Hi Tom, hello others,

it's time for me again to do a cvs diff between the lynx vendor branch
in mirbsd (at the moment it's 2.8.7dev.2 - but they should apply to
dev.4 as well) and what we have in -current.

I hand-edited the diffs, removing mirbsd-local changes, reformatting
some others (so don't wonder about a minor fuzz), and commented each
of the diffs. One is probably already fixed in dev.4, some others have
a chance of being rejected by you, but some of them you most definitively
want to apply.

About the HTTP.c big chunk changes: as the coding/indentation style of
lynx isn't really documented, I tried to stay close to the style that
was already used in the file, but where I couldn't figure it out easily
I used our KNF, except I didn't honour the 80-column limit. Sorry if
you have to reformat some of these.

I also changed --mirabilos to the more lynx-standard-ish -TG in the
comments, which is what I saw you using in the changelog file as well.

Please tell me what you think of these diffs. And everyone who's using
gnutls please have a look at that HTTP.c diff as I think it's very
important to have it go into stock lynx, but I don't know how gnutls
differs from OpenSSL.

bye,
//mirabile
-- 
I believe no one can invent an algorithm. One just happens to hit upon it
when God enlightens him. Or only God invents algorithms, we merely copy them.
If you don't believe in God, just consider God as Nature if you won't deny
existence.              -- Coywolf Qi Hunt
***>> Cosmetics: fewer warnings (useful for those who build with -Werror)
        This should definitively go in.

Index: configure.in
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/configure.in,v
retrieving revision 1.1.109.10
retrieving revision 1.15
diff -u -p -r1.1.109.10 -r1.15
--- configure.in        10 Nov 2006 20:04:53 -0000      1.1.109.10
+++ configure.in        10 Nov 2006 20:19:25 -0000      1.15
@@ -179,7 +181,7 @@ AC_MSG_RESULT($with_warnings)
 if test "$with_warnings" = "yes"
 then
        CF_GCC_ATTRIBUTES
-       CF_GCC_WARNINGS
+       CF_GCC_WARNINGS(Wno-cast-qual Wno-cast-align)
 fi
 fi
 
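Review bot: passing Wno-cast-qual Wno-cast-align to CF_GCC_WARNINGS silences both warnings for the whole tree instead of fixing the casts that trigger them; -Wcast-align in particular points at pointer casts that raise alignment and fault on strict-alignment targets, so this hides real portability bugs rather than cosmetic ones. If the aim is only a clean -Werror build, disable the two warnings for the files that trip them (or fix the casts there) and say in the changelog which warnings were judged harmless and why.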
Index: WWW/Library/Implementation/HTTelnet.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTelnet.c,v
retrieving revision 1.1.109.2
diff -u -p -r1.1.109.2 HTTelnet.c
--- WWW/Library/Implementation/HTTelnet.c       2 Jun 2006 19:17:05 -0000       
1.1.109.2
+++ WWW/Library/Implementation/HTTelnet.c       18 Apr 2007 12:04:49 -0000
@@ -35,6 +35,10 @@
 #include <LYClean.h>
 #include <LYLeaks.h>
 
+#ifdef __GNUC__
+static void do_system(char *) __attribute__((unused));
+#endif
+
 static void do_system(char *command)
 {
     if (!isEmpty(command)) {
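Review bot: the `__attribute__((unused))` prototype only suppresses the warning; if do_system() really has no caller in some configurations, wrapping its definition in the same conditional as the caller removes dead code instead of hiding it, and avoids a second copy of the signature that must be kept in sync with the definition below.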


***>> Why not enable these by default?

Index: lynx.cfg
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/lynx.cfg,v
retrieving revision 1.1.109.10
retrieving revision 1.17
diff -u -p -r1.1.109.10 -r1.17
--- lynx.cfg    10 Nov 2006 20:04:53 -0000      1.1.109.10
+++ lynx.cfg    7 Feb 2007 22:30:10 -0000       1.17
@@ -3333,26 +3324,26 @@ COLOR:6:brightred:black
 #ENABLE_LYNXRC:emacs_keys:ON
 #ENABLE_LYNXRC:file_editor:ON
 #ENABLE_LYNXRC:file_sorting_method:ON
-#ENABLE_LYNXRC:force_cookie_prompt:OFF
-#ENABLE_LYNXRC:force_ssl_prompt:OFF
+ENABLE_LYNXRC:force_cookie_prompt:ON
+ENABLE_LYNXRC:force_ssl_prompt:ON
 #ENABLE_LYNXRC:kblayout:ON
 #ENABLE_LYNXRC:keypad_mode:ON
 #ENABLE_LYNXRC:lineedit_mode:ON
 #ENABLE_LYNXRC:locale_charset:ON
-#ENABLE_LYNXRC:make_links_for_all_images:OFF
-#ENABLE_LYNXRC:make_pseudo_alts_for_inlines:OFF
+ENABLE_LYNXRC:make_links_for_all_images:ON
+ENABLE_LYNXRC:make_pseudo_alts_for_inlines:ON
 #ENABLE_LYNXRC:multi_bookmark:ON
 #ENABLE_LYNXRC:personal_mail_address:ON
 #ENABLE_LYNXRC:preferred_charset:ON
-#ENABLE_LYNXRC:preferred_encoding:OFF
+ENABLE_LYNXRC:preferred_encoding:ON
 #ENABLE_LYNXRC:preferred_language:ON
-#ENABLE_LYNXRC:preferred_media_types:OFF
+ENABLE_LYNXRC:preferred_media_types:ON
 #ENABLE_LYNXRC:raw_mode:OFF
 #ENABLE_LYNXRC:run_all_execution_links:ON
 #ENABLE_LYNXRC:run_execution_links_on_local_files:ON
 #ENABLE_LYNXRC:scrollbar:OFF
 #ENABLE_LYNXRC:select_popups:ON
-#ENABLE_LYNXRC:set_cookies:OFF
+ENABLE_LYNXRC:set_cookies:ON
 #ENABLE_LYNXRC:show_color:ON
 #ENABLE_LYNXRC:show_cursor:ON
 #ENABLE_LYNXRC:show_dotfiles:ON
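Review bot: turning on ENABLE_LYNXRC for force_ssl_prompt and set_cookies lets every user persist those settings in .lynxrc; for force_ssl_prompt that means a user can choose to answer the prompt shown when a server certificate fails verification automatically rather than being asked, which undercuts the certificate checks the HTTP.c diff in this same mail is strengthening. Shipping the sample lynx.cfg with these left commented out (the installation-wide default) keeps that decision with the administrator; if the change stays, it should be called out in the changelog so site admins know to override it.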

***>> Cosmetics, should go in

Index: lynx.man
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/lynx.man,v
retrieving revision 1.1.109.4
retrieving revision 1.5
diff -u -p -r1.1.109.4 -r1.5
--- lynx.man    10 Nov 2006 20:04:53 -0000      1.1.109.4
+++ lynx.man    10 Nov 2006 20:19:26 -0000      1.5
@@ -1,6 +1,6 @@
 .nr N -1
 .nr D 5
-.TH LYNX 1 Local
+.TH LYNX 1
 .SH NAME
 lynx \- a general purpose distributed information browser for the World Wide 
Web
 .SH SYNOPSIS

***>> Major X.509 certificate validation overhaul, should go in after
        having been tested (or patched) to work with gnutls. Changes:
        - peer certificate is cached, no need to call SSL_get_peer_certificate()
          twice
        - support foo.domain:port and [ip.add.re.ss] and [ip.add.re.ss]:port
          and [i:p:v:6:ad:dr:es:s] and [i:p:v:6:ad:dr:es:s]:port
        - add support for checking X.509v3 SubjectAltName extensions (of type
          DNS - tested - and IP - untested) when the X.509 commonName check
          fails; this might break gnutls unless they offer the same functions
        - when displaying a list of failed CNs, change format from foo:bar:baz
          to CN<foo>:CN<bar>:CN<baz>:SAN<DNS=foo>:SAN<IP=1.2.3.4> so that we
          know where what comes from (in "Your recent statusline messages")
        - if the peer certificate can *NOT* be verified, output a message to
          the log as well
        - fix a possible use of an uninitialised value ssl_all_cns
        - output certificate issuer to the logs as well (so that you can,
          before entering your online banking PIN, see if the certificate
          has been issued not only _to_ your bank but also _from_ a place
          you trust, in case /etc/ssl/certs/ contains a lot of Root CA certs)

Index: WWW/Library/Implementation/HTTP.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c,v
retrieving revision 1.1.109.4
retrieving revision 1.11
diff -u -p -r1.1.109.4 -r1.11
--- WWW/Library/Implementation/HTTP.c   13 Sep 2006 19:11:36 -0000      
1.1.109.4
+++ WWW/Library/Implementation/HTTP.c   18 Apr 2007 12:15:05 -0000      1.11
@@ -42,6 +42,10 @@
 #include <LYrcFile.h>
 #include <LYLeaks.h>
 
+#ifdef USE_SSL
+#include <openssl/x509v3.h>
+#endif
+
 struct _HTStream {
     HTStreamClass *isa;
 };
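Review bot: `#include <openssl/x509v3.h>` under `#ifdef USE_SSL` will break builds where USE_SSL is provided by gnutls (the same function uses `USE_GNUTLS_INCL` to tell the two apart), because that header, together with X509_get_ext_d2i() and the GENERAL_NAME stack macros used further down, belongs to OpenSSL proper. Guard the include, and the SubjectAltName block that depends on it, with `#if defined(USE_SSL) && !defined(USE_GNUTLS_INCL)` until a gnutls equivalent is written; this is exactly the point the cover letter asks gnutls users to check.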
@@ -479,6 +483,7 @@ static int HTLoadHTTP(const char *arg,
     const char *connect_url = NULL;    /* The URL being proxied */
     char *connect_host = NULL; /* The host being proxied */
     SSL *handle = NULL;                /* The SSL handle */
+    X509 *peer_cert;           /* The peer certificate */
     char ssl_dn[1024];
     char *cert_host;
     char *ssl_host;
@@ -486,7 +491,7 @@ static int HTLoadHTTP(const char *arg,
     char *msg = NULL;
     int status_sslcertcheck;
     char *ssl_dn_start;
-    char *ssl_all_cns;
+    char *ssl_all_cns = NULL;
 
 #ifdef USE_GNUTLS_INCL
     int ret;
@@ -689,7 +694,8 @@ static int HTLoadHTTP(const char *arg,
        }
 #endif
 
-       
X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(handle)),
+       X509_NAME_oneline(X509_get_subject_name(peer_cert =
+                                               
SSL_get_peer_certificate(handle)),
 #ifndef USE_GNUTLS_INCL
                          ssl_dn, sizeof(ssl_dn));
 #else
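Review bot: assigning peer_cert inside the argument list hides a NULL path: SSL_get_peer_certificate() returns NULL when the peer presented no certificate, and X509_get_subject_name(NULL) then dereferences it. Do the assignment on its own line, `peer_cert = SSL_get_peer_certificate(handle);`, test for NULL and treat that as an unverified connection before touching the name, and remember that the returned X509 carries a reference the caller owns and must release with X509_free() (the old code leaked it per connection as well, but now there is a variable to free).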
@@ -719,12 +725,13 @@ static int HTLoadHTTP(const char *arg,
        /* initialise status information */
        status_sslcertcheck = 0;        /* 0 = no CN found in DN */
        ssl_dn_start = ssl_dn;
-       ssl_all_cns = NULL;
        /* get host we're connecting to */
        ssl_host = HTParse(url, "", PARSE_HOST);
-       /* strip port number */
-       if ((p = strchr(ssl_host, ':')) != NULL)
+       /* strip port number or extract hostname component */
+       if ((p = strchr(ssl_host, (ssl_host[0] == '[') ? ']' : ':')) != NULL)
            *p = '\0';
+       if (ssl_host[0] == '[')
+           ssl_host++;
        /* validate all CNs found in DN */
        while ((cert_host = strstr(ssl_dn_start, "/CN=")) != NULL) {
            status_sslcertcheck = 1;    /* 1 = could not verify CN */
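Review bot: `ssl_host++` advances the pointer returned by HTParse(), which is a freshly allocated string; any later FREE(ssl_host) would then pass a pointer one byte into the allocation, which is undefined behaviour. Keep the HTParse() result in its own variable and point a second pointer at the stripped name (or memmove the name down one byte) so the original can still be released. The `[` test on the first character is fine for both `[::1]` and `[::1]:8443`, since the `]` is overwritten before the pointer is advanced.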
@@ -736,13 +743,16 @@ static int HTLoadHTTP(const char *arg,
                ssl_dn_start = p;       /* yes this points to the NUL byte */
            } else
                ssl_dn_start = NULL;
-           /* strip port number */
-           if ((p = strchr(cert_host, ':')) != NULL)
+           /* strip port number (XXX [ip]:port encap here too? -TG) */
+           if ((p = strchr(cert_host,
+                           (cert_host[0] == '[') ? ']' : ':')) != NULL)
                *p = '\0';
+           if (cert_host[0] == '[')
+               cert_host++;
            /* verify this CN */
            if (!strcasecomp_asterisk(ssl_host, cert_host)) {
                status_sslcertcheck = 2;        /* 2 = verified peer */
-               /* I think this is cool to have in the logs --mirabilos */
+               /* I think this is cool to have in the logs -TG */
                HTSprintf0(&msg,
                           gettext("Verified connection to %s (cert=%s)"),
                           ssl_host, cert_host);
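Review bot: the CN loop still applies strcasecomp_asterisk() to every CN, including ones that hold an IP address, whereas the SubjectAltName code below deliberately uses an exact compare for GEN_IPADD; a wildcard CN should not be able to match an address. Detecting an address form of ssl_host (the bracket case is already recognised) and using strcasecomp() there would make the two paths consistent. The XXX about `[ip]:port` in a CN can be dropped: a CN is plain text, so the same strip logic applies, which is what this hunk already does.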
@@ -752,12 +762,12 @@ static int HTLoadHTTP(const char *arg,
                break;
            }
            /* add this CN to list of failed CNs */
-           if (ssl_all_cns == NULL) {
-               StrAllocCopy(ssl_all_cns, cert_host);
-           } else {
-               StrAllocCat(ssl_all_cns, ":");
-               StrAllocCat(ssl_all_cns, cert_host);
-           }
+           if (ssl_all_cns == NULL)
+               StrAllocCopy(ssl_all_cns, "CN<");
+           else
+               StrAllocCat(ssl_all_cns, ":CN<");
+           StrAllocCat(ssl_all_cns, cert_host);
+           StrAllocCat(ssl_all_cns, ">");
            /* if we cannot retry, don't try it */
            if (ssl_dn_start == NULL)
                break;
@@ -765,6 +775,64 @@ static int HTLoadHTTP(const char *arg,
            *ssl_dn_start = '/';        /* formerly NUL byte */
        }
 
+       /* check the X.509v3 Subject Alternative Name */
+       if (status_sslcertcheck < 2) {
+               STACK_OF(GENERAL_NAME) *gens;
+               int i, numalts;
+               const GENERAL_NAME *gn;
+
+               if ((gens = X509_get_ext_d2i(peer_cert, NID_subject_alt_name,
+                   NULL, NULL)) != NULL) {
+                       numalts = sk_GENERAL_NAME_num(gens);
+                       for (i = 0; i < numalts; ++i) {
+                               gn = sk_GENERAL_NAME_value(gens, i);
+                               if (gn->type == GEN_DNS)
+                                       cert_host = ASN1_STRING_data(gn->d.ia5);
+                               else if (gn->type == GEN_IPADD) {
+                                       /* XXX untested -TG */
+                                       size_t j = 
ASN1_STRING_length(gn->d.ia5);
+                                       cert_host = malloc(j + 1);
+                                       memcpy(cert_host, 
ASN1_STRING_data(gn->d.ia5), j);
+                                       cert_host[j] = '\0';
+                               } else
+                                       continue;
+                               status_sslcertcheck = 1;        /* got at least 
one */
+                               /* verify this SubjectAltName (see above) */
+                               if ((p = strchr(cert_host,
+                                   (cert_host[0] == '[') ? ']' : ':')) != NULL)
+                                       *p = '\0';
+                               if (cert_host[0] == '[')
+                                       cert_host++;
+                               if (!(gn->type == GEN_IPADD ? strcasecomp :
+                                   strcasecomp_asterisk)(ssl_host, cert_host)) 
{
+                                       status_sslcertcheck = 2;
+                                       HTSprintf0(&msg,
+                                                  gettext("Verified connection 
to %s (subj=%s)"),
+                                                  ssl_host, cert_host);
+                                       _HTProgress(msg);
+                                       FREE(msg);
+                                       if (gn->type == GEN_IPADD)
+                                               free(cert_host);
+                                       break;
+                               }
+                               /* add to list of failed CNs */
+                               if (ssl_all_cns == NULL)
+                                       StrAllocCopy(ssl_all_cns, "SAN<");
+                               else
+                                       StrAllocCat(ssl_all_cns, ":SAN<");
+                               if (gn->type == GEN_DNS)
+                                       StrAllocCat(ssl_all_cns, "DNS=");
+                               else if (gn->type == GEN_IPADD)
+                                       StrAllocCat(ssl_all_cns, "IP=");
+                               StrAllocCat(ssl_all_cns, cert_host);
+                               StrAllocCat(ssl_all_cns, ">");
+                               if (gn->type == GEN_IPADD)
+                                       free(cert_host);
+                       }
+                       sk_GENERAL_NAME_free(gens);
+               }
+       }
+
        /* if an error occurred, format the appropriate message */
        if (status_sslcertcheck == 0) {
            HTSprintf0(&msg, SSL_FORCED_PROMPT,
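Review bot: the GEN_IPADD branch cannot succeed as written: an iPAddress GeneralName holds 4 or 16 raw octets, not text, so copying them into cert_host and running strcasecomp() against the textual ssl_host never matches (and the `:` strip may cut the binary short). Convert with inet_ntop() into a local buffer, or compare the octets against inet_pton() of ssl_host. In the GEN_DNS branch ASN1_STRING_data() is used as a C string; compare ASN1_STRING_length() with strlen() first so a name with an embedded NUL is not matched on its prefix, and copy into a local buffer instead of writing `*p = '\0'` into OpenSSL's decoded structure. The malloc() result is unchecked, and sk_GENERAL_NAME_free() frees only the stack, so the elements returned by X509_get_ext_d2i() leak; use `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)`. Finally, the SAN list is only consulted after every CN has failed; RFC 2818 wants dNSName entries used instead of the CN whenever any are present, so running this block first and falling back to CN only when the certificate has no dNSName would match what other clients do.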
@@ -783,8 +851,17 @@ static int HTLoadHTTP(const char *arg,
                FREE(ssl_all_cns);
                goto done;
            }
+           HTSprintf0(&msg,
+                      gettext("UNVERIFIED connection to %s (cert=%s)"),
+                      ssl_host, ssl_all_cns ? ssl_all_cns : "NONE");
+           _HTProgress(msg);
+           FREE(msg);
        }
 
+       X509_NAME_oneline(X509_get_issuer_name(peer_cert), ssl_dn, sizeof 
(ssl_dn));
+       HTSprintf0(&msg, gettext("Certificate issued by: %s"), ssl_dn);
+       _HTProgress(msg);
+       FREE(msg);
        HTSprintf0(&msg,
                   gettext("Secure %d-bit %s (%s) HTTP connection"),
                   SSL_get_cipher_bits(handle, NULL),
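Review bot: peer_cert is still live after X509_get_issuer_name(peer_cert); add `X509_free(peer_cert);` once the issuer line has been logged, since SSL_get_peer_certificate() hands back a reference the caller owns. Also check that ssl_all_cns is released on the new UNVERIFIED path the way it is on the `goto done` path just above it, and note that reusing ssl_dn for the issuer leaves ssl_dn_start and cert_host pointing at stale content, which is fine only as long as nothing below this point still reads them.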


***>> No idea about this, but you might want it?

Index: samples/lynx.lss
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/samples/lynx.lss,v
retrieving revision 1.1.109.3
retrieving revision 1.3
diff -u -p -r1.1.109.3 -r1.3
--- samples/lynx.lss    20 Sep 2006 21:51:41 -0000      1.1.109.3
+++ samples/lynx.lss    20 Sep 2006 22:03:17 -0000      1.3
@@ -6,7 +6,7 @@
 # If you really want the terminal's default colors, and if lynx is built using
 # ncurses' default-color support, remove these two lines:
 normal:                normal:                 lightgray:black
-default:       normal:                 white:black
+default:       normal:                 lightgray:black
 
 # Normal type styles correspond to HTML tags.
 #

***>> what's this, is this already in dev.4?

Index: src/LYEdit.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/src/LYEdit.c,v
retrieving revision 1.1.109.1
retrieving revision 1.2
diff -u -p -r1.1.109.1 -r1.2
--- src/LYEdit.c        27 Mar 2005 22:12:09 -0000      1.1.109.1
+++ src/LYEdit.c        13 Feb 2007 18:57:47 -0000      1.2
@@ -247,7 +247,7 @@ void edit_temporary_file(char *filename,
            CTRACE((tfp, "ExtEditForm: system() returned %d (0x%x), %s\n",
                    rv, rv, errno ? LYStrerror(errno) : "reason unknown"));
            LYFixCursesOn("show error warning:");
-           if (rv != -1 && (rv && 0xff) && !rvhi) {
+           if (rv != -1 && (rv & 0xff) && !rvhi) {
                HTAlwaysAlert(NULL, gettext("Editor killed by signal"));
            } else if (!(rv == -1 || (rvhi == 127 && errno))) {
                HTUserMsg2(gettext("Editor returned with error status, %s"),
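Review bot: correct fix; `rv && 0xff` was a logical AND, true for any non-zero rv, so "Editor killed by signal" was raised for every non-zero exit status. The intent reads more clearly with the wait macros, `if (rv != -1 && WIFSIGNALED(rv))` and WEXITSTATUS(rv) in place of rvhi, which also stops hard-coding the 0xff and 127 layout of the status word.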

***>> switch KANJI_CODE_OVERRIDE from Ctrl-L to capital J (LYK_JUMP is
        still mapped to lower-case J key even if KANJI_CODE_OVERRIDE is
        enabled, and I _do_ need ^L fairly often to redraw the screen
        _especially_ in unicode mode…) please apply this (and probably
        add a heads-up to the docs)

Index: src/LYKeymap.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/src/LYKeymap.c,v
retrieving revision 1.1.109.3
retrieving revision 1.4
diff -u -p -r1.1.109.3 -r1.4
--- src/LYKeymap.c      2 Jun 2006 19:17:39 -0000       1.1.109.3
+++ src/LYKeymap.c      2 Jun 2006 19:32:54 -0000       1.4
@@ -72,14 +74,8 @@ LYK_ABORT,          LYK_END,        LYK_
 LYK_HISTORY,    LYK_FASTFORW_LINK,  LYK_ACTIVATE,  LYK_COOKIE_JAR,
 /* bs */            /* ht */        /* nl */       /* ^K */
 
-#ifdef KANJI_CODE_OVERRIDE
-LYK_CHG_KCODE,    LYK_ACTIVATE,     LYK_DOWN_TWO,      0,
-/* ^L */            /* cr */        /* ^N */       /* ^O */
-
-#else
 LYK_REFRESH,      LYK_ACTIVATE,     LYK_DOWN_TWO,      0,
 /* ^L */            /* cr */        /* ^N */       /* ^O */
-#endif
 
 LYK_UP_TWO,       LYK_CHG_CENTER,   LYK_RELOAD,    LYK_TO_CLIPBOARD,
 /* ^P */            /* XON */       /* ^R */       /* ^S */
@@ -128,8 +124,14 @@ LYK_RAW_TOGGLE,      LYK_ADDRLIST, LYK_P
 LYK_DOWNLOAD,        LYK_ELGOTO,  LYK_DIRED_MENU,   LYK_ECGOTO,
 /* D */              /* E */         /* F */        /* G */
 
+#ifdef KANJI_CODE_OVERRIDE
+LYK_HELP,            LYK_INDEX,      LYK_CHG_KCODE, LYK_KEYMAP,
+/* H */              /* I */         /* J */        /* K */
+
+#else
 LYK_HELP,            LYK_INDEX,      LYK_JUMP,      LYK_KEYMAP,
 /* H */              /* I */         /* J */        /* K */
+#endif
 
 LYK_LIST,          LYK_MAIN_MENU,    LYK_PREV,      LYK_OPTIONS,
 /* L */              /* M */         /* N */        /* O */
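Review bot: with KANJI_CODE_OVERRIDE defined the capital-J slot now carries LYK_CHG_KCODE, so that build loses J for LYK_JUMP (lower-case j keeps it, as the cover note says); the keystroke documentation and the KEYMAP help page that list J as jump should be updated in the same patch rather than as a follow-up, so the two do not drift apart.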

***>> support iconv libraries without support for //TRANSLIT coding,
        such as Citrus iconv, found in NetBSD(R) and MirBSD, please apply

Index: src/UCdomap.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/lynx/src/UCdomap.c,v
retrieving revision 1.1.109.4
retrieving revision 1.4
diff -u -p -r1.1.109.4 -r1.4
--- src/UCdomap.c       2 Jun 2006 19:17:59 -0000       1.1.109.4
+++ src/UCdomap.c       2 Jun 2006 20:14:37 -0000       1.4
@@ -952,7 +952,9 @@ int UCTransUniCharStr(char *outbuf,
            HTSprintf0(&tocode, "%s//TRANSLIT", 
LYCharSet_UC[charset_out].MIMEname);
            cd = iconv_open(tocode, "UTF-16BE");
            FREE(tocode)
-               rc = iconv(cd, &pin, &inleft, &pout, &outleft);
+           if (cd == (iconv_t)-1)
+               cd = iconv_open(LYCharSet_UC[charset_out].MIMEname, "UTF-16BE");
+           rc = iconv(cd, &pin, &inleft, &pout, &outleft);
            iconv_close(cd);
            if ((pout - outbuf) == 3) {
                CTRACE((tfp,
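Review bot: if the fallback iconv_open() also fails, cd is still (iconv_t)-1 and the code goes on to call iconv() and iconv_close() on it; add a second `if (cd == (iconv_t)-1)` check that skips the conversion (or returns an error) before the iconv() call. A CTRACE line noting that //TRANSLIT was unavailable would also help when diagnosing output on Citrus iconv.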
_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev
