Hello, as requested in src/network/ssl/TODO support for NSS was added to elinks.
Proposed patch is based on nss_compat_ossl library: http://fedoraproject.org/wiki/Nss_compat_ossl Support for nss_compat_ossl is built automatically if the library is found on the system, there is also new configure option --with-nss_compat_ossl (--without-nss_compat_ossl) to adjust it manually. Greetings Kamil Dudka
From ecf66f77f721e564bfecfa782e12370fdaa9ca98 Mon Sep 17 00:00:00 2001 From: Kamil Dudka <[EMAIL PROTECTED]> Date: Tue, 19 Aug 2008 12:45:55 +0200 Subject: [PATCH] Add support for nss_compat_ossl library (OpenSSL replacement) --- NEWS | 2 ++ configure.in | 35 ++++++++++++++++++++++++++++++++++- src/network/ssl/TODO | 4 ---- src/network/ssl/socket.c | 22 +++++++++++++++++----- src/network/ssl/ssl.c | 31 ++++++++++++++++++++++++------- src/network/ssl/ssl.h | 2 +- 6 files changed, 78 insertions(+), 18 deletions(-) diff --git a/NEWS b/NEWS index f13e441..2e9f8c6 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,8 @@ Miscellaneous: * enhancement: Add a new entry Link Info under Link main menu. * enhancement: New option protocol.http.compression. * enhancement: Indicate backgrounded downloads using an unused led. +* enhancement: Add support for nss_compat_ossl library (OpenSSL + replacement). ////////////////////////////////////////////////////////////////////// The following changes should be removed from NEWS before ELinks 0.13.0 diff --git a/configure.in b/configure.in index be0b64a..ff83218 100644 --- a/configure.in +++ b/configure.in @@ -988,6 +988,7 @@ gnutls_withval="$withval" if test "$enable_gnutls" = yes; then disable_openssl=yes; + with_nss_compat_ossl=no; fi AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support], @@ -995,6 +996,37 @@ AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support], AC_ARG_WITH(openssl, [ --with-openssl[=DIR] enable OpenSSL support (default)]) openssl_withval="$withval" +AC_ARG_WITH(nss_compat_ossl, AC_HELP_STRING([--with-nss_compat_ossl[=DIR]], + [NSS compatibility SSL libraries/include files])) + +# nss_compat_ossl +if test "$with_nss_compat_ossl" != "no"; then + if test -z "$with_nss_compat_ossl"; then + if pkg-config nss; then + CFLAGS="$CFLAGS_X `pkg-config --cflags nss`" + LIBS="$LIBS_X `pkg-config --libs nss`" + else + with_nss_compat_ossl=no + fi + else + # Without pkg-config, we'll kludge in some defaults + CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include -I/usr/include/nss3 -I/usr/include/nspr4" + LIBS="$LIBS_X -L$with_nss_compat_ossl/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl" + fi + AC_CHECK_HEADERS(nss_compat_ossl/nss_compat_ossl.h,, [with_nss_compat_ossl=no], [#define NSS_COMPAT_OSSL_H]) + AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no]) +fi + +if test "$with_nss_compat_ossl" != "no"; then + LIBS="$LIBS -lnss_compat_ossl" + EL_CONFIG(CONFIG_NSS_COMPAT_OSSL, [nss_compat_ossl]) + disable_openssl="yes" + disable_gnutls="yes" + + # TODO: Mark this as non-warning when it becomes stable + AC_MSG_WARN([Using nss_compat_ossl library for SSL.]) +fi + # ---- OpenSSL AC_MSG_CHECKING([for OpenSSL]) @@ -1113,10 +1145,11 @@ AC_MSG_RESULT($cf_result) # Final SSL setup -EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS], [SSL]) +EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS CONFIG_NSS_COMPAT_OSSL], [SSL]) AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT) AC_SUBST(CONFIG_OPENSSL) AC_SUBST(CONFIG_GNUTLS) +AC_SUBST(CONFIG_NSS_COMPAT_OSSL) #endif