Package: links
Version: 2.10-1
Severity: normal
Tags: patch

Hello,

we have implemented a new experimental single signon for Debian based on client certificates:
https://lists.debian.org/debian-devel/2015/08/msg00539.html
and while evaluating its accessibility:
https://lists.debian.org/debian-accessibility/2015/08/msg00070.html
it turned out that at the moment no text-based browser supports it.

Let's fix that. Please find attached a patch that makes links work with client certificates.

With that patch applied, I can do:

  links2 https://contributors.debian.org
  (shows login button)

and:

  links2 -http.client_cert_key enrico.key -http.client_cert_crt enrico.crt https://contributors.debian.org
  (shows me logged in)

If you want to test it, you can go to https://sso.debian.org/spkac/enroll_manually/ to obtain a local key/crt pair for your Debian or Alioth account.

Enrico

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages links depends on:
ii  libbz2-1.0   1.0.6-8
ii  libc6        2.19-19
ii  libgpm2      1.20.4-6.1+b2
ii  liblzma5     5.1.1alpha+20120614-2.1
ii  libssl1.0.0  1.0.2d-1
ii  zlib1g       1:1.2.8.dfsg-2+b1

links recommends no packages.

links suggests no packages.

-- no debconf information

diff -Naur links2-2.10/default.c links2-2.10.patched/default.c --- links2-2.10/default.c 2015-08-27 16:22:08.000000000 +0200 +++ links2-2.10.patched/default.c 2015-08-27 16:23:20.778841403 +0200 @@ -1696,6 +1696,14 @@ " -http.fake-user-agent <string>\n" " Fake user agent value.\n" "\n" +" -http.client_cert_key <filename>\n" +" Name of the PEM encoded file with the user private key\n" +" for client certificate authentication.\n" +"\n" +" -http.client_cert_crt <filename>\n" +" Name of the PEM encoded file with the user certificate\n" +" for client certificate authentication.\n" +"\n" " -http.extra-header <string>\n" " Extra string added to HTTP header.\n" "\n" @@ -2122,6 +2130,8 @@ {1, gen_cmd, num_rd, num_wr, 0, 1, &http_options.header.fake_firefox, "fake_firefox", "http.fake-firefox"}, {1, gen_cmd, num_rd, num_wr, 0, 1, &http_options.header.do_not_track, "http_do_not_track", "http.do-not-track"}, {1, gen_cmd, num_rd, num_wr, 0, 4, &http_options.header.referer, "http_referer", "http.referer"}, + {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.client_cert_key, "client_cert_key", "http.client_cert_key"}, + {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.client_cert_crt, "client_cert_crt", "http.client_cert_crt"}, {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.fake_referer, "fake_referer", "http.fake-referer"}, {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.fake_useragent, "fake_useragent", "http.fake-user-agent"}, {1, gen_cmd, str_rd, str_wr, 0, MAX_STR_LEN, &http_options.header.extra_header, "http.extra_header", "http.extra-header"}, diff -Naur links2-2.10/https.c links2-2.10.patched/https.c --- links2-2.10/https.c 2015-08-27 16:22:08.000000000 +0200 +++ links2-2.10.patched/https.c 2015-08-27 16:23:53.875566921 +0200 
@@ -91,6 +91,10 @@ SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY); SSL_CTX_set_default_verify_paths(context); SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert); + if (http_options.client_cert_key[0]) + SSL_CTX_use_PrivateKey_file(context, http_options.client_cert_key, SSL_FILETYPE_PEM); + if (http_options.client_cert_crt[0]) + SSL_CTX_use_certificate_file(context, http_options.client_cert_crt, SSL_FILETYPE_PEM); } return (SSL_new(context)); diff -Naur links2-2.10/links.h links2-2.10.patched/links.h --- links2-2.10/links.h 2015-07-04 13:58:49.000000000 +0200 +++ links2-2.10.patched/links.h 2015-08-27 16:24:16.520063425 +0200 @@ -4526,6 +4526,8 @@ int no_compression; int retry_internal_errors; struct http_header_options header; + unsigned char client_cert_key[MAX_STR_LEN]; + unsigned char client_cert_crt[MAX_STR_LEN]; }; extern struct http_options http_options;
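
Review bot: the new option names in both default.c hunks use underscores (-http.client_cert_key, -http.client_cert_crt) while every neighbouring option visible in the help text and the option table uses hyphens (-http.fake-user-agent, -http.extra-header, http.do-not-track). Rename them to -http.client-cert-key and -http.client-cert-crt for consistency, and have the help text state that both a key and a certificate are needed for client authentication to work.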
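
Review bot: in the https.c hunk the return values of SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() are discarded, so a mistyped path, an unreadable file or a key that does not match the certificate leaves the user unauthenticated with no diagnostic. Check each call for a return of 1 and report the failure; loading the certificate first, then the key, and then calling SSL_CTX_check_private_key(context) catches a mismatched pair when the context is set up. Because the pair is installed on the shared context, it is offered to any HTTPS server that requests a client certificate, not only the site the user intended; consider restricting it per host, or at least say so in the option help.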
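
Review bot: in the links.h hunk the two buffers are declared unsigned char[MAX_STR_LEN], but the https.c hunk passes them directly to SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file(), whose file argument is const char *. That is a pointer-signedness mismatch that compilers warn about; add an explicit cast to const char * at both call sites.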