support for trusted CA certificates loading from file in PEM format

elinks-nss-inc.patch

@@ -0,0 +1,58 @@
+diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
+--- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-28 13:12:19.365660000 +0200
++++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-28 13:26:39.287600358 +0200
+@@ -48,10 +48,16 @@ SSL_CTX *context = NULL;
+ static void
+ init_openssl(struct module *module)
+ {
++	unsigned char *ca_file;
+ 	SSLeay_add_ssl_algorithms();
+ 	context = SSL_CTX_new(SSLv23_client_method());
+ 	SSL_CTX_set_options(context, SSL_OP_ALL);
++#ifdef CONFIG_NSS_COMPAT_OSSL
++	ca_file = get_opt_str("connection.ssl.trusted_ca_file");
++	SSL_CTX_load_verify_locations(context, ca_file, NULL);
++#else
+ 	SSL_CTX_set_default_verify_paths(context);
++#endif
+ }
+ 
+ static void
+@@ -61,10 +67,27 @@ done_openssl(struct module *module)
+ }
+ 
+ static struct option_info openssl_options[] = {
++#ifdef CONFIG_NSS_COMPAT_OSSL
++	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
++		"cert_verify", 0, 0,
++		N_("Verify the peer's SSL certificate.")),
++
++	INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
++		"trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt",
++		N_("The location of a file containing certificates of "
++		"trusted certification authorities in PEM format. "
++		"ELinks then trusts certificates issued by these CAs.\n"
++		"\n"
++		"If you change this option or the file, you must "
++		"restart ELinks for the changes to take effect. "
++		"This option affects GnuTLS and nss_compat_ossl but not "
++		"OpenSSL.")),
++#else
+ 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ 		"cert_verify", 0, 0,
+ 		N_("Verify the peer's SSL certificate. Note that this "
+ 		"needs extensive configuration of OpenSSL by the user.")),
++#endif
+ 
+ 	INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
+         	"client_cert", OPT_SORT,
+@@ -187,7 +210,8 @@ static struct option_info gnutls_options
+ 		"\n"
+ 		"If you change this option or the file, you must "
+ 		"restart ELinks for the changes to take effect. "
+-		"This option affects GnuTLS but not OpenSSL.")),
++		"This option affects GnuTLS and nss_compat_ossl but not "
++		"OpenSSL.")),
+ 
+ 	NULL_OPTION_INFO,
+ };

elinks-nss.patch

@@ -1,6 +1,6 @@
 diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
---- elinks-0.12pre3.orig/configure.in	2009-04-14 13:46:26.749379000 +0200
+--- elinks-0.12pre3.orig/configure.in	2009-04-28 12:19:38.816628000 +0200
-+++ elinks-0.12pre3/configure.in	2009-04-14 13:47:13.702846713 +0200
++++ elinks-0.12pre3/configure.in	2009-04-28 12:56:07.343999815 +0200
 @@ -1014,6 +1014,7 @@ gnutls_withval="$withval"
  
  if test "$enable_gnutls" = yes; then
@@ -62,7 +62,7 @@ diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
  
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/network/ssl/socket.c
 --- elinks-0.12pre3.orig/src/network/ssl/socket.c	2009-03-29 00:14:03.000000000 +0100
-+++ elinks-0.12pre3/src/network/ssl/socket.c	2009-04-14 13:47:13.704846733 +0200
++++ elinks-0.12pre3/src/network/ssl/socket.c	2009-04-28 13:01:02.116180177 +0200
 @@ -6,6 +6,10 @@
  
  #ifdef CONFIG_OPENSSL
@@ -153,8 +153,8 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/net
  #elif defined(CONFIG_GNUTLS)
  		int err = rd;
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
---- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-14 13:46:26.739379000 +0200
+--- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-28 12:19:38.782627000 +0200
-+++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-14 13:52:15.813854125 +0200
++++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-28 12:59:09.000000000 +0200
 @@ -7,6 +7,10 @@
  #ifdef CONFIG_OPENSSL
  #include <openssl/ssl.h>
@@ -175,42 +175,24 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  
  #ifndef PATH_MAX
  #define	PATH_MAX	256 /* according to my /usr/include/bits/posix1_lim.h */
-@@ -57,10 +61,18 @@ done_openssl(struct module *module)
+@@ -71,12 +75,28 @@ static struct option_info openssl_option
- }
- 
- static struct option_info openssl_options[] = {
-+#ifdef CONFIG_NSS_COMPAT_OSSL
-+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
-+		"cert_verify", 0, 0,
-+		N_("Verify the peer's SSL certificate. The NSS database "
-+		"location can be changed by SSL_DIR environment variable. "
-+		"The database can be also shared with Mozilla browsers.")),
-+#else
- 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
- 		"cert_verify", 0, 0,
- 		N_("Verify the peer's SSL certificate. Note that this "
- 		"needs extensive configuration of OpenSSL by the user.")),
-+#endif
- 
- 	INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
-         	"client_cert", OPT_SORT,
-@@ -71,12 +83,27 @@ static struct option_info openssl_option
  		N_("Enable or not the sending of X509 client certificates "
  		"to servers which request them.")),
  