diff --git a/src/network/ssl/TODO b/src/network/ssl/TODO index dad2835..3079e34 100644 --- a/src/network/ssl/TODO +++ b/src/network/ssl/TODO @@ -5,10 +5,6 @@ We could add also support for: format conviently readable for me; however, they say it is damn fast and very easy to use) -* NSS (http://www.mozilla.org/projects/security/pki/nss/ - it could be pretty - widespread and nicely tested by mozilla, however it scares me, it looks to be - pretty complex and already needing some certificates db generated etc) - Possibly, we should drop support for native GnuTLS and use their OpenSSL wrapper instead, since I happen to feel very unsure about GnuTLS interface - OpenSSL is not much better, but we can steal code from other applications ;-). diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c index 74c43b8..338bb20 100644 --- a/src/network/ssl/socket.c +++ b/src/network/ssl/socket.c @@ -6,6 +6,10 @@ #ifdef CONFIG_OPENSSL #include <openssl/ssl.h> +#define USE_OPENSSL +#elif defined(CONFIG_NSS_COMPAT_OSSL) +#include <nss_compat_ossl/nss_compat_ossl.h> +#define USE_OPENSSL #elif defined(CONFIG_GNUTLS) #include <gnutls/gnutls.h> #else @@ -26,7 +30,7 @@ /* SSL errors */ -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL #define SSL_ERROR_WANT_READ2 9999 /* XXX */ #define SSL_ERROR_WANT_WRITE2 SSL_ERROR_WANT_WRITE #define SSL_ERROR_SYSCALL2 SSL_ERROR_SYSCALL @@ -40,7 +44,7 @@ #define SSL_ERROR_SYSCALL2 GNUTLS_E_PULL_ERROR #endif -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL #define ssl_do_connect(socket) SSL_get_error(socket->ssl, SSL_connect(socket->ssl)) #define ssl_do_write(socket, data, len) SSL_write(socket->ssl, data, len) @@ -79,6 +83,8 @@ ssl_set_no_tls(struct socket *socket) gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority); } +#elif defined(CONFIG_NSS_COMPAT_OSSL) +#warning "ssl_setno_tls is not implemented while using nss_compat_ossl" #endif } @@ -126,7 +132,7 @@ ssl_connect(struct socket *socket) if (socket->no_tls) ssl_set_no_tls(socket); -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL SSL_set_fd(socket->ssl, socket->fd); if (get_opt_bool("connection.ssl.cert_verify", NULL)) @@ -146,11 +152,17 @@ ssl_connect(struct socket *socket) } if (client_cert) { +#ifdef CONFIG_NSS_COMPAT_OSSL + SSL_CTX_use_certificate_chain_file( + (SSL *) socket->ssl, + client_cert); +#else SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx; SSL_CTX_use_certificate_chain_file(ctx, client_cert); SSL_CTX_use_PrivateKey_file(ctx, client_cert, SSL_FILETYPE_PEM); +#endif } } @@ -207,7 +219,7 @@ ssl_write(struct socket *socket, unsigned char *data, int len) ssize_t wr = ssl_do_write(socket, data, len); if (wr <= 0) { -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL int err = SSL_get_error(socket->ssl, wr); #elif defined(CONFIG_GNUTLS) int err = wr; @@ -236,7 +248,7 @@ ssl_read(struct socket *socket, unsigned char *data, int len) ssize_t rd = ssl_do_read(socket, data, len); if (rd <= 0) { -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL int err = SSL_get_error(socket->ssl, rd); #elif defined(CONFIG_GNUTLS) int err = rd; diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c index 8777f3c..05b9f84 100644 --- a/src/network/ssl/ssl.c +++ b/src/network/ssl/ssl.c @@ -7,6 +7,10 @@ #ifdef CONFIG_OPENSSL #include <openssl/ssl.h> #include <openssl/rand.h> +#define USE_OPENSSL +#elif defined(CONFIG_NSS_COMPAT_OSSL) +#include <nss_compat_ossl/nss_compat_ossl.h> +#define