-rw-r--r-- | ChangeLog | 38 | ||||
-rw-r--r-- | Makefile.am | 20 | ||||
-rw-r--r-- | Makefile.in | 38 | ||||
-rw-r--r-- | aclocal.m4 | 60 | ||||
-rw-r--r-- | doc/Makefile.in | 17 | ||||
-rw-r--r-- | doc/SystemTap_Tapset_Reference/Makefile.in | 19 | ||||
-rwxr-xr-x | stap-add-server-cert | 16 | ||||
-rwxr-xr-x | stap-client | 50 | ||||
-rw-r--r-- | stap-client-connect.c | 103 | ||||
-rwxr-xr-x | stap-find-or-start-server | 2 | ||||
-rwxr-xr-x | stap-gen-server-cert | 8 | ||||
-rwxr-xr-x | stap-server | 4 | ||||
-rw-r--r-- | stap-server-connect.c | 23 | ||||
-rwxr-xr-x | stap-serverd | 18 | ||||
-rwxr-xr-x | stap-start-server | 15 | ||||
-rw-r--r-- | testsuite/ChangeLog | 4 | ||||
-rw-r--r-- | testsuite/lib/systemtap.exp | 10 |
17 files changed, 274 insertions, 171 deletions
@@ -1,3 +1,41 @@
+2009-01-09 Dave Brolley <brolley@redhat.com>
+
+ * Makefile.am (stamp-ssl): Removed.
+ (ssl/server/stap-server.cert): Removed.
+ (install-data-local): Don't install $(builddir)/ssl.
+ (stap-add-server-cert): Create database directory if it does not
+ exist. Ensure the database is readable by others.
+ * stap-client (initialization): Initialize local_ssl_dbs and
+ public_ssl_dbs. Don't initialize ssl_db.
+ (parse_options): Concatenate additional_local_ssl_dbs with
+ local_ssl_dbs.
+ (process_ssl): Build up additional_local_ssl_dbs in the order
+ specified on the command line.
+ (choose_server): Set server for non-local domains. Print
+ $tmpdir_client/connect to stderr if we can't connect.
+ (send_receive): Try connecting to the given server using all of the
+ databases in $local_ssl_dbs and $public_ssl_dbs. Keep log in
+ $tmpdir_client/connect.
+ (interrupt): Use SIGTERM to kill stap-client-connect.
+ * stap-client-connect.c (prerror.h,secerror.h): #include them.
+ (errWarn): Try to the the error text from NSPR. Handle specific errors
+ manually otherwise.
+ (handle_connection): Stop processing on write error of the local file.
+ (do_connect): Cleanup on error. Call SSL_ForceHandshake to catch
+ authentication errors here.
+ * stap-gen-server-cert: Don't create the client's database directory.
+ * stap-server: Redirect the output of signtool to /dev/null.
+ * stap-server-connect.c (handle_connect): Call SSL_ForceHandshake to catch
+ authentication errors here. Clean up temp files on error.
+ (accept_connection): Don't close the socket on error.
+ stap-serverd (initialization): Print a message if the given socket is busy.
+ Search for a local certificate database. Create and initialize one if not
+ found.
+ (listen): Don't discard stderr fomr stap-server-connect.
+ * stap-start-server: Check for existence of local certificate database as
+ evidence that the server is listening.
+ * Makefile.in: Regenerated.
+ 2009-01-08 William Cohen <wcohen@redhat.com> * configure.ac: Check for xmlto that generates pdf. diff --git a/Makefile.am b/Makefile.am index 3ce1762d..38a2edaf 100644 --- a/Makefile.am +++ b/Makefile.am @@ -113,16 +113,6 @@ install-elfutils: install-exec-local: install-elfutils endif -if BUILD_SERVER -#BUILT_SOURCES += stamp-ssl -CLEANFILES += stamp-ssl -stamp-ssl: config.status - $(srcdir)/stap-gen-server-cert ssl - touch $@ -#stap_DEPENDENCIES += ssl/server/stap-server.cert -ssl/server/stap-server.cert: stamp-ssl ; -endif - staprun_SOURCES = runtime/staprun/staprun.c runtime/staprun/staprun_funcs.c\ runtime/staprun/ctl.c runtime/staprun/common.c @@ -210,16 +200,6 @@ install-data-local: i_cmd="$(INSTALL_PROGRAM)"; else \ i_cmd="$(INSTALL_DATA)"; fi; \ $$i_cmd -D $$f $(DESTDIR)$(docdir)/examples/$$f; done) - if test -d "$(builddir)/ssl"; then \ - (cd $(builddir)/ssl/server; for f in pw; \ - do $(INSTALL) -m 600 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/server; for f in *.db; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/server; for f in *.cert; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/client; for f in *.db; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/client/$$f; done); \ - fi TEST_COV_DIR = coverage diff --git a/Makefile.in b/Makefile.in index e025b1ad..37afdcdc 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -49,9 +49,6 @@ bin_PROGRAMS = stap$(EXEEXT) staprun$(EXEEXT) $(am__EXEEXT_1) @BUILD_ELFUTILS_TRUE@am__append_7 = stamp-elfutils @BUILD_ELFUTILS_TRUE@am__append_8 = lib-elfutils/libdw.so @BUILD_ELFUTILS_TRUE@am__append_9 = install-elfutils - -#BUILT_SOURCES += stamp-ssl -@BUILD_SERVER_TRUE@am__append_10 = stamp-ssl pkglibexec_PROGRAMS = stapio$(EXEEXT) noinst_PROGRAMS = loc2c-test$(EXEEXT) subdir = . @@ -330,8 +327,7 @@ stap_LDADD = @stap_LIBS@ @sqlite3_LIBS@ # instead of foo_SOURCES prevents shipping git_version.h in dist tarballs, # which may cause false GIT_FