[Pkg-privacy-commits] [torbrowser-launcher] 02/10: Remove certificate pinning (#224)

Holger Levsen holger at moszumanska.debian.org
Thu Mar 3 14:38:41 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository torbrowser-launcher.

commit d054f2a03e9f16c91ed0888f0b6a540c21d9117f
Author: Micah Lee <micah at micahflee.com>
Date:   Tue Mar 1 16:26:39 2016 +0100

    Remove certificate pinning (#224)
---
 share/torbrowser-launcher/torproject.pem | 31 ----------------------
 torbrowser_launcher/launcher.py          | 45 +++++---------------------------
 2 files changed, 6 insertions(+), 70 deletions(-)

diff --git a/share/torbrowser-launcher/torproject.pem b/share/torbrowser-launcher/torproject.pem
deleted file mode 100644
index ba18169..0000000
--- a/share/torbrowser-launcher/torproject.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFXTCCBEWgAwIBAgIQCUixqTslHQ2xBRBZ4sJoCjANBgkqhkiG9w0BAQsFADBw
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
-dXJhbmNlIFNlcnZlciBDQTAeFw0xMzEwMjIxMjAwMDFaFw0xNjA1MDMxMjAwMDBa
-MHIxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQH
-EwdXYWxwb2xlMR4wHAYDVQQKExVUaGUgVG9yIFByb2plY3QsIEluYy4xGTAXBgNV
-BAMMECoudG9ycHJvamVjdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC3IzntyGiFJ+WBDpwADPriJSptB8h1Gkeq8FNJuWIXUlfA0RlAfNEOu85C
-G7rUzGxJWvCqT0qrCvxUoUl4S1geh7+VFdo0evz88YvEGizDALi0+aBwpEeiZyxW
-a1LT6udEZoWH4NeZMKLJhMz6i2tzQ3CubaU1+RePA7wU/tGgmUC53Shs1YYiSKRC
-XX03OvW9YuMRsoc6eAoVBQ7ZivTEWRUbwxZeGWlQXtoWsP/tZHphsIeVLmg/jw6k
-yZfscEHVAqylgYMJzlSySqq6dv2HNJpJExV6nVA9QUvsILwg4uuH+53csk0IG/CF
-qFhHheih24hWS1Uf6bh+uHG8kRfHAgMBAAGjggHvMIIB6zAfBgNVHSMEGDAWgBRR
-aP+QrwIHdTzM2WVkYqISuFlyOzAdBgNVHQ4EFgQUgiYI8RMpVTQUtI+AHXG4YNpL
-QcwwKwYDVR0RBCQwIoIQKi50b3Jwcm9qZWN0Lm9yZ4IOdG9ycHJvamVjdC5vcmcw
-DgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1
-BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1o
-YS1zZXJ2ZXItZzEuY3JsMDSgMqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
-c2hhMi1oYS1zZXJ2ZXItZzEuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCow
-KAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYMGCCsG
-AQUFBwEBBHcwdTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
-ME0GCCsGAQUFBzAChkFodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
-cnRTSEEySGlnaEFzc3VyYW5jZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0G
-CSqGSIb3DQEBCwUAA4IBAQBvcHF+gBHQqmAJYTrpqUtCNI+rdGPQ1otYgx4E16qZ
-hd9kUgwug9c+ygo9LsRqap9aBMSOKYKc5MbHX1a9qkEYFOwlDN24IyClAV+MPkCV
-UKvNlZ9ZI0C0b1vbsl6L6Mtb0GA15ejF5/BT6Q38sN84PmeWp5nbYJ0ZAKsrky/c
-TOS/XxK3E7FmHsr6i/OHiGhK1eWbHKPAd6pTg7TT3VDlqyss8E+t7dckuArEekVj
-my8opy75N4xkzEhuRMdPq722uOnHsYxXvPOA96RKufTkFwJje/xVm/g7vlN23IEB
-eKm7UOp6ksIRGTo6b+yYr2fzVOVxpXnMNkbJ7WNS/ZtS
------END CERTIFICATE-----
diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
index 1f2dadd..37047a1 100644
--- a/torbrowser_launcher/launcher.py
+++ b/torbrowser_launcher/launcher.py
@@ -32,10 +32,7 @@ from twisted.web.client import Agent, RedirectAgent, ResponseDone, ResponseFaile
 from twisted.web.http_headers import Headers
 from twisted.web.iweb import IPolicyForHTTPS
 from twisted.internet.protocol import Protocol
-from twisted.internet.ssl import CertificateOptions
-from twisted.internet._sslverify import ClientTLSOptions
 from twisted.internet.error import DNSLookupError
-from zope.interface import implementer
 
