tls: fix reading a loaded cert to be used with fossil server --tls repo.fossil
Commit
81c486badfaa806b6bd00bdf62ab1b7f4b887b48bf6c2bc249c5fe68b30c46e9
Parent
c2562490d491a65…
1 file changed
+47
-12
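--- a/src/main.c
+++ b/src/main.c
@@ -2589,10 +2589,26 @@
 }
 }
 #endif
 @ %d(GETPID())
 }
+
+/*
+** Initialize the SSL decoder.
+*/
+static void init_ssl_decoder(const char *zCertFile, int tls){
+#if FOSSIL_ENABLE_SSL
+  if( zCertFile ){
+    g.httpUseSSL = 1;
+    ssl_init_server(zCertFile, zCertFile);
+  }
+  if( 1 == tls ){
+    g.httpUseSSL = 1;
+    ssl_init_server(0,0);
+  }
+#endif
+}
 
 /*
 ** Check for options to "fossil server" or "fossil ui" that imply that
 ** SSL should be used, and initialize the SSL decoder.
 */
@@ -2599,16 +2615,14 @@
 static void decode_ssl_options(void){
 #if FOSSIL_ENABLE_SSL
   const char *zCertFile = 0;
   zCertFile = find_option("tls-cert-file",0,1);
   if( zCertFile ){
-    g.httpUseSSL = 1;
-    ssl_init_server(zCertFile, zCertFile);
+    init_ssl_decoder(zCertFile, 0);
   }
   if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){
-    g.httpUseSSL = 1;
-    ssl_init_server(0,0);
+    init_ssl_decoder(0, 1);
   }
 #endif
 }
 
 /*
@@ -3049,12 +3063,14 @@
   const char *zInitPage = 0; /* Start on this page. --page option */
   int findServerArg = 2; /* argv index for find_server_repository() */
   char *zRemote = 0; /* Remote host on which to run "fossil ui" */
   const char *zJsMode; /* The --jsmode parameter */
   const char *zFossilCmd =0; /* Name of "fossil" binary on remote system */
-
-
+#if FOSSIL_ENABLE_SSL
+  const char *zCertFile =0; /* Internal - TLS/SSL cert filename of the --tls-cert-file option */
+  int zTls =0; /* Internal - 1 = use a TLS/SSL cert that has been previously loaded by ssl-config load-cert command or 0 if no TLS / SSL has been loaeded */
+#endif
 #if defined(_WIN32)
   const char *zStopperFile; /* Name of file used to terminate server */
   zStopperFile = find_option("stopper", 0, 1);
 #endif
 
@@ -3096,14 +3112,22 @@
   if( zAltBase ){
     set_base_url(zAltBase);
   }
   g.sslNotAvailable = find_option("nossl", 0, 0)!=0 || isUiCmd;
   fNoBrowser = find_option("nobrowser", 0, 0)!=0;
-  decode_ssl_options();
-  if( find_option("https",0,0)!=0 || g.httpUseSSL ){
-    cgi_replace_parameter("HTTPS","on");
+
+  /*
+  ** get tls / ssl options, the calls that use these options need
+  ** access to the repo database which has not been found yet.
+  ** we get and store them now, as find_option removes them from
+  ** argv
+  */
+  zCertFile = find_option("tls-cert-file",0,1);
+  if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){
+    zTls = 1;
   }
+
   if( find_option("localhost", 0, 0)!=0 ){
     flags |= HTTP_SERVER_LOCALHOST;
   }
   g.zCkoutAlias = find_option("ckout-alias",0,1);
   g.zMainMenuFile = find_option("mainmenu",0,1);
@@ -3127,13 +3151,10 @@
   }
   /* We should be done with options.. */
   verify_all_options();
 
   if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?");
-  if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){
-    fossil_fatal("SCGI does not (yet) support TLS-encrypted connections");
-  }
   if( isUiCmd && 3==g.argc && file_isdir(g.argv[2], ExtFILE)>0 ){
     /* If REPOSITORY arg is the root of a checkout,
     ** chdir to that checkout so that the current version
     ** gets highlighted in the timeline by default. */
     const char * zDir = g.argv[2];
@@ -3166,10 +3187,24 @@
     allowRepoList = 1;
   }
   if( !zRemote ){
     find_server_repository(findServerArg, fCreate);
   }
+  /*
+  ** We need call enable TLS / SSL here as we need query the
+  ** repo database to access the certificate if its been loaded
+  **
+  ** The database has only just been found and made available
+  */
+  init_ssl_decoder(zCertFile, zTls);
+  if( find_option("https",0,0)!=0 || g.httpUseSSL ){
+    cgi_replace_parameter("HTTPS","on");
+  }
+  if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){
+    fossil_fatal("SCGI does not (yet) support TLS-encrypted connections");
+  }
+
   if( zInitPage==0 ){
     if( isUiCmd && g.localOpen ){
       zInitPage = "timeline?c=current";
     }else{
       zInitPage = "";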
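Review bot: `zCertFile` and `zTls` are declared only inside `#if FOSSIL_ENABLE_SSL` in the hunk at 3063, but the new assignments after `fNoBrowser = ...` (hunk at 3112) and the `init_ssl_decoder(zCertFile, zTls);` call at 3198 are unguarded, so a build without SSL no longer compiles unless a declaration outside these hunks covers them; the simplest fix is to drop the `#if`/`#endif` around the two declarations, since `init_ssl_decoder` already compiles to a no-op without SSL. The `find_option("https",0,0)` lookup has also moved from before `verify_all_options()` to after it (3199); if verify_all_options rejects options still present in argv, as its "We should be done with options" comment suggests, `--https` now fails instead of setting HTTPS=on, so capture it alongside `--tls`/`--ssl` at 3124 into a flag such as `int fHttps = find_option("https",0,0)!=0;` and test that flag at 3199. Minor: the `z` prefix is this file's convention for strings, so `int zTls` reads as a string; `int fTls` would match the surrounding `fNoBrowser`/`fCreate`, and its comment has `loaeded` for `loaded`. The enclosing server command function starts and ends outside these hunks.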
| --- src/main.c | |
| +++ src/main.c | |
| @@ -2589,10 +2589,26 @@ | |
| 2589 | } |
| 2590 | } |
| 2591 | #endif |
| 2592 | @ %d(GETPID()) |
| 2593 | } |
| 2594 | |
| 2595 | /* |
| 2596 | ** Check for options to "fossil server" or "fossil ui" that imply that |
| 2597 | ** SSL should be used, and initialize the SSL decoder. |
| 2598 | */ |
| @@ -2599,16 +2615,14 @@ | |
| 2599 | static void decode_ssl_options(void){ |
| 2600 | #if FOSSIL_ENABLE_SSL |
| 2601 | const char *zCertFile = 0; |
| 2602 | zCertFile = find_option("tls-cert-file",0,1); |
| 2603 | if( zCertFile ){ |
| 2604 | g.httpUseSSL = 1; |
| 2605 | ssl_init_server(zCertFile, zCertFile); |
| 2606 | } |
| 2607 | if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){ |
| 2608 | g.httpUseSSL = 1; |
| 2609 | ssl_init_server(0,0); |
| 2610 | } |
| 2611 | #endif |
| 2612 | } |
| 2613 | |
| 2614 | /* |
| @@ -3049,12 +3063,14 @@ | |
| 3049 | const char *zInitPage = 0; /* Start on this page. --page option */ |
| 3050 | int findServerArg = 2; /* argv index for find_server_repository() */ |
| 3051 | char *zRemote = 0; /* Remote host on which to run "fossil ui" */ |
| 3052 | const char *zJsMode; /* The --jsmode parameter */ |
| 3053 | const char *zFossilCmd =0; /* Name of "fossil" binary on remote system */ |
| 3054 | |
| 3055 | |
| 3056 | #if defined(_WIN32) |
| 3057 | const char *zStopperFile; /* Name of file used to terminate server */ |
| 3058 | zStopperFile = find_option("stopper", 0, 1); |
| 3059 | #endif |
| 3060 | |
| @@ -3096,14 +3112,22 @@ | |
| 3096 | if( zAltBase ){ |
| 3097 | set_base_url(zAltBase); |
| 3098 | } |
| 3099 | g.sslNotAvailable = find_option("nossl", 0, 0)!=0 || isUiCmd; |
| 3100 | fNoBrowser = find_option("nobrowser", 0, 0)!=0; |
| 3101 | decode_ssl_options(); |
| 3102 | if( find_option("https",0,0)!=0 || g.httpUseSSL ){ |
| 3103 | cgi_replace_parameter("HTTPS","on"); |
| 3104 | } |
| 3105 | if( find_option("localhost", 0, 0)!=0 ){ |
| 3106 | flags |= HTTP_SERVER_LOCALHOST; |
| 3107 | } |
| 3108 | g.zCkoutAlias = find_option("ckout-alias",0,1); |
| 3109 | g.zMainMenuFile = find_option("mainmenu",0,1); |
| @@ -3127,13 +3151,10 @@ | |
| 3127 | } |
| 3128 | /* We should be done with options.. */ |
| 3129 | verify_all_options(); |
| 3130 | |
| 3131 | if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?"); |
| 3132 | if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){ |
| 3133 | fossil_fatal("SCGI does not (yet) support TLS-encrypted connections"); |
| 3134 | } |
| 3135 | if( isUiCmd && 3==g.argc && file_isdir(g.argv[2], ExtFILE)>0 ){ |
| 3136 | /* If REPOSITORY arg is the root of a checkout, |
| 3137 | ** chdir to that checkout so that the current version |
| 3138 | ** gets highlighted in the timeline by default. */ |
| 3139 | const char * zDir = g.argv[2]; |
| @@ -3166,10 +3187,24 @@ | |
| 3166 | allowRepoList = 1; |
| 3167 | } |
| 3168 | if( !zRemote ){ |
| 3169 | find_server_repository(findServerArg, fCreate); |
| 3170 | } |
| 3171 | if( zInitPage==0 ){ |
| 3172 | if( isUiCmd && g.localOpen ){ |
| 3173 | zInitPage = "timeline?c=current"; |
| 3174 | }else{ |
| 3175 | zInitPage = ""; |
| 3176 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -2589,10 +2589,26 @@ | |
| 2589 | } |
| 2590 | } |
| 2591 | #endif |
| 2592 | @ %d(GETPID()) |
| 2593 | } |
| 2594 | |
| 2595 | /* |
| 2596 | ** Initialize the SSL decoder. |
| 2597 | */ |
| 2598 | static void init_ssl_decoder(const char *zCertFile, int tls){ |
| 2599 | #if FOSSIL_ENABLE_SSL |
| 2600 | if( zCertFile ){ |
| 2601 | g.httpUseSSL = 1; |
| 2602 | ssl_init_server(zCertFile, zCertFile); |
| 2603 | } |
| 2604 | if( 1 == tls ){ |
| 2605 | g.httpUseSSL = 1; |
| 2606 | ssl_init_server(0,0); |
| 2607 | } |
| 2608 | #endif |
| 2609 | } |
| 2610 | |
| 2611 | /* |
| 2612 | ** Check for options to "fossil server" or "fossil ui" that imply that |
| 2613 | ** SSL should be used, and initialize the SSL decoder. |
| 2614 | */ |
| @@ -2599,16 +2615,14 @@ | |
| 2615 | static void decode_ssl_options(void){ |
| 2616 | #if FOSSIL_ENABLE_SSL |
| 2617 | const char *zCertFile = 0; |
| 2618 | zCertFile = find_option("tls-cert-file",0,1); |
| 2619 | if( zCertFile ){ |
| 2620 | init_ssl_decoder(zCertFile, 0); |
| 2621 | } |
| 2622 | if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){ |
| 2623 | init_ssl_decoder(0, 1); |
| 2624 | } |
| 2625 | #endif |
| 2626 | } |
| 2627 | |
| 2628 | /* |
| @@ -3049,12 +3063,14 @@ | |
| 3063 | const char *zInitPage = 0; /* Start on this page. --page option */ |
| 3064 | int findServerArg = 2; /* argv index for find_server_repository() */ |
| 3065 | char *zRemote = 0; /* Remote host on which to run "fossil ui" */ |
| 3066 | const char *zJsMode; /* The --jsmode parameter */ |
| 3067 | const char *zFossilCmd =0; /* Name of "fossil" binary on remote system */ |
| 3068 | #if FOSSIL_ENABLE_SSL |
| 3069 | const char *zCertFile =0; /* Internal - TLS/SSL cert filename of the --tls-cert-file option */ |
| 3070 | int zTls =0; /* Internal - 1 = use a TLS/SSL cert that has been previously loaded by ssl-config load-cert command or 0 if no TLS / SSL has been loaeded */ |
| 3071 | #endif |
| 3072 | #if defined(_WIN32) |
| 3073 | const char *zStopperFile; /* Name of file used to terminate server */ |
| 3074 | zStopperFile = find_option("stopper", 0, 1); |
| 3075 | #endif |
| 3076 | |
| @@ -3096,14 +3112,22 @@ | |
| 3112 | if( zAltBase ){ |
| 3113 | set_base_url(zAltBase); |
| 3114 | } |
| 3115 | g.sslNotAvailable = find_option("nossl", 0, 0)!=0 || isUiCmd; |
| 3116 | fNoBrowser = find_option("nobrowser", 0, 0)!=0; |
| 3117 | |
| 3118 | /* |
| 3119 | ** get tls / ssl options, the calls that use these options need |
| 3120 | ** access to the repo database which has not been found yet. |
| 3121 | ** we get and store them now, as find_option removes them from |
| 3122 | ** argv |
| 3123 | */ |
| 3124 | zCertFile = find_option("tls-cert-file",0,1); |
| 3125 | if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){ |
| 3126 | zTls = 1; |
| 3127 | } |
| 3128 | |
| 3129 | if( find_option("localhost", 0, 0)!=0 ){ |
| 3130 | flags |= HTTP_SERVER_LOCALHOST; |
| 3131 | } |
| 3132 | g.zCkoutAlias = find_option("ckout-alias",0,1); |
| 3133 | g.zMainMenuFile = find_option("mainmenu",0,1); |
| @@ -3127,13 +3151,10 @@ | |
| 3151 | } |
| 3152 | /* We should be done with options.. */ |
| 3153 | verify_all_options(); |
| 3154 | |
| 3155 | if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?"); |
| 3156 | if( isUiCmd && 3==g.argc && file_isdir(g.argv[2], ExtFILE)>0 ){ |
| 3157 | /* If REPOSITORY arg is the root of a checkout, |
| 3158 | ** chdir to that checkout so that the current version |
| 3159 | ** gets highlighted in the timeline by default. */ |
| 3160 | const char * zDir = g.argv[2]; |
| @@ -3166,10 +3187,24 @@ | |
| 3187 | allowRepoList = 1; |
| 3188 | } |
| 3189 | if( !zRemote ){ |
| 3190 | find_server_repository(findServerArg, fCreate); |
| 3191 | } |
| 3192 | /* |
| 3193 | ** We need call enable TLS / SSL here as we need query the |
| 3194 | ** repo database to access the certificate if its been loaded |
| 3195 | ** |
| 3196 | ** The database has only just been found and made available |
| 3197 | */ |
| 3198 | init_ssl_decoder(zCertFile, zTls); |
| 3199 | if( find_option("https",0,0)!=0 || g.httpUseSSL ){ |
| 3200 | cgi_replace_parameter("HTTPS","on"); |
| 3201 | } |
| 3202 | if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){ |
| 3203 | fossil_fatal("SCGI does not (yet) support TLS-encrypted connections"); |
| 3204 | } |
| 3205 | |
| 3206 | if( zInitPage==0 ){ |
| 3207 | if( isUiCmd && g.localOpen ){ |
| 3208 | zInitPage = "timeline?c=current"; |
| 3209 | }else{ |
| 3210 | zInitPage = ""; |
| 3211 |