Fossil

** at a time.  State information is stored in static variables.  The identity
** of the server is held in global variables that are set by url_parse().
**
** SSL support is abstracted out into this module because Fossil can
** be compiled without SSL support (which requires OpenSSL library)
*/

#include "config.h"

#ifdef FOSSIL_ENABLE_SSL

#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>





#include "http_ssl.h"
#include <assert.h>
















#include <sys/types.h>


/*
** There can only be a single OpenSSL IO connection open at a time.
** State information about that IO is stored in the following
** local variables:
*/
static int sslIsInit = 0;    /* True after global initialization */

    total += got;
    N -= got;
    pContent = (void*)&((char*)pContent)[got];
  }
  return total;
}

#if 0
/*
** Read client certificate and key, if set, and store them in the SSL context
** to allow communication with servers which are configured to verify client
** certificates and certificate chains.
** We only support PEM and don't support password protected keys.
**
** Always try the environment variables first, and if they aren't set, then
** use the global config.
*/
void ssl_load_client_authfiles(void){
  char *cafile;
  char *capath;
  char *certfile;
  char *keyfile;

  cafile = ssl_get_and_set_file_ref("FOSSIL_CAFILE", "cafile");
  capath = ssl_get_and_set_file_ref("FOSSIL_CAPATH", "capath");

  if( cafile || capath ){
    /* The OpenSSL documentation warns that if several CA certificates match
    ** the same name, key identifier and serial number conditions, only the
    ** first will be examined. The caveat situation is when one stores an
    ** expired CA certificate among the valid ones.
    ** Simply put: Do not mix expired and valid certificates.
    */
    if( SSL_CTX_load_verify_locations(sslCtx, cafile, capath) == 0){
      fossil_fatal("SSL: Unable to load CA verification file/path");
    }
  }else{
    fossil_warning("SSL: CA file/path missing for certificate verification.");
  }

  certfile = ssl_get_and_set_file_ref("FOSSIL_CCERT", "ccert");
  if( !certfile ){
     free(capath);
     free(cafile);
     return;
  }

  keyfile = ssl_get_and_set_file_ref("FOSSIL_CKEY", "ckey");

  /* Assume the key is in the certificate file if key file was not specified */
  if( certfile && !keyfile ){
    keyfile = certfile;
  }

  if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM) <= 0 ){
    fossil_fatal("SSL: Unable to open client certificate in %s.", certfile);
  }
  if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM) <= 0 ){
    fossil_fatal("SSL: Unable to open client key in %s.", keyfile);
  }

  if( !SSL_CTX_check_private_key(sslCtx) ){
    fossil_fatal("SSL: Private key does not match the certificate public "
        "key.");
  }

  free(keyfile);
  free(certfile);
  free(capath);
  free(cafile);
}
#endif

/*
** If an certgroup has been specified on the command line, then use it to look
** up certificates and keys, and then store the URL-certgroup association in
** the global database. If no certgroup has been specified on the command line,
** see if there's an entry for the url in global_config, and use it if
** applicable.
*/

  }
  if( !zGroupName ){
    /* No cert group specified or found cached */
    return;
  }

  db_swap_connections();

  cafile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                      " AND type='cafile'", zGroupName);
  capath = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                      " AND type='capath'", zGroupName);
  db_swap_connections();

  if( cafile || capath ){

  }

  free(keyfile);
  free(certfile);
  free(capath);
  free(cafile);
}

#if 0
/*
** Get SSL authentication file reference from environment variable. If set,
** then store varaible in global config. If environment variable was not set,
** attempt to get variable from global config.
**/
char *ssl_get_and_set_file_ref(const char *envvar, const char *dbvar){
  char *zVar;
  char *zTmp;

  zTmp = mprintf("%s:%s", dbvar, g.urlName);

  zVar = getenv(envvar);
  if( zVar ){
    zVar = strdup(zVar);
    if( zVar == NULL ){
      fossil_fatal("Unable to allocate memory for %s value.", envvar);
    }
    db_set(zTmp, zVar, 1);
  }else{
    zVar = db_get(zTmp, NULL);
  }
  free(zTmp);

  return zVar;
}
#endif

/*
** COMMAND: cert
**
** Usage: %fossil cert SUBCOMMAND ...
**
** Manage/group PKI keys/certificates to be able to use client

     */
    if( !zCKey && zCCert ){
      zCKey = zCCert;
    }

    db_open_config(0);
    db_swap_connections();
    if( db_exists(
        "SELECT 1 FROM certs"
        " WHERE name='%q'",
        zContainer)!=0 ){
      fossil_fatal("certificate group \"%s\" already exists", zContainer);
    }
    db_begin_transaction();
    if( zCKey ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'ckey',%Q)",
          zContainer, zCKey);
    }
    if( zCCert ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "

    db_swap_connections();
  }else if(strncmp(zCmd, "list", n)==0){
    Stmt q;
    char *grp = NULL;

    db_open_config(0);
    db_swap_connections();


    db_prepare(&q, "SELECT name,type,filepath FROM certs"
                   " WHERE type NOT IN ('server')"
                   " ORDER BY name,type");
    while( db_step(&q)==SQLITE_ROW ){
      const char *zCont = db_column_text(&q, 0);
      const char *zType = db_column_text(&q, 1);

      usage("disassociate URL");
    }
    zURL = g.argv[3];

    db_open_config(0);
    db_swap_connections();
    db_begin_transaction();

    db_multi_exec("DELETE FROM global_config WHERE name='certgroup:%q'",
        zURL);
    if( db_changes() == 0 ){
      fossil_warning("No certificate group associated with URL \"%s\".",
          zURL);
    }else{
      printf("%s disassociated from its certificate group.\n", zURL);

    db_end_transaction(0);
    db_swap_connections();
  }else{
    fossil_panic("cert subcommand should be one of: "
                 "add list disassociate delete");
  }
}

#endif /* FOSSIL_ENABLE_SSL */

@ -- This file contains the schema for the database that is kept in the
@ -- ~/.fossil file and that stores information about the users setup.
@ --
@ CREATE TABLE global_config(
@   name TEXT PRIMARY KEY,
@   value TEXT
@ );
@ CREATE TABLE certs(
@   name TEXT NOT NULL,
@   type TEXT NOT NULL,
@   filepath TEXT NOT NULL,
@   PRIMARY KEY(name, type),
@   UNIQUE(name, type)
@ );
;

#if INTERFACE
/*
** The content tables have a content version number which rarely
** changes.  The aux tables have an arbitrary version number (typically
** a date) which can change frequently.  When the content schema changes,