-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: lynx Version: 2.8.9dev6-3 Tags: patch Control: block -1 by 797059 X-Debbugs-CC: debian-accessibil...@lists.debian.org
Dear Maintainer, lynx has currently no support for client certificates, which, due to the recent introduction of client certificate usage for Debian SSO, renders websites protected by this system unusable for lynx users. The attached patch adds the following features to lynx: * Support for 1 client certificate and 1 key file * Configurable via: - /etc/lynx-cur/lynx.cfg, variables SSL_CLIENT_CERT_FILE and SSL_CLIENT_KEY_FILE - Environment variables: SSL_CLIENT_CERT_FILE and SSL_CLIENT_KEY_FILE - Built-In Option Menu (Options "SSL client certificate file","SSL client key file") This patch was reviewed by a long time lynx user, trying out http://contributors.debian.net. Please note that you need to apply this patch [1] (Bug 797059 [2]) first. Cheers, Simon [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;att=1;filename=gnutls_add_rehandshake_support.diff;bug=797059 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797059 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJV6FB8AAoJEBy08PeN7K/pwPkQALdiJvKX+7hBz27dD8Uat/gF +f8mopJegp6ezgTzPfZ9EPJT/UPoDLHu3HpAM/iSU1W33qVgfZQIed9gp8mcm87S 7f83ly0JkmyYa4niHWPTfZUIW2KvaeNyf1bsUN5iITKoARUPi/sOyrVayEXINYB0 IN5ZSgAJ/oBXDeHQCxcroO0mUrdQyUZil+oVwaZWzfxaNi8rccjzILg35ZQfUSdy uyzkHElj4bj6GAD0VWOLVoiSPCjAuW5RMkFJzYz6ypCZTGXNT/L40bvoHaOojBe5 Mrp102tPOFIcQgCZO4AC8M+3M10qr2k/AgH1BvedNVlhZ7ACeJsbcHbiUZDogzYs g3AwRBDrHZDTx5vu/2hKeOeekD3izwjmIEJcmdVgHZfkJPu7NubeJ2qIJcL0EfHO T0eS8RSg1IBpdysCEQA9vXDzuNtL/qWoWjeAoJ388PfB6zHzR6M7b+KegI5WItba L8xV/C3+4i0vPkp1Eca4VPEzPEyQB9dwC5pDNeByGngIaGhReZx+QCpAuIhuUD+W yd/kmLt7cpL7IAOSDFJwL+tbLw+DgC3/bujAPhx4NAd8MOy2XN9GTGlkuBzSKmso o8mqsE4oEjalbu/KQ7bIUWWaHbjwgG1UhwBxJahfbEgVfOgP3cBEQimpT65XYlkJ rR/2KpZbFRl00tdiba5J =bmnH -----END PGP SIGNATURE-----
Description: Add client certificate support This feature is neccessary to enable lynx to use Debian SSO infrastructure, which now relies on client certificates. . Currently, client certificates and their corresponding key files must be in PEM format. Author: Simon Kainz <ska...@debian.org> --- Origin: other Forwarded: no Reviewed-By: Mario Lang <ml...@debian.org> Last-Update: 2015-09-03 --- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/HTTP.c +++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/HTTP.c @@ -162,6 +162,9 @@ SSL *HTGetSSLHandle(void) { #ifdef USE_GNUTLS_INCL static char *certfile = NULL; + static char *client_keyfile = NULL; + static char *client_certfile = NULL; + #endif if (ssl_ctx == NULL) { @@ -204,6 +207,9 @@ SSL *HTGetSSLHandle(void) } #endif #ifdef USE_GNUTLS_INCL + + + if ((certfile = LYGetEnv("SSL_CERT_FILE")) != NULL) { CTRACE((tfp, "HTGetSSLHandle: certfile is set to %s by SSL_CERT_FILE\n", @@ -225,10 +231,40 @@ SSL *HTGetSSLHandle(void) } #endif atexit(free_ssl_ctx); + } #ifdef USE_GNUTLS_INCL + + + if (non_empty(SSL_client_key_file)) + { + client_keyfile=SSL_client_key_file; + CTRACE((tfp, + "HTGetSSLHandle: client key file is set to %s by config SSL_CLIENT_KEY_FILE\n", + client_keyfile)); + } + + + + if (non_empty(SSL_client_cert_file)) + { + client_certfile=SSL_client_cert_file; + CTRACE((tfp, + "HTGetSSLHandle: client cert file is set to %s by config SSL_CLIENT_CERT_FILE\n", + client_certfile)); + } + + + + + ssl_ctx->certfile = certfile; ssl_ctx->certfile_type = GNUTLS_X509_FMT_PEM; + ssl_ctx->client_keyfile = client_keyfile; + ssl_ctx->client_keyfile_type = GNUTLS_X509_FMT_PEM; + ssl_ctx->client_certfile = client_certfile; + ssl_ctx->client_certfile_type = GNUTLS_X509_FMT_PEM; + #endif ssl_okay = 0; return (SSL_new(ssl_ctx)); --- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/tidy_tls.h +++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/tidy_tls.h @@ -78,6 +78,11 @@ typedef struct _SSL_CTX { int (*verify_callback) (int, X509_STORE_CTX *); int verify_mode; + char *client_certfile; + int client_certfile_type; + char *client_keyfile; + int client_keyfile_type; + } SSL_CTX; struct _SSL { --- lynx-cur-2.8.9dev6.orig/lynx.cfg +++ lynx-cur-2.8.9dev6/lynx.cfg @@ -3561,6 +3561,20 @@ NESTED_TABLES: false SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt #SSL_CERT_FILE:NULL +.h2 SSL_CLIENT_CERT_FILE +# Set SSL_CLIENT_CERT_FILE to the file that contains a client certificate +# (in PEM format) in case the $SSL_CLIENT_CERT_FILE environment variable is +# not set, e.g., +# +#SSL_CLIENT_CERT_FILE:/home/qux/certs/cert.crt + +.h2 SSL_CLIENT_KEY_FILE +# Set SSL_CLIENT_KEY_FILE to the file that contains a client certificate +# key (in PEM format), in case the $SSL_CLIENT_KEY_FILE environment variable +# is not set, e.g., +# +#SSL_CLIENT_KEY_FILE:/home/qux/certs/cert.key + .h1 Appearance .h2 SCREEN_SIZE --- lynx-cur-2.8.9dev6.orig/src/LYGlobalDefs.h +++ lynx-cur-2.8.9dev6/src/LYGlobalDefs.h @@ -536,6 +536,8 @@ extern "C" { extern int LYHiddenLinks; extern char *SSL_cert_file; /* Default CA CERT file */ + extern char *SSL_client_cert_file; /* Default client CERT file */ + extern char *SSL_client_key_file; /* Default client key file */ extern int Old_DTD; --- lynx-cur-2.8.9dev6.orig/src/LYMain.c +++ lynx-cur-2.8.9dev6/src/LYMain.c @@ -553,7 +553,9 @@ char *XLoadImageCommand = NULL; /* Defau BOOLEAN LYNoISMAPifUSEMAP = FALSE; /* Omit ISMAP link if MAP present? */ int LYHiddenLinks = HIDDENLINKS_SEPARATE; /* Show hidden links? */ -char *SSL_cert_file = NULL; /* Default CA CERT file */ +char *SSL_cert_file = NULL; /*y Default CA CERT file */ +char *SSL_client_cert_file = NULL; +char * SSL_client_key_file = NULL; int Old_DTD = NO; static BOOLEAN DTD_recovery = NO; @@ -1579,6 +1581,27 @@ int main(int argc, */ read_cfg(lynx_cfg_file, "main program", 1, (FILE *) 0); + static char *client_keyfile = NULL; + static char *client_certfile = NULL; + + if ((client_keyfile = LYGetEnv("SSL_CLIENT_KEY_FILE")) != NULL) { + CTRACE((tfp, + "HTGetSSLHandle: client keyfile is set to %s by SSL_CLIENT_KEY_FILE\n", + client_keyfile)); + StrAllocCopy(SSL_client_key_file,client_keyfile); + + } + + if ((client_certfile = LYGetEnv("SSL_CLIENT_CERT_FILE")) != NULL) { + CTRACE((tfp, + "HTGetSSLHandle: client certfile is set to %s by SSL_CLIENT_CERT_FILE\n", + client_certfile)); + StrAllocCopy(SSL_client_cert_file,client_certfile); + } + + + + #if defined(USE_COLOR_STYLE) if (!dump_output_immediately) { init_color_styles(&lynx_lss_file2, default_color_styles); --- lynx-cur-2.8.9dev6.orig/src/LYOptions.c +++ lynx-cur-2.8.9dev6/src/LYOptions.c @@ -2444,6 +2444,9 @@ static const char *preferred_doc_lang_st static const char *send_user_agent_string = RC_SEND_USERAGENT; static const char *user_agent_string = RC_USERAGENT; +static const char *ssl_client_certificate_file = RC_SSL_CLIENT_CERT_FILE; +static const char *ssl_client_key_file = RC_SSL_CLIENT_KEY_FILE; + #define PutHeader(fp, Name) \ fprintf(fp, "\n%s<em>%s</em>\n", MARGIN_STR, LYEntifyTitle(&buffer, Name)); @@ -3260,6 +3263,18 @@ int postoptions(DocInfo *newdoc) LYSendUserAgent = (BOOLEAN) !strcasecomp(data[i].value, "ON"); } + if (!strcmp(data[i].tag,ssl_client_certificate_file)) + { + FREE(SSL_client_cert_file); + StrAllocCopy(SSL_client_cert_file,data[i].value); + } + + if (!strcmp(data[i].tag,ssl_client_key_file)) + { + FREE(SSL_client_key_file); + StrAllocCopy(SSL_client_key_file,data[i].value); + } + /* User Agent: INPUT */ if (!strcmp(data[i].tag, user_agent_string) && (!no_useragent)) { if (strcmp(LYUserAgent, data[i].value)) { @@ -3729,6 +3744,15 @@ static int gen_options(char **newfile) BeginSelect(fp0, ssl_prompt_string); PutOptValues(fp0, ssl_noprompt, prompt_values); EndSelect(fp0); + + PutLabel(fp0, gettext("SSL client certificate file"), ssl_client_certificate_file); + PutTextInput(fp0, ssl_client_certificate_file, + NonNull(SSL_client_cert_file), text_len, ""); + + PutLabel(fp0, gettext("SSL client key file"), ssl_client_key_file); + PutTextInput(fp0, ssl_client_key_file, + NonNull(SSL_client_key_file), text_len, ""); + #endif PutHeader(fp0, gettext("Keyboard Input")); --- lynx-cur-2.8.9dev6.orig/src/LYReadCFG.c +++ lynx-cur-2.8.9dev6/src/LYReadCFG.c @@ -1719,6 +1719,8 @@ static Config_Type Config_Table [] = PARSE_ENU(RC_SOURCE_CACHE_FOR_ABORTED, LYCacheSourceForAborted, tbl_abort_source_cache), #endif PARSE_STR(RC_SSL_CERT_FILE, SSL_cert_file), + PARSE_STR(RC_SSL_CLIENT_CERT_FILE, SSL_client_cert_file), + PARSE_STR(RC_SSL_CLIENT_KEY_FILE, SSL_client_key_file), PARSE_FUN(RC_STARTFILE, startfile_fun), PARSE_FUN(RC_STATUS_BUFFER_SIZE, status_buffer_size_fun), PARSE_SET(RC_STRIP_DOTDOT_URLS, LYStripDotDotURLs), --- lynx-cur-2.8.9dev6.orig/src/LYrcFile.h +++ lynx-cur-2.8.9dev6/src/LYrcFile.h @@ -234,6 +234,8 @@ #define RC_SOURCE_CACHE "source_cache" #define RC_SOURCE_CACHE_FOR_ABORTED "source_cache_for_aborted" #define RC_SSL_CERT_FILE "ssl_cert_file" +#define RC_SSL_CLIENT_CERT_FILE "ssl_client_cert_file" +#define RC_SSL_CLIENT_KEY_FILE "ssl_client_key_file" #define RC_STARTFILE "startfile" #define RC_STATUS_BUFFER_SIZE "status_buffer_size" #define RC_STRIP_DOTDOT_URLS "strip_dotdot_urls" --- lynx-cur-2.8.9dev6.orig/src/tidy_tls.c +++ lynx-cur-2.8.9dev6/src/tidy_tls.c @@ -549,11 +549,11 @@ SSL *SSL_new(SSL_CTX * ctx) gnutls_certificate_set_x509_trust_file(ssl->gnutls_cred, ctx->certfile, ctx->certfile_type); - if (ctx->keyfile) + if (ctx->client_keyfile) gnutls_certificate_set_x509_key_file(ssl->gnutls_cred, - ctx->certfile, - ctx->keyfile, - ctx->keyfile_type); + ctx->client_certfile, + ctx->client_keyfile, + ctx->client_keyfile_type); ssl->verify_mode = ctx->verify_mode; ssl->verify_callback = ctx->verify_callback;