From e07f7e3e6e5236e33c04e97971e835a0c6080da0 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Tue, 28 Apr 2009 11:46:48 +0000
Subject: [PATCH] support for trusted CA certificates loading from file in PEM format
---
elinks-nss-inc.patch | 58 +++++++++++++++++++++++++++++++++++++++
elinks-nss.patch | 64 ++++++++++++++++----------------------------
elinks.spec | 11 ++++++--
3 files changed, 90 insertions(+), 43 deletions(-)
create mode 100644 elinks-nss-inc.patch
diff --git a/elinks-nss-inc.patch b/elinks-nss-inc.patch
new file mode 100644
index 0000000..4ceab81
--- /dev/null
+++ b/elinks-nss-inc.patch
@@ -0,0 +1,58 @@ +diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c +--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-28 13:12:19.365660000 +0200 ++++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-28 13:26:39.287600358 +0200 +@@ -48,10 +48,16 @@ SSL_CTX *context = NULL; + static void + init_openssl(struct module *module) + { ++ unsigned char *ca_file; + SSLeay_add_ssl_algorithms(); + context = SSL_CTX_new(SSLv23_client_method()); + SSL_CTX_set_options(context, SSL_OP_ALL); ++#ifdef CONFIG_NSS_COMPAT_OSSL ++ ca_file = get_opt_str("connection.ssl.trusted_ca_file"); ++ SSL_CTX_load_verify_locations(context, ca_file, NULL); ++#else + SSL_CTX_set_default_verify_paths(context); ++#endif + } + + static void +@@ -61,10 +67,27 @@ done_openssl(struct module *module) + } + + static struct option_info openssl_options[] = { ++#ifdef CONFIG_NSS_COMPAT_OSSL ++ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"), ++ "cert_verify", 0, 0, ++ N_("Verify the peer's SSL certificate.")), ++ ++ INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"), ++ "trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt", ++ N_("The location of a file containing certificates of " ++ "trusted certification authorities in PEM format. " ++ "ELinks then trusts certificates issued by these CAs.\n" ++ "\n" ++ "If you change this option or the file, you must " ++ "restart ELinks for the changes to take effect. " ++ "This option affects GnuTLS and nss_compat_ossl but not " ++ "OpenSSL.")), ++#else + INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"), + "cert_verify", 0, 0, + N_("Verify the peer's SSL certificate. 
Note that this " + "needs extensive configuration of OpenSSL by the user.")), ++#endif + + INIT_OPT_TREE("connection.ssl", N_("Client Certificates"), + "client_cert", OPT_SORT, +@@ -187,7 +210,8 @@ static struct option_info gnutls_options + "\n" + "If you change this option or the file, you must " + "restart ELinks for the changes to take effect. " +- "This option affects GnuTLS but not OpenSSL.")), ++ "This option affects GnuTLS and nss_compat_ossl but not " ++ "OpenSSL.")), + + NULL_OPTION_INFO, + }; diff --git a/elinks-nss.patch b/elinks-nss.patch index 9196d5c..d440a9f 100644 --- a/elinks-nss.patch +++ b/elinks-nss.patch @@ -1,6 +1,6 @@ diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in ---- elinks-0.12pre3.orig/configure.in 2009-04-14 13:46:26.749379000 +0200 -+++ elinks-0.12pre3/configure.in 2009-04-14 13:47:13.702846713 +0200 +--- elinks-0.12pre3.orig/configure.in 2009-04-28 12:19:38.816628000 +0200 ++++ elinks-0.12pre3/configure.in 2009-04-28 12:56:07.343999815 +0200 @@ -1014,6 +1014,7 @@ gnutls_withval="$withval" if test "$enable_gnutls" = yes; then @@ -62,7 +62,7 @@ diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/network/ssl/socket.c --- elinks-0.12pre3.orig/src/network/ssl/socket.c 2009-03-29 00:14:03.000000000 +0100 -+++ elinks-0.12pre3/src/network/ssl/socket.c 2009-04-14 13:47:13.704846733 +0200 ++++ elinks-0.12pre3/src/network/ssl/socket.c 2009-04-28 13:01:02.116180177 +0200 @@ -6,6 +6,10 @@ #ifdef CONFIG_OPENSSL 
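Review bot: The return value of `SSL_CTX_load_verify_locations(context, ca_file, NULL)` in init_openssl is discarded, so a missing, unreadable or malformed `trusted_ca_file` leaves the context with no trust anchors and the failure only shows up later as every handshake being rejected once `cert_verify` is on (or, depending on how nss_compat_ossl treats an empty trust store, not showing up at all). Check the result and report it through ELinks's usual error path (that helper, like get_opt_str's contract, is not visible in this hunk), and treat an empty option value as a failure rather than handing `""` to the loader; the declaration of `ca_file` should also move under `#ifdef CONFIG_NSS_COMPAT_OSSL`, since it is unused in the `#else` branch and draws an unused-variable warning on OpenSSL builds. Note too that `cert_verify` still defaults to 0 in the new option table, so the bundle is loaded but never consulted until the user opts in — the new help text should say so, e.g. `"Verify the peer's SSL certificate (off by default)."`.
```c
static void
init_openssl(struct module *module)
{
	/* … unchanged: SSLeay_add_ssl_algorithms / SSL_CTX_new / SSL_CTX_set_options … */
#ifdef CONFIG_NSS_COMPAT_OSSL
	{
		unsigned char *ca_file = get_opt_str("connection.ssl.trusted_ca_file");

		/* A missing or malformed bundle leaves the context with no trust
		 * anchors; check the result instead of discarding it so the user
		 * learns why verified connections fail. */
		if (!ca_file || !*ca_file
		    || !SSL_CTX_load_verify_locations(context, ca_file, NULL)) {
			/* report via ELinks's error path (helper not visible in this hunk) */
		}
	}
#else
	SSL_CTX_set_default_verify_paths(context);
#endif
}
/* … unchanged: openssl_options table … */
```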
@@ -153,8 +153,8 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/net #elif defined(CONFIG_GNUTLS) int err = rd; diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c ---- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-14 13:46:26.739379000 +0200 -+++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-14 13:52:15.813854125 +0200 +--- elinks-0.12pre3.orig/src/network/ssl/ssl.c 2009-04-28 12:19:38.782627000 +0200 ++++ elinks-0.12pre3/src/network/ssl/ssl.c 2009-04-28 12:59:09.000000000 +0200 @@ -7,6 +7,10 @@ #ifdef CONFIG_OPENSSL #include 
@@ -175,42 +175,24 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ #ifndef PATH_MAX #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */ -@@ -57,10 +61,18 @@ done_openssl(struct module *module) - } - - static struct option_info openssl_options[] = { -+#ifdef CONFIG_NSS_COMPAT_OSSL -+ INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"), -+ "cert_verify", 0, 0, -+ N_("Verify the peer's SSL certificate. The NSS database " -+ "location can be changed by SSL_DIR environment variable. " -+ "The database can be also shared with Mozilla browsers.")), -+#else - INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"), - "cert_verify", 0, 0, - N_("Verify the peer's SSL certificate. Note that this " - "needs extensive configuration of OpenSSL by the user.")), -+#endif - - INIT_OPT_TREE("connection.ssl", N_("Client Certificates"), - "client_cert", OPT_SORT, -@@ -71,12 +83,27 @@ static struct option_info openssl_option +@@ -71,12 +75,28 @@ static struct option_info openssl_option N_("Enable or not the sending of X509 client certificates " "to servers which request them.")), +#ifdef CONFIG_NSS_COMPAT_OSSL + INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"), + "nickname", 0, "", -+ N_("The nickname of the client certificate stored in NSS " -+ "database. If this value is unset, the nickname from " -+ "the X509_CLIENT_CERT variable is used instead. If you " -+ "have a PKCS#12 file containing client certificate, you " -+ "can import it into your NSS database with: " -+ "$ pk12util -i mycert.p12 -d /path/to/database " -+ " " -+ "The NSS database location can be changed by SSL_DIR " -+ "environment variable. The database can be also shared " -+ "with Mozilla browsers.")), ++ N_("The nickname of the client certificate stored in NSS " ++ "database. If this value is unset, the nickname from " ++ "the X509_CLIENT_CERT variable is used instead. 
If you " ++ "have a PKCS#12 file containing client certificate, you " ++ "can import it into your NSS database with:\n" ++ "\n" ++ "$ pk12util -i mycert.p12 -d /path/to/database\n" ++ "\n" ++ "The NSS database location can be changed by SSL_DIR " ++ "environment variable. The database can be also shared " ++ "with Mozilla browsers.")), +#else INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"), "file", 0, "", @@ -222,7 +204,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ NULL_OPTION_INFO, }; -@@ -182,7 +209,7 @@ static struct module gnutls_module = str +@@ -182,7 +202,7 @@ static struct module gnutls_module = str /* done: */ done_gnutls ); @@ -231,7 +213,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ static struct option_info ssl_options[] = { INIT_OPT_TREE("connection", N_("SSL"), -@@ -193,7 +220,7 @@ static struct option_info ssl_options[] +@@ -193,7 +213,7 @@ static struct option_info ssl_options[] }; static struct module *ssl_modules[] = { @@ -240,7 +222,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ &openssl_module, #elif defined(CONFIG_GNUTLS) &gnutls_module, -@@ -214,7 +241,7 @@ struct module ssl_module = struct_module +@@ -214,7 +234,7 @@ struct module ssl_module = struct_module int init_ssl_connection(struct socket *socket) { @@ -249,7 +231,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ socket->ssl = SSL_new(context); if (!socket->ssl) return S_SSL_ERROR; #elif defined(CONFIG_GNUTLS) -@@ -263,7 +290,7 @@ done_ssl_connection(struct socket *socke +@@ -263,7 +283,7 @@ done_ssl_connection(struct socket *socke ssl_t *ssl = socket->ssl; if (!ssl) return; 
@@ -258,7 +240,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ SSL_free(ssl); #elif defined(CONFIG_GNUTLS) gnutls_deinit(*ssl); -@@ -280,7 +307,7 @@ get_ssl_connection_cipher(struct socket +@@ -280,7 +300,7 @@ get_ssl_connection_cipher(struct socket if (!init_string(&str)) return NULL; @@ -269,7 +251,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ SSL_get_cipher_version(ssl), diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.h elinks-0.12pre3/src/network/ssl/ssl.h --- elinks-0.12pre3.orig/src/network/ssl/ssl.h 2009-03-29 00:14:03.000000000 +0100 -+++ elinks-0.12pre3/src/network/ssl/ssl.h 2009-04-14 13:47:13.706846753 +0200 ++++ elinks-0.12pre3/src/network/ssl/ssl.h 2009-04-28 12:56:59.000000000 +0200 @@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher /* Internal type used in ssl module. */ diff --git a/elinks.spec b/elinks.spec index b385391..4621276 100644 --- a/elinks.spec +++ b/elinks.spec @@ -1,6 +1,6 @@ Name: elinks Summary: A text-mode Web browser -Version: 0.12 +Version: 0.13 Release: 0.12.pre3%{?dist} License: GPLv2 URL: http://elinks.or.cz @@ -35,6 +35,7 @@ Patch6: elinks-0.11.0-union.patch Patch7: elinks-0.11.3-macropen.patch Patch8: elinks-scroll.patch Patch9: elinks-nss.patch +Patch10: elinks-nss-inc.patch %description Elinks is a text-based Web browser. Elinks does not display any images, @@ -62,8 +63,10 @@ quickly and swiftly displays Web pages. %patch7 -p1 #upstream fix for out of screen dialogs %patch8 -p1 -# Port elinks to use NSS library for cryptography (#346861) +# Port elinks to use NSS library for cryptography (#346861) - accepted upstream %patch9 -p1 +# Port elinks to use NSS library for cryptography (#346861) - incremental patch +%patch10 -p1 %build ./autogen.sh 
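Review bot: The first elinks.spec hunk bumps `Version: 0.12` to `Version: 0.13` while leaving `Release: 0.12.pre3%{?dist}` untouched, which contradicts the changelog entry `0.12-0.13.pre3` further down and yields the NVR 0.13-0.12.pre3. Since RPM compares Version before Release, that package would also sort above the eventual 0.12 final build (0.12-1), so that update would look like a downgrade. The field that was meant to change is Release: keep `Version: 0.12` and set `Release: 0.13.pre3%{?dist}`.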
@@ -119,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/* %changelog +* Tue Apr 28 2009 Kamil Dudka 0.12-0.13.pre3 +- use appropriate BuildRequires for nss_compat_ossl (#495532) +- support for trusted CA certificates loading from file in PEM format + * Fri Apr 03 2009 Ondrej Vasik 0.12.0.12.pre3 - use word Elinks instead of Links in package description