 import xml.etree.ElementTree as ET
 
@@ -54,30 +51,6 @@ class TryDefaultMirrorException(Exception):
 class DownloadErrorException(Exception):
     pass
 
-class TorProjectCertificateOptions(CertificateOptions):
-    def __init__(self, torproject_pem):
-        CertificateOptions.__init__(self)
-        self.torproject_ca = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, open(torproject_pem, 'r').read())
-
-    def getContext(self, host, port):
-        ctx = CertificateOptions.getContext(self)
-        ctx.set_verify_depth(0)
-        ctx.set_verify(OpenSSL.SSL.VERIFY_PEER | OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.verifyHostname)
-        return ctx
-
-    def verifyHostname(self, connection, cert, errno, depth, preverifyOK):
-        return cert.digest('sha256') == self.torproject_ca.digest('sha256')
-
- at implementer(IPolicyForHTTPS)
-class TorProjectPolicyForHTTPS:
-    def __init__(self, torproject_pem):
-        self.torproject_pem = torproject_pem
-
-    def creatorForNetloc(self, hostname, port):
-        certificateOptions = TorProjectCertificateOptions(self.torproject_pem)
-        return ClientTLSOptions(hostname.decode('utf-8'),
-                                certificateOptions.getContext(hostname, port))
-
 class Launcher:
     def __init__(self, common, url_list):
         self.common = common
@@ -86,7 +59,7 @@ class Launcher:
         # init launcher
         self.set_gui(None, '', [])
         self.launch_gui = True
-        
+
         # if Tor Browser is not installed, detect latest version, download, and install
         if not self.common.settings['installed']:
             # if downloading over Tor, include txsocksx
@@ -112,7 +85,7 @@ class Launcher:
                           'verify',
                           'extract',
                           'run'])
-        
+
         else:
             # Tor Browser is already installed, so run
             self.run(False)
@@ -264,9 +237,9 @@ class Launcher:
         if task == 'download_version_check':
             print _('Downloading'), self.common.paths['version_check_url']
             self.download('version check', self.common.paths['version_check_url'], self.common.paths['version_check_file'])
-        
+
         if task == 'set_version':
-            version = self.get_stable_version() 
+            version = self.get_stable_version()
             if version:
                 self.common.build_paths(self.get_stable_version())
                 print _('Latest version: {}').format(version)
@@ -414,15 +387,9 @@ class Launcher:
             torEndpoint = TCP4ClientEndpoint(reactor, '127.0.0.1', 9050)
 
             # default mirror gets certificate pinning, only for requests that use the mirror
-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
-                agent = SOCKS5Agent(reactor, TorProjectPolicyForHTTPS(self.common.paths['torproject_pem']), proxyEndpoint=torEndpoint)
-            else:
-                agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
+            agent = SOCKS5Agent(reactor, proxyEndpoint=torEndpoint)
         else:
-            if self.common.settings['mirror'] == self.common.default_mirror and '{0}' in url:
-                agent = Agent(reactor, TorProjectPolicyForHTTPS(self.common.paths['torproject_pem']))
-            else:
-                agent = Agent(reactor)
+            agent = Agent(reactor)
 
         # actually, agent needs to follow redirect
         agent = RedirectAgent(agent)

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git



More information about the Pkg-privacy-commits mailing list