support for trusted CA certificates loading from file in PEM format

2009-04-28 11:46:48 +00:00 · 2009-04-28 11:46:48 +00:00 · e07f7e3e6e
commit e07f7e3e6e
parent e4a56895d1
3 changed files with 90 additions and 43 deletions
--- a/elinks-nss-inc.patch
+++ b/elinks-nss-inc.patch
@ -0,0 +1,58 @@
+diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
+--- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-28 13:12:19.365660000 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-28 13:26:39.287600358 +0200
+@@ -48,10 +48,16 @@ SSL_CTX *context = NULL;
+ static void
+ init_openssl(struct module *module)
+ {
+	unsigned char *ca_file;
+ 	SSLeay_add_ssl_algorithms();
+ 	context = SSL_CTX_new(SSLv23_client_method());
+ 	SSL_CTX_set_options(context, SSL_OP_ALL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	ca_file = get_opt_str("connection.ssl.trusted_ca_file");
+	SSL_CTX_load_verify_locations(context, ca_file, NULL);
+#else
+ 	SSL_CTX_set_default_verify_paths(context);
+#endif
+ }
+ 
+ static void
+@@ -61,10 +67,27 @@ done_openssl(struct module *module)
+ }
+ 
+ static struct option_info openssl_options[] = {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+		"cert_verify", 0, 0,
+		N_("Verify the peer's SSL certificate.")),
+
+	INIT_OPT_STRING("connection.ssl", N_("Trusted CA file"),
+		"trusted_ca_file", 0, "/etc/pki/tls/certs/ca-bundle.crt",
+		N_("The location of a file containing certificates of "
+		"trusted certification authorities in PEM format. "
+		"ELinks then trusts certificates issued by these CAs.\n"
+		"\n"
+		"If you change this option or the file, you must "
+		"restart ELinks for the changes to take effect. "
+		"This option affects GnuTLS and nss_compat_ossl but not "
+		"OpenSSL.")),
+#else
+ 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
+ 		"cert_verify", 0, 0,
+ 		N_("Verify the peer's SSL certificate. Note that this "
+ 		"needs extensive configuration of OpenSSL by the user.")),
+#endif
+ 
+ 	INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
+         	"client_cert", OPT_SORT,
+@@ -187,7 +210,8 @@ static struct option_info gnutls_options
+ 		"\n"
+ 		"If you change this option or the file, you must "
+ 		"restart ELinks for the changes to take effect. "
+-		"This option affects GnuTLS but not OpenSSL.")),
+		"This option affects GnuTLS and nss_compat_ossl but not "
+		"OpenSSL.")),
+ 
+ 	NULL_OPTION_INFO,
+ };
--- a/elinks-nss.patch
+++ b/elinks-nss.patch
@ -1,6 +1,6 @@
 diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
--- elinks-0.12pre3.orig/configure.in	2009-04-14 13:46:26.749379000 +0200
-+++ elinks-0.12pre3/configure.in	2009-04-14 13:47:13.702846713 +0200
+--- elinks-0.12pre3.orig/configure.in	2009-04-28 12:19:38.816628000 +0200
+++ elinks-0.12pre3/configure.in	2009-04-28 12:56:07.343999815 +0200
@@ -1014,6 +1014,7 @@ gnutls_withval="$withval"
 
 if test "$enable_gnutls" = yes; then
@ -62,7 +62,7 @@ diff -ruNp elinks-0.12pre3.orig/configure.in elinks-0.12pre3/configure.in
 
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/network/ssl/socket.c
 --- elinks-0.12pre3.orig/src/network/ssl/socket.c	2009-03-29 00:14:03.000000000 +0100
-+++ elinks-0.12pre3/src/network/ssl/socket.c	2009-04-14 13:47:13.704846733 +0200
+++ elinks-0.12pre3/src/network/ssl/socket.c	2009-04-28 13:01:02.116180177 +0200
@@ -6,6 +6,10 @@
 
 #ifdef CONFIG_OPENSSL
@ -153,8 +153,8 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/socket.c elinks-0.12pre3/src/net
 #elif defined(CONFIG_GNUTLS)
 		int err = rd;
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/network/ssl/ssl.c
--- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-14 13:46:26.739379000 +0200
-+++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-14 13:52:15.813854125 +0200
+--- elinks-0.12pre3.orig/src/network/ssl/ssl.c	2009-04-28 12:19:38.782627000 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.c	2009-04-28 12:59:09.000000000 +0200
@@ -7,6 +7,10 @@
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
@ -175,42 +175,24 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 
 #ifndef PATH_MAX
 #define	PATH_MAX	256 /* according to my /usr/include/bits/posix1_lim.h */
-@@ -57,10 +61,18 @@ done_openssl(struct module *module)
- }
- 
- static struct option_info openssl_options[] = {
-+#ifdef CONFIG_NSS_COMPAT_OSSL
-+	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
-+		"cert_verify", 0, 0,
-+		N_("Verify the peer's SSL certificate. The NSS database "
-+		"location can be changed by SSL_DIR environment variable. "
-+		"The database can be also shared with Mozilla browsers.")),
-+#else
- 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
- 		"cert_verify", 0, 0,
- 		N_("Verify the peer's SSL certificate. Note that this "
- 		"needs extensive configuration of OpenSSL by the user.")),
-+#endif
- 
- 	INIT_OPT_TREE("connection.ssl", N_("Client Certificates"),
-         	"client_cert", OPT_SORT,
-@@ -71,12 +83,27 @@ static struct option_info openssl_option
+@@ -71,12 +75,28 @@ static struct option_info openssl_option
 		N_("Enable or not the sending of X509 client certificates "
 		"to servers which request them.")),
 
