Fossil SCM
Cache passphrase for protected PEM files to avoid having to re-type passphrase for each new https connection.
Commit
0c0392af3db7f5d4a1374460f77386333420d1d5
Parent
e4ebc85e66cf8da…
1 file changed
+27
+27
| --- src/http_ssl.c | ||
| +++ src/http_ssl.c | ||
| @@ -70,10 +70,11 @@ | ||
| 70 | 70 | static int sslIsInit = 0; /* True after global initialization */ |
| 71 | 71 | static BIO *iBio; /* OpenSSL I/O abstraction */ |
| 72 | 72 | static char *sslErrMsg = 0; /* Text of most recent OpenSSL error */ |
| 73 | 73 | static SSL_CTX *sslCtx; /* SSL context */ |
| 74 | 74 | static SSL *ssl; |
| 75 | +static char *pempasswd = 0; /* Passphrase used to unlock key */ | |
| 75 | 76 | |
| 76 | 77 | |
| 77 | 78 | /* |
| 78 | 79 | ** Clear the SSL error message |
| 79 | 80 | */ |
| @@ -97,10 +98,34 @@ | ||
| 97 | 98 | ** Return the current SSL error message |
| 98 | 99 | */ |
| 99 | 100 | const char *ssl_errmsg(void){ |
| 100 | 101 | return sslErrMsg; |
| 101 | 102 | } |
| 103 | + | |
| 104 | +/* | |
| 105 | +** Called by SSL when a passphrase protected file needs to be unlocked. | |
| 106 | +** We cache the passphrase so the user doesn't have to re-enter it for each new | |
| 107 | +** connection. | |
| 108 | +*/ | |
| 109 | +static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata){ | |
| 110 | + if( userdata==0 ){ | |
| 111 | + Blob passwd; | |
| 112 | + prompt_for_password("\nPEM unlock passphrase: ", &passwd, 0); | |
| 113 | + strncpy(buf, (char *)blob_str(&passwd), size); | |
| 114 | + buf[size-1] = '\0'; | |
| 115 | + blob_reset(&passwd); | |
| 116 | + pempasswd = strdup(buf); | |
| 117 | + if( !pempasswd ){ | |
| 118 | + fossil_panic("Unable to allocate memory for PEM passphrase."); | |
| 119 | + } | |
| 120 | + SSL_CTX_set_default_passwd_cb_userdata(sslCtx, pempasswd); | |
| 121 | + }else{ | |
| 122 | + strncpy(buf, (char *)userdata, size); | |
| 123 | + } | |
| 124 | + | |
| 125 | + return strlen(buf); | |
| 126 | +} | |
| 102 | 127 | |
| 103 | 128 | /* |
| 104 | 129 | ** Call this routine once before any other use of the SSL interface. |
| 105 | 130 | ** This routine does initial configuration of the SSL module. |
| 106 | 131 | */ |
| @@ -110,10 +135,12 @@ | ||
| 110 | 135 | SSL_load_error_strings(); |
| 111 | 136 | ERR_load_BIO_strings(); |
| 112 | 137 | OpenSSL_add_all_algorithms(); |
| 113 | 138 | sslCtx = SSL_CTX_new(SSLv23_client_method()); |
| 114 | 139 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 140 | + SSL_CTX_set_default_passwd_cb(sslCtx, ssl_passwd_cb); | |
| 141 | + SSL_CTX_set_default_passwd_cb_userdata(sslCtx, NULL); | |
| 115 | 142 | sslIsInit = 1; |
| 116 | 143 | } |
| 117 | 144 | } |
| 118 | 145 | |
| 119 | 146 | /* |
| 120 | 147 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -70,10 +70,11 @@ | |
| 70 | static int sslIsInit = 0; /* True after global initialization */ |
| 71 | static BIO *iBio; /* OpenSSL I/O abstraction */ |
| 72 | static char *sslErrMsg = 0; /* Text of most recent OpenSSL error */ |
| 73 | static SSL_CTX *sslCtx; /* SSL context */ |
| 74 | static SSL *ssl; |
| 75 | |
| 76 | |
| 77 | /* |
| 78 | ** Clear the SSL error message |
| 79 | */ |
| @@ -97,10 +98,34 @@ | |
| 97 | ** Return the current SSL error message |
| 98 | */ |
| 99 | const char *ssl_errmsg(void){ |
| 100 | return sslErrMsg; |
| 101 | } |
| 102 | |
| 103 | /* |
| 104 | ** Call this routine once before any other use of the SSL interface. |
| 105 | ** This routine does initial configuration of the SSL module. |
| 106 | */ |
| @@ -110,10 +135,12 @@ | |
| 110 | SSL_load_error_strings(); |
| 111 | ERR_load_BIO_strings(); |
| 112 | OpenSSL_add_all_algorithms(); |
| 113 | sslCtx = SSL_CTX_new(SSLv23_client_method()); |
| 114 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 115 | sslIsInit = 1; |
| 116 | } |
| 117 | } |
| 118 | |
| 119 | /* |
| 120 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -70,10 +70,11 @@ | |
| 70 | static int sslIsInit = 0; /* True after global initialization */ |
| 71 | static BIO *iBio; /* OpenSSL I/O abstraction */ |
| 72 | static char *sslErrMsg = 0; /* Text of most recent OpenSSL error */ |
| 73 | static SSL_CTX *sslCtx; /* SSL context */ |
| 74 | static SSL *ssl; |
| 75 | static char *pempasswd = 0; /* Passphrase used to unlock key */ |
| 76 | |
| 77 | |
| 78 | /* |
| 79 | ** Clear the SSL error message |
| 80 | */ |
| @@ -97,10 +98,34 @@ | |
| 98 | ** Return the current SSL error message |
| 99 | */ |
| 100 | const char *ssl_errmsg(void){ |
| 101 | return sslErrMsg; |
| 102 | } |
| 103 | |
| 104 | /* |
| 105 | ** Called by SSL when a passphrase protected file needs to be unlocked. |
| 106 | ** We cache the passphrase so the user doesn't have to re-enter it for each new |
| 107 | ** connection. |
| 108 | */ |
| 109 | static int ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata){ |
| 110 | if( userdata==0 ){ |
| 111 | Blob passwd; |
| 112 | prompt_for_password("\nPEM unlock passphrase: ", &passwd, 0); |
| 113 | strncpy(buf, (char *)blob_str(&passwd), size); |
| 114 | buf[size-1] = '\0'; |
| 115 | blob_reset(&passwd); |
| 116 | pempasswd = strdup(buf); |
| 117 | if( !pempasswd ){ |
| 118 | fossil_panic("Unable to allocate memory for PEM passphrase."); |
| 119 | } |
| 120 | SSL_CTX_set_default_passwd_cb_userdata(sslCtx, pempasswd); |
| 121 | }else{ |
| 122 | strncpy(buf, (char *)userdata, size); |
| 123 | } |
| 124 | |
| 125 | return strlen(buf); |
| 126 | } |
| 127 | |
| 128 | /* |
| 129 | ** Call this routine once before any other use of the SSL interface. |
| 130 | ** This routine does initial configuration of the SSL module. |
| 131 | */ |
| @@ -110,10 +135,12 @@ | |
| 135 | SSL_load_error_strings(); |
| 136 | ERR_load_BIO_strings(); |
| 137 | OpenSSL_add_all_algorithms(); |
| 138 | sslCtx = SSL_CTX_new(SSLv23_client_method()); |
| 139 | X509_STORE_set_default_paths(SSL_CTX_get_cert_store(sslCtx)); |
| 140 | SSL_CTX_set_default_passwd_cb(sslCtx, ssl_passwd_cb); |
| 141 | SSL_CTX_set_default_passwd_cb_userdata(sslCtx, NULL); |
| 142 | sslIsInit = 1; |
| 143 | } |
| 144 | } |
| 145 | |
| 146 | /* |
| 147 |