--- Begin Message ---
Package: links
Version: 2.10-1
Severity: normal
Tags: patch
Hello,
we have implemented a new experimental single sign-on for Debian based on
client certificates:
https://lists.debian.org/debian-devel/2015/08/msg00539.html
and while evaluating its accessibility:
https://lists.debian.org/debian-accessibility/2015/08/msg00070.html
it turned out that at the moment no text-based browser supports it.
Let's fix that.
Please find attached a patch that makes links work with client
certificates.
With that patch applied, I can do:
links2 https://contributors.debian.org
(shows login button)
and:
links2 -http.client_cert_key enrico.key -http.client_cert_crt enrico.crt https://contributors.debian.org
(shows me logged in)
If you want to test it, you can go to
https://sso.debian.org/spkac/enroll_manually/
to obtain a local key/crt pair for your Debian or Alioth account.
Enrico
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages links depends on:
ii libbz2-1.0 1.0.6-8
ii libc6 2.19-19
ii libgpm2 1.20.4-6.1+b2
ii liblzma5 5.1.1alpha+20120614-2.1
ii libssl1.0.0 1.0.2d-1
ii zlib1g 1:1.2.8.dfsg-2+b1
links recommends no packages.
links suggests no packages.
-- no debconf information
diff -Naur links2-2.10/default.c links2-2.10.patched/default.c
--- links2-2.10/default.c 2015-08-27 16:22:08.000000000 +0200
+++ links2-2.10.patched/default.c 2015-08-27 16:23:20.778841403 +0200
@@ -1696,6 +1696,14 @@
" -http.fake-user-agent <string>\n"
" Fake user agent value.\n"
"\n"
+" -http.client_cert_key <filename>\n"
+" Name of the PEM encoded file with the user private key\n"
+" for client certificate authentication.\n"
+"\n"
+" -http.client_cert_crt <filename>\n"
+" Name of the PEM encoded file with the user certificate\n"
+" for client certificate authentication.\n"
+"\n"
" -http.extra-header <string>\n"
" Extra string added to HTTP header.\n"
"\n"
@@ -2122,6 +2130,8 @@
{1, gen_cmd, num_rd, num_wr, 0, 1, &http_options.header.fake_firefox, "fake_firefox", "http.fake-firefox"},
{1, gen_cmd, num_rd, num_wr, 0, 1, &http_options.header.do_not_track, "http_do_not_track", "http.do-not-track"},
{1, gen_cmd, num_rd, num_wr, 0, 4, &http_options.header.referer, "http_referer", "http.referer"},
+ {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.client_cert_key, "client_cert_key", "http.client_cert_key"},
+ {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.client_cert_crt, "client_cert_crt", "http.client_cert_crt"},
{1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.fake_referer, "fake_referer", "http.fake-referer"},
{1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.fake_useragent, "fake_useragent", "http.fake-user-agent"},
{1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.extra_header, "http.extra_header", "http.extra-header"},
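Review bot: The two added entries spell the command-line names with underscores ("http.client_cert_key", "http.client_cert_crt"), while every neighbouring entry in this table uses hyphens in that column ("http.do-not-track", "http.fake-referer", "http.extra-header"). Suggest "http.client-cert-key" and "http.client-cert-crt", with the same rename in the help text added in the first hunk of default.c. The entries are also inserted between http.referer and http.fake-referer, which splits the run of header options; placing them after the "http.extra-header" entry would keep that group together. The help text would also be clearer if it said that both options have to be given together.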
diff -Naur links2-2.10/https.c links2-2.10.patched/https.c
--- links2-2.10/https.c 2015-08-27 16:22:08.000000000 +0200
+++ links2-2.10.patched/https.c 2015-08-27 16:23:53.875566921 +0200
@@ -91,6 +91,10 @@
SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_default_verify_paths(context);
SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert);
+ if (http_options.client_cert_key[0])
+ SSL_CTX_use_PrivateKey_file(context, http_options.client_cert_key, SSL_FILETYPE_PEM);
+ if (http_options.client_cert_crt[0])
+ SSL_CTX_use_certificate_file(context, http_options.client_cert_crt, SSL_FILETYPE_PEM);
}
return (SSL_new(context));
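Review bot: The return values of SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() in the two added if blocks are discarded, so a mistyped path, an unreadable file or a malformed PEM leaves the context without a client identity and the user only sees the not-logged-in page with no hint why. Check each call for a return of 1, report the OpenSSL error to the user, and call SSL_CTX_check_private_key(context) after both loads so a key that does not belong to the certificate is caught when the context is set up. Loading the certificate first and the key second is the conventional order, since OpenSSL then checks the key against the certificate already present. The credentials are set on the SSL_CTX rather than on a per-connection SSL object, so every connection created from this context will offer them to any server that requests a client certificate; that deserves a sentence in the help text.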
diff -Naur links2-2.10/links.h links2-2.10.patched/links.h
--- links2-2.10/links.h 2015-07-04 13:58:49.000000000 +0200
+++ links2-2.10.patched/links.h 2015-08-27 16:24:16.520063425 +0200
@@ -4526,6 +4526,8 @@
int no_compression;
int retry_internal_errors;
struct http_header_options header;
+ unsigned char client_cert_key[MAX_STR_LEN];
+ unsigned char client_cert_crt[MAX_STR_LEN];
};
extern struct http_options http_options;
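Review bot: The two new fields are unsigned char arrays, but the https.c hunk passes them straight to SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file(), whose file argument is const char *; that is a pointer-signedness mismatch and will draw a compiler warning. Add a cast to const char * at the two call sites. A short comment on each field saying that it holds the path of a PEM file, with an empty string meaning "not set" (which the [0] tests in https.c rely on), would document the convention.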
--- End Message ---