1
0
mirror of https://github.com/rkd77/elinks.git synced 2024-12-04 14:46:47 -05:00
Commit Graph

88 Commits

Author SHA1 Message Date
mancha
bc3fcb4696 Fix hostname verification code.
[ From bug 1123 attachment 569.  --KON ]
2012-07-18 12:37:55 +03:00
witekfl
7328bb9c9e gnutls_transport_ptr is deprecated. 2012-05-08 13:41:26 +02:00
Kalle Olavi Niemitalo
0c3f3e09a7 1024: Verify server certificate hostname with OpenSSL
Not tested with nss-compat-ossl.
2011-07-28 17:23:51 +03:00
Kalle Olavi Niemitalo
7c40e03421 1024: Always disable TLS1.1 with GnuTLS
Using the RFC 3546 server_name TLS extension with TLS 1.1 made
https://bugzilla.novell.com/ never respond to negotiation.
Disable TLS 1.1 with GnuTLS, like it has already been disabled with
OpenSSL.  And if an SSL error is detected, disable TLS 1.2 as well.
2011-07-28 17:23:51 +03:00
Kalle Olavi Niemitalo
6c84978cf5 1024: Use RFC 3546 server_name TLS extension
For both GnuTLS and OpenSSL.  Not tested with nss-compat-openssl.
2011-07-28 17:23:51 +03:00
Kalle Olavi Niemitalo
5d0e4e2452 1024: Reject OpenPGP certificates 2011-07-28 17:23:51 +03:00
Witold Filipczyk
a15216863f 1024: Verify hostname and expiration time of the certificate.
GnuTLS only.

[ From bug 1024 attachment 483.  Resolved conflicts with 0.13.GIT.  --KON ]
2011-07-28 17:23:51 +03:00
Kalle Olavi Niemitalo
5ddf20b85e GNUTLS: Make anon_cred and xcred static
anon_cred and xcred are defined in src/network/ssl/ssl.c and not
mentioned in any other file.  Make them static.
2011-05-02 14:55:17 +03:00
Kalle Olavi Niemitalo
6457a13005 GNUTLS: #if 0 arrays needed by deprecated functions
src/network/ssl/ssl.c defined some constant arrays for passing to
GnuTLS functions.  Those functions have been deprecated and their
calls are in #if 0 nowadays.  Put #if 0 around the arrays as well.
2011-05-02 14:55:17 +03:00
Kalle Olavi Niemitalo
2d8fd9cecf bug 1115: Check status after gnutls_certificate_verify_peers2
The deprecated gnutls_certificate_verify_peers function returns -1
if it fails, or a set of gnutls_certificate_status_t bits; each bit
indicates some kind of problem, so the result is zero if the
certificate is OK.

The newer gnutls_certificate_verify_peers2 function returns -1 if it
fails, or 0 if it succeeds; and writes the status bits via a pointer.
When using that function, ELinks must check the status separately.
Do that.

Also, if GnuTLS is not being used, do not declare a status variable,
because leaving it unused would break the debug build:

/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c: In function ‘ssl_want_read’:
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c:87: error: unused variable ‘status’
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c: In function ‘ssl_connect’:
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c:121: error: unused variable ‘status’
2011-05-01 02:27:19 +03:00
witekfl
b228fe82ab bug 1115: Avoid deprecated functions when compile --with-gnutls 2011-04-28 18:21:40 +02:00
witekfl
5a99cca30b gcry_create_nounce is part of libgcrypt.
Lack of -lgcrypt caused linking error when compiled --with-gnutls.
2011-04-28 18:02:00 +02:00
Kalle Olavi Niemitalo
683cfe4c86 Merge branch 'elinks-0.12' into elinks-0.13
Conflicts:
	NEWS: merged
	configure.in: VERSION changed in elinks-0.12; kept 0.13.GIT
	doc/man/man1/elinks.1.in: regenerated
	doc/man/man5/elinks.conf.5: regenerated
	doc/man/man5/elinkskeys.5: regenerated
	po/fr.po: kept 0.13.GIT
	po/pl.po: kept 0.13.GIT
2009-05-31 16:18:23 +03:00
Kalle Olavi Niemitalo
681e377027 Debian bug 528661: Check for gnutls_priority_set_direct
Avoid compilation error with GNUTLS 1.2.9:

/home/Kalle/src/elinks-0.12/src/network/ssl/ssl.c:258: error: implicit declaration of function ‘gnutls_priority_set_direct’

