On Tuesday 09 September 2008 23:07:04 Kalle Olavi Niemitalo wrote:
> ELinks should be kept compatible with Autoconf 2.59, but if you
> add four pairs of square brackets for that, I think Autoconf 2.62
> will then include too many of them in the --help output.  So the
> right solution seems to be to avoid AC_HELP_STRING and instead
> align the strings by hand.  Alternatively, one could define
> EL_HELP_STRING, but that would probably require more effort than
> it'd save.
>
> The alignment and brackets are minor details.  If you feel they
> are costing too much time, I think it'd be enough to have the
> same level of correctness as in the preexisting options.
> I do not want the four pairs of square brackets though.
Well, removed AC_HELP_STRING from elinks-nss.patch as well...

> > +   if test -z "$with_nss_compat_ossl" -o "$with_nss_compat_ossl" = yes;
> > then
>
> The Autoconf manual advises against using the -a and -o operators
> of test, because of variations in precedence.  Instead:
>
> +     if test -z "$with_nss_compat_ossl" || test "$with_nss_compat_ossl" = 
> yes;
> then
Also fixed, new patch in attachment...


Kamil
From aa219c6221c46e6a006f325e5d84b388f1c6662b Mon Sep 17 00:00:00 2001
From: Kamil Dudka <[EMAIL PROTECTED]>
Date: Wed, 10 Sep 2008 10:21:12 +0200
Subject: [PATCH] add support for nss_compat_ossl library (OpenSSL replacement)

* configure.in: Detection of nss_compat_ossl library.
New configure parameters --with-nss_compat_ossl, --without-nss_compat_ossl.
* socket.c: New configure option connection.ssl.client_cert.nickname.
* ssl.h: Handle CONFIG_NSS_COMPAT_OSSL macro.
* ssl.c: Add support for nss_compat_ossl.
* TODO: Remove completed task.
* NEWS: Mention the change.
---
 NEWS                     |    2 ++
 configure.in             |   33 ++++++++++++++++++++++++++++++++-
 src/network/ssl/TODO     |    4 ----
 src/network/ssl/socket.c |   29 ++++++++++++++++++++++-------
 src/network/ssl/ssl.c    |   32 +++++++++++++++++++++++++-------
 src/network/ssl/ssl.h    |    2 +-
 6 files changed, 82 insertions(+), 20 deletions(-)

diff --git a/NEWS b/NEWS
index 5267b83..1d9f71e 100644
--- a/NEWS
+++ b/NEWS
@@ -401,6 +401,8 @@ Released on 2007-04-15.
 * enhancement 767: recognize URL in META Refresh even without "URL="
 * enhancement 396: search for "<html>" if the server doesn't specify a
   Content-Type
+* enhancement: Add support for nss_compat_ossl library (OpenSSL
+  replacement).
 
 ELinks 0.11.2:
 --------------
diff --git a/configure.in b/configure.in
index 77133a9..06f66db 100644
--- a/configure.in
+++ b/configure.in
@@ -952,6 +952,7 @@ gnutls_withval="$withval"
 
 if test "$enable_gnutls" = yes; then
 	disable_openssl=yes;
+	with_nss_compat_ossl=no;
 fi
 
 AC_ARG_WITH(openssl, [  --without-openssl       disable OpenSSL support],
@@ -959,6 +960,35 @@ AC_ARG_WITH(openssl, [  --without-openssl       disable OpenSSL support],
 AC_ARG_WITH(openssl, [[  --with-openssl[=DIR]    enable OpenSSL support (default)]])
 openssl_withval="$withval"
 
+AC_ARG_WITH(nss_compat_ossl, [[  --with-nss_compat_ossl[=DIR]
+                          NSS compatibility SSL libraries/include files]])
+
+# nss_compat_ossl
+EL_SAVE_FLAGS
+if test "$with_nss_compat_ossl" != "no"; then
+        if test -z "$with_nss_compat_ossl" || test "$with_nss_compat_ossl" = yes; then
+		if pkg-config nss; then
+			CFLAGS="$CFLAGS_X `pkg-config --cflags nss`"
+			LIBS="$LIBS_X `pkg-config --libs nss`"
+		else
+			with_nss_compat_ossl=no
+		fi
+	else
+		# Without pkg-config, we'll kludge in some defaults
+		CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include -I/usr/include/nss3 -I/usr/include/nspr4"
+		LIBS="$LIBS_X -L$with_nss_compat_ossl/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+	fi
+	AC_CHECK_HEADERS(nss_compat_ossl/nss_compat_ossl.h,, [with_nss_compat_ossl=no], [#define NSS_COMPAT_OSSL_H])
+	AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no])
+fi
+
+if  test "$with_nss_compat_ossl" != "no"; then
+	LIBS="$LIBS -lnss_compat_ossl"
+	EL_CONFIG(CONFIG_NSS_COMPAT_OSSL, [nss_compat_ossl])
+	disable_openssl="yes"
+	disable_gnutls="yes"
+fi
+
 # ---- OpenSSL
 
