Added very basic client certificate support for https.
Commit
513ea81005b9292c16b3896c339de12081f029a8
Parent
cdc4249268b7114…
1 file changed
+36
+36
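--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -131,10 +131,13 @@
 int ssl_open(void){
  X509 *cert;
  int hasSavedCertificate = 0;
  char *connStr ;
  ssl_global_init();
+
+ /* If client certificate/key has been set, load them into the SSL context. */
+ load_client_authfiles();
 
  /* Get certificate for current server from global config and
  * (if we have it in config) add it to certificate store.
  */
  cert = ssl_get_certificate();
@@ -285,7 +288,40 @@
  N -= got;
  pContent = (void*)&((char*)pContent)[got];
  }
  return total;
 }
+
+/*
+** Read client certificate and key, if set, and store them in the SSL context
+** to allow communication with servers which are configured to verify client
+** certificates and certificate chains.
+** We only support PEM and don't support password protected keys.
+*/
+void load_client_authfiles(void)
+{
+ const char *certfile;
+ const char *keyfile;
+
+ certfile = getenv("FOSSIL_CCERT");
+ if( certfile == NULL )
+ return;
+
+ keyfile = getenv("FOSSIL_CKEY");
+
+ /* Assume the key is in the certificate file if key file was not specified */
+ if( certfile && !keyfile )
+ keyfile = certfile;
+
+ if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM) <= 0 ){
+ fossil_fatal("Unable to open client certificate in %s.", certfile);
+ }
+ if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM) <= 0 ){
+ fossil_fatal("Unable to open client key in %s.", keyfile);
+ }
+
+ if( !SSL_CTX_check_private_key(sslCtx) ){
+ fossil_fatal("Private key does not match the certificate public key.");
+ }
+}
 
 #endif /* FOSSIL_ENABLE_SSL */
 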
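Review bot: `SSL_CTX_use_certificate_file` on new line 315 loads only the first certificate found in `FOSSIL_CCERT`, so a client certificate issued by an intermediate CA is presented without its chain even though the header comment on lines 294-299 promises to work with servers that verify "certificate chains"; `SSL_CTX_use_certificate_chain_file(sslCtx, certfile)` reads the leaf plus any following intermediates from the same PEM file and would honor that promise. The `certfile &&` on line 312 is dead because line 306 already returned on NULL, so `if( !keyfile ) keyfile = certfile;` reads cleaner. The header comment should also name the inputs it reads, e.g. `** Paths come from the FOSSIL_CCERT and FOSSIL_CKEY environment variables; FOSSIL_CKEY defaults to FOSSIL_CCERT.` Since `load_client_authfiles` is called from `ssl_open` (line 138) before its definition at line 300, a prototype must be visible there; presumably Fossil's generated headers supply one, but it is worth confirming the function is meant to be exported rather than `static`.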
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -131,10 +131,13 @@ | |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr ; |
| 135 | ssl_global_init(); |
| 136 | |
| 137 | /* Get certificate for current server from global config and |
| 138 | * (if we have it in config) add it to certificate store. |
| 139 | */ |
| 140 | cert = ssl_get_certificate(); |
| @@ -285,7 +288,40 @@ | |
| 285 | N -= got; |
| 286 | pContent = (void*)&((char*)pContent)[got]; |
| 287 | } |
| 288 | return total; |
| 289 | } |
| 290 | |
| 291 | #endif /* FOSSIL_ENABLE_SSL */ |
| 292 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -131,10 +131,13 @@ | |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr ; |
| 135 | ssl_global_init(); |
| 136 | |
| 137 | /* If client certificate/key has been set, load them into the SSL context. */ |
| 138 | load_client_authfiles(); |
| 139 | |
| 140 | /* Get certificate for current server from global config and |
| 141 | * (if we have it in config) add it to certificate store. |
| 142 | */ |
| 143 | cert = ssl_get_certificate(); |
| @@ -285,7 +288,40 @@ | |
| 288 | N -= got; |
| 289 | pContent = (void*)&((char*)pContent)[got]; |
| 290 | } |
| 291 | return total; |
| 292 | } |
| 293 | |
| 294 | /* |
| 295 | ** Read client certificate and key, if set, and store them in the SSL context |
| 296 | ** to allow communication with servers which are configured to verify client |
| 297 | ** certificates and certificate chains. |
| 298 | ** We only support PEM and don't support password protected keys. |
| 299 | */ |
| 300 | void load_client_authfiles(void) |
| 301 | { |
| 302 | const char *certfile; |
| 303 | const char *keyfile; |
| 304 | |
| 305 | certfile = getenv("FOSSIL_CCERT"); |
| 306 | if( certfile == NULL ) |
| 307 | return; |
| 308 | |
| 309 | keyfile = getenv("FOSSIL_CKEY"); |
| 310 | |
| 311 | /* Assume the key is in the certificate file if key file was not specified */ |
| 312 | if( certfile && !keyfile ) |
| 313 | keyfile = certfile; |
| 314 | |
| 315 | if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM) <= 0 ){ |
| 316 | fossil_fatal("Unable to open client certificate in %s.", certfile); |
| 317 | } |
| 318 | if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM) <= 0 ){ |
| 319 | fossil_fatal("Unable to open client key in %s.", keyfile); |
| 320 | } |
| 321 | |
| 322 | if( !SSL_CTX_check_private_key(sslCtx) ){ |
| 323 | fossil_fatal("Private key does not match the certificate public key."); |
| 324 | } |
| 325 | } |
| 326 | |
| 327 | #endif /* FOSSIL_ENABLE_SSL */ |
| 328 |