If the function is not available, use gnutls_set_default_priority instead.
Perhaps it'll work with bugzilla.novell.com, perhaps not.
2009-05-30 14:34:01 +03:00
Witold Filipczyk
864fa0b56a Debian bug 528661: Disable some TLS extensions on GNUTLS.
- gnutls_handshake_set_private_extensions: Do not enable private cipher
  suites that might not be supported by anything other than GNUTLS.
  The GNUTLS 2.8.0 documentation notes that enabling these extensions
  can cause interoperability problems.
- gnutls_set_default_priority: Explicitly disable OpenPGP certificates.
- gnutls_certificate_type_set_priority: Do not enable OpenPGP certificates.
  The GNUTLS 2.8.0 documentation notes that OpenPGP certificate support
  requires libgnutls-extra.  Because libgnutls-extra 2.2.0 and later are
  under GPLv3-or-later and thus not GPLv2 compatible, ELinks doesn't use
  libgnutls-extra, so OpenPGP certificates didn't work anyway.
- gnutls_server_name_set: Do not tell the server the hostname from the URL.
  This was supposed to let the server choose the appropriate certificate
  for each name-based virtual host, but ELinks actually always sent just
  "localhost", so it didn't work anyway.  This will have to be revisited
  when ELinks is changed to actually verify the subject name from the
  server's certificate (ELinks bug 1024).

These changes should help ELinks negotiate SSL with bugzilla.novell.com.

[NEWS and commit message by me.  --KON]
2009-05-30 11:21:17 +03:00
Kalle Olavi Niemitalo
1bb71f3732 Merge branch 'elinks-0.12' into elinks-0.13
Conflicts:
	src/config/conf.c
	src/network/ssl/ssl.c
2009-03-12 08:46:02 +02:00
Kalle Olavi Niemitalo
5a43c55c9e Rewrap lines in option documentation.
Documentation strings of most options used to contain a "\n" at the
end of each source line.  When the option manager displayed these
strings, it treated each "\n" as a hard newline.  On 80x24 terminals
however, the option description window has only 60 columes available
for the text (with the default setup.h), and the hard newlines were
further apart, so the option manager wrapped the text a second time,
resulting in rather ugly output where long lones are interleaved with
short ones.  This could also cause the text to take up too much
vertical space and not fit in the window.

Replace most of those hard newlines with spaces so that the option
manager (or perhaps BFU) will take care of the wrapping.  At the same
time, rewrap the strings in source code so that the source lines are
at most 79 columns wide.

In some options though, there is a list of possible values and their
meanings.  In those lists, if the description of one value does not
fit in one line, then continuation lines should be indented.  The
option manager and BFU are not currently able to do that.  So, keep
the hard newlines in those lists, but rewrap them to 60 columns so
that they are less likely to require further wrapping at runtime.
2009-03-08 15:18:10 +02:00
Kamil Dudka
a00a413765 add support for nss_compat_ossl library (OpenSSL replacement)
* configure.in: New configure parameter --with-nss_compat_ossl.
 * socket.c: New configure option connection.ssl.client_cert.nickname.
 * ssl.h: Handle CONFIG_NSS_COMPAT_OSSL macro.
 * ssl.c: Add support for nss_compat_ossl.
 * TODO: Remove completed task.
 * NEWS: Mention the change.
2008-09-27 16:32:36 +03:00
Kalle Olavi Niemitalo
a73fe73cd2 Merge branch 'elinks-0.12' into elinks-0.13
Conflicts:

	src/document/document.h
	src/encoding/encoding.c
	src/network/connection.c
	src/protocol/bittorrent/bittorrent.c
	src/protocol/bittorrent/bittorrent.h
	src/protocol/bittorrent/common.h
	src/protocol/bittorrent/connection.c
	src/protocol/bittorrent/dialogs.c
	src/protocol/bittorrent/tracker.c
	src/protocol/file/cgi.c
	src/protocol/http/http.c
2008-08-03 22:18:53 +03:00
Kalle Olavi Niemitalo
6c2e8cd7b2 Bug 1013: Don't assume errno is between 0 and 100000
Replace almost all uses of enum connection_state with struct
connection_status.  This removes the assumption that errno values used
by the system are between 0 and 100000.  The GNU Hurd uses values like
ENOENT = 0x40000002 and EMIG_SERVER_DIED = -308.

This commit is derived from my attachments 450 and 467 to bug 1013.
2008-08-03 17:56:41 +03:00
Kalle Olavi Niemitalo
abe4927d69 1022: NEWS and option documentation 2008-07-27 20:11:39 +03:00
Witold Filipczyk
2e1983ce93 1022: Fixes issue with mbank.
New patch, fixes issue with mbank's certificate verification.
2008-07-27 17:15:36 +03:00
Kalle Olavi Niemitalo
a83ff1f565 1040: Blacklist servers that support SSL3 but not TLS1.
It seems GnuTLS is not as good at negotiating a supported protocol as
OpenSSL is.  ELinks tries to work around that by retrying with a
different protocol if the SSL library reports an error.  However,
ELinks must not automatically retry POST requests where some data may
have already reached the server; POST is not a safe method in HTTP.
So instead, collect the name of the TLS-incapable server in a blacklist
when ELinks e.g. loads an HTML form from it; the actual POST can then
immediately use the protocol that worked.