 +#ifdef CONFIG_NSS_COMPAT_OSSL
 +	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
 +		"nickname", 0, "",
-+		 N_("The nickname of the client certificate stored in NSS "
++		N_("The nickname of the client certificate stored in NSS "
-+		    "database. If this value is unset, the nickname from "
++		"database. If this value is unset, the nickname from "
-+		    "the X509_CLIENT_CERT variable is used instead. If you "
++		"the X509_CLIENT_CERT variable is used instead. If you "
-+		    "have a PKCS#12 file containing client certificate, you "
++		"have a PKCS#12 file containing client certificate, you "
-+		    "can import it into your NSS database with: "
++		"can import it into your NSS database with:\n"
-+		    "$ pk12util -i mycert.p12 -d /path/to/database "
++		"\n"
-+		    " "
++		"$ pk12util -i mycert.p12 -d /path/to/database\n"
-+		    "The NSS database location can be changed by SSL_DIR "
++		"\n"
-+		    "environment variable. The database can be also shared "
++		"The NSS database location can be changed by SSL_DIR "
-+		    "with Mozilla browsers.")),
++		"environment variable. The database can be also shared "
++		"with Mozilla browsers.")),
 +#else
  	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
  		"file", 0, "",
@@ -222,7 +204,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  
  	NULL_OPTION_INFO,
  };
-@@ -182,7 +209,7 @@ static struct module gnutls_module = str
+@@ -182,7 +202,7 @@ static struct module gnutls_module = str
  	/* done: */		done_gnutls
  );
  
@@ -231,7 +213,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  
  static struct option_info ssl_options[] = {
  	INIT_OPT_TREE("connection", N_("SSL"),
-@@ -193,7 +220,7 @@ static struct option_info ssl_options[] 
+@@ -193,7 +213,7 @@ static struct option_info ssl_options[] 
  };
  
  static struct module *ssl_modules[] = {
@@ -240,7 +222,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  	&openssl_module,
  #elif defined(CONFIG_GNUTLS)
  	&gnutls_module,
-@@ -214,7 +241,7 @@ struct module ssl_module = struct_module
+@@ -214,7 +234,7 @@ struct module ssl_module = struct_module
  int
  init_ssl_connection(struct socket *socket)
  {
@@ -249,7 +231,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  	socket->ssl = SSL_new(context);
  	if (!socket->ssl) return S_SSL_ERROR;
  #elif defined(CONFIG_GNUTLS)
-@@ -263,7 +290,7 @@ done_ssl_connection(struct socket *socke
+@@ -263,7 +283,7 @@ done_ssl_connection(struct socket *socke
  	ssl_t *ssl = socket->ssl;
  
  	if (!ssl) return;
@@ -258,7 +240,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  	SSL_free(ssl);
  #elif defined(CONFIG_GNUTLS)
  	gnutls_deinit(*ssl);
-@@ -280,7 +307,7 @@ get_ssl_connection_cipher(struct socket 
+@@ -280,7 +300,7 @@ get_ssl_connection_cipher(struct socket 
  
  	if (!init_string(&str)) return NULL;
  
@@ -269,7 +251,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
  		SSL_get_cipher_version(ssl),
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.h elinks-0.12pre3/src/network/ssl/ssl.h
 --- elinks-0.12pre3.orig/src/network/ssl/ssl.h	2009-03-29 00:14:03.000000000 +0100
-+++ elinks-0.12pre3/src/network/ssl/ssl.h	2009-04-14 13:47:13.706846753 +0200
++++ elinks-0.12pre3/src/network/ssl/ssl.h	2009-04-28 12:56:59.000000000 +0200
 @@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher
  
  /* Internal type used in ssl module. */

elinks.spec

@@ -1,6 +1,6 @@
 Name:      elinks
 Summary:   A text-mode Web browser
-Version:   0.12
+Version:   0.13
 Release:   0.12.pre3%{?dist}
 License:   GPLv2
 URL:       http://elinks.or.cz
@@ -35,6 +35,7 @@ Patch6: elinks-0.11.0-union.patch
 Patch7: elinks-0.11.3-macropen.patch
 Patch8: elinks-scroll.patch
 Patch9: elinks-nss.patch
+Patch10: elinks-nss-inc.patch
 
 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@@ -62,8 +63,10 @@ quickly and swiftly displays Web pages.
 %patch7 -p1
 #upstream fix for out of screen dialogs
 %patch8 -p1
-# Port elinks to use NSS library for cryptography (#346861)
+# Port elinks to use NSS library for cryptography (#346861) - accepted upstream
 %patch9 -p1
+# Port elinks to use NSS library for cryptography (#346861) - incremental patch
+%patch10 -p1
 
 %build
 ./autogen.sh
@@ -119,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/*
 
 %changelog
+* Tue Apr 28 2009 Kamil Dudka <kdudka@redhat.com> 0.12-0.13.pre3
+- use appropriate BuildRequires for nss_compat_ossl (#495532)
+- support for trusted CA certificates loading from file in PEM format
+
 * Fri Apr 03 2009 Ondrej Vasik <ovasik@redhat.com> 0.12.0.12.pre3
 - use word Elinks instead of Links in package description