 AC_MSG_CHECKING([for OpenSSL])
@@ -1075,10 +1105,11 @@ AC_MSG_RESULT($cf_result)
 
 # Final SSL setup
 
-EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS], [SSL])
+EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS CONFIG_NSS_COMPAT_OSSL], [SSL])
 AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT)
 AC_SUBST(CONFIG_OPENSSL)
 AC_SUBST(CONFIG_GNUTLS)
+AC_SUBST(CONFIG_NSS_COMPAT_OSSL)
 
 #endif
 
diff --git a/src/network/ssl/TODO b/src/network/ssl/TODO
index dad2835..3079e34 100644
--- a/src/network/ssl/TODO
+++ b/src/network/ssl/TODO
@@ -5,10 +5,6 @@ We could add also support for:
  format conviently readable for me; however, they say it is damn fast and very
  easy to use)
 
-* NSS (http://www.mozilla.org/projects/security/pki/nss/ - it could be pretty
- widespread and nicely tested by mozilla, however it scares me, it looks to be
- pretty complex and already needing some certificates db generated etc)
-
 Possibly, we should drop support for native GnuTLS and use their OpenSSL
 wrapper instead, since I happen to feel very unsure about GnuTLS interface -
 OpenSSL is not much better, but we can steal code from other applications ;-).
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 74c43b8..1acf9d5 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -6,6 +6,10 @@
 
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gnutls/gnutls.h>
 #else
@@ -26,7 +30,7 @@
 
 
 /* SSL errors */
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 #define	SSL_ERROR_WANT_READ2	9999 /* XXX */
 #define	SSL_ERROR_WANT_WRITE2	SSL_ERROR_WANT_WRITE
 #define	SSL_ERROR_SYSCALL2	SSL_ERROR_SYSCALL
@@ -40,7 +44,7 @@
 #define	SSL_ERROR_SYSCALL2	GNUTLS_E_PULL_ERROR
 #endif
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 
 #define ssl_do_connect(socket)		SSL_get_error(socket->ssl, SSL_connect(socket->ssl))
 #define ssl_do_write(socket, data, len)	SSL_write(socket->ssl, data, len)
@@ -126,7 +130,7 @@ ssl_connect(struct socket *socket)
 	if (socket->no_tls)
 		ssl_set_no_tls(socket);
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	SSL_set_fd(socket->ssl, socket->fd);
 
 	if (get_opt_bool("connection.ssl.cert_verify", NULL))
@@ -137,8 +141,13 @@ ssl_connect(struct socket *socket)
 	if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 		unsigned char *client_cert;
 
-		client_cert = get_opt_str("connection.ssl.client_cert.file",
-		                          NULL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+		client_cert = get_opt_str(
+				"connection.ssl.client_cert.nickname", NULL);
+#else
+		client_cert = get_opt_str(
+				"connection.ssl.client_cert.file", NULL);
+#endif
 		if (!*client_cert) {
 			client_cert = getenv("X509_CLIENT_CERT");
 			if (client_cert && !*client_cert)
@@ -146,11 +155,17 @@ ssl_connect(struct socket *socket)
 		}
 
 		if (client_cert) {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+			SSL_CTX_use_certificate_chain_file(
+					(SSL *) socket->ssl,
+					client_cert);
+#else
 			SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
 
 			SSL_CTX_use_certificate_chain_file(ctx, client_cert);
 			SSL_CTX_use_PrivateKey_file(ctx, client_cert,
 						    SSL_FILETYPE_PEM);
+#endif
 		}
 	}
 
