2009-03-12 Dave Brolley <brolley@redhat.com>

        * util.cxx (remove_file_or_dir): New function.
        * util.h (remove_file_or_dir): New function.
        * systemtap.spec (stap): Add stap-env, stap-gen-cert, stap-authorize-cert,
        and stap-authorize-signing-cert.
        (stap-client): Remove stap-find-or-start-server, stap-add-server-cert.
        Add stap-authorize-server-cert.
        (stap-server): Add stap-find-servers, stap-find-or-start-server,
        stap-authorize-server-cert. Remove stap-gen-server-cert.
        * stap-find-servers: Source stap-env. Use $stap_avahi_service_tag.
        (initialization): Set timeout to 10.
        (find_servers): Run avahi-browse in the background and wait for it.
        Use a temp file for the output of avahi-browse. Kill avahi-browse if
        the timeout expires.
        (match_server): Set read timeout.
        (fatal): New function.
        * stap-find-or-start-server: Source stap-env. Use $stap_exec_prefix. Always
        exit with 0.
        * stap-start-server: Source stap-env. Check for the server PID as a running
        process and for avahi-publish-service running as a child in order to
        verify that the server is ready.
        * stap-add-server-cert: Renamed to stap-authorize-server-cert. Source
        stap-env. Call stap-authorize-cert.
        * stap-client: Source stap-env. Use $stap_user_ssl_db and
        $stap_root_ssl_db. Use $stap_tmpdir_prefix_client,
        $stap_tmpdir_prefix_server. Use $stap_exec_prefix.
        (configuration): Removed.
        (staprun_running): Removed.
        (interrupt): Don't kill staprun.
        * stap-server: Source stap-env. Use $stap_user_ssl_db and
        $stap_root_ssl_db. Use $stap_tmpdir_prefix_client,
        $stap_tmpdir_prefix_server. Use $stap_exec_prefix.
        (configuration): Removed.
        * session.h (systemtap_session): Add cert_db_path.
        * runtime/staprun/staprun_funcs.c (config.h): #include it.
        (modverify.h): #include it.
        (check_signature): New function.
        (check_groups): New function extracted from check_permissions.
        (check_permissions): Call check_groups and check_signature.
        * runtime/staprun/mainloop.c (cleanup_and_exit): Pass modpath to staprun,
        not modname.
        * main.cxx (main): Initialize cert_db_path. Handle LONG_OPT_SIGN_MODULE.
        Save the module signature if the module was signed and is being saved.
        (LONG_OPT_SIGN_MODULE): #define it.
        (long_options): Add --sign-module.
        * cache.cxx (config.h): #include it.
        (add_to_cache): Add the module signature file to the cache if the module
        has been signed.
        * buildrun.cxx (modsign.h): #include it.
        (compile_pass): Call sign_module, if requested.
        * configure.ac: Define HAVE_NSS if NSS libraries are available.
        * Makefile.am (AM_CPPFLAGS): Add -DSYSCONFDIR.
        (bin_SCRIPTS): Add stap-env, stap-gen-cert, stap-authorize-cert,
        stap-authorize-signing-cert, stap-authorize-server-cert. Remove
        stap-gen-server-cert, stap-add-server-cert.
        (stap_SOURCES): Add nsscommon.c, modsign.cxx
        (stap_CPPFLAGS): Add $(nss_CFLAGS), $(nspr_CFLAGS).
        (stap_LDADD): Add -lnss3.
        (staprun_SOURCES): Add nsscommon.c.
        * modsign.cxx: New file.
        * modsign.h: New file.
        * nsscommon.c: New file.
        * nsscommon.h: New file.
        * runtime/staprun/modverify.c: New file.
        * runtime/staprun/modverify.h: New file.
        * stap-authorize-cert: New file.
        * stap-authorize-signing-cert: New file.
        * stap-env: New file.
        * Makefile.in: Regenerated.
        * aclocal.m4: Regenerated.
        * config.in: Regenerated.
        * configure: Regenerated.
        * doc/Makefile.in: Regenerated.
        * doc/SystemTap_Tapset_Reference/Makefile.in: Regenerated.
        * testsuite/Makefile.in: Regenerated.
        * testsuite/aclocal.m4: Regenerated.

1 files changed, 80 insertions, 0 deletions

diff --git a/nsscommon.c b/nsscommon.c
new file mode 100644
index 00000000..1837969f
--- /dev/null
+++ b/nsscommon.c
@@ -0,0 +1,80 @@
+/*
+  Common functions used by the NSS-aware code in systemtap.
+
+  Copyright (C) 2009 Red Hat Inc.
+
+  This file is part of systemtap, and is free software.  You can
+  redistribute it and/or modify it under the terms of the GNU General Public
+  License as published by the Free Software Foundation; either version 2 of the
+  License, or (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+*/
+
+#include <stdio.h>
+
+#include <nss.h>
+#include <nspr.h>
+#include <prerror.h>
+#include <secerr.h>
+#include <sslerr.h>
+
+void
+nssError (void)
+{
+  PRErrorCode errorNumber;
+  PRInt32 errorTextLength;
+  PRInt32 rc;
+  char *errorText;
+  
+  /* See if PR_GetErrorText can tell us what the error is.  */
+  errorNumber = PR_GetError ();
+  if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR)
+    {
+      errorTextLength = PR_GetErrorTextLength ();
+      if (errorTextLength != 0) {
+	errorText = PORT_Alloc (errorTextLength);
+	rc = PR_GetErrorText (errorText);
+	if (rc != 0)
+	  fprintf (stderr, "%s\n", errorText);
+	PR_Free (errorText);
+	if (rc != 0)
+	  return;
+      }
+    }
+
+  /* Otherwise handle common errors ourselves.  */
+  switch (errorNumber)
+    {
+    case SEC_ERROR_CA_CERT_INVALID:
+      fputs ("The issuer's certificate is invalid.\n", stderr);
+      break;
+    case SEC_ERROR_BAD_DATABASE:
+      fputs ("The specified certificate database does not exist or is not valid.\n", stderr);
+      break;
+    case SSL_ERROR_BAD_CERT_DOMAIN:
+      fputs ("The requested domain name does not match the server's certificate.\n", stderr);
+      break;
+    case PR_CONNECT_RESET_ERROR:
+      fputs ("Connection reset by peer.\n", stderr);
+      break;
+    default:
+      fputs ("Unknown NSS error.\n", stderr);
+      break;
+    }
+}
+
+void
+nssCleanup (void)
+{
+  /* Shutdown NSS and exit NSPR gracefully. */
+  NSS_Shutdown ();
+  PR_Cleanup ();
+}