[pkg-lynx-commits] [lynx-cur] 01/01: Add patches gnutls_add_rehandshake_support + add_client_certificate_support
Axel Beckert
abe at deuxchevaux.org
Thu Sep 3 18:47:31 UTC 2015
This is an automated email from the git hooks/post-receive script.
abe pushed a commit to branch master
in repository lynx-cur.
commit 6f4009b4bfa9bee59a0a057b7d7c3dfef562e425
Author: Simon Kainz <skainz at debian.org>
Date: Thu Sep 3 20:40:31 2015 +0200
Add patches gnutls_add_rehandshake_support + add_client_certificate_support
Closes: #797059, #797901
---
debian/changelog | 4 +
debian/patches/add_client_certificate_support.diff | 251 +++++++++++++++++++++
debian/patches/gnutls_add_rehandshake_support.diff | 80 +++++++
debian/patches/series | 2 +
4 files changed, 337 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 258a54c..34a2fb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,10 @@ lynx-cur (2.8.9dev6-4) UNRELEASED; urgency=medium
* 40_reproducible_build.diff: Sort cfg_defs.h independent of locale.
Closes: #792770
+ [ Simon Kainz ]
+ * Add patch gnutls_add_rehandshake_support.diff. (Closes: #797059)
+ * Add patch add_client_certificate_support.diff. (Closes: #797901)
+
-- Andreas Metzler <ametzler at debian.org> Sat, 18 Jul 2015 16:36:13 +0200
lynx-cur (2.8.9dev6-3) unstable; urgency=medium
diff --git a/debian/patches/add_client_certificate_support.diff b/debian/patches/add_client_certificate_support.diff
new file mode 100644
index 0000000..1e36e45
--- /dev/null
+++ b/debian/patches/add_client_certificate_support.diff
@@ -0,0 +1,251 @@
+Description: Add client certificate support
+ This feature is neccessary to enable lynx to use Debian SSO
+ infrastructure, which now relies on client certificates.
+ .
+ Currently, client certificates and their corresponding key files
+ must be in PEM format.
+Author: Simon Kainz <skainz at debian.org>
+Forwarded: no
+Reviewed-By: Mario Lang <mlang at debian.org>
+Last-Update: 2015-09-03
+
+--- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/HTTP.c
++++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/HTTP.c
+@@ -162,6 +162,9 @@ SSL *HTGetSSLHandle(void)
+ {
+ #ifdef USE_GNUTLS_INCL
+ static char *certfile = NULL;
++ static char *client_keyfile = NULL;
++ static char *client_certfile = NULL;
++
+ #endif
+
+ if (ssl_ctx == NULL) {
+@@ -204,6 +207,9 @@ SSL *HTGetSSLHandle(void)
+ }
+ #endif
+ #ifdef USE_GNUTLS_INCL
++
++
++
+ if ((certfile = LYGetEnv("SSL_CERT_FILE")) != NULL) {
+ CTRACE((tfp,
+ "HTGetSSLHandle: certfile is set to %s by SSL_CERT_FILE\n",
+@@ -225,10 +231,40 @@ SSL *HTGetSSLHandle(void)
+ }
+ #endif
+ atexit(free_ssl_ctx);
++
+ }
+ #ifdef USE_GNUTLS_INCL
++
++
++ if (non_empty(SSL_client_key_file))
++ {
++ client_keyfile=SSL_client_key_file;
++ CTRACE((tfp,
++ "HTGetSSLHandle: client key file is set to %s by config SSL_CLIENT_KEY_FILE\n",
++ client_keyfile));
++ }
++
++
++
++ if (non_empty(SSL_client_cert_file))
++ {
++ client_certfile=SSL_client_cert_file;
++ CTRACE((tfp,
++ "HTGetSSLHandle: client cert file is set to %s by config SSL_CLIENT_CERT_FILE\n",
++ client_certfile));
++ }
++
++
++
++
++
+ ssl_ctx->certfile = certfile;
+ ssl_ctx->certfile_type = GNUTLS_X509_FMT_PEM;
++ ssl_ctx->client_keyfile = client_keyfile;
++ ssl_ctx->client_keyfile_type = GNUTLS_X509_FMT_PEM;
++ ssl_ctx->client_certfile = client_certfile;
++ ssl_ctx->client_certfile_type = GNUTLS_X509_FMT_PEM;
++
+ #endif
+ ssl_okay = 0;
+ return (SSL_new(ssl_ctx));
+--- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/tidy_tls.h
++++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/tidy_tls.h
+@@ -78,6 +78,11 @@ typedef struct _SSL_CTX {
+ int (*verify_callback) (int, X509_STORE_CTX *);
+ int verify_mode;
+
++ char *client_certfile;
++ int client_certfile_type;
++ char *client_keyfile;
++ int client_keyfile_type;
++
+ } SSL_CTX;
+
+ struct _SSL {
+--- lynx-cur-2.8.9dev6.orig/lynx.cfg
++++ lynx-cur-2.8.9dev6/lynx.cfg
+@@ -3561,6 +3561,20 @@ NESTED_TABLES: false
+ SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
+ #SSL_CERT_FILE:NULL
+
++.h2 SSL_CLIENT_CERT_FILE
++# Set SSL_CLIENT_CERT_FILE to the file that contains a client certificate
++# (in PEM format) in case the $SSL_CLIENT_CERT_FILE environment variable is
++# not set, e.g.,
++#
++#SSL_CLIENT_CERT_FILE:/home/qux/certs/cert.crt
++
++.h2 SSL_CLIENT_KEY_FILE
++# Set SSL_CLIENT_KEY_FILE to the file that contains a client certificate
++# key (in PEM format), in case the $SSL_CLIENT_KEY_FILE environment variable
++# is not set, e.g.,
++#
++#SSL_CLIENT_KEY_FILE:/home/qux/certs/cert.key
++
+ .h1 Appearance
+
+ .h2 SCREEN_SIZE
+--- lynx-cur-2.8.9dev6.orig/src/LYGlobalDefs.h
++++ lynx-cur-2.8.9dev6/src/LYGlobalDefs.h
+@@ -536,6 +536,8 @@ extern "C" {
+ extern int LYHiddenLinks;
+
+ extern char *SSL_cert_file; /* Default CA CERT file */
++ extern char *SSL_client_cert_file; /* Default client CERT file */
++ extern char *SSL_client_key_file; /* Default client key file */
+
+ extern int Old_DTD;
+
+--- lynx-cur-2.8.9dev6.orig/src/LYMain.c
++++ lynx-cur-2.8.9dev6/src/LYMain.c
+@@ -553,7 +553,9 @@ char *XLoadImageCommand = NULL; /* Defau
+ BOOLEAN LYNoISMAPifUSEMAP = FALSE; /* Omit ISMAP link if MAP present? */
+ int LYHiddenLinks = HIDDENLINKS_SEPARATE; /* Show hidden links? */
+
+-char *SSL_cert_file = NULL; /* Default CA CERT file */
++char *SSL_cert_file = NULL; /*y Default CA CERT file */
++char *SSL_client_cert_file = NULL;
++char * SSL_client_key_file = NULL;
+
+ int Old_DTD = NO;
+ static BOOLEAN DTD_recovery = NO;
+@@ -1579,6 +1581,27 @@ int main(int argc,
+ */
+ read_cfg(lynx_cfg_file, "main program", 1, (FILE *) 0);
+
++ static char *client_keyfile = NULL;
++ static char *client_certfile = NULL;
++
++ if ((client_keyfile = LYGetEnv("SSL_CLIENT_KEY_FILE")) != NULL) {
++ CTRACE((tfp,
++ "HTGetSSLHandle: client keyfile is set to %s by SSL_CLIENT_KEY_FILE\n",
++ client_keyfile));
++ StrAllocCopy(SSL_client_key_file,client_keyfile);
++
++ }
++
++ if ((client_certfile = LYGetEnv("SSL_CLIENT_CERT_FILE")) != NULL) {
++ CTRACE((tfp,
++ "HTGetSSLHandle: client certfile is set to %s by SSL_CLIENT_CERT_FILE\n",
++ client_certfile));
++ StrAllocCopy(SSL_client_cert_file,client_certfile);
++ }
++
++
++
++
+ #if defined(USE_COLOR_STYLE)
+ if (!dump_output_immediately) {
+ init_color_styles(&lynx_lss_file2, default_color_styles);
+--- lynx-cur-2.8.9dev6.orig/src/LYOptions.c
++++ lynx-cur-2.8.9dev6/src/LYOptions.c
+@@ -2444,6 +2444,9 @@ static const char *preferred_doc_lang_st
+ static const char *send_user_agent_string = RC_SEND_USERAGENT;
+ static const char *user_agent_string = RC_USERAGENT;
+
++static const char *ssl_client_certificate_file = RC_SSL_CLIENT_CERT_FILE;
++static const char *ssl_client_key_file = RC_SSL_CLIENT_KEY_FILE;
++
+ #define PutHeader(fp, Name) \
+ fprintf(fp, "\n%s<em>%s</em>\n", MARGIN_STR, LYEntifyTitle(&buffer, Name));
+
+@@ -3260,6 +3263,18 @@ int postoptions(DocInfo *newdoc)
+ LYSendUserAgent = (BOOLEAN) !strcasecomp(data[i].value, "ON");
+ }
+
++ if (!strcmp(data[i].tag,ssl_client_certificate_file))
++ {
++ FREE(SSL_client_cert_file);
++ StrAllocCopy(SSL_client_cert_file,data[i].value);
++ }
++
++ if (!strcmp(data[i].tag,ssl_client_key_file))
++ {
++ FREE(SSL_client_key_file);
++ StrAllocCopy(SSL_client_key_file,data[i].value);
++ }
++
+ /* User Agent: INPUT */
+ if (!strcmp(data[i].tag, user_agent_string) && (!no_useragent)) {
+ if (strcmp(LYUserAgent, data[i].value)) {
+@@ -3729,6 +3744,15 @@ static int gen_options(char **newfile)
+ BeginSelect(fp0, ssl_prompt_string);
+ PutOptValues(fp0, ssl_noprompt, prompt_values);
+ EndSelect(fp0);
++
++ PutLabel(fp0, gettext("SSL client certificate file"), ssl_client_certificate_file);
++ PutTextInput(fp0, ssl_client_certificate_file,
++ NonNull(SSL_client_cert_file), text_len, "");
++
++ PutLabel(fp0, gettext("SSL client key file"), ssl_client_key_file);
++ PutTextInput(fp0, ssl_client_key_file,
++ NonNull(SSL_client_key_file), text_len, "");
++
+ #endif
+
+ PutHeader(fp0, gettext("Keyboard Input"));
+--- lynx-cur-2.8.9dev6.orig/src/LYReadCFG.c
++++ lynx-cur-2.8.9dev6/src/LYReadCFG.c
+@@ -1719,6 +1719,8 @@ static Config_Type Config_Table [] =
+ PARSE_ENU(RC_SOURCE_CACHE_FOR_ABORTED, LYCacheSourceForAborted, tbl_abort_source_cache),
+ #endif
+ PARSE_STR(RC_SSL_CERT_FILE, SSL_cert_file),
++ PARSE_STR(RC_SSL_CLIENT_CERT_FILE, SSL_client_cert_file),
++ PARSE_STR(RC_SSL_CLIENT_KEY_FILE, SSL_client_key_file),
+ PARSE_FUN(RC_STARTFILE, startfile_fun),
+ PARSE_FUN(RC_STATUS_BUFFER_SIZE, status_buffer_size_fun),
+ PARSE_SET(RC_STRIP_DOTDOT_URLS, LYStripDotDotURLs),
+--- lynx-cur-2.8.9dev6.orig/src/LYrcFile.h
++++ lynx-cur-2.8.9dev6/src/LYrcFile.h
+@@ -234,6 +234,8 @@
+ #define RC_SOURCE_CACHE "source_cache"
+ #define RC_SOURCE_CACHE_FOR_ABORTED "source_cache_for_aborted"
+ #define RC_SSL_CERT_FILE "ssl_cert_file"
++#define RC_SSL_CLIENT_CERT_FILE "ssl_client_cert_file"
++#define RC_SSL_CLIENT_KEY_FILE "ssl_client_key_file"
+ #define RC_STARTFILE "startfile"
+ #define RC_STATUS_BUFFER_SIZE "status_buffer_size"
+ #define RC_STRIP_DOTDOT_URLS "strip_dotdot_urls"
+--- lynx-cur-2.8.9dev6.orig/src/tidy_tls.c
++++ lynx-cur-2.8.9dev6/src/tidy_tls.c
+@@ -549,11 +549,11 @@ SSL *SSL_new(SSL_CTX * ctx)
+ gnutls_certificate_set_x509_trust_file(ssl->gnutls_cred,
+ ctx->certfile,
+ ctx->certfile_type);
+- if (ctx->keyfile)
++ if (ctx->client_keyfile)
+ gnutls_certificate_set_x509_key_file(ssl->gnutls_cred,
+- ctx->certfile,
+- ctx->keyfile,
+- ctx->keyfile_type);
++ ctx->client_certfile,
++ ctx->client_keyfile,
++ ctx->client_keyfile_type);
+ ssl->verify_mode = ctx->verify_mode;
+ ssl->verify_callback = ctx->verify_callback;
+
+
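Review bot: In the tidy_tls.c hunk of this patch, `if (ctx->client_keyfile)` guards a gnutls_certificate_set_x509_key_file() call that also passes ctx->client_certfile, so a user who sets only SSL_CLIENT_KEY_FILE hands gnutls a NULL certificate path, and the call's return value is discarded either way, so an unreadable or mismatched key silently yields a connection without client authentication; guard on both and keep the result, `if (ctx->client_keyfile && ctx->client_certfile)` / `rc = gnutls_certificate_set_x509_key_file(ssl->gnutls_cred, ctx->client_certfile, ctx->client_keyfile, ctx->client_keyfile_type);`, and handle rc < 0 the way SSL_new treats its other gnutls_* failures (the function's body lies outside this hunk, so that handling is not visible here). The CTRACE messages added to main() in LYMain.c are prefixed `HTGetSSLHandle:` although they are emitted from main, and the same file's hunk turns the `SSL_cert_file` comment into `/*y Default CA CERT file */`; both look like copy-paste slips. The two `static char *` declarations in main() follow a statement (the read_cfg() call), which only C99-and-later compilers accept in that position, and `static` buys nothing for locals that are assigned on every run. In LYOptions.c the new form fields are applied without a restriction check, unlike the neighbouring user-agent field which is gated by `!no_useragent`; whether anonymous or restricted sessions should be able to point lynx at arbitrary key and certificate paths is worth deciding explicitly.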
diff --git a/debian/patches/gnutls_add_rehandshake_support.diff b/debian/patches/gnutls_add_rehandshake_support.diff
new file mode 100644
index 0000000..a0047d0
--- /dev/null
+++ b/debian/patches/gnutls_add_rehandshake_support.diff
@@ -0,0 +1,80 @@
+Description: Add support for GNUTLS rehandshake
+Author: Simon Kainz <skainz at debian.org>
+Bug-Debian: https://bugs.debian.org/797059
+Forwarded: http://permalink.gmane.org/gmane.comp.web.lynx.devel/8455
+
+--- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/tidy_tls.h
++++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/tidy_tls.h
+@@ -98,6 +98,9 @@ struct _SSL {
+
+ gnutls_transport_ptr_t rfd;
+ gnutls_transport_ptr_t wfd;
++
++ void *sendbuffer;
++ int bytes_sent;
+ };
+
+ /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
+--- lynx-cur-2.8.9dev6.orig/src/tidy_tls.c
++++ lynx-cur-2.8.9dev6/src/tidy_tls.c
+@@ -530,7 +530,6 @@ SSL *SSL_new(SSL_CTX * ctx)
+ {
+ SSL *ssl;
+ int rc;
+-
+ if ((ssl = typeCalloc(SSL)) != 0) {
+
+ rc = gnutls_certificate_allocate_credentials(&ssl->gnutls_cred);
+@@ -564,6 +563,9 @@ SSL *SSL_new(SSL_CTX * ctx)
+ ssl->wfd = (gnutls_transport_ptr_t) (-1);
+ }
+ }
++ ssl->bytes_sent=0;
++ ssl->sendbuffer=0;
++
+ return ssl;
+ }
+
+@@ -576,13 +578,22 @@ int SSL_read(SSL * ssl, void *buffer, in
+ int rc;
+
+ rc = gnutls_record_recv(ssl->gnutls_state, buffer, length);
+- ssl->last_error = rc;
+
++ if ( rc <0 && gnutls_error_is_fatal(rc) == 0) {
++ if (rc == GNUTLS_E_REHANDSHAKE ) {
++ rc=gnutls_handshake(ssl->gnutls_state);
++ gnutls_record_send(ssl->gnutls_state,ssl->sendbuffer,ssl->bytes_sent);
++ rc = gnutls_record_recv(ssl->gnutls_state, buffer, length);
++ }
++ }
++
++ ssl->last_error = rc;
++
+ if (rc < 0) {
+- last_error = rc;
+- rc = 0;
++ last_error = rc;
++ rc = 0;
+ }
+-
++
+ return rc;
+ }
+
+@@ -611,6 +622,15 @@ int SSL_write(SSL * ssl, const void *buf
+ last_error = rc;
+ rc = 0;
+ }
++ else {
++ if (ssl->sendbuffer)
++ {
++ free(ssl->sendbuffer);
++ }
++ ssl->sendbuffer=malloc(rc);
++ ssl->bytes_sent=rc;
++ }
++
+
+ return rc;
+ }
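Review bot: SSL_write's new else branch in the tidy_tls.c hunk allocates `ssl->sendbuffer = malloc(rc)` but never copies the written data into it, so the replay that SSL_read performs after GNUTLS_E_REHANDSHAKE (`gnutls_record_send(ssl->gnutls_state, ssl->sendbuffer, ssl->bytes_sent)`) transmits bytes_sent bytes of uninitialised heap memory to the peer: the request is not actually repeated, and whatever the allocator last held in that region — possibly earlier request data — goes out instead. The malloc result is also unchecked, so an allocation failure later passes a NULL buffer to gnutls_record_send, and in SSL_read the value returned by gnutls_handshake() is overwritten by the following gnutls_record_recv() without ever being tested, so a failed renegotiation still proceeds to replay and read. Nothing in the hunk frees sendbuffer when the SSL object is released; SSL_free is outside the hunk, so please confirm it does. The rewrite below copies the data, checks the allocation, and only replays when the handshake succeeded and a copy exists; the name of SSL_write's data parameter is cut off in the hunk header, so `buffer` in the fence stands for it.
```c
/* SSL_read: … unchanged: initial gnutls_record_recv call … */
    if (rc < 0 && gnutls_error_is_fatal(rc) == 0) {
        if (rc == GNUTLS_E_REHANDSHAKE) {
            rc = gnutls_handshake(ssl->gnutls_state);
            /* replay the last request only if renegotiation succeeded and a
             * copy of it exists; a failed handshake falls through as an error */
            if (rc >= 0 && ssl->sendbuffer != NULL && ssl->bytes_sent > 0)
                gnutls_record_send(ssl->gnutls_state, ssl->sendbuffer, (size_t) ssl->bytes_sent);
            if (rc >= 0)
                rc = gnutls_record_recv(ssl->gnutls_state, buffer, length);
        }
    }
/* … unchanged: last_error bookkeeping and return … */

/* SSL_write: … unchanged: gnutls_record_send and the rc < 0 branch … */
    else {
        free(ssl->sendbuffer);              /* free(NULL) is a no-op */
        ssl->sendbuffer = malloc((size_t) rc);
        if (ssl->sendbuffer != NULL) {
            memcpy(ssl->sendbuffer, buffer, (size_t) rc); /* 'buffer' = SSL_write's data argument */
            ssl->bytes_sent = rc;
        } else {
            ssl->bytes_sent = 0;            /* nothing to replay if the copy could not be kept */
        }
    }
```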
diff --git a/debian/patches/series b/debian/patches/series
index 5502c0b..cc27a2e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,5 @@ use-dpkg-buildflags.patch
nested_tables.patch
manpage_improved.patch
gnutls_set_default_priority.diff
+gnutls_add_rehandshake_support.diff
+add_client_certificate_support.diff