
add support for nss_compat_ossl library (OpenSSL replacement)

* configure.in: New configure parameter --with-nss_compat_ossl.
 * socket.c: New configure option connection.ssl.client_cert.nickname.
 * ssl.h: Handle CONFIG_NSS_COMPAT_OSSL macro.
 * ssl.c: Add support for nss_compat_ossl.
 * TODO: Remove completed task.
 * NEWS: Mention the change.
This commit is contained in:
Kamil Dudka 2008-09-23 13:27:47 +02:00 committed by Kalle Olavi Niemitalo
parent b40736cafe
commit a00a413765
6 changed files with 84 additions and 20 deletions

NEWS

@ -48,6 +48,8 @@ Miscellaneous:
* enhancement: Indicate backgrounded downloads using an unused led. * enhancement: Indicate backgrounded downloads using an unused led.
* enhancement: Display the number of ECMAScript interpreters that have * enhancement: Display the number of ECMAScript interpreters that have
been allocated for documents in the Resources dialog. been allocated for documents in the Resources dialog.
* Fedora enhancement 346861: Add support for nss_compat_ossl library
(OpenSSL replacement).
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
The following changes should be removed from NEWS before ELinks 0.13.0 The following changes should be removed from NEWS before ELinks 0.13.0


@ -952,6 +952,7 @@ gnutls_withval="$withval"
if test "$enable_gnutls" = yes; then if test "$enable_gnutls" = yes; then
disable_openssl=yes; disable_openssl=yes;
with_nss_compat_ossl=no;
fi fi
AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support], AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support],
@ -959,6 +960,37 @@ AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support],
AC_ARG_WITH(openssl, [[ --with-openssl[=DIR] enable OpenSSL support (default)]]) AC_ARG_WITH(openssl, [[ --with-openssl[=DIR] enable OpenSSL support (default)]])
openssl_withval="$withval" openssl_withval="$withval"
AC_ARG_WITH(nss_compat_ossl, [[ --with-nss_compat_ossl[=DIR]
NSS compatibility SSL libraries/include files]])
# nss_compat_ossl
if test -n "$with_nss_compat_ossl" && test "$with_nss_compat_ossl" != "no"; then
EL_SAVE_FLAGS
if test "$with_nss_compat_ossl" = yes; then
if pkg-config nss; then
CFLAGS="$CFLAGS_X `pkg-config --cflags nss`"
LIBS="$LIBS_X `pkg-config --libs nss`"
else
with_nss_compat_ossl=no
fi
else
# Without pkg-config, we'll kludge in some defaults
CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include -I/usr/include/nss3 -I/usr/include/nspr4"
LIBS="$LIBS_X -L$with_nss_compat_ossl/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
fi
AC_CHECK_HEADERS(nss_compat_ossl/nss_compat_ossl.h,, [with_nss_compat_ossl=no], [#define NSS_COMPAT_OSSL_H])
AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no])
if test "$with_nss_compat_ossl" = "no"; then
EL_RESTORE_FLAGS
else
LIBS="$LIBS -lnss_compat_ossl"
EL_CONFIG(CONFIG_NSS_COMPAT_OSSL, [nss_compat_ossl])
disable_openssl="yes"
disable_gnutls="yes"
fi
fi
# ---- OpenSSL # ---- OpenSSL
AC_MSG_CHECKING([for OpenSSL]) AC_MSG_CHECKING([for OpenSSL])
@ -1075,10 +1107,11 @@ AC_MSG_RESULT($cf_result)
# Final SSL setup # Final SSL setup
EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS], [SSL]) EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS CONFIG_NSS_COMPAT_OSSL], [SSL])
AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT) AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT)
AC_SUBST(CONFIG_OPENSSL) AC_SUBST(CONFIG_OPENSSL)
AC_SUBST(CONFIG_GNUTLS) AC_SUBST(CONFIG_GNUTLS)
AC_SUBST(CONFIG_NSS_COMPAT_OSSL)
#endif #endif
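Review bot: `AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no])` leaves action-if-found empty, so Autoconf's default action already prepends `-lnss_compat_ossl` to LIBS (and defines HAVE_LIBNSS_COMPAT_OSSL), which makes the explicit `LIBS="$LIBS -lnss_compat_ossl"` in the success branch link the library a second time. Either give the macro an explicit action-if-found such as `[with_nss_compat_ossl=yes]` and keep the manual LIBS line, or drop the manual line. The header probe also does not short-circuit: when `AC_CHECK_HEADERS` sets `with_nss_compat_ossl=no`, `AC_CHECK_LIB` still runs against the freshly set CFLAGS/LIBS, so wrapping it in `if test "$with_nss_compat_ossl" != no; then` keeps the failure path cheaper and the config.log clearer. The probe `if pkg-config nss; then` reads more clearly as `if pkg-config --exists nss; then`, which is the documented form for a presence test.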


@ -5,10 +5,6 @@ We could add also support for:
format conviently readable for me; however, they say it is damn fast and very format conviently readable for me; however, they say it is damn fast and very
easy to use) easy to use)
* NSS (http://www.mozilla.org/projects/security/pki/nss/ - it could be pretty
widespread and nicely tested by mozilla, however it scares me, it looks to be
pretty complex and already needing some certificates db generated etc)
Possibly, we should drop support for native GnuTLS and use their OpenSSL Possibly, we should drop support for native GnuTLS and use their OpenSSL
wrapper instead, since I happen to feel very unsure about GnuTLS interface - wrapper instead, since I happen to feel very unsure about GnuTLS interface -
OpenSSL is not much better, but we can steal code from other applications ;-). OpenSSL is not much better, but we can steal code from other applications ;-).


@ -6,6 +6,10 @@
#ifdef CONFIG_OPENSSL #ifdef CONFIG_OPENSSL
#include <openssl/ssl.h> #include <openssl/ssl.h>
#define USE_OPENSSL
#elif defined(CONFIG_NSS_COMPAT_OSSL)
#include <nss_compat_ossl/nss_compat_ossl.h>
#define USE_OPENSSL
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
#else #else
@ -26,7 +30,7 @@
/* SSL errors */ /* SSL errors */
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
#define SSL_ERROR_WANT_READ2 9999 /* XXX */ #define SSL_ERROR_WANT_READ2 9999 /* XXX */
#define SSL_ERROR_WANT_WRITE2 SSL_ERROR_WANT_WRITE #define SSL_ERROR_WANT_WRITE2 SSL_ERROR_WANT_WRITE
#define SSL_ERROR_SYSCALL2 SSL_ERROR_SYSCALL #define SSL_ERROR_SYSCALL2 SSL_ERROR_SYSCALL
@ -40,7 +44,7 @@
#define SSL_ERROR_SYSCALL2 GNUTLS_E_PULL_ERROR #define SSL_ERROR_SYSCALL2 GNUTLS_E_PULL_ERROR
#endif #endif
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
#define ssl_do_connect(socket) SSL_get_error(socket->ssl, SSL_connect(socket->ssl)) #define ssl_do_connect(socket) SSL_get_error(socket->ssl, SSL_connect(socket->ssl))
#define ssl_do_write(socket, data, len) SSL_write(socket->ssl, data, len) #define ssl_do_write(socket, data, len) SSL_write(socket->ssl, data, len)
@ -126,7 +130,7 @@ ssl_connect(struct socket *socket)
if (socket->no_tls) if (socket->no_tls)
ssl_set_no_tls(socket); ssl_set_no_tls(socket);
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
SSL_set_fd(socket->ssl, socket->fd); SSL_set_fd(socket->ssl, socket->fd);
if (get_opt_bool("connection.ssl.cert_verify", NULL)) if (get_opt_bool("connection.ssl.cert_verify", NULL))
@ -137,8 +141,13 @@ ssl_connect(struct socket *socket)
if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) { if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
unsigned char *client_cert; unsigned char *client_cert;
client_cert = get_opt_str("connection.ssl.client_cert.file", #ifdef CONFIG_NSS_COMPAT_OSSL
NULL); client_cert = get_opt_str(
"connection.ssl.client_cert.nickname", NULL);
#else
client_cert = get_opt_str(
"connection.ssl.client_cert.file", NULL);
#endif
if (!*client_cert) { if (!*client_cert) {
client_cert = getenv("X509_CLIENT_CERT"); client_cert = getenv("X509_CLIENT_CERT");
if (client_cert && !*client_cert) if (client_cert && !*client_cert)
@ -146,11 +155,17 @@ ssl_connect(struct socket *socket)
} }
if (client_cert) { if (client_cert) {
#ifdef CONFIG_NSS_COMPAT_OSSL
SSL_CTX_use_certificate_chain_file(
(SSL *) socket->ssl,
client_cert);
#else
SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx; SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
SSL_CTX_use_certificate_chain_file(ctx, client_cert); SSL_CTX_use_certificate_chain_file(ctx, client_cert);
SSL_CTX_use_PrivateKey_file(ctx, client_cert, SSL_CTX_use_PrivateKey_file(ctx, client_cert,
SSL_FILETYPE_PEM); SSL_FILETYPE_PEM);
#endif
} }
} }
@ -207,7 +222,7 @@ ssl_write(struct socket *socket, unsigned char *data, int len)
ssize_t wr = ssl_do_write(socket, data, len); ssize_t wr = ssl_do_write(socket, data, len);
if (wr <= 0) { if (wr <= 0) {
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
int err = SSL_get_error(socket->ssl, wr); int err = SSL_get_error(socket->ssl, wr);
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
int err = wr; int err = wr;
@ -236,7 +251,7 @@ ssl_read(struct socket *socket, unsigned char *data, int len)
ssize_t rd = ssl_do_read(socket, data, len); ssize_t rd = ssl_do_read(socket, data, len);
if (rd <= 0) { if (rd <= 0) {
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
int err = SSL_get_error(socket->ssl, rd); int err = SSL_get_error(socket->ssl, rd);
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
int err = rd; int err = rd;
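Review bot: The new NSS branch in ssl_connect, `SSL_CTX_use_certificate_chain_file((SSL *) socket->ssl, client_cert);`, discards the return value, so a nickname that is not in the NSS database (or a typo in X509_CLIENT_CERT) lets the handshake proceed with no client certificate and no diagnostic; the pre-existing file-based branch has the same gap, but this commit duplicates it rather than closing it. Checking the result, e.g. `if (!SSL_CTX_use_certificate_chain_file((SSL *) socket->ssl, client_cert)) /* TODO: surface the missing nickname to the user */;`, would at least make the failure visible. Passing an `SSL *` where the OpenSSL signature takes an `SSL_CTX *` presumably relies on how nss_compat_ossl defines those types; a one-line comment such as `/* nss_compat_ossl: the certificate and key are looked up by nickname on the SSL object */` would save the next reader a detour. Under this build the variable `client_cert` holds a nickname rather than a path, which the same comment could mention. ssl_connect begins before and ends after this hunk.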


@ -7,6 +7,10 @@
#ifdef CONFIG_OPENSSL #ifdef CONFIG_OPENSSL
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#define USE_OPENSSL
#elif defined(CONFIG_NSS_COMPAT_OSSL)
#include <nss_compat_ossl/nss_compat_ossl.h>
#define USE_OPENSSL
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
#include <gcrypt.h> #include <gcrypt.h>
#include <gnutls/gnutls.h> #include <gnutls/gnutls.h>
@ -35,7 +39,7 @@
/* FIXME: As you can see, SSL is currently implemented in very, erm, /* FIXME: As you can see, SSL is currently implemented in very, erm,
* decentralized manner. */ * decentralized manner. */
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
#ifndef PATH_MAX #ifndef PATH_MAX
#define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */ #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */
@ -85,12 +89,26 @@ static struct option_info openssl_options[] = {
N_("Enable or not the sending of X509 client certificates\n" N_("Enable or not the sending of X509 client certificates\n"
"to servers which request them.")), "to servers which request them.")),
#ifdef CONFIG_NSS_COMPAT_OSSL
INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
"nickname", 0, "",
N_("The nickname of the client certificate stored in NSS\n"
"database. If this value is unset, the nickname from\n"
"the X509_CLIENT_CERT variable is used instead. If you\n"
"have a PKCS#12 file containing client certificate, you\n"
"can import it into your NSS database with:\n"
"$ pk12util -i mycert.p12 -d /path/to/database\n\n"
"The NSS database location can be changed by SSL_DIR\n"
"environment variable. The database can be also shared\n"
"with Mozilla browsers.")),
#else
INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"), INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
"file", 0, "", "file", 0, "",
N_("The location of a file containing the client certificate\n" N_("The location of a file containing the client certificate\n"
"and unencrypted private key in PEM format. If unset, the\n" "and unencrypted private key in PEM format. If unset, the\n"
"file pointed to by the X509_CLIENT_CERT variable is used\n" "file pointed to by the X509_CLIENT_CERT variable is used\n"
"instead.")), "instead.")),
#endif
NULL_OPTION_INFO, NULL_OPTION_INFO,
}; };
@ -196,7 +214,7 @@ static struct module gnutls_module = struct_module(
/* done: */ done_gnutls /* done: */ done_gnutls
); );
#endif /* CONFIG_OPENSSL or CONFIG_GNUTLS */ #endif /* USE_OPENSSL or CONFIG_GNUTLS */
static struct option_info ssl_options[] = { static struct option_info ssl_options[] = {
INIT_OPT_TREE("connection", N_("SSL"), INIT_OPT_TREE("connection", N_("SSL"),
@ -207,7 +225,7 @@ static struct option_info ssl_options[] = {
}; };
static struct module *ssl_modules[] = { static struct module *ssl_modules[] = {
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
&openssl_module, &openssl_module,
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
&gnutls_module, &gnutls_module,
@ -228,7 +246,7 @@ struct module ssl_module = struct_module(
int int
init_ssl_connection(struct socket *socket) init_ssl_connection(struct socket *socket)
{ {
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
socket->ssl = SSL_new(context); socket->ssl = SSL_new(context);
if (!socket->ssl) return S_SSL_ERROR; if (!socket->ssl) return S_SSL_ERROR;
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
@ -277,7 +295,7 @@ done_ssl_connection(struct socket *socket)
ssl_t *ssl = socket->ssl; ssl_t *ssl = socket->ssl;
if (!ssl) return; if (!ssl) return;
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
SSL_free(ssl); SSL_free(ssl);
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
gnutls_deinit(*ssl); gnutls_deinit(*ssl);
@ -294,7 +312,7 @@ get_ssl_connection_cipher(struct socket *socket)
if (!init_string(&str)) return NULL; if (!init_string(&str)) return NULL;
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
add_format_to_string(&str, "%ld-bit %s %s", add_format_to_string(&str, "%ld-bit %s %s",
SSL_get_cipher_bits(ssl, NULL), SSL_get_cipher_bits(ssl, NULL),
SSL_get_cipher_version(ssl), SSL_get_cipher_version(ssl),
@ -318,7 +336,7 @@ get_ssl_connection_cipher(struct socket *socket)
void void
random_nonce(unsigned char buf[], size_t size) random_nonce(unsigned char buf[], size_t size)
{ {
#ifdef CONFIG_OPENSSL #ifdef USE_OPENSSL
RAND_pseudo_bytes(buf, size); RAND_pseudo_bytes(buf, size);
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
gcry_create_nonce(buf, size); gcry_create_nonce(buf, size);
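Review bot: random_nonce now also serves the nss_compat_ossl build through `RAND_pseudo_bytes(buf, size);`, whose return value is still ignored: with OpenSSL a return of 0 means the bytes are not cryptographically strong and -1 means the call is unsupported, and which generator nss_compat_ossl puts behind this entry point is not visible here. Given the function's name, the output is presumably used as a nonce, so checking the result (`if (RAND_pseudo_bytes(buf, size) != 1) { /* TODO: bytes may be weak or missing; report or fall back */ }`), or switching to `RAND_bytes` and checking for 1, would be safer than silently accepting whatever came back. The new option text for `connection.ssl.client_cert.nickname` also states that the database location comes from the `SSL_DIR` environment variable; if that is nss_compat_ossl's behaviour rather than something ELinks implements, a comment pointing at the library's documentation would help future maintainers. random_nonce's body continues past this hunk.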


@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher(struct socket *socket);
/* Internal type used in ssl module. */ /* Internal type used in ssl module. */
#ifdef CONFIG_OPENSSL #if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)
#define ssl_t SSL #define ssl_t SSL
#elif defined(CONFIG_GNUTLS) #elif defined(CONFIG_GNUTLS)
#define ssl_t gnutls_session_t #define ssl_t gnutls_session_t
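Review bot: `#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)` spells out the same condition that socket.c and ssl.c each encode by locally defining `USE_OPENSSL`, so the "OpenSSL-compatible API" notion now lives in three places. If ssl.h is included by both of those sources, defining `USE_OPENSSL` once here next to `ssl_t` and dropping the per-file definitions would keep the three from drifting apart when another backend is added. The enclosing `#if` chain continues past this hunk.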