@@ -207,7 +222,7 @@ ssl_write(struct socket *socket, unsigned char *data, int len)
 	ssize_t wr = ssl_do_write(socket, data, len);
 
 	if (wr <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 		int err = SSL_get_error(socket->ssl, wr);
 #elif defined(CONFIG_GNUTLS)
 		int err = wr;
@@ -236,7 +251,7 @@ ssl_read(struct socket *socket, unsigned char *data, int len)
 	ssize_t rd = ssl_do_read(socket, data, len);
 
 	if (rd <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 		int err = SSL_get_error(socket->ssl, rd);
 #elif defined(CONFIG_GNUTLS)
 		int err = rd;
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index 8777f3c..84aaa58 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@@ -7,6 +7,10 @@
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
@@ -35,7 +39,7 @@
 /* FIXME: As you can see, SSL is currently implemented in very, erm,
  * decentralized manner. */
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 
 #ifndef PATH_MAX
 #define	PATH_MAX	256 /* according to my /usr/include/bits/posix1_lim.h */
@@ -85,12 +89,26 @@ static struct option_info openssl_options[] = {
 		 N_("Enable or not the sending of X509 client certificates\n"
 		    "to servers which request them.")),
 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
+		"nickname", 0, "",
+		 N_("The nickname of the client certificate stored in NSS\n"
+		    "database. If this value is unset, the nickname from\n"
+		    "the X509_CLIENT_CERT variable is used instead. If you\n"
+		    "have a PKCS#12 file containing client certificate, you\n"
+		    "can import it into your NSS database with:\n"
+		    "$ pk12util -i mycert.p12 -d /path/to/database\n\n"
+		    "The NSS database location can be changed by SSL_DIR\n"
+		    "environment variable. The database can be also shared\n"
+		    "with Mozilla browsers.")),
+#else
 	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
 		"file", 0, "",
 		 N_("The location of a file containing the client certificate\n"
 		    "and unencrypted private key in PEM format. If unset, the\n"
 		    "file pointed to by the X509_CLIENT_CERT variable is used\n"
 		    "instead.")),
+#endif
 
 	NULL_OPTION_INFO,
 };
@@ -196,7 +214,7 @@ static struct module gnutls_module = struct_module(
 	/* done: */		done_gnutls
 );
 
-#endif /* CONFIG_OPENSSL or CONFIG_GNUTLS */
+#endif /* USE_OPENSSL or CONFIG_GNUTLS */
 
 static struct option_info ssl_options[] = {
 	INIT_OPT_TREE("connection", N_("SSL"),
@@ -207,7 +225,7 @@ static struct option_info ssl_options[] = {
 };
 
 static struct module *ssl_modules[] = {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	&openssl_module,
 #elif defined(CONFIG_GNUTLS)
 	&gnutls_module,
@@ -228,7 +246,7 @@ struct module ssl_module = struct_module(
 int
 init_ssl_connection(struct socket *socket)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	socket->ssl = SSL_new(context);
 	if (!socket->ssl) return S_SSL_ERROR;
 #elif defined(CONFIG_GNUTLS)
@@ -277,7 +295,7 @@ done_ssl_connection(struct socket *socket)
 	ssl_t *ssl = socket->ssl;
 
 	if (!ssl) return;
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	SSL_free(ssl);
 #elif defined(CONFIG_GNUTLS)
 	gnutls_deinit(*ssl);
@@ -294,7 +312,7 @@ get_ssl_connection_cipher(struct socket *socket)
 
 	if (!init_string(&str)) return NULL;
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	add_format_to_string(&str, "%ld-bit %s %s",
 		SSL_get_cipher_bits(ssl, NULL),
 		SSL_get_cipher_version(ssl),
@@ -318,7 +336,7 @@ get_ssl_connection_cipher(struct socket *socket)
 void
 random_nonce(unsigned char buf[], size_t size)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	RAND_pseudo_bytes(buf, size);
 #elif defined(CONFIG_GNUTLS)
 	gcry_create_nonce(buf, size);
diff --git a/src/network/ssl/ssl.h b/src/network/ssl/ssl.h
index 7c54a7a..21ca142 100644
--- a/src/network/ssl/ssl.h
+++ b/src/network/ssl/ssl.h
@@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher(struct socket *socket);
 
 /* Internal type used in ssl module. */
 
-#ifdef CONFIG_OPENSSL
+#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)
 #define	ssl_t	SSL
 #elif defined(CONFIG_GNUTLS)
 #define	ssl_t	gnutls_session_t
-- 
1.5.4.1

_______________________________________________
elinks-dev mailing list
elinks-dev@linuxfromscratch.org
http://linuxfromscratch.org/mailman/listinfo/elinks-dev

Reply via email to