git branch (Closes: #518473) (thanks also to Jussi Hakala and Julian Andres Klode) * apt-pkg/deb/dpkgpm.cc: - add "purge" to list of known actions * apt-pkg/init.h: - add compatibility with old ABI name until the next ABI break * merge segfault fix from Mario Sanchez Prada, many thanks (closes: #561109) * apt-pkg/depcache.cc, apt-pkg/indexcopy.cc: - typo fix (LP: #462328) * cmdline/apt-key: - Emit a warning if removed keys keyring is missing and skip associated checks (LP: #218971) * apt-pkg/packagemanager.cc: - better debug output for ImmediateAdd with depth and why - improve the message shown for failing immediate configuration * doc/guide.it.sgml: moved to doc/it/guide.it.sgml * doc/po4a.conf: activate translation of guide.sgml and offline.sgml * doc/apt.conf.5.xml: - provide a few more details about APT::Immediate-Configure - briefly document the behaviour of the new https options * doc/sources.list.5.xml: - add note about additional apt-transport-methods * doc/apt-mark.8.xml: - correct showauto synopsis, thanks Andrew Schulman (Closes: #551440) * cmdline/apt-get.cc: - source should display his final pkg pick (Closes: #249383, #550952) - source doesn't need the complete version for match (Closes: #245250) - source ignores versions/releases if not available (Closes: #377424) - only warn if (free) space overflows (Closes: #522238) - add --debian-only as alias for --diff-only * methods/connect.cc: - display also strerror of "wicked" getaddrinfo errors - add AI_ADDRCONFIG to ai_flags as suggested by Aurelien Jarno in response to Bernhard R. Link, thanks! (Closes: #505020) * buildlib/configure.mak, buildlib/config.{sub,guess}: - remove (outdated) config.{sub,guess} and use the ones provided by the new added build-dependency autotools-dev instead * configure.in, buildlib/{xml,yodl,sgml}_manpage.mak: - remove the now obsolete manpage buildsystems * doc/{pl,pt_BR,es,it}/*.{sgml,xml}: - convert all remaining translation to the po4a system * debian/control: - drop build-dependency on docbook-utils and xmlto - add build-dependency on autotools-dev - bump policy to 3.8.3 as we have no outdated manpages anymore * debian/NEWS: - fix a typo in 0.7.24: Allready -> Already (Closes: #557674) * ftparchive/writer.{cc,h}: - add APT::FTPArchive::LongDescription to be able to disable them * apt-pkg/deb/debsrcrecords.cc: - use "diff" filetype for .debian.tar.* files (Closes: #554898) * methods/rred.cc: - rewrite to be able to handle even big patch files - adopt optional mmap+iovec patch from Morten Hustveit (Closes: #463354) which should speed up a bit. Thanks! * methods/http{,s}.cc - add config setting for User-Agent to the Acquire group, thanks Timothy J. Miller! (Closes: #355782) - add https options which default to http ones (Closes: #557085) * debian/apt.cron.daily: - check cache size even if we do nothing else otherwise, thanks Francesco Poli for patch(s) and patience! (Closes: #459344) * ftparchive/*: - fix a few typos in strings, comments and manpage, thanks Karl Goetz! (Closes: #558757) * cmdline/apt-mark: - print an error if a new state file can't be created (Closes: #521289) and - exit nicely if python-apt is not installed (Closes: #521284) * doc/de: German translation of manpages (Closes: #552606) * doc/ various manpages: - correct various errors, typos and oddities (Closes: #552535) * doc/apt-secure.8.xml: - replace literal with emphasis tags in Archive configuration * doc/apt-ftparchive.1.xml: - remove informalexample tag which hides the programlisting * doc/apt-get.8.xml: - change equivalent "for" to "to the" (purge command) - clarify --fix-broken sentence about specifying packages * apt-pkg/contib/strutl.h - Avoid extra inner copy in APT_MKSTRCMP and APT_MKSTRCMP2. * build infrastructure: - Bumped libapt version, excluded eglibc from SONAME. (Closes: #448249) * doc/apt.conf.5.xml: - Deprecate unquoted values, string concatenation and explain what should not be written inside a value (quotes,backslash). - Restrict option names to alphanumerical characters and "/-:._+". - Deprecate #include, we have apt.conf.d nowadays which should be sufficient. * ftparchive/apt-ftparchive.cc: - Call setlocale() so translations are actually used. * debian/apt.conf.autoremove: - Add kfreebsd-image-* to the list (Closes: #558803)
2009-12-11add AI_ADDRCONFIG to ai_flags in connect.cc as suggested by Aurelien JarnoDavid Kalnischkies
in his response to Bernhard R. Link's patch, thanks! (Closes: #505020)
2009-10-20 * methods/connect.cc:David Kalnischkies
- display also strerror of "wicked" getaddrinfo errors
2009-09-26Fix some typos from #479997bubulle@debian.org
2008-02-08* methods/connect.cc:Michael Vogt
- remember hosts with Resolve failures or connect Timeouts see https://wiki.ubuntu.com/NetworklessInstallationFixes
2008-02-08* methods/connect.cc:Michael Vogt
- remember hosts with Resolve failures or connect Timeouts
2008-01-07* apt-pkg/acquire-worker.cc, methods/connect.cc:Michael Vogt
- consider a ResolveError a transient-network problem
2007-02-05* use pkgAcqMethod::FailReason() for consistent error reportingMichael Vogt
2007-02-01* commited the latest mirror failure detection codeMichael Vogt