-rw-r--r--ChangeLog38
-rw-r--r--Makefile.am18
-rw-r--r--Makefile.in20
-rwxr-xr-xstap-add-server-cert16
-rwxr-xr-xstap-client50
-rw-r--r--stap-client-connect.c103
-rwxr-xr-xstap-find-or-start-server2
-rwxr-xr-xstap-gen-server-cert8
-rwxr-xr-xstap-server4
-rw-r--r--stap-server-connect.c23
-rwxr-xr-xstap-serverd18
-rwxr-xr-xstap-start-server15
-rw-r--r--testsuite/ChangeLog4
-rw-r--r--testsuite/lib/systemtap.exp10
14 files changed, 218 insertions, 111 deletions
diff --git a/ChangeLog b/ChangeLog
index 888607ca..328a0b41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,41 @@
+2009-01-09 Dave Brolley <brolley@redhat.com>
+
+ * Makefile.am (stamp-ssl): Removed.
+ (ssl/server/stap-server.cert): Removed.
+ (install-data-local): Don't install $(builddir)/ssl.
+ (stap-add-server-cert): Create database directory if it does not
+ exist. Ensure the database is readable by others.
+ * stap-client (initialization): Initialize local_ssl_dbs and
+ public_ssl_dbs. Don't initialize ssl_db.
+ (parse_options): Concatenate additional_local_ssl_dbs with
+ local_ssl_dbs.
+ (process_ssl): Build up additional_local_ssl_dbs in the order
+ specified on the command line.
+ (choose_server): Set server for non-local domains. Print
+ $tmpdir_client/connect to stderr if we can't connect.
+ (send_receive): Try connecting to the given server using all of the
+ databases in $local_ssl_dbs and $public_ssl_dbs. Keep log in
+ $tmpdir_client/connect.
+ (interrupt): Use SIGTERM to kill stap-client-connect.
+ * stap-client-connect.c (prerror.h,secerror.h): #include them.
+ (errWarn): Try to the the error text from NSPR. Handle specific errors
+ manually otherwise.
+ (handle_connection): Stop processing on write error of the local file.
+ (do_connect): Cleanup on error. Call SSL_ForceHandshake to catch
+ authentication errors here.
+ * stap-gen-server-cert: Don't create the client's database directory.
+ * stap-server: Redirect the output of signtool to /dev/null.
+ * stap-server-connect.c (handle_connect): Call SSL_ForceHandshake to catch
+ authentication errors here. Clean up temp files on error.
+ (accept_connection): Don't close the socket on error.
+ stap-serverd (initialization): Print a message if the given socket is busy.
+ Search for a local certificate database. Create and initialize one if not
+ found.
+ (listen): Don't discard stderr fomr stap-server-connect.
+ * stap-start-server: Check for existence of local certificate database as
+ evidence that the server is listening.
+ * Makefile.in: Regenerated.
+
2009-01-05 Dave Brolley <brolley@redhat.com>
PR9702
diff --git a/Makefile.am b/Makefile.am
index 6b5200dd..76968a49 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -105,14 +105,6 @@ install-elfutils:
install-exec-local: install-elfutils
endif
-#BUILT_SOURCES += stamp-ssl
-CLEANFILES += stamp-ssl
-stamp-ssl: config.status
- $(srcdir)/stap-gen-server-cert ssl
- touch $@
-#stap_DEPENDENCIES += ssl/server/stap-server.cert
-ssl/server/stap-server.cert: stamp-ssl ;
-
staprun_SOURCES = runtime/staprun/staprun.c runtime/staprun/staprun_funcs.c\
runtime/staprun/ctl.c runtime/staprun/common.c
@@ -198,16 +190,6 @@ install-data-local:
i_cmd="$(INSTALL_PROGRAM)"; else \
i_cmd="$(INSTALL_DATA)"; fi; \
$$i_cmd -D $$f $(DESTDIR)$(docdir)/examples/$$f; done)
- if test -d "$(builddir)/ssl"; then \
- (cd $(builddir)/ssl/server; for f in pw; \
- do $(INSTALL) -m 600 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/server; for f in *.db; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/server; for f in *.cert; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/client; for f in *.db; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/client/$$f; done); \
- fi
TEST_COV_DIR = coverage
diff --git a/Makefile.in b/Makefile.in
index dc5a9f86..c1791c84 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -317,10 +317,7 @@ stap_LDADD = @stap_LIBS@ @sqlite3_LIBS@
# instead of foo_SOURCES prevents shipping git_version.h in dist tarballs,
# which may cause false GIT_FOO readings.
BUILT_SOURCES = git_version.stamp $(am__append_3)
-
-#BUILT_SOURCES += stamp-ssl
-CLEANFILES = git_version.h $(am__append_4) stamp-ssl \
- $(pkglibexec_PROGRAMS)
+CLEANFILES = git_version.h $(am__append_4) $(pkglibexec_PROGRAMS)
stap_DEPENDENCIES = $(am__append_5)
GIT_VERSION_CMD = $(SHELL) $(top_srcdir)/git_version.sh
stap_CXXFLAGS = $(AM_CXXFLAGS)
@@ -1494,11 +1491,6 @@ cscope:
@BUILD_ELFUTILS_TRUE@ $(INSTALL_PROGRAM) $$file $(DESTDIR)$(pkglibdir); \
@BUILD_ELFUTILS_TRUE@ done
@BUILD_ELFUTILS_TRUE@install-exec-local: install-elfutils
-stamp-ssl: config.status
- $(srcdir)/stap-gen-server-cert ssl
- touch $@
-#stap_DEPENDENCIES += ssl/server/stap-server.cert
-ssl/server/stap-server.cert: stamp-ssl ;
install-exec-hook:
if [ `id -u` -eq 0 ]; then chmod 04111 "$(DESTDIR)$(bindir)/staprun"; fi
@@ -1538,16 +1530,6 @@ install-data-local:
i_cmd="$(INSTALL_PROGRAM)"; else \
i_cmd="$(INSTALL_DATA)"; fi; \
$$i_cmd -D $$f $(DESTDIR)$(docdir)/examples/$$f; done)
- if test -d "$(builddir)/ssl"; then \
- (cd $(builddir)/ssl/server; for f in pw; \
- do $(INSTALL) -m 600 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/server; for f in *.db; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/server; for f in *.cert; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \
- (cd $(builddir)/ssl/client; for f in *.db; \
- do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/client/$$f; done); \
- fi
gcov:
@-$(MAKE) clean CXXFLAGS="-g -fprofile-arcs -ftest-coverage" all check
diff --git a/stap-add-server-cert b/stap-add-server-cert
index 6d788160..5f17f165 100755
--- a/stap-add-server-cert
+++ b/stap-add-server-cert
@@ -3,7 +3,7 @@
# Add an existing server certificate to the
# database of trusted servers for the client.
#
-# Copyright (C) 2008 Red Hat Inc.
+# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
@@ -26,13 +26,23 @@ if test "X$2" = "X"; then
exit 1
fi
if ! test -d $2; then
- echo "Cannot find certificate database directory $2" >&2
- exit 1
+ if ! mkdir -p $2; then
+ echo "Unable to find or create the client certificate database directory: $2" >&2
+ exit 1
+ fi
fi
+# Add the certificate
if ! certutil -A -n stap-server -d $2 -i $1 -t "P,P,P" > /dev/null; then
echo "Unable to add $1 to the client certificate database $2" >&2
exit 1
fi
+# Ensure that the database is readable by others
+if ! chmod +r $2/*.db; then
+ echo "Unable to make the client certificate database $2 readable by others" >&2
+ exit 1
+fi
+
+
exit 0
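Review bot: `chmod +r $2/*.db` near the end of this hunk does not guarantee what its comment promises, because a mode with no who-letter is filtered through the umask; under a umask such as 077 the databases stay unreadable by others and the script still exits 0. `chmod a+r "$2"/*.db` states the intent explicitly. The glob also covers the key database in that directory, which is harmless only while this script is used on client trust stores that hold no private keys; a comment saying so would help. `$2` is unquoted in the new `mkdir -p` and `chmod` lines, so a path containing whitespace is split.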
diff --git a/stap-client b/stap-client
index d700a675..69bd935c 100755
--- a/stap-client
+++ b/stap-client
@@ -2,7 +2,7 @@
# Compile server client for systemtap
#
-# Copyright (C) 2008 Red Hat Inc.
+# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
@@ -38,8 +38,14 @@ function initialization {
umask 0
staprun_running=0
+ # Default location for server certificates if we're not root
+ if test $EUID != 0; then
+ local_ssl_dbs="$HOME/.systemtap/ssl/client"
+ fi
+ # Additional location for all users.
+ public_ssl_dbs="`dirname $0`/../etc/systemtap/ssl/client"
+
# Default options settings
- ssl_db=/etc/systemtap/ssl/client
p_phase=5
v_level=0
keep_temps=0
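Review bot: `public_ssl_dbs` is derived from `dirname $0`, so the set of server certificates the client trusts depends on the path the script was started from rather than on where it was installed. If stap-client is run through a symlink or from a copy (the testsuite copies it to `$net_path/stap`), the trust database is looked up next to that location, and whoever can write there decides which servers are accepted. A location fixed at build time from the configured `sysconfdir` would avoid that; at minimum add a comment stating the assumption, e.g. `# Assumes this script is run from its installed bin directory, not via a symlink or copy.` The same `dirname $0` lookup is added for the server database in stap-serverd (initialization) and in stap-start-server. The body of initialization continues outside the hunk.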
@@ -222,6 +228,8 @@ function parse_options {
else
cmdline="$cmdline1 $cmdline2"
fi
+
+ local_ssl_dbs="$additional_local_ssl_dbs $local_ssl_dbs"
}
# function: get_arg FIRSTWORD SECONDWORD
@@ -255,7 +263,7 @@ function process_ssl {
test "X$db" != "X" || \
fatal "Missing argument to --ssl"
- ssl_db=$db
+ additional_local_ssl_dbs="$additional_local_ssl_dbs $db"
}
# function: process_c ARGUMENT
@@ -461,7 +469,6 @@ function unpack_response {
else
# Make sure we own the systemtap temp directory if we are root.
test $EUID = 0 && chown $EUID:$EUID $tmpdir_server/$tmpdir_stap
- # The temp directory will be moved to here below.
fi
fi
}
@@ -502,7 +509,7 @@ function choose_server {
if test "X$server_host_name$server_domain_name" = "X$our_host_name$our_domain_name"; then
server=localhost
else
- server=$name
+ server=$server_host_name$server_domain_name
fi
if test "X$server" = "X"; then
@@ -522,6 +529,7 @@ function choose_server {
fatal "ERROR: unable to find a server"
fi
+ cat $tmpdir_client/connect >&2
fatal "ERROR: unable to connect to a server"
}
@@ -533,11 +541,32 @@ function send_receive {
jar_server=`mktemp -t $tmpdir_prefix_client.server.jar.XXXXXX` || \
fatal "ERROR: cannot create temporary file " $jar_server
- # Send the request and receive the response using stap-client-connect
- stap-client-connect -i $zip_client -o $jar_server -d $ssl_db -p $port -h $server &
- wait '%stap-client-connect'
+ # If the server is local, try to connect using each of the given local
+ # certificate databases in turn for verification.
+ if test "X$server" = "Xlocalhost"; then
+ for db in $local_ssl_dbs
+ do
+ # Send the request and receive the response using stap-client-connect
+ echo "Attempting connection with $server using certificate database in '$db'" >> $tmpdir_client/connect
+ stap-client-connect -i $zip_client -o $jar_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 &
+ wait '%stap-client-connect'
+ test $? = 0 && ssl_db=$db && return 0
+ sleep 1
+ done
+ fi
+
+ # We can try the public certificate databases for all servers.
+ for db in $public_ssl_dbs
+ do
+ # Send the request and receive the response using stap-client-connect
+ echo "Attempting connection with $server using certificate database in '$db'" >> $tmpdir_client/connect
+ stap-client-connect -i $zip_client -o $jar_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 &
+ wait '%stap-client-connect'
+ test $? = 0 && ssl_db=$db && return 0
+ sleep 1
+ done
- test $? = 0 && return 0
+ # Could not connect using any of the certificate databases
return 1
}
@@ -718,7 +747,8 @@ function interrupt {
fi
# Kill any stap-client-connect job
- kill -s SIGINT '%stap-client-connect'
+ # SIGINT won't do it.
+ kill -s SIGTERM '%stap-client-connect'
# If staprun was not running, then exit.
cleanup
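Review bot: The new comment `# SIGINT won't do it.` does not say why, which makes the choice of SIGTERM look arbitrary to the next reader. Presumably the reason is that bash starts the background jobs of a non-interactive shell with SIGINT ignored; if that is the case, say so: `# Background jobs of a non-interactive shell ignore SIGINT, so send SIGTERM.` The body of interrupt starts and ends outside the hunk.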
diff --git a/stap-client-connect.c b/stap-client-connect.c
index 29a8e18d..9466b566 100644
--- a/stap-client-connect.c
+++ b/stap-client-connect.c
@@ -2,7 +2,7 @@
SSL client program that sets up a connection to a SSL server, transmits
the given input file and then writes the reply to the given output file.
- Copyright (C) 2008 Red Hat Inc.
+ Copyright (C) 2008, 2009 Red Hat Inc.
This file is part of systemtap, and is free software. You can
redistribute it and/or modify it under the terms of the GNU General Public
@@ -25,9 +25,10 @@
#include <nspr.h>
#include <plgetopt.h>
#include <nss.h>
+#include <prerror.h>
+#include <secerr.h>
#define READ_BUFFER_SIZE (60 * 1024)
-
static char *hostName = NULL;
static unsigned short port = 0;
static const char *infileName = NULL;
@@ -44,9 +45,42 @@ Usage(const char *progName)
static void
errWarn(char *function)
{
- PRErrorCode errorNumber = PR_GetError();
+ PRErrorCode errorNumber;
+ PRInt32 errorTextLength;
+ PRInt32 rc;
+ char *errorText;
+
+ errorNumber = PR_GetError();
+ fprintf(stderr, "Error in function %s: %d: ", function, errorNumber);
+
+ /* See if PR_GetErrorText can tell us what the error is. */
+ if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR)
+ {
+ errorTextLength = PR_GetErrorTextLength ();
+ if (errorTextLength != 0) {
+ errorText = PORT_Alloc(errorTextLength);
+ rc = PR_GetErrorText (errorText);
+ if (rc != 0)
+ fprintf (stderr, "%s\n", errorText);
+ PR_Free (errorText);
+ if (rc != 0)
+ return;
+ }
+ }
- printf("Error in function %s: %d\n\n", function, errorNumber);
+ /* Otherwise handle common errors ourselves. */
+ switch (errorNumber)
+ {
+ case SEC_ERROR_CA_CERT_INVALID:
+ fputs ("The issuer's certificate is invalid\n", stderr);
+ break;
+ case PR_CONNECT_RESET_ERROR:
+ fputs ("Connection reset by peer\n", stderr);
+ break;
+ default:
+ fputs ("Unknown error\n", stderr);
+ break;
+ }
}
static void
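Review bot: The buffer obtained with `PORT_Alloc(errorTextLength)` in the new errWarn is used without a NULL check and is released with `PR_Free`, which is not the deallocator that pairs with `PORT_Alloc`. If PR_GetErrorTextLength reports the length without the terminating NUL (worth confirming against the NSPR headers), the buffer is also one byte short for PR_GetErrorText and for the `%s` that prints it. Suggested lines: `errorText = PORT_Alloc(errorTextLength + 1);`, a guard `if (errorText != NULL)` around the PR_GetErrorText call and the print with `rc` initialised to 0, and `PORT_Free(errorText);` for the release.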
@@ -190,10 +224,9 @@ handle_connection(PRFileDesc *sslSocket)
/* Send the file size first, so the server knows when it has the entire file. */
numBytes = PR_Write(sslSocket, & info.size, sizeof (info.size));
- /* Error in transmission? */
if (numBytes < 0)
{
- errWarn("PR_TransmitFile");
+ errWarn("PR_Write");
return SECFailure;
}
@@ -202,7 +235,6 @@ handle_connection(PRFileDesc *sslSocket)
NULL, 0,
PR_TRANSMITFILE_KEEP_OPEN,
PR_INTERVAL_NO_TIMEOUT);
- /* Error in transmission? */
if (numBytes < 0)
{
errWarn("PR_TransmitFile");
@@ -212,7 +244,7 @@ handle_connection(PRFileDesc *sslSocket)
#if DEBUG
/* Transmitted bytes successfully. */
fprintf(stderr, "PR_TransmitFile wrote %d bytes from %s\n",
- numBytes, "stdin");
+ numBytes, infileName);
#endif
PR_Close(local_file_fd);
@@ -248,13 +280,14 @@ handle_connection(PRFileDesc *sslSocket)
if (numBytes < 0)
{
fprintf (stderr, "could not write to %s\n", outfileName);
+ break;
+ }
#if DEBUG
- fprintf(stderr, "***** Connection read %d bytes (%d total).\n",
- numBytes, countRead );
- readBuffer[numBytes] = '\0';
- fprintf(stderr, "************\n%s\n************\n", readBuffer);
+ fprintf(stderr, "***** Connection read %d bytes (%d total).\n",
+ numBytes, countRead );
+ readBuffer[numBytes] = '\0';
+ fprintf(stderr, "************\n%s\n************\n", readBuffer);
#endif
- }
}
PR_Free(readBuffer);
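Review bot: The added `break` stops the read loop when writing to `outfileName` fails, but nothing in the hunk records the failure, so whether handle_connection then returns SECFailure cannot be seen from here. If the code after the loop still returns SECSuccess, stap-client-connect exits 0 with a truncated output file and stap-client's `test $? = 0` treats the exchange as successful. Recording a failure status in a local variable before the `break` and returning it after `PR_Free(readBuffer)` would make the error visible to the caller. The function body starts and ends outside the hunk.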
@@ -280,6 +313,8 @@ do_connect(PRNetAddr *addr)
PRIntn hostenum;
SECStatus secStatus;
+ secStatus = SECSuccess;
+
/* Set up SSL secure socket. */
sslSocket = setupSSLSocket();
if (sslSocket == NULL)
@@ -293,7 +328,7 @@ do_connect(PRNetAddr *addr)
if (secStatus != SECSuccess)
{
errWarn("SSL_SetPKCS11PinArg");
- return secStatus;
+ goto done;
}
#endif
@@ -301,7 +336,7 @@ do_connect(PRNetAddr *addr)
if (secStatus != SECSuccess)
{
errWarn("SSL_SetURL");
- return secStatus;
+ goto done;
}
/* Prepare and setup network connection. */
@@ -309,52 +344,56 @@ do_connect(PRNetAddr *addr)
if (prStatus != PR_SUCCESS)
{
errWarn("PR_GetHostByName");
- return SECFailure;
+ secStatus = SECFailure;
+ goto done;
}
hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr);
if (hostenum == -1)
{
errWarn("PR_EnumerateHostEnt");
- return SECFailure;
+ secStatus = SECFailure;
+ goto done;
}
prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT);
if (prStatus != PR_SUCCESS)
{
errWarn("PR_Connect");
- return SECFailure;
+ secStatus = SECFailure;
+ goto done;
}
/* Established SSL connection, ready to send data. */
-#if 0 /* Not necessary? */
- secStatus = SSL_ForceHandshake(sslSocket);
+ secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
if (secStatus != SECSuccess)
{
- errWarn("SSL_ForceHandshake");
- return secStatus;
+ errWarn("SSL_ResetHandshake");
+ goto done;
}
-#endif
- secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE);
+ /* This is normally done automatically on the first I/O operation,
+ but doing it here catches any authentication problems early. */
+ secStatus = SSL_ForceHandshake(sslSocket);
if (secStatus != SECSuccess)
{
- errWarn("SSL_ResetHandshake");
- prStatus = PR_Close(sslSocket);
- if (prStatus != PR_SUCCESS)
- errWarn("PR_Close");
- return secStatus;
+ errWarn("SSL_ForceHandshake");
+ goto done;
}
secStatus = handle_connection(sslSocket);
if (secStatus != SECSuccess)
{
errWarn("handle_connection");
- return secStatus;
+ goto done;
}
- PR_Close(sslSocket);
- return SECSuccess;
+ done:
+ prStatus = PR_Close(sslSocket);
+ if (prStatus != PR_SUCCESS)
+ errWarn("PR_Close");
+
+ return secStatus;
}
static void
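Review bot: `SSL_ForceHandshake(sslSocket)` is now always called and blocks until the handshake finishes, while the `PR_Connect` just above uses `PR_INTERVAL_NO_TIMEOUT`, so a peer that accepts the TCP connection and then stays silent stalls the client indefinitely. stap-client waits on this process before trying the next certificate database, so the fallback never runs in that case. The same call is added to handle_connection in stap-server-connect.c, where it matters more: the visible accept_connection loop handles one connection at a time, so a single stalled handshake keeps every other client waiting. Unless a timeout is configured on the socket elsewhere, consider `SSL_ForceHandshakeWithTimeout(sslSocket, timeout)` with a finite interval in both places.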
diff --git a/stap-find-or-start-server b/stap-find-or-start-server
index 108ac6ed..beef05fc 100755
--- a/stap-find-or-start-server
+++ b/stap-find-or-start-server
@@ -28,5 +28,5 @@ if test $? = 0; then
fi
# Could not find or start a server
-echo -1
+echo "-1"
exit 1
diff --git a/stap-gen-server-cert b/stap-gen-server-cert
index 9cc15b3f..fe40db90 100755
--- a/stap-gen-server-cert
+++ b/stap-gen-server-cert
@@ -86,12 +86,6 @@ rm -fr $1/stap-server.req
# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw
-# Now create a directory for the client's certificate database
-clientdb=$1/client
-if ! mkdir -p $clientdb; then
- echo "Unable to create the client certificate database directory: $clientdb" >&2
- exit 1
-fi
-
# Now add the server's certificate to the client's database, making it a trusted peer.
+clientdb=$1/client
`dirname $0`/stap-add-server-cert $serverdb/stap-server.cert $clientdb
diff --git a/stap-server b/stap-server
index 0a63d98e..857a9025 100755
--- a/stap-server
+++ b/stap-server
@@ -2,7 +2,7 @@
# Compile server for systemtap
#
-# Copyright (C) 2008 Red Hat Inc.
+# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
@@ -367,7 +367,7 @@ function package_response {
#chmod +r $jar_server
# Generate the jar file
- signtool -d $ssl_db -k $nss_cert -p `cat $nss_pw` -Z $jar_server $tmpdir_server
+ signtool -d $ssl_db -k $nss_cert -p `cat $nss_pw` -Z $jar_server $tmpdir_server >/dev/null
}
# function: fatal [ MESSAGE ]
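Review bot: The exit status of `signtool` in package_response is not checked, and with stdout now sent to /dev/null a failed signing run leaves less evidence behind. Appending `|| fatal "ERROR: unable to sign the response"` to the command would stop the server from sending back a response that was never signed. Separately, `-p` is given the contents of `$nss_pw` on the command line, where other local users can read the key database password from the process list while signtool runs; that deserves a comment or a follow-up change. The body of package_response starts outside the hunk.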
diff --git a/stap-server-connect.c b/stap-server-connect.c
index 388c5d96..37b44a9b 100644
--- a/stap-server-connect.c
+++ b/stap-server-connect.c
@@ -3,7 +3,7 @@
the data into a temporary file, calls the systemtap server script and
then transmits the resulting fileback to the client.
- Copyright (C) 2008 Red Hat Inc.
+ Copyright (C) 2008, 2009 Red Hat Inc.
This file is part of systemtap, and is free software. You can
redistribute it and/or modify it under the terms of the GNU General Public
@@ -399,6 +399,14 @@ handle_connection(PRFileDesc *tcpSocket)
goto cleanup;
}
+ /* Force the handshake to complete before moving on. */
+ secStatus = SSL_ForceHandshake(sslSocket);
+ if (secStatus != SECSuccess)
+ {
+ errWarn("SSL_ForceHandshake");
+ goto cleanup;
+ }
+
/* Create a temporary files and directories. */
memcpy (requestFileName + sizeof (requestFileName) - 1 - 6, "XXXXXX", 6);
rc = mkstemp(requestFileName);
@@ -428,6 +436,11 @@ handle_connection(PRFileDesc *tcpSocket)
fprintf (stderr, "Could not create temporary file %s\n", responseJarName);
perror ("");
secStatus = SECFailure;
+
+ /* Remove this so that the other temp files will get removed in cleanup. */
+ prStatus = PR_RmDir (responseDirName);
+ if (prStatus != PR_SUCCESS)
+ errWarn ("PR_RmDir");
goto cleanup;
}
@@ -475,7 +488,6 @@ handle_connection(PRFileDesc *tcpSocket)
secStatus = writeDataToSocket(sslSocket);
cleanup:
-
/* Close down the socket. */
prStatus = PR_Close(tcpSocket);
if (prStatus != PR_SUCCESS)
@@ -508,7 +520,9 @@ accept_connection(PRFileDesc *listenSocket)
PRNetAddr addr;
PRStatus prStatus;
PRFileDesc *tcpSocket;
+#if 0
SECStatus result;
+#endif
while (PR_TRUE)
{
@@ -525,8 +539,8 @@ accept_connection(PRFileDesc *listenSocket)
}
/* Accepted the connection, now handle it. */
- result = handle_connection (tcpSocket);
-
+ /*result =*/ handle_connection (tcpSocket);
+#if 0 /* Not necessary */
if (result != SECSuccess)
{
prStatus = PR_Close(tcpSocket);
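Review bot: The `#if 0 /* Not necessary */` block and the commented-out `/*result =*/` leave dead code in accept_connection without saying why the old error path was wrong. handle_connection closes `tcpSocket` itself in its cleanup section, so the disabled `PR_Close(tcpSocket)` was a second close of the same descriptor. Deleting the disabled lines and writing `(void) handle_connection (tcpSocket); /* closes tcpSocket itself; keep serving after a failed request */` would say that directly. This also covers the `#if 0` placed around the `result` declaration in the previous hunk and the `#endif` in the next one.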
@@ -534,6 +548,7 @@ accept_connection(PRFileDesc *listenSocket)
exitErr("PR_Close");
break;
}
+#endif
}
#if DEBUG
diff --git a/stap-serverd b/stap-serverd
index 094f4ca4..bd1c27db 100755
--- a/stap-serverd
+++ b/stap-serverd
@@ -2,7 +2,7 @@
# Compile server manager for systemtap
#
-# Copyright (C) 2008 Red Hat Inc.
+# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
@@ -30,12 +30,24 @@ function initialization {
while netstat -atn | awk '{print $4}' | cut -f2 -d: | egrep -q "^$port\$";
do
# Whoops, the port is busy; try another one.
+ echo "$0: Port $port is busy"
port=$((1024+($port + $RANDOM)%64000))
done
# Where is the ssl certificate/key database?
ssl_db=$2
- test "X$ssl_db" = "X" && ssl_db=/etc/systemtap/ssl/server
+ if test "X$ssl_db" = "X"; then
+ # If no certificate/key database has been specified, then find/create
+ # a local one.
+ if test $EUID = 0; then
+ ssl_db=`dirname $0`/../etc/systemtap/ssl/server
+ else
+ ssl_db=$HOME/.systemtap/ssl/server
+ fi
+ if ! test -f $ssl_db/stap-server.cert; then
+ stap-gen-server-cert `dirname $ssl_db` || exit 1
+ fi
+ fi
nss_pw=$ssl_db/pw
nss_cert=stap-server
}
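Review bot: With the database now generated at first start by `stap-gen-server-cert`, nothing visible in this change sets the permissions of `$ssl_db/pw` or of the key database. The install rule this commit removes from Makefile.am installed `pw` with mode 600; unless stap-gen-server-cert (only partly shown) restricts the files itself, their mode depends on the caller's umask. An explicit `chmod 600 $ssl_db/pw` after generation would keep the password file private. The new `echo "$0: Port $port is busy"` writes to stdout; if a caller captures this script's stdout to read the server pid, `>&2` is safer.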
@@ -62,7 +74,7 @@ function advertise_presence {
function listen {
# The stap-server-connect program will listen forever
# accepting requests.
- stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw > /dev/null 2>&1 &
+ stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw 2>&1 &
wait '%stap-server-connect' >/dev/null 2>&1
}
diff --git a/stap-start-server b/stap-start-server
index 5bc97c22..04a3e2d3 100755
--- a/stap-start-server
+++ b/stap-start-server
@@ -2,7 +2,7 @@
# Start a systemtap server
#
-# Copyright (C) 2008 Red Hat Inc.
+# Copyright (C) 2008, 2009 Red Hat Inc.
#
# This file is part of systemtap, and is free software. You can
# redistribute it and/or modify it under the terms of the GNU General
@@ -19,8 +19,17 @@ server_pid=$!
# Make sure the server is started
for ((attempt=0; $attempt < 5; ++attempt))
do
- (ps -a | grep $server_pid) >/dev/null 2>&1 && echo $server_pid && exit 0
- sleep 1
+ if test $EUID = 0; then
+ if ! test -f `dirname $0`/../etc/systemtap/ssl/server/stap-server.cert; then
+ sleep 1
+ continue;
+ fi
+ elif ! test -f $HOME/.systemtap/ssl/server/stap-server.cert; then
+ sleep 1
+ continue
+ fi
+ (ps -a | grep $server_pid) >/dev/null 2>&1 && echo $server_pid && exit 0
+ sleep 1
done
exit 1 # server did not start
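Review bot: The presence of `stap-server.cert` is used in this loop as the sign that the server is up, but the file outlives the server, so on every start after the first the test passes immediately and says nothing about listening. On a first start, certificate generation has to finish within the five one-second attempts, otherwise the script exits 1 while the server it launched is still running. The two branches repeat the same `sleep 1` and `continue`; computing the database path once before the loop would shorten this. `ps -a | grep $server_pid` matches any line containing those digits, whereas `kill -0 $server_pid` tests the exact process.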
diff --git a/testsuite/ChangeLog b/testsuite/ChangeLog
index 7180bb56..293c007f 100644
--- a/testsuite/ChangeLog
+++ b/testsuite/ChangeLog
@@ -1,3 +1,7 @@
+2009-01-09 Dave Brolley <brolley@redhat.com>
+
+ * lib/systemtap.exp: Remove ssl_server_path and ssl_client_path.
+
2008-12-24 Dave Brolley <brolley@redhat.com>
* lib/systemtap.exp: Rename client_path to net_path.
diff --git a/testsuite/lib/systemtap.exp b/testsuite/lib/systemtap.exp
index 9219e977..f399073e 100644
--- a/testsuite/lib/systemtap.exp
+++ b/testsuite/lib/systemtap.exp
@@ -64,15 +64,10 @@ proc setup_systemtap_environment {} {
if {! [installtest_p]} then {
# Make sure the server management scripts are on the $PATH.
set env(PATH) "$srcdir/..:$env(PATH)"
- set ssl_server_path [exec pwd]/../ssl/server
- set ssl_client_path [exec pwd]/../ssl/client
- } else {
- set ssl_server_path ""
- set ssl_client_path ""
}
# Try to find or start the server.
- set server_pid [exec stap-find-or-start-server 65000 $ssl_server_path]
+ set server_pid [exec stap-find-or-start-server]
if { $server_pid == -1 } then {
print "Cannot find or start a systemtap server"
set server_pid 0
@@ -90,9 +85,6 @@ proc setup_systemtap_environment {} {
exec /bin/cp -p [exec which stap-client] $net_path/stap
} else {
exec /bin/cp -p $srcdir/../stap-client $net_path/stap
- # Make sure the client picks up the proper certificates for
- # server verification.
- exec sed -i s,/etc/systemtap/ssl/client,$ssl_client_path, $net_path/stap
}
set env(PATH) "$net_path:$env(PATH)"
}