author | Dave Brolley <brolley@redhat.com> | 2010-02-17 16:18:10 -0500 |
---|---|---|
committer | Dave Brolley <brolley@redhat.com> | 2010-02-17 17:13:05 -0500 |
commit | 2ba4c606b0e7ddbc38633a4f9d5b5ee9739a48a7 (patch) | |
tree | 42a9893d963b5d2ed7196410f51ce621b0fddf4d /stap-server-connect.c | |
parent | d9f58253e30ea80e57d8f54e41e9cd114cc13973 (diff) | |
Improved server certificate management. ulimit for stap-server only.
- Server now generates a new certificate when old one expires.
- Certificates now valid for 1 year.
- ulimit for stap-server-connect now only set for stap-server
user and only when override variable is not set.
Diffstat (limited to 'stap-server-connect.c')
-rw-r--r-- | stap-server-connect.c | 35 |
1 files changed, 28 insertions, 7 deletions
diff --git a/stap-server-connect.c b/stap-server-connect.c index bbf5ade7..0f07d987 100644 --- a/stap-server-connect.c +++ b/stap-server-connect.c @@ -79,7 +79,9 @@ exitErr(char *function) /* Exit gracefully. */ /* ignoring return value of NSS_Shutdown as code exits with 1*/ (void) NSS_Shutdown(); +#if 0 /* PR_Cleanup is known to hang on some systems */ PR_Cleanup(); +#endif exit(1); } @@ -248,7 +250,7 @@ setupSSLSocket(PRFileDesc *tcpSocket) secStatus = SSL_SetPKCS11PinArg(sslSocket, password); if (secStatus != SECSuccess) { - errWarn("SSL_HandshakeCallback"); + errWarn("SSL_SetPKCS11PinArg"); goto loser; } @@ -837,9 +839,10 @@ accept_connection(PRFileDesc *listenSocket) PRNetAddr addr; PRStatus prStatus; PRFileDesc *tcpSocket; -#if 0 - SECStatus result; -#endif + SECStatus secStatus; + CERTCertDBHandle *dbHandle; + + dbHandle = CERT_GetDefaultCertDB(); while (PR_TRUE) { @@ -868,7 +871,7 @@ accept_connection(PRFileDesc *listenSocket) /* XXX: fork() or somesuch to handle concurrent requests. */ /* Accepted the connection, now handle it. */ - /*result =*/ handle_connection (tcpSocket); + handle_connection (tcpSocket); printf ("Request from %d.%d.%d.%d:%d complete\n", (addr.inet.ip ) & 0xff, @@ -877,15 +880,31 @@ accept_connection(PRFileDesc *listenSocket) (addr.inet.ip >> 24) & 0xff, addr.inet.port); fflush (stdout); + + /* If our certificate is no longer valid (e.g. has expired), + then exit. The daemon, (stap-serverd) will generate a new + certificate and restart the connection. */ + secStatus = CERT_VerifyCertNow(dbHandle, cert, PR_TRUE/*checkSig*/, + certUsageSSLServer, NULL/*wincx*/); + if (secStatus != SECSuccess) + { + errWarn ("CERT_VerifyCertNow"); + break; + } } #if DEBUG fprintf(stderr, "Closing listen socket.\n"); + fflush (stderr); #endif prStatus = PR_Close(listenSocket); if (prStatus != PR_SUCCESS) exitErr("PR_Close"); +#if DEBUG + fprintf(stderr, "Closed listen socket.\n"); + fflush (stderr); +#endif return SECSuccess; } 
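Review bot: The `#if 0` around `PR_Cleanup();` in `exitErr` (and again in the `main` hunk at the end of the diff) leaves a dead call whose only explanation is "known to hang on some systems", with no bug reference or platform named. Both sites terminate the process right afterwards (`exit(1);` here, `return 0;` in `main`), so the call could be deleted and replaced by one comment such as `/* PR_Cleanup() skipped: it can hang on some systems, and the process exits right after. */`. Alternatively, guard both sites with a single named macro so the workaround can be found and reverted in one place.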
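Review bot: `dbHandle = CERT_GetDefaultCertDB();` in `accept_connection` is stored once and never checked before it is passed to `CERT_VerifyCertNow` later in the loop. If NSS has no default database at that point the handle is NULL, so a guard such as `if (dbHandle == NULL) exitErr("CERT_GetDefaultCertDB");` right after the assignment would fail early with a clear message. The function body continues outside this hunk.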
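Review bot: The result of `handle_connection (tcpSocket);` is discarded, and the following `printf` reports "Request from ... complete" whether or not the request succeeded. For a TLS-serving daemon that makes failed requests indistinguishable from served ones in the log. If `handle_connection` returns a status (the removed `/*result =*/` suggests it does, but its declaration is outside the hunk), capture it in `secStatus` and report failures with `errWarn ("handle_connection");`. Otherwise write `(void) handle_connection (tcpSocket);` so the discard reads as deliberate.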
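Review bot: The certificate check in the `-877,15 +880,31` hunk runs only after `handle_connection` has returned, so the request that discovers an expired certificate has already been served with it, and an idle server keeps listening with an expired certificate until some client connects. Moving the `CERT_VerifyCertNow` block to just after the connection is accepted and before `handle_connection`, with `PR_Close(tcpSocket);` ahead of the `break`, would refuse that request instead of serving it. The `break` path also falls through to `return SECSuccess;`, so a caller cannot tell a certificate failure from a normal shutdown; returning `SECFailure` on that path would make it visible, provided no caller depends on the current value. `cert` is not declared in this hunk and is presumably file-scope now that `server_main` no longer takes it; the function starts outside the hunk.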
@@ -896,7 +915,7 @@ accept_connection(PRFileDesc *listenSocket) * */ static void -server_main(unsigned short port, SECKEYPrivateKey *privKey, CERTCertificate *cert) +server_main(unsigned short port, SECKEYPrivateKey *privKey) { SECStatus secStatus; PRStatus prStatus; @@ -1090,11 +1109,13 @@ main(int argc, char **argv) SSL_ConfigMPServerSIDCache(256, 0, 0, NULL); /* Launch server. */ - server_main(port, privKey, cert); + server_main(port, privKey); /* Shutdown NSS and exit NSPR gracefully. */ NSS_Shutdown(); +#if 0 /* PR_Cleanup is known to hang on some systems */ PR_Cleanup(); +#endif return 0; } |