On Sunday 07 September 2008 02:05:07 Kalle Olavi Niemitalo wrote: > Kamil Dudka <[EMAIL PROTECTED]> writes: > > +AC_ARG_WITH(nss_compat_ossl, > > AC_HELP_STRING([--with-nss_compat_ossl[=DIR]], + [NSS compatibility > > SSL libraries/include files])) > > + > > +# nss_compat_ossl > > +if test "$with_nss_compat_ossl" != "no"; then > > + if test -z "$with_nss_compat_ossl"; then > > + if pkg-config nss; then > > + CFLAGS="$CFLAGS_X `pkg-config --cflags nss`" > > + LIBS="$LIBS_X `pkg-config --libs nss`" > > Unfortunately, this part breaks Ruby scripting support. > EL_CONFIG_SCRIPTING_RUBY saves CFLAGS and LIBS in the *_X > variables, checks for Ruby, and restores the variables if Ruby > did not work. Now when you copy LIBS_X to LIBS, you lose the > -lruby1.8 that was added in LIBS but not in LIBS_X. > In general, each check should set the *_X variables on its own > rather than rely on values left from the previous check. Good point, fixed by calling EL_SAVE_FLAGS.
> The NSS support should be mentioned in doc/installation.txt. > I was thinking of the following change, but you can do something > else if you have better ideas. Good idea. On Sunday 07 September 2008 02:27:16 Kalle Olavi Niemitalo wrote: > > +if test "$with_nss_compat_ossl" != "no"; then > > + if test -z "$with_nss_compat_ossl"; then > > + if pkg-config nss; then > > + CFLAGS="$CFLAGS_X `pkg-config --cflags nss`" > > + LIBS="$LIBS_X `pkg-config --libs nss`" > > + else > > + with_nss_compat_ossl=no > > + fi > > + else > > + # Without pkg-config, we'll kludge in some defaults > > + CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include > > -I/usr/include/nss3 > > -I/usr/include/nspr4" + LIBS="$LIBS_X > > -L$with_nss_compat_ossl/lib -lssl3 > > -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl" + fi > Autoconf considers --with-nss_compat_ossl equivalent to > --with-nss_compat_ossl=yes. Your code seems to treat that > "yes" as a directory name and skip pkg-config. Fixed by -o "$with_nss_compat_ossl" = yes. > > + # TODO: Mark this as non-warning when it becomes stable > > + AC_MSG_WARN([Using nss_compat_ossl library for SSL.]) > > Because you don't consider the nss_compat_ossl support stable, > I think the configure script should select it only if the user > explicitly requests it or no other SSL library is available. I consider nss_compat_ossl support stable, but it has not been tested by users yet. If it is used by default, we can gather enough experience from users to declare it stable. I don't think an ordinary user uses the latest git snapshot of elinks :-) Anyway, I have removed this configure warning, since it may frighten users. New patch in attachment. Kamil
From 2506e5757e943e77c2e8580ae973a45df5b85e3b Mon Sep 17 00:00:00 2001
From: Kamil Dudka <[EMAIL PROTECTED]>
Date: Mon, 8 Sep 2008 12:06:55 +0200
Subject: [PATCH] add support for nss_compat_ossl library (OpenSSL replacement)
* configure.in: Detection of nss_compat_ossl library. New configure parameters --with-nss_compat_ossl, --without-nss_compat_ossl.
* socket.c: New configure option connection.ssl.client_cert.nickname.
* ssl.h: Handle CONFIG_NSS_COMPAT_OSSL macro.
* ssl.c: Add support for nss_compat_ossl.
* TODO: Remove completed task.
* NEWS: Mention the change.
---
 NEWS | 2 ++
 configure.in | 33 ++++++++++++++++++++++++++++++++-
 src/network/ssl/TODO | 4 ----
 src/network/ssl/socket.c | 29 ++++++++++++++++++++++-------
 src/network/ssl/ssl.c | 32 +++++++++++++++++++++++++-------
 src/network/ssl/ssl.h | 2 +-
 6 files changed, 82 insertions(+), 20 deletions(-)
diff --git a/NEWS b/NEWS
index 5267b83..1d9f71e 100644
--- a/NEWS
+++ b/NEWS
@@ -401,6 +401,8 @@ Released on 2007-04-15.
 * enhancement 767: recognize URL in META Refresh even without "URL="
 * enhancement 396: search for "<html>" if the server doesn't specify a Content-Type
+* enhancement: Add support for nss_compat_ossl library (OpenSSL
+ replacement).
 ELinks 0.11.2:
 --------------
diff --git a/configure.in b/configure.in
index a8f7c2d..8207d8b 100644
--- a/configure.in
+++ b/configure.in
@@ -952,6 +952,7 @@ gnutls_withval="$withval"
 if test "$enable_gnutls" = yes; then
 disable_openssl=yes;
+ with_nss_compat_ossl=no;
 fi
 AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support],
@@ -959,6 +960,35 @@ AC_ARG_WITH(openssl, [ --without-openssl disable OpenSSL support],
 AC_ARG_WITH(openssl, [ --with-openssl[=DIR] enable OpenSSL support (default)])
 openssl_withval="$withval"
+AC_ARG_WITH(nss_compat_ossl, AC_HELP_STRING([--with-nss_compat_ossl[=DIR]],
+ [NSS compatibility SSL libraries/include files]))
+
+# nss_compat_ossl
+EL_SAVE_FLAGS
+if test "$with_nss_compat_ossl" != "no"; then
+ if test -z "$with_nss_compat_ossl" -o "$with_nss_compat_ossl" = yes; then
+ if pkg-config nss; then
+ CFLAGS="$CFLAGS_X `pkg-config --cflags nss`"
+ LIBS="$LIBS_X `pkg-config --libs nss`"
+ else
+ with_nss_compat_ossl=no
+ fi
+ else
+ # Without pkg-config, we'll kludge in some defaults
+ CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include -I/usr/include/nss3 -I/usr/include/nspr4"
+ LIBS="$LIBS_X -L$with_nss_compat_ossl/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+ fi
+ AC_CHECK_HEADERS(nss_compat_ossl/nss_compat_ossl.h,, [with_nss_compat_ossl=no], [#define NSS_COMPAT_OSSL_H])
+ AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no])
+fi
+
+if test "$with_nss_compat_ossl" != "no"; then
+ LIBS="$LIBS -lnss_compat_ossl"
+ EL_CONFIG(CONFIG_NSS_COMPAT_OSSL, [nss_compat_ossl])
+ disable_openssl="yes"
+ disable_gnutls="yes"
+fi
+
 # ---- OpenSSL
 AC_MSG_CHECKING([for OpenSSL])
@@ -1075,10 +1105,11 @@ AC_MSG_RESULT($cf_result)
 # Final SSL setup
-EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS], [SSL])
+EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS CONFIG_NSS_COMPAT_OSSL], [SSL])
 AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT)
 AC_SUBST(CONFIG_OPENSSL)
 AC_SUBST(CONFIG_GNUTLS)
+AC_SUBST(CONFIG_NSS_COMPAT_OSSL)
 #endif
diff --git a/src/network/ssl/TODO b/src/network/ssl/TODO
index dad2835..3079e34 100644
--- a/src/network/ssl/TODO
+++ b/src/network/ssl/TODO
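Review bot: In the first new block, when AC_CHECK_HEADERS or AC_CHECK_LIB fails after `pkg-config nss` (or the DIR fallback) has already extended CFLAGS and LIBS, only with_nss_compat_ossl is reset, so the NSS include paths and libraries stay in CFLAGS/LIBS for the OpenSSL and GnuTLS checks that follow and for the final link. Restore the saved values in that case, e.g. `if test "$with_nss_compat_ossl" = "no"; then CFLAGS="$CFLAGS_X"; LIBS="$LIBS_X"; fi` right after the two checks, assuming EL_SAVE_FLAGS is what fills CFLAGS_X and LIBS_X. AC_CHECK_LIB with an empty action-if-found already prepends -lnss_compat_ossl to LIBS, so the explicit `LIBS="$LIBS -lnss_compat_ossl"` in the second block links the library twice; either give AC_CHECK_LIB an action-if-found or drop that line. The fallback branch also hard-codes /usr/include/nss3, /usr/include/nspr4 and `-lpthread -ldl` independently of DIR, which deserves a comment stating which system layout those defaults assume.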
@@ -5,10 +5,6 @@ We could add also support for: format conviently readable for me; however, they say it is damn fast and very easy to use) -* NSS (http://www.mozilla.org/projects/security/pki/nss/ - it could be pretty - widespread and nicely tested by mozilla, however it scares me, it looks to be - pretty complex and already needing some certificates db generated etc) - Possibly, we should drop support for native GnuTLS and use their OpenSSL wrapper instead, since I happen to feel very unsure about GnuTLS interface - OpenSSL is not much better, but we can steal code from other applications ;-).
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 74c43b8..1acf9d5 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -6,6 +6,10 @@
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gnutls/gnutls.h>
 #else
@@ -26,7 +30,7 @@
 /* SSL errors */
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 #define SSL_ERROR_WANT_READ2 9999 /* XXX */
 #define SSL_ERROR_WANT_WRITE2 SSL_ERROR_WANT_WRITE
 #define SSL_ERROR_SYSCALL2 SSL_ERROR_SYSCALL
@@ -40,7 +44,7 @@
 #define SSL_ERROR_SYSCALL2 GNUTLS_E_PULL_ERROR
 #endif
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 #define ssl_do_connect(socket) SSL_get_error(socket->ssl, SSL_connect(socket->ssl))
 #define ssl_do_write(socket, data, len) SSL_write(socket->ssl, data, len)
@@ -126,7 +130,7 @@ ssl_connect(struct socket *socket)
 if (socket->no_tls) ssl_set_no_tls(socket);
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 SSL_set_fd(socket->ssl, socket->fd);
 if (get_opt_bool("connection.ssl.cert_verify", NULL))
@@ -137,8 +141,13 @@ ssl_connect(struct socket *socket)
 if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 unsigned char *client_cert;
- client_cert = get_opt_str("connection.ssl.client_cert.file",
- NULL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ client_cert = get_opt_str(
+ "connection.ssl.client_cert.nickname", NULL);
+#else
+ client_cert = get_opt_str(
+ "connection.ssl.client_cert.file", NULL);
+#endif
 if (!*client_cert) {
 client_cert = getenv("X509_CLIENT_CERT");
 if (client_cert && !*client_cert)
@@ -146,11 +155,17 @@ ssl_connect(struct socket *socket)
 }
 if (client_cert) {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ SSL_CTX_use_certificate_chain_file(
+ (SSL *) socket->ssl,
+ client_cert);
+#else
 SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
 SSL_CTX_use_certificate_chain_file(ctx, client_cert);
 SSL_CTX_use_PrivateKey_file(ctx, client_cert, SSL_FILETYPE_PEM);
+#endif
 }
 }
@@ -207,7 +222,7 @@ ssl_write(struct socket *socket, unsigned char *data, int len)
 ssize_t wr = ssl_do_write(socket, data, len);
 if (wr <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 int err = SSL_get_error(socket->ssl, wr);
 #elif defined(CONFIG_GNUTLS)
 int err = wr;
@@ -236,7 +251,7 @@ ssl_read(struct socket *socket, unsigned char *data, int len)
 ssize_t rd = ssl_do_read(socket, data, len);
 if (rd <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 int err = SSL_get_error(socket->ssl, rd);
 #elif defined(CONFIG_GNUTLS)
 int err = rd;
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index 8777f3c..84aaa58 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@@ -7,6 +7,10 @@
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
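Review bot: The new CONFIG_NSS_COMPAT_OSSL branch of the client-certificate block (hunk -146) ignores the return value of SSL_CTX_use_certificate_chain_file, so a nickname that does not exist in the NSS database leaves the connection without a client certificate and without any diagnostic; the #else branch already did this, but the new branch is the place to start checking, e.g. `if (SSL_CTX_use_certificate_chain_file((SSL *) socket->ssl, client_cert) != 1)` (or whatever success value the compatibility library documents) followed by the error reporting ssl_connect uses elsewhere. The cast that hands the SSL object to a function named after SSL_CTX also deserves a one-line comment saying that nss_compat_ossl's variant takes the session object, if that is indeed its signature, so nobody later "fixes" it back to ->ctx. ssl_connect itself begins before the first of these hunks and continues past the second.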
@@ -35,7 +39,7 @@
 /* FIXME: As you can see, SSL is currently implemented in very, erm,
 * decentralized manner. */
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 #ifndef PATH_MAX
 #define PATH_MAX 256 /* according to my /usr/include/bits/posix1_lim.h */
@@ -85,12 +89,26 @@ static struct option_info openssl_options[] = {
 N_("Enable or not the sending of X509 client certificates\n"
 "to servers which request them.")),
+#ifdef CONFIG_NSS_COMPAT_OSSL
+ INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
+ "nickname", 0, "",
+ N_("The nickname of the client certificate stored in NSS\n"
+ "database. If this value is unset, the nickname from\n"
+ "the X509_CLIENT_CERT variable is used instead. If you\n"
+ "have a PKCS#12 file containing client certificate, you\n"
+ "can import it into your NSS database with:\n"
+ "$ pk12util -i mycert.p12 -d /path/to/database\n\n"
+ "The NSS database location can be changed by SSL_DIR\n"
+ "environment variable. The database can be also shared\n"
+ "with Mozilla browsers.")),
+#else
 INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
 "file", 0, "",
 N_("The location of a file containing the client certificate\n"
 "and unencrypted private key in PEM format. If unset, the\n"
 "file pointed to by the X509_CLIENT_CERT variable is used\n"
 "instead.")),
+#endif
 NULL_OPTION_INFO,
 };
@@ -196,7 +214,7 @@ static struct module gnutls_module = struct_module(
 /* done: */ done_gnutls
 );
-#endif /* CONFIG_OPENSSL or CONFIG_GNUTLS */
+#endif /* USE_OPENSSL or CONFIG_GNUTLS */
 static struct option_info ssl_options[] = {
 INIT_OPT_TREE("connection", N_("SSL"),
@@ -207,7 +225,7 @@ static struct option_info ssl_options[] = {
 };
 static struct module *ssl_modules[] = {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 &openssl_module,
 #elif defined(CONFIG_GNUTLS)
 &gnutls_module,
@@ -228,7 +246,7 @@ struct module ssl_module = struct_module(
 int
 init_ssl_connection(struct socket *socket)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 socket->ssl = SSL_new(context);
 if (!socket->ssl) return S_SSL_ERROR;
 #elif defined(CONFIG_GNUTLS)
@@ -277,7 +295,7 @@ done_ssl_connection(struct socket *socket)
 ssl_t *ssl = socket->ssl;
 if (!ssl) return;
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 SSL_free(ssl);
 #elif defined(CONFIG_GNUTLS)
 gnutls_deinit(*ssl);
@@ -294,7 +312,7 @@ get_ssl_connection_cipher(struct socket *socket)
 if (!init_string(&str)) return NULL;
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 add_format_to_string(&str, "%ld-bit %s %s",
 SSL_get_cipher_bits(ssl, NULL),
 SSL_get_cipher_version(ssl),
@@ -318,7 +336,7 @@ get_ssl_connection_cipher(struct socket *socket)
 void
 random_nonce(unsigned char buf[], size_t size)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 RAND_pseudo_bytes(buf, size);
 #elif defined(CONFIG_GNUTLS)
 gcry_create_nonce(buf, size);
diff --git a/src/network/ssl/ssl.h b/src/network/ssl/ssl.h
index 7c54a7a..21ca142 100644
--- a/src/network/ssl/ssl.h
+++ b/src/network/ssl/ssl.h
@@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher(struct socket *socket);
 /* Internal type used in ssl module. */
-#ifdef CONFIG_OPENSSL
+#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)
 #define ssl_t SSL
 #elif defined(CONFIG_GNUTLS)
 #define ssl_t gnutls_session_t
--
1.5.4.1
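Review bot: random_nonce (hunk -318) still discards the return value of RAND_pseudo_bytes, and with CONFIG_NSS_COMPAT_OSSL the renamed USE_OPENSSL branch now routes that call through the compatibility layer, whose guarantees for this function the hunk does not establish. In OpenSSL the function returns 0 when the bytes are not cryptographically strong and -1 when it is unsupported, so a caller that relies on unpredictability gets no signal here; check the result, e.g. `if (RAND_pseudo_bytes(buf, size) < 1) { /* report or fall back */ }`, and add a comment above the function stating what callers may assume about the output. The function continues past the end of the hunk.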