On Saturday 20 September 2008 19:55:53 Kalle Olavi Niemitalo wrote:
> Perhaps your ELinks changes are stable.  However, nss_compat_ossl
> 0.9.2 itself is not stable enough.  Its SSL_library_init() calls
> exit(1) with no error message at all if NSS_Init(certDir) fails.
> That is just ridiculous; ELinks should still be able to access
> non-SSL sites.
This should be reported. If you agree, I will forward this report to the nss_compat_ossl 
maintainer.

> Please change the configure script to select nss_compat_ossl only
> if explicitly requested by the user.  ELinks should not use it by
> default, even if no other SSL library is available.  This can be
> revisited after an improved version of nss_compat_ossl has been
> released and the configure script can check the version.
Well, fixed. Support for nss_compat_ossl must now be explicitly requested by the user.

> Also, the configure script should remove NSS from CFLAGS and LIBS
> again if it notices nss_compat_ossl has not been installed.
Fixed.

> Your patch added a NEWS entry into the section about ELinks 0.11.3,
> which has already been released.  I will move that to the right
> place.  Also, I would like to refer to the Fedora bugzilla:
>
> * Fedora enhancement 346861: Add support for nss_compat_ossl library
>   (OpenSSL replacement).
Fixed.

> I had some trouble building nss_compat_ossl 0.9.2 on Debian:
>
> - Here, the libnss3-dev package contains e.g. /usr/include/nss/ssl.h, and
>   pkg-config --cflags nss outputs "-I/usr/include/nss -I/usr/include/nspr",
>   but nss_compat_ossl-0.9.2/src/nss_compat_ossl.h does #include
> <nss3/ssl.h>. As there is no actual nss3 directory, nor a symlink, this
> does not work.
>
> - Likewise with #include <nspr4/nspr.h>.
>
> - Similarly, we have /usr/lib/nss/libsoftokn3.so, but pkg-config --libs nss
>   does not output any -L options, so -lsoftokn3 in
>   nss_compat_ossl-0.9.2/src/Makefile.am doesn't find the library;
>   however, if I remove that -lsoftokn3, then nss_compat_ossl builds.
>
> Browsing the source code, I noticed RAND_load_file() can get
> stuck in a loop if I/O errors occur: fread() and feof() both
> return 0.  And RAND_write_file() should check for errors on
> fwrite() and fclose().  I gave up on reviewing ssl.c because
> I don't know NSPR and SSL well enough.
I will forward this to the nss_compat_ossl maintainer, since it is a fundamental 
package of the next Fedora release. The CryptoConsolidation tracking bug covers 
over 200 bugs, so these issues should be fixed as soon as possible.

The new patch is attached. Let me also mention the configure --help indentation 
patch, which has not been applied yet.


Have a nice day
Kamil
From 9bc26d3b5f5fe39e449cbbb5d69206f9bcfd1fa0 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <[EMAIL PROTECTED]>
Date: Tue, 23 Sep 2008 13:27:47 +0200
Subject: [PATCH] add support for nss_compat_ossl library (OpenSSL replacement)

 * configure.in: New configure parameter --with-nss_compat_ossl.
 * socket.c: New configure option connection.ssl.client_cert.nickname.
 * ssl.h: Handle CONFIG_NSS_COMPAT_OSSL macro.
 * ssl.c: Add support for nss_compat_ossl.
 * TODO: Remove completed task.
 * NEWS: Mention the change.
---
 NEWS                     |    2 ++
 configure.in             |   35 ++++++++++++++++++++++++++++++++++-
 src/network/ssl/TODO     |    4 ----
 src/network/ssl/socket.c |   29 ++++++++++++++++++++++-------
 src/network/ssl/ssl.c    |   32 +++++++++++++++++++++++++-------
 src/network/ssl/ssl.h    |    2 +-
 6 files changed, 84 insertions(+), 20 deletions(-)

diff --git a/NEWS b/NEWS
index 5267b83..e6bff6d 100644
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,8 @@ Miscellaneous:
 * enhancement: Indicate backgrounded downloads using an unused led.
 * enhancement: Display the number of ECMAScript interpreters that have
   been allocated for documents in the Resources dialog.
+* Fedora enhancement 346861: Add support for nss_compat_ossl library
+  (OpenSSL replacement).
 
 //////////////////////////////////////////////////////////////////////
 The following changes should be removed from NEWS before ELinks 0.13.0
diff --git a/configure.in b/configure.in
index a8f7c2d..fa8fcb5 100644
--- a/configure.in
+++ b/configure.in
@@ -952,6 +952,7 @@ gnutls_withval="$withval"
 
 if test "$enable_gnutls" = yes; then
 	disable_openssl=yes;
+	with_nss_compat_ossl=no;
 fi
 
 AC_ARG_WITH(openssl, [  --without-openssl       disable OpenSSL support],
@@ -959,6 +960,37 @@ AC_ARG_WITH(openssl, [  --without-openssl       disable OpenSSL support],
 AC_ARG_WITH(openssl, [  --with-openssl[=DIR]    enable OpenSSL support (default)])
 openssl_withval="$withval"
 
+AC_ARG_WITH(nss_compat_ossl, [[  --with-nss_compat_ossl[=DIR]
+                          NSS compatibility SSL libraries/include files]])
+
+# nss_compat_ossl
+if test -n "$with_nss_compat_ossl" && test "$with_nss_compat_ossl" != "no"; then
+	EL_SAVE_FLAGS
+	if test "$with_nss_compat_ossl" = yes; then
+		if pkg-config nss; then
+			CFLAGS="$CFLAGS_X `pkg-config --cflags nss`"
+			LIBS="$LIBS_X `pkg-config --libs nss`"
+		else
+			with_nss_compat_ossl=no
+		fi
+	else
+		# Without pkg-config, we'll kludge in some defaults
+		CFLAGS="$CFLAGS_X -I$with_nss_compat_ossl/include -I/usr/include/nss3 -I/usr/include/nspr4"
+		LIBS="$LIBS_X -L$with_nss_compat_ossl/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+	fi
+	AC_CHECK_HEADERS(nss_compat_ossl/nss_compat_ossl.h,, [with_nss_compat_ossl=no], [#define NSS_COMPAT_OSSL_H])
+	AC_CHECK_LIB(nss_compat_ossl, X509_free,, [with_nss_compat_ossl=no])
+
+	if test "$with_nss_compat_ossl" = "no"; then
+		EL_RESTORE_FLAGS
+	else
+		LIBS="$LIBS -lnss_compat_ossl"
+		EL_CONFIG(CONFIG_NSS_COMPAT_OSSL, [nss_compat_ossl])
+		disable_openssl="yes"
+		disable_gnutls="yes"
+	fi
+fi
+
 # ---- OpenSSL
 
 AC_MSG_CHECKING([for OpenSSL])
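Review bot: The includes prelude `#define NSS_COMPAT_OSSL_H` passed to AC_CHECK_HEADERS for nss_compat_ossl/nss_compat_ossl.h looks like the header's own include guard; if it is, the compile test never sees the header body and reports the header as usable even when its nested `<nss3/ssl.h>` / `<nspr4/nspr.h>` includes cannot be resolved (the Debian case from this thread), so the failure only surfaces in the real build. If the guard is deliberately needed to keep the test compilable, a comment saying so would help; otherwise dropping the prelude makes the check meaningful. The `# Without pkg-config, we'll kludge in some defaults` comment on the else branch also does not describe its condition, which is "a DIR was given" — pkg-config is simply never consulted in that case — so `# DIR given: assume it carries NSS/NSPR, do not consult pkg-config` would be more accurate. Unless I misread the macro, AC_CHECK_LIB with an empty action-if-found already appends -lnss_compat_ossl to LIBS, so the explicit `LIBS="$LIBS -lnss_compat_ossl"` adds it a second time.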
@@ -1075,10 +1107,11 @@ AC_MSG_RESULT($cf_result)
 
 # Final SSL setup
 
-EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS], [SSL])
+EL_CONFIG_DEPENDS(CONFIG_SSL, [CONFIG_OPENSSL CONFIG_GNUTLS CONFIG_NSS_COMPAT_OSSL], [SSL])
 AC_SUBST(CONFIG_GNUTLS_OPENSSL_COMPAT)
 AC_SUBST(CONFIG_OPENSSL)
 AC_SUBST(CONFIG_GNUTLS)
+AC_SUBST(CONFIG_NSS_COMPAT_OSSL)
 
 #endif
 
diff --git a/src/network/ssl/TODO b/src/network/ssl/TODO
index dad2835..3079e34 100644
--- a/src/network/ssl/TODO
+++ b/src/network/ssl/TODO
@@ -5,10 +5,6 @@ We could add also support for:
  format conviently readable for me; however, they say it is damn fast and very
  easy to use)
 
-* NSS (http://www.mozilla.org/projects/security/pki/nss/ - it could be pretty
- widespread and nicely tested by mozilla, however it scares me, it looks to be
- pretty complex and already needing some certificates db generated etc)
-
 Possibly, we should drop support for native GnuTLS and use their OpenSSL
 wrapper instead, since I happen to feel very unsure about GnuTLS interface -
 OpenSSL is not much better, but we can steal code from other applications ;-).
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 74c43b8..1acf9d5 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -6,6 +6,10 @@
 
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gnutls/gnutls.h>
 #else
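Review bot: `USE_OPENSSL` is defined by the same three-way #ifdef chain here and again in ssl.c's include block, while ssl.h expresses the same condition a third way as `#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)`; three copies of one condition will drift apart as soon as another backend is added. Assuming socket.c and ssl.c include ssl.h, defining `USE_OPENSSL` once there next to the `ssl_t` selection and testing it everywhere else keeps a single source of truth. Nothing explains why the macro exists, so a one-line comment at its definition, e.g. `/* USE_OPENSSL: the backend speaks the OpenSSL API, either real OpenSSL or the nss_compat_ossl emulation */`, would help readers who grep for it. The same applies to the ssl.c include hunk and the ssl.h hunk.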
@@ -26,7 +30,7 @@
 
 
 /* SSL errors */
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 #define	SSL_ERROR_WANT_READ2	9999 /* XXX */
 #define	SSL_ERROR_WANT_WRITE2	SSL_ERROR_WANT_WRITE
 #define	SSL_ERROR_SYSCALL2	SSL_ERROR_SYSCALL
@@ -40,7 +44,7 @@
 #define	SSL_ERROR_SYSCALL2	GNUTLS_E_PULL_ERROR
 #endif
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 
 #define ssl_do_connect(socket)		SSL_get_error(socket->ssl, SSL_connect(socket->ssl))
 #define ssl_do_write(socket, data, len)	SSL_write(socket->ssl, data, len)
@@ -126,7 +130,7 @@ ssl_connect(struct socket *socket)
 	if (socket->no_tls)
 		ssl_set_no_tls(socket);
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	SSL_set_fd(socket->ssl, socket->fd);
 
 	if (get_opt_bool("connection.ssl.cert_verify", NULL))
@@ -137,8 +141,13 @@ ssl_connect(struct socket *socket)
 	if (get_opt_bool("connection.ssl.client_cert.enable", NULL)) {
 		unsigned char *client_cert;
 
-		client_cert = get_opt_str("connection.ssl.client_cert.file",
-		                          NULL);
+#ifdef CONFIG_NSS_COMPAT_OSSL
+		client_cert = get_opt_str(
+				"connection.ssl.client_cert.nickname", NULL);
+#else
+		client_cert = get_opt_str(
+				"connection.ssl.client_cert.file", NULL);
+#endif
 		if (!*client_cert) {
 			client_cert = getenv("X509_CLIENT_CERT");
 			if (client_cert && !*client_cert)
@@ -146,11 +155,17 @@ ssl_connect(struct socket *socket)
 		}
 
 		if (client_cert) {
+#ifdef CONFIG_NSS_COMPAT_OSSL
+			SSL_CTX_use_certificate_chain_file(
+					(SSL *) socket->ssl,
+					client_cert);
+#else
 			SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
 
 			SSL_CTX_use_certificate_chain_file(ctx, client_cert);
 			SSL_CTX_use_PrivateKey_file(ctx, client_cert,
 						    SSL_FILETYPE_PEM);
+#endif
 		}
 	}
 
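Review bot: In the new CONFIG_NSS_COMPAT_OSSL branch the result of `SSL_CTX_use_certificate_chain_file((SSL *) socket->ssl, client_cert)` is discarded, so an unknown nickname or an unreadable NSS database silently proceeds to the handshake without a client certificate, and the user later sees a server-side refusal rather than a report that the configured certificate was never loaded. The pre-existing OpenSSL branch has the same omission, but since this branch is new it could at least check the return value and route the failure through the module's existing error path. Passing an `SSL *` to a function whose OpenSSL namesake takes an `SSL_CTX *` also deserves a comment, presumably `/* nss_compat_ossl's variant takes the SSL object and looks the nickname up in the NSS db; no separate private-key file exists */` — confirm against the library's header. ssl_connect begins and ends outside this hunk.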
@@ -207,7 +222,7 @@ ssl_write(struct socket *socket, unsigned char *data, int len)
 	ssize_t wr = ssl_do_write(socket, data, len);
 
 	if (wr <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 		int err = SSL_get_error(socket->ssl, wr);
 #elif defined(CONFIG_GNUTLS)
 		int err = wr;
@@ -236,7 +251,7 @@ ssl_read(struct socket *socket, unsigned char *data, int len)
 	ssize_t rd = ssl_do_read(socket, data, len);
 
 	if (rd <= 0) {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 		int err = SSL_get_error(socket->ssl, rd);
 #elif defined(CONFIG_GNUTLS)
 		int err = rd;
diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
index 8777f3c..84aaa58 100644
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@@ -7,6 +7,10 @@
 #ifdef CONFIG_OPENSSL
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#define USE_OPENSSL
+#elif defined(CONFIG_NSS_COMPAT_OSSL)
+#include <nss_compat_ossl/nss_compat_ossl.h>
+#define USE_OPENSSL
 #elif defined(CONFIG_GNUTLS)
 #include <gcrypt.h>
 #include <gnutls/gnutls.h>
@@ -35,7 +39,7 @@
 /* FIXME: As you can see, SSL is currently implemented in very, erm,
  * decentralized manner. */
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 
 #ifndef PATH_MAX
 #define	PATH_MAX	256 /* according to my /usr/include/bits/posix1_lim.h */
@@ -85,12 +89,26 @@ static struct option_info openssl_options[] = {
 		 N_("Enable or not the sending of X509 client certificates\n"
 		    "to servers which request them.")),
 
+#ifdef CONFIG_NSS_COMPAT_OSSL
+	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate nickname"),
+		"nickname", 0, "",
+		 N_("The nickname of the client certificate stored in NSS\n"
+		    "database. If this value is unset, the nickname from\n"
+		    "the X509_CLIENT_CERT variable is used instead. If you\n"
+		    "have a PKCS#12 file containing client certificate, you\n"
+		    "can import it into your NSS database with:\n"
+		    "$ pk12util -i mycert.p12 -d /path/to/database\n\n"
+		    "The NSS database location can be changed by SSL_DIR\n"
+		    "environment variable. The database can be also shared\n"
+		    "with Mozilla browsers.")),
+#else
 	INIT_OPT_STRING("connection.ssl.client_cert", N_("Certificate File"),
 		"file", 0, "",
 		 N_("The location of a file containing the client certificate\n"
 		    "and unencrypted private key in PEM format. If unset, the\n"
 		    "file pointed to by the X509_CLIENT_CERT variable is used\n"
 		    "instead.")),
+#endif
 
 	NULL_OPTION_INFO,
 };
@@ -196,7 +214,7 @@ static struct module gnutls_module = struct_module(
 	/* done: */		done_gnutls
 );
 
-#endif /* CONFIG_OPENSSL or CONFIG_GNUTLS */
+#endif /* USE_OPENSSL or CONFIG_GNUTLS */
 
 static struct option_info ssl_options[] = {
 	INIT_OPT_TREE("connection", N_("SSL"),
@@ -207,7 +225,7 @@ static struct option_info ssl_options[] = {
 };
 
 static struct module *ssl_modules[] = {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	&openssl_module,
 #elif defined(CONFIG_GNUTLS)
 	&gnutls_module,
@@ -228,7 +246,7 @@ struct module ssl_module = struct_module(
 int
 init_ssl_connection(struct socket *socket)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	socket->ssl = SSL_new(context);
 	if (!socket->ssl) return S_SSL_ERROR;
 #elif defined(CONFIG_GNUTLS)
@@ -277,7 +295,7 @@ done_ssl_connection(struct socket *socket)
 	ssl_t *ssl = socket->ssl;
 
 	if (!ssl) return;
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	SSL_free(ssl);
 #elif defined(CONFIG_GNUTLS)
 	gnutls_deinit(*ssl);
@@ -294,7 +312,7 @@ get_ssl_connection_cipher(struct socket *socket)
 
 	if (!init_string(&str)) return NULL;
 
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	add_format_to_string(&str, "%ld-bit %s %s",
 		SSL_get_cipher_bits(ssl, NULL),
 		SSL_get_cipher_version(ssl),
@@ -318,7 +336,7 @@ get_ssl_connection_cipher(struct socket *socket)
 void
 random_nonce(unsigned char buf[], size_t size)
 {
-#ifdef CONFIG_OPENSSL
+#ifdef USE_OPENSSL
 	RAND_pseudo_bytes(buf, size);
 #elif defined(CONFIG_GNUTLS)
 	gcry_create_nonce(buf, size);
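Review bot: With USE_OPENSSL now also covering nss_compat_ossl, random_nonce fills buf through the emulation layer's `RAND_pseudo_bytes`, whose return value is ignored, so a failing call leaves buf with whatever it held before. The return was already unchecked for real OpenSSL, but the emulation's RAND_* functions have not been validated here (the thread already flags RAND_load_file/RAND_write_file in that library), so a marker such as `/* FIXME: return value unchecked; nss_compat_ossl's RAND_pseudo_bytes behaviour not verified */` would keep this on the follow-up list. random_nonce's body continues past the hunk.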
diff --git a/src/network/ssl/ssl.h b/src/network/ssl/ssl.h
index 7c54a7a..21ca142 100644
--- a/src/network/ssl/ssl.h
+++ b/src/network/ssl/ssl.h
@@ -22,7 +22,7 @@ unsigned char *get_ssl_connection_cipher(struct socket *socket);
 
 /* Internal type used in ssl module. */
 
-#ifdef CONFIG_OPENSSL
+#if defined(CONFIG_OPENSSL) || defined(CONFIG_NSS_COMPAT_OSSL)
 #define	ssl_t	SSL
 #elif defined(CONFIG_GNUTLS)
 #define	ssl_t	gnutls_session_t
-- 
1.5.4.1
