From f7a0393bba312bf5a25c1f6151f668adb6829f49 Mon Sep 17 00:00:00 2001 From: Art Cancro Date: Tue, 27 Apr 2004 03:16:31 +0000 Subject: [PATCH] * When running on the same host as Citadel, if no key/cert are found, symlink to Citadel's if possible. * One server binary now forks to start both http and https servers. --- webcit/ChangeLog | 6 ++++++ webcit/README.txt | 13 ++++++++++--- webcit/crypto.c | 20 +++++++++++++++++++- webcit/webserver.c | 19 +++++++++++++++---- 4 files changed, 50 insertions(+), 8 deletions(-) diff --git a/webcit/ChangeLog b/webcit/ChangeLog index 684084e92..5061f6e6d 100644 --- a/webcit/ChangeLog +++ b/webcit/ChangeLog @@ -1,4 +1,9 @@ $Log$ +Revision 506.11 2004/04/27 03:16:31 ajc +* When running on the same host as Citadel, if no key/cert are found, + symlink to Citadel's if possible. +* One server binary now forks to start both http and https servers. + Revision 506.10 2004/04/21 03:43:39 ajc * Completed remaining SSL fixes. Works in Moz, aIEeee, Konq; self-signed certs are also no longer invalid. @@ -1794,3 +1799,4 @@ Sun Dec 6 19:50:55 EST 1998 Art Cancro 1998-12-03 Nathan Bryant * webserver.c: warning fix + diff --git a/webcit/README.txt b/webcit/README.txt index 7ade27983..68bd06a33 100644 --- a/webcit/README.txt +++ b/webcit/README.txt 
@@ -66,21 +66,28 @@ something like this: Several command-line options are also available. Here's the usage for the "webserver" program: - webserver [-p localport] [-t tracefile] [-c] [remotehost [remoteport]] + webserver [-p http_port] [-s https_port] [-t tracefile] + [-c] [remotehost [remoteport]] *or* - webserver [-p localport] [-t tracefile] [-c] uds /your/citadel/directory + webserver [-p http_port] [-s https_port] [-t tracefile] + [-c] uds /your/citadel/directory Explained: - -> localport: the TCP port on which you wish your WebCit server to run. + -> http_port: the TCP port on which you wish your WebCit server to run. this can be any port number at all; there is no standard. Naturally, you'll want to create a link to this port on your system's regular web pages (presumably on an Apache server running on port 80). Or, if you are installing WebCit on a dedicated server, then you might choose to use port 80 after all. + -> https_port: an optional TCP port on which you wish your WebCit server + to run an SSL-encrypted web service. The standard port number for this + is 443, and if you're not already running a secure web server you might + choose to use that port. Otherwise, select any free port number. + -> tracefile: where you want WebCit to log to. This can be a file, a virtual console, or /dev/null to suppress logging altogether. diff --git a/webcit/crypto.c b/webcit/crypto.c index d74c6b17d..36e7f8427 100644 --- a/webcit/crypto.c +++ b/webcit/crypto.c @@ -48,6 +48,7 @@ void init_ssl(void) EVP_PKEY *req_pkey = NULL; X509_NAME *name = NULL; FILE *fp; + char buf[SIZ]; if (!access("/var/run/egd-pool", F_OK)) RAND_egd("/var/run/egd-pool"); 
@@ -127,7 +128,24 @@ void init_ssl(void) mkdir(CTDL_CRYPTO_DIR, 0700); /* - * Generate a key pair if we don't have one. + * Before attempting to generate keys/certificates, first try + * link to them from the Citadel server if it's on the same host. + * We ignore any error return because it either meant that there + * was nothing in Citadel to link from (in which case we just + * generate new files) or the target files already exist (which + * is not fatal either). + */ + if (!strcasecmp(ctdlhost, "uds")) { + sprintf(buf, "%s/keys/citadel.key", ctdlport); + symlink(buf, CTDL_KEY_PATH); + sprintf(buf, "%s/keys/citadel.csr", ctdlport); + symlink(buf, CTDL_CSR_PATH); + sprintf(buf, "%s/keys/citadel.cer", ctdlport); + symlink(buf, CTDL_CER_PATH); + } + + /* + * If we still don't have a private key, generate one. */ if (access(CTDL_KEY_PATH, R_OK) != 0) { lprintf(5, "Generating RSA key pair.\n"); diff --git a/webcit/webserver.c b/webcit/webserver.c index 07e10504f..507d0ac84 100644 --- a/webcit/webserver.c +++ b/webcit/webserver.c @@ -246,11 +246,12 @@ int main(int argc, char **argv) pthread_attr_t attr; /* Thread attributes */ int a, i; /* General-purpose variables */ int port = PORT_NUM; /* Port to listen on */ + int https_port = (-1); char tracefile[PATH_MAX]; /* Parse command line */ #ifdef HAVE_OPENSSL - while ((a = getopt(argc, argv, "hp:t:cs")) != EOF) + while ((a = getopt(argc, argv, "hp:t:cs:")) != EOF) #else while ((a = getopt(argc, argv, "hp:t:c")) != EOF) #endif @@ -281,13 +282,13 @@ int main(int argc, char **argv) } break; case 's': - is_https = 1; + https_port = atoi(optarg); break; default: - fprintf(stderr, "usage: webserver [-p localport] " + fprintf(stderr, "usage: webserver [-p http_port] " "[-t tracefile] [-c] " #ifdef HAVE_OPENSSL - "[-s] " + "[-s https_port] " #endif "[remotehost [remoteport]]\n"); return 1; 
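Review bot: The three `sprintf(buf, "%s/keys/citadel.key", ctdlport)` calls write into the fixed `char buf[SIZ]` declared in the previous hunk with no bound, and in uds mode `ctdlport` is the Citadel directory given on the command line (per the README change in this patch), so an over-long path overruns the stack buffer; use `snprintf(buf, sizeof buf, ...)`. The comment's claim that a failed symlink() "meant that there was nothing in Citadel to link from" does not hold: symlink() never checks that its target exists, so when Citadel's keys are absent WebCit is left with dangling links, and the `access(CTDL_KEY_PATH, R_OK)` that follows then falls through to key generation, which presumably writes the new key through the dangling link into Citadel's keys directory — confirm against the generation code below the hunk. Linking only when the source file is readable avoids both the dangling link and the write-through, and the comment should be reworded to say that an existing file at the link path is the one error deliberately ignored. init_ssl continues outside the hunk.
```c
	if (!strcasecmp(ctdlhost, "uds")) {
		snprintf(buf, sizeof buf, "%s/keys/citadel.key", ctdlport);
		if (access(buf, R_OK) == 0) symlink(buf, CTDL_KEY_PATH);
		snprintf(buf, sizeof buf, "%s/keys/citadel.csr", ctdlport);
		if (access(buf, R_OK) == 0) symlink(buf, CTDL_CSR_PATH);
		snprintf(buf, sizeof buf, "%s/keys/citadel.cer", ctdlport);
		if (access(buf, R_OK) == 0) symlink(buf, CTDL_CER_PATH);
	}
	/* … unchanged: "If we still don't have a private key" comment and access() check … */
```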
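Review bot: In the hunk at -246 the new `int https_port = (-1);` is the only declaration in that group without a trailing comment, and the parenthesised negative literal is unusual next to `int port = PORT_NUM;`; suggest `int https_port = -1;	/* HTTPS port to listen on, -1 when not requested */`. The getopt string gains `s:` only in the HAVE_OPENSSL branch, so `-s` on a non-SSL build still reaches the usage error, which is consistent with the usage message that also hides `[-s https_port]` behind the same ifdef. main continues outside the hunk.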
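Review bot: In the hunk at -281, `https_port = atoi(optarg);` accepts any text: `-s abc` yields 0, which the later `https_port > 0` test treats as "no HTTPS" and the server silently comes up without the secure listener, while `-s 99999` is accepted and presumably only fails at bind time. Parse with strtol, reject anything outside 1..65535, and report the bad value so a misconfiguration is visible in the trace; `errno` needs `<errno.h>` if the file does not already include it. If `-p` is parsed with atoi as well (that case is above the hunk) the same applies there.
```c
		case 's':
			{
				char *end;
				errno = 0;
				long v = strtol(optarg, &end, 10);
				if (end == optarg || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
					fprintf(stderr, "webserver: invalid https port '%s'\n", optarg);
					return 1;
				}
				https_port = (int)v;
			}
			break;
		/* … unchanged: default / usage message … */
```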
@@ -307,6 +308,16 @@ int main(int argc, char **argv) if (chdir(WEBCITDIR) != 0) perror("chdir"); + /* + * If an HTTPS port was specified, fork an HTTPS server. + */ + if (https_port > 0) { + if (fork() == 0) { + is_https = 1; + port = https_port; + } + } + /* * Set up a place to put thread-specific data. * We only need a single pointer per thread - it points to the -- 2.30.2
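Review bot: `if (fork() == 0)` never examines the failure case: when fork() returns -1 the parent simply carries on as the HTTP server and the HTTPS listener the operator asked for never starts, with nothing logged. Capture the pid, `perror("fork")` and exit non-zero so a missing HTTPS service is noticed rather than discovered later, and keep the child path as written. The parent also never reaps the child, so an HTTPS process that exits will linger as a zombie for the lifetime of the HTTP server; `signal(SIGCHLD, SIG_IGN)` before the fork is the minimal remedy if automatic reaping is acceptable here. main continues outside the hunk.
```c
	if (https_port > 0) {
		pid_t pid = fork();
		if (pid < 0) {
			perror("fork");
			return 1;
		}
		if (pid == 0) {
			is_https = 1;
			port = https_port;
		}
	}
	/* … unchanged: thread-specific data setup … */
```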