Check-in [81c486badf]
Overview
Comment:tls: fix reading a loaded cert to be used with fossil server --tls repo.fossil talked about in forum thread https://fossil-scm.org/forum/forumpost/46f7dfc63f
SHA3-256: 81c486badfaa806b6bd00bdf62ab1b7f4b887b48bf6c2bc249c5fe68b30c46e9
User & Date: rdb 2022-01-15 16:44:32.457
Original Comment: tls: fix reading a loaded cert to be used with fossil server --tls repo.fossil
Context
2022-01-15
16:49
add FOSSIL_ENABLE_SSL guards to new code ... (check-in: 9c68e9f8ca user: rdb tags: tls-server-fix)
16:44
tls: fix reading a loaded cert to be used with fossil server --tls repo.fossil talked about in forum thread https://fossil-scm.org/forum/forumpost/46f7dfc63f ... (check-in: 81c486badf user: rdb tags: tls-server-fix)
08:33
tls: fixes fossil ssl-config load-cert --filename so that the cert and keys are combined and stored in the config table. fossil ui --tls and fossil server --tls now reads the certificate from the config table field ssl-cert. ... (check-in: c2562490d4 user: rdb tags: tls-server-fix)
Changes
Changes to src/main.c.
2587
2588
2589
2590
2591
2592
2593
















2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
        return;
      }
    }
  }
#endif
  @ %d(GETPID())
}

















/*
** Check for options to "fossil server" or "fossil ui" that imply that
** SSL should be used, and initialize the SSL decoder.
*/
static void decode_ssl_options(void){
#if FOSSIL_ENABLE_SSL
  const char *zCertFile = 0;
  zCertFile = find_option("tls-cert-file",0,1);
  if( zCertFile ){
    g.httpUseSSL = 1;
    ssl_init_server(zCertFile, zCertFile);
  }
  if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){
    g.httpUseSSL = 1;
    ssl_init_server(0,0);
  }
#endif
}

/*
** COMMAND: http*
**







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>










<
|


<
|







2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619

2620
2621
2622

2623
2624
2625
2626
2627
2628
2629
2630
        return;
      }
    }
  }
#endif
  @ %d(GETPID())
}

/*
** Initialize the SSL decoder.
*/
static void init_ssl_decoder(const char *zCertFile, int tls){
#if FOSSIL_ENABLE_SSL
  if( zCertFile ){
    g.httpUseSSL = 1;
    ssl_init_server(zCertFile, zCertFile);
  }
  if( 1 == tls ){
    g.httpUseSSL = 1;
    ssl_init_server(0,0);
  }
#endif
}

/*
** Check for options to "fossil server" or "fossil ui" that imply that
** SSL should be used, and initialize the SSL decoder.
*/
static void decode_ssl_options(void){
#if FOSSIL_ENABLE_SSL
  const char *zCertFile = 0;
  zCertFile = find_option("tls-cert-file",0,1);
  if( zCertFile ){

    init_ssl_decoder(zCertFile, 0);
  }
  if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){

    init_ssl_decoder(0, 1);
  }
#endif
}

/*
** COMMAND: http*
**
3047
3048
3049
3050
3051
3052
3053
3054
3055


3056
3057
3058
3059
3060
3061
3062
  int fCreate = 0;           /* The --create flag */
  int fNoBrowser = 0;        /* Do not auto-launch web-browser */
  const char *zInitPage = 0; /* Start on this page.  --page option */
  int findServerArg = 2;     /* argv index for find_server_repository() */
  char *zRemote = 0;         /* Remote host on which to run "fossil ui" */
  const char *zJsMode;       /* The --jsmode parameter */
  const char *zFossilCmd =0; /* Name of "fossil" binary on remote system */
  



#if defined(_WIN32)
  const char *zStopperFile;    /* Name of file used to terminate server */
  zStopperFile = find_option("stopper", 0, 1);
#endif

  if( g.zErrlog==0 ){
    g.zErrlog = "-";







|
|
>
>







3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
  int fCreate = 0;           /* The --create flag */
  int fNoBrowser = 0;        /* Do not auto-launch web-browser */
  const char *zInitPage = 0; /* Start on this page.  --page option */
  int findServerArg = 2;     /* argv index for find_server_repository() */
  char *zRemote = 0;         /* Remote host on which to run "fossil ui" */
  const char *zJsMode;       /* The --jsmode parameter */
  const char *zFossilCmd =0; /* Name of "fossil" binary on remote system */
#if FOSSIL_ENABLE_SSL 
  const char *zCertFile =0;  /* Internal - TLS/SSL cert filename of the --tls-cert-file option */
  int zTls =0;               /* Internal - 1 = use a TLS/SSL cert that has been previously loaded by ssl-config load-cert command or 0 if no TLS / SSL has been loaeded  */
#endif
#if defined(_WIN32)
  const char *zStopperFile;    /* Name of file used to terminate server */
  zStopperFile = find_option("stopper", 0, 1);
#endif

  if( g.zErrlog==0 ){
    g.zErrlog = "-";
3094
3095
3096
3097
3098
3099
3100
3101



3102
3103




3104

3105
3106
3107
3108
3109
3110
3111
  fCreate = find_option("create",0,0)!=0;
  if( find_option("scgi", 0, 0)!=0 ) flags |= HTTP_SERVER_SCGI;
  if( zAltBase ){
    set_base_url(zAltBase);
  }
  g.sslNotAvailable = find_option("nossl", 0, 0)!=0 || isUiCmd;
  fNoBrowser = find_option("nobrowser", 0, 0)!=0;
  decode_ssl_options();



  if( find_option("https",0,0)!=0 || g.httpUseSSL ){
    cgi_replace_parameter("HTTPS","on");




  }

  if( find_option("localhost", 0, 0)!=0 ){
    flags |= HTTP_SERVER_LOCALHOST;
  }
  g.zCkoutAlias = find_option("ckout-alias",0,1);
  g.zMainMenuFile = find_option("mainmenu",0,1);
  if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
    fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);







|
>
>
>
|
|
>
>
>
>

>







3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
  fCreate = find_option("create",0,0)!=0;
  if( find_option("scgi", 0, 0)!=0 ) flags |= HTTP_SERVER_SCGI;
  if( zAltBase ){
    set_base_url(zAltBase);
  }
  g.sslNotAvailable = find_option("nossl", 0, 0)!=0 || isUiCmd;
  fNoBrowser = find_option("nobrowser", 0, 0)!=0;

  /* 
  ** get tls / ssl options, the calls that use these options need 
  ** access to the repo database which has not been found yet.
  ** we get and store them now, as find_option removes them from
  ** argv
  */
  zCertFile = find_option("tls-cert-file",0,1);
  if( find_option("tls",0,0)!=0 || find_option("ssl",0,0)!=0 ){
    zTls = 1;
  }

  if( find_option("localhost", 0, 0)!=0 ){
    flags |= HTTP_SERVER_LOCALHOST;
  }
  g.zCkoutAlias = find_option("ckout-alias",0,1);
  g.zMainMenuFile = find_option("mainmenu",0,1);
  if( g.zMainMenuFile!=0 && file_size(g.zMainMenuFile,ExtFILE)<0 ){
    fossil_fatal("Cannot read --mainmenu file %s", g.zMainMenuFile);
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
    zTimeout = "100000000";
#endif
  }
  /* We should be done with options.. */
  verify_all_options();

  if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?");
  if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){
    fossil_fatal("SCGI does not (yet) support TLS-encrypted connections");
  }
  if( isUiCmd && 3==g.argc && file_isdir(g.argv[2], ExtFILE)>0 ){
    /* If REPOSITORY arg is the root of a checkout,
    ** chdir to that checkout so that the current version
    ** gets highlighted in the timeline by default. */
    const char * zDir = g.argv[2];
    if(dir_has_ckout_db(zDir)){
      if(0!=file_chdir(zDir, 0)){







<
<
<







3149
3150
3151
3152
3153
3154
3155



3156
3157
3158
3159
3160
3161
3162
    zTimeout = "100000000";
#endif
  }
  /* We should be done with options.. */
  verify_all_options();

  if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?");



  if( isUiCmd && 3==g.argc && file_isdir(g.argv[2], ExtFILE)>0 ){
    /* If REPOSITORY arg is the root of a checkout,
    ** chdir to that checkout so that the current version
    ** gets highlighted in the timeline by default. */
    const char * zDir = g.argv[2];
    if(dir_has_ckout_db(zDir)){
      if(0!=file_chdir(zDir, 0)){
3164
3165
3166
3167
3168
3169
3170














3171
3172
3173
3174
3175
3176
3177
    flags |= HTTP_SERVER_LOCALHOST|HTTP_SERVER_REPOLIST;
    g.useLocalauth = 1;
    allowRepoList = 1;
  }
  if( !zRemote ){
    find_server_repository(findServerArg, fCreate);
  }














  if( zInitPage==0 ){
    if( isUiCmd && g.localOpen ){
      zInitPage = "timeline?c=current";
    }else{
      zInitPage = "";
    }
  }







>
>
>
>
>
>
>
>
>
>
>
>
>
>







3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
    flags |= HTTP_SERVER_LOCALHOST|HTTP_SERVER_REPOLIST;
    g.useLocalauth = 1;
    allowRepoList = 1;
  }
  if( !zRemote ){
    find_server_repository(findServerArg, fCreate);
  }
  /* 
  ** We need call enable TLS / SSL here as we need query the 
  ** repo database to access the certificate if its been loaded
  **     
  ** The database has only just been found and made available
  */
  init_ssl_decoder(zCertFile, zTls);
  if( find_option("https",0,0)!=0 || g.httpUseSSL ){
    cgi_replace_parameter("HTTPS","on");
  }
  if( g.httpUseSSL && (flags & HTTP_SERVER_SCGI)!=0 ){
    fossil_fatal("SCGI does not (yet) support TLS-encrypted connections");
  }

  if( zInitPage==0 ){
    if( isUiCmd && g.localOpen ){
      zInitPage = "timeline?c=current";
    }else{
      zInitPage = "";
    }
  }
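Review bot: Moving the `--https` lookup to the block after `init_ssl_decoder(zCertFile, zTls)` looks like a regression, because that `find_option("https",0,0)` call now runs after `verify_all_options()` in the earlier hunk; if verify_all_options() rejects any option still present in argv, as its name suggests, `fossil server --https` fails before the option is ever consumed, whereas the old code read it before that check. Capture it with the other TLS flags instead: `int fHttps = 0;` beside `zTls`, `fHttps = find_option("https",0,0)!=0;` next to the `--tls`/`--ssl` parsing, and `if( fHttps || g.httpUseSSL ){` at the later site. Two smaller points: `decode_ssl_options()` is no longer called from cmd_webserver, so it is now an unused static function that should be deleted rather than rewritten to call `init_ssl_decoder()`, and `zCertFile`/`zTls` are declared under `#if FOSSIL_ENABLE_SSL` but used unguarded here and in the option-parsing hunk, so a build without SSL will not compile (the follow-up check-in listed under Context appears to address that). `zTls` is an int flag, so the `z` string prefix is misleading; `fTls` would match `fCreate` and `fNoBrowser`. cmd_webserver begins and ends outside this hunk.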