diff options
| author | Dave Brolley <brolley@redhat.com> | 2010-02-02 14:08:31 -0500 |
|---|---|---|
| committer | Dave Brolley <brolley@redhat.com> | 2010-02-02 14:08:31 -0500 |
| commit | d2334a2233f4efd055dab021c603f7c046730a66 (patch) | |
| tree | c7400b7219c381d6a242f1e1bb987b7b6d279d69 | |
| parent | 495b9d7c310985f3c185f4ca642b521141d9b722 (diff) | |
| download | systemtap-steved-d2334a2233f4efd055dab021c603f7c046730a66.tar.gz systemtap-steved-d2334a2233f4efd055dab021c603f7c046730a66.tar.xz systemtap-steved-d2334a2233f4efd055dab021c603f7c046730a66.zip | |
Compile server logging and robustness.
Log certificate location and status when starting server.
Additional care in handling arguments in stap-serverd.
New test case discovered by fuzzing added and fixed.
| -rwxr-xr-x | stap-gen-cert | 43 | ||||
| -rwxr-xr-x | stap-serverd | 18 | ||||
| -rw-r--r-- | testsuite/systemtap.server/server_args.exp | 5 |
3 files changed, 40 insertions, 26 deletions
diff --git a/stap-gen-cert b/stap-gen-cert index 4f2650cd..4938817d 100755 --- a/stap-gen-cert +++ b/stap-gen-cert @@ -3,7 +3,7 @@ # Generate a certificate for the systemtap server and add it to the # database of trusted servers for the client. # -# Copyright (C) 2008, 2009 Red Hat Inc. +# Copyright (C) 2008-2010 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General @@ -14,61 +14,68 @@ . ${PKGLIBEXECDIR}stap-env # Obtain the certificate database directory name. -serverdb=$1 +serverdb="$1" if test "X$serverdb" = "X"; then - serverdb=$stap_ssl_db/server + serverdb="$stap_ssl_db/server" fi -rm -fr $serverdb +rm -fr "$serverdb" # Create the server's certificate database directory. -if ! mkdir -p -m 755 $serverdb; then +if ! mkdir -p -m 755 "$serverdb"; then echo "Unable to create the server certificate database directory: $serverdb" >&2 exit 1 fi # Create the certificate database password file. Care must be taken # that this file is only readable by the owner. -if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then +if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then echo "Unable to create the server certificate database password file: $serverdb/pw" >&2 exit 1 fi # Generate a random password. -mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \ -apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \ -(read -n20 password </dev/urandom; echo "$password" > $serverdb/pw) +mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \ +apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \ +(read -n20 password </dev/urandom; echo "$password" > "$serverdb/pw") # Generate the server certificate database -if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then +if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then echo "Unable to initialize the server certificate database directory: $serverdb" >&2 exit 1 fi # We need some random noise for generating keys -dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null +dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null # Generate a request for the server's certificate. -certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null -rm -fr $serverdb/noise +certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \ + -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null +rm -fr "$serverdb/noise" # Create the certificate file first so that it always has the proper access permissions. -if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then +if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2 exit 1 fi -# Now generate the actual certificate. -certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF +# Now generate the actual certificate. Make is valid for 1 year. +certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \ + -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 3 7 8 y EOF -rm -fr $serverdb/stap.req +rm -fr "$serverdb/stap.req" # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer -certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw +certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw" +# Print some information about the certificate. echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb" +certutil -L -d "$serverdb" -n stap-server | \ + awk '/Validity|Not After|Not Before/ { print $0 }' | \ + sed 's/^ */ /' + exit 0 diff --git a/stap-serverd b/stap-serverd index fc186233..eda9711e 100755 --- a/stap-serverd +++ b/stap-serverd @@ -81,12 +81,18 @@ function initialization { -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 fi - elif ! test -f $stap_ssl_db/client/cert8.db; then - # If the client's database does not exist, then initialize it with our certificate. - # Do this only if the client has been installed. - if test -f `which ${stap_exec_prefix}stap-client` -a \ - -x `which ${stap_exec_prefix}stap-client`; then - ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 + else + echo "Certificate found in database $ssl_db" >> $logfile + certutil -L -d "$ssl_db" -n stap-server | \ + awk '/Validity|Not After|Not Before/ { print $0 }' | \ + sed 's/^ */ /' >> $logfile + if ! test -f $stap_ssl_db/client/cert8.db; then + # If the client's database does not exist, then initialize it with our certificate. + # Do this only if the client has been installed. + if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \ + -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then + ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1 + fi fi fi fi diff --git a/testsuite/systemtap.server/server_args.exp b/testsuite/systemtap.server/server_args.exp index 926faf95..eac9074c 100644 --- a/testsuite/systemtap.server/server_args.exp +++ b/testsuite/systemtap.server/server_args.exp @@ -41,7 +41,7 @@ proc stap_direct_and_with_client {stap stap_client options} { # and will be prefixed for the client. if {[regexp "^ (.*)" $expected_line match data]} { # Special characters in the regexp need to be quoted. - regsub -all "\[\"\\\\;\]" $data {\\\0} data + regsub -all "\[\"\\\\;\*\]" $data {\\\0} data if {[regexp "^ tapsets.*/$data" $line]} { incr n continue @@ -60,7 +60,7 @@ proc stap_direct_and_with_client {stap stap_client options} { } else { if {[regexp "^Input file '(.*)' is empty or missing." $expected_line match data]} { # Special characters in the regexp need to be quoted. - regsub -all "\[\"\\\\;\]" $data {\\\0} data + regsub -all "\[\"\\\\;\*\]" $data {\\\0} data if {[regexp "^Input file 'script.*/$data' is empty or missing." $line]} { incr n continue @@ -114,6 +114,7 @@ if {[installtest_p]} then { # for debugging a currently failing case and helps to ensure that previously # fixed cases do not regress. set previously_fixed [list \ + "-p1 -I=\\w94\nbh -R'-1vo*w- -e -B9 -Dhfuo0iu7 -c" \ "-p1 -I8o\\2ie -Rtu\\\n -e'1\\ -B*3x8k\; -D\n\" -c" \ "-p1 -Ira\\3;c g -Rlr\"6/3ho -e0fle'qq -B -Dr/316k\\o8 -cjyoc\n3" \ "-p1 -I6p3 -Rk3g-t\n89 -elc -Bd -Dqgsgv' -c" \ |