 +#ifdef CONFIG_NSS_COMPAT_OSSL
 +	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
 +		"nickname", 0, "",
-+		 N_("The nickname of the client certificate stored in NSS "
-+		    "database. If this value is unset, the nickname from "
-+		    "the X509_CLIENT_CERT variable is used instead. If you "
-+		    "have a PKCS#12 file containing client certificate, you "
-+		    "can import it into your NSS database with: "
-+		    "$ pk12util -i mycert.p12 -d /path/to/database "
-+		    " "
-+		    "The NSS database location can be changed by SSL_DIR "
-+		    "environment variable. The database can be also shared "
-+		    "with Mozilla browsers.")),
+		N_("The nickname of the client certificate stored in NSS "
+		"database. If this value is unset, the nickname from "
+		"the X509_CLIENT_CERT variable is used instead. If you "
+		"have a PKCS#12 file containing client certificate, you "
+		"can import it into your NSS database with:\n"
+		"\n"
+		"$ pk12util -i mycert.p12 -d /path/to/database\n"
+		"\n"
+		"The NSS database location can be changed by SSL_DIR "
+		"environment variable. The database can be also shared "
+		"with Mozilla browsers.")),
 +#else
 	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
 		"file", 0, "",
@ -222,7 +204,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 
 	NULL_OPTION_INFO,
 };
-@@ -182,7 +209,7 @@ static struct module gnutls_module = str
+@@ -182,7 +202,7 @@ static struct module gnutls_module = str
 	/* done: */		done_gnutls
 );
 
@ -231,7 +213,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 
 static struct option_info ssl_options[] = {
 	INIT_OPT_TREE("connection", N_("SSL"),
-@@ -193,7 +220,7 @@ static struct option_info ssl_options[] 
+@@ -193,7 +213,7 @@ static struct option_info ssl_options[] 
 };
 
 static struct module *ssl_modules[] = {
@ -240,7 +222,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 	&openssl_module,
 #elif defined(CONFIG_GNUTLS)
 	&gnutls_module,
-@@ -214,7 +241,7 @@ struct module ssl_module = struct_module
+@@ -214,7 +234,7 @@ struct module ssl_module = struct_module
 int
 init_ssl_connection(struct socket *socket)
 {
@ -249,7 +231,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 	socket->ssl = SSL_new(context);
 	if (!socket->ssl) return S_SSL_ERROR;
 #elif defined(CONFIG_GNUTLS)
-@@ -263,7 +290,7 @@ done_ssl_connection(struct socket *socke
+@@ -263,7 +283,7 @@ done_ssl_connection(struct socket *socke
 	ssl_t *ssl = socket->ssl;
 
 	if (!ssl) return;
@ -258,7 +240,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 	SSL_free(ssl);
 #elif defined(CONFIG_GNUTLS)
 	gnutls_deinit(*ssl);
-@@ -280,7 +307,7 @@ get_ssl_connection_cipher(struct socket 
+@@ -280,7 +300,7 @@ get_ssl_connection_cipher(struct socket 
 
 	if (!init_string(&str)) return NULL;
 
@ -269,7 +251,7 @@ diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.c elinks-0.12pre3/src/networ
 		SSL_get_cipher_version(ssl),
 diff -ruNp elinks-0.12pre3.orig/src/network/ssl/ssl.h elinks-0.12pre3/src/network/ssl/ssl.h
 --- elinks-0.12pre3.orig/src/network/ssl/ssl.h	2009-03-29 00:14:03.000000000 +0100
-+++ elinks-0.12pre3/src/network/ssl/ssl.h	2009-04-14 13:47:13.706846753 +0200
+++ elinks-0.12pre3/src/network/ssl/ssl.h	2009-04-28 12:56:59.000000000 +0200
@@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher
 
 /* Internal type used in ssl module. */
--- a/elinks.spec
+++ b/elinks.spec
@ -1,6 +1,6 @@
 Name:      elinks
 Summary:   A text-mode Web browser
-Version:   0.12
+Version:   0.13
 Release:   0.12.pre3%{?dist}
 License:   GPLv2
 URL:       http://elinks.or.cz
@ -35,6 +35,7 @@ Patch6: elinks-0.11.0-union.patch
 Patch7: elinks-0.11.3-macropen.patch
 Patch8: elinks-scroll.patch
 Patch9: elinks-nss.patch
+Patch10: elinks-nss-inc.patch

 %description
 Elinks is a text-based Web browser. Elinks does not display any images,
@ -62,8 +63,10 @@ quickly and swiftly displays Web pages.
 %patch7 -p1
 #upstream fix for out of screen dialogs
 %patch8 -p1
-# Port elinks to use NSS library for cryptography (#346861)
+# Port elinks to use NSS library for cryptography (#346861) - accepted upstream
 %patch9 -p1
+# Port elinks to use NSS library for cryptography (#346861) - incremental patch
+%patch10 -p1

 %build
 ./autogen.sh
@ -119,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/*

 %changelog
+* Tue Apr 28 2009 Kamil Dudka <kdudka@redhat.com> 0.12-0.13.pre3
+- use appropriate BuildRequires for nss_compat_ossl (#495532)
+- support for trusted CA certificates loading from file in PEM format
+
 * Fri Apr 03 2009 Ondrej Vasik <ovasik@redhat.com> 0.12.0.12.pre3
 - use word Elinks instead of Links in package description