It's a bit ugly that src/network/socket.c now uses
protocol/http/blacklist.h.  It might be better to move the blacklist
files out of the http directory, and perhaps merge them with the
BitTorrent blacklisting code.
2008-07-27 01:39:01 +03:00
Kalle Olavi Niemitalo
7a72a685e5 1008: Centralize random numbers.
If ELinks is being linked with SSL library, use its random number
generator.

Otherwise, try /dev/urandom and /dev/prandom.  If they do not work,
fall back to rand(), calling srand() only once.  This fallback is
mostly interesting for the Hurd and Microsoft Windows.

BitTorrent piece selection and dom/test/html-mangle.c still use rand()
(but not srand()) directly.  Those would not benefit from being
unpredictable, I think.
2008-05-25 18:44:21 +03:00
Kalle Olavi Niemitalo
3c861fd530 Merge branch 'elinks-0.12' into elinks-0.13
Conflicts:

	configure.in
	src/protocol/http/http.c
2008-02-24 22:49:47 +02:00
Kalle Olavi Niemitalo
6555359f8e Debian bug 464384: fix cast warning in ssl_connect
There are warnings about casts in the Debian amd64 build logs:
http://buildd.debian.org/fetch.cgi?&pkg=elinks&ver=0.11.3-2&arch=amd64&stamp=1200348983&file=log

	[CC]   src/intl/gettext/dcigettext.o
/build/buildd/elinks-0.11.3/src/intl/gettext/dcigettext.c: In function '_nl_find_msg':
/build/buildd/elinks-0.11.3/src/intl/gettext/dcigettext.c:745: warning: cast from pointer to integer of different size
/build/buildd/elinks-0.11.3/src/intl/gettext/dcigettext.c:746: warning: cast from pointer to integer of different size
...
	[CC]   src/network/ssl/socket.o
/build/buildd/elinks-0.11.3/src/network/ssl/socket.c: In function 'ssl_connect':
/build/buildd/elinks-0.11.3/src/network/ssl/socket.c:219: warning: cast to pointer from integer of different size

The warnings in _nl_find_msg were caused by alignof, which I already
fixed.  This commit ought to fix the gnutls_transport_set_ptr call in
ssl_connect.  This warning did not yet happen in bug 464384 because
the others broke the build before it got that far.
2008-02-09 15:19:20 +02:00
Miciah Dashiel Butler Masters
ea372bd0cd get_opt_*: Add ses parameter
Add a session parameter to get_opt_ and its wrappers in preparation for session-specific and domain-specific options.
2007-08-28 17:24:59 +00:00
Kalle Olavi Niemitalo
2f25d3e57c Bug 712, ssl_set_no_tls: Disable TLS protocols for GnuTLS too.
And log this in NEWS, although that may have to be reverted later if
it turns out this change just hides a real bug elsewhere in ELinks.
2007-04-21 13:58:20 +03:00
Simon Josefsson
82edb1f892 Use gnutls_set_default_priority.
Thereby enabling TLS 1.2 on GnuTLS versions that support it.
2007-04-21 13:30:34 +03:00
Jonas Fonseca
2748d043f9 Autogenerate .vimrc files and put the master in config/vimrc
This changes the init target to be idempotent: most importantly it will now
never overwrite a Makefile if it exists. Additionally 'make init' will
generate the .vimrc files. Yay, no more stupid 'added fairies' commits! ;)
2006-01-15 18:38:58 +01:00
Laurent MONIN
df065ead80 Remove now useless $Id: lines. 2005-10-21 09:14:07 +02:00
Jonas Fonseca
c88afeb1c2 path_to_top -> top_builddir 2005-10-20 04:00:35 +02:00
Jonas Fonseca
e39a4342d6 Include $(top_srcdir)/Makefile.lib instead of $(path_to_top)/Makefile.lib
A step towards out of tree builds ...
2005-10-20 01:11:47 +02:00
Jonas Fonseca
1efab31581 Simplify building of and linking with directories
Ditch the building of an archive (.a) in favour of linking all objects in a
directory into a lib.o file. This makes it easy to link in subdirectories
and more importantly keeps the build logic in the local subdirectories.

Note: after updating you will have to rm **/*.a if you do not make clean
before updating.
2005-09-27 21:38:58 +02:00
Jonas Fonseca
b30064c0d0 Rename targets: *-l -> *-local 2005-09-27 21:11:28 +02:00
Petr Baudis
1f0cd14e91 Converted another bunch of submakefiles to ELBuild 2005-09-16 04:07:37 +02:00
Jonas Fonseca
7462f22635 Remove now obsolete .cvsignore files. 2005-09-15 18:33:20 +02:00
Petr Baudis
0f6d4310ad Initial commit of the HEAD branch of the ELinks CVS repository, as of
Thu Sep 15 15:57:07 CEST 2005. The previous history can be added to this
by grafting.
2005-09-15 15:58:31 +02:00