USE_OPENSSL #elif defined(CONFIG_GNUTLS) #include <gcrypt.h> #include <gnutls/gnutls.h> @@ -35,7 +39,7 @@ /* FIXME: As you can see, SSL is currently implemented in very, erm, * decentralized manner. */ -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL #ifndef PATH_MAX #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */ @@ -85,12 +89,25 @@ static struct option_info openssl_options[] = { N_("Enable or not the sending of X509 client certificates\n" "to servers which request them.")), +#ifdef CONFIG_NSS_COMPAT_OSSL + INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"), + "file", 0, "", + N_("The nickname of the client certificate stored in NSS\n" + "database. If this value is unset, the file pointed to\n" + "by the X509_CLIENT_CERT variable is used instead. If\n" + "you have a PKCS#12 file containing client certificate,\n" + "you can import it into your NSS database with:\n" + "$ pk12util -i mycert.p12 -d /path/to/database\n\n" + "The NSS database location can be changed by SSL_DIR\n" + "environment variable.")), +#else INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"), "file", 0, "", N_("The location of a file containing the client certificate\n" "and unencrypted private key in PEM format. If unset, the\n" "file pointed to by the X509_CLIENT_CERT variable is used\n" "instead.")), +#endif NULL_OPTION_INFO, }; @@ -196,7 +213,7 @@ static struct module gnutls_module = struct_module( /* done: */ done_gnutls ); -#endif /* CONFIG_OPENSSL or CONFIG_GNUTLS */ +#endif /* USE_OPENSSL or CONFIG_GNUTLS */ static struct option_info ssl_options[] = { INIT_OPT_TREE("connection", N_("SSL"), @@ -207,7 +224,7 @@ static struct option_info ssl_options[] = { }; static struct module *ssl_modules[] = { -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL &openssl_module, #elif defined(CONFIG_GNUTLS) &gnutls_module, @@ -228,7 +245,7 @@ struct module ssl_module = struct_module( int init_ssl_connection(struct socket *socket) { -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL socket->ssl = SSL_new(context); if (!socket->ssl) return S_SSL_ERROR; #elif defined(CONFIG_GNUTLS) @@ -277,7 +294,7 @@ done_ssl_connection(struct socket *socket) ssl_t *ssl = socket->ssl; if (!ssl) return; -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL SSL_free(ssl); #elif defined(CONFIG_GNUTLS) gnutls_deinit(*ssl); @@ -294,7 +311,7 @@ get_ssl_connection_cipher(struct socket *socket) if (!init_string(&str)) return NULL; -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL add_format_to_string(&str, "%ld-bit %s %s", SSL_get_cipher_bits(ssl, NULL), SSL_get_cipher_version(ssl), @@ -318,7 +335,7 @@ get_ssl_connection_cipher(struct socket *socket) void random_nonce(unsigned char buf[], size_t size) { -#ifdef CONFIG_OPENSSL +#ifdef USE_OPENSSL RAND_pseudo_bytes(buf, size); #elif defined(CONFIG_GNUTLS) gcry_create_nonce(buf, size); diff --git a/src/network/ssl/ssl.h b/src/network/ssl/ssl.h index 7c54a7a..21ca142 100644 --- a/src/network/ssl/ssl.h +++ b/src/network/ssl/ssl.h @@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher(struct socket *socket); /* Internal type used in ssl module. */ -#ifdef CONFIG_OPENSSL +#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL) #define ssl_t SSL #elif defined(CONFIG_GNUTLS) #define ssl_t gnutls_session_t -- 1.5.4.1
_______________________________________________ elinks-dev mailing list [email protected] http://linuxfromscratch.org/mailman/listinfo/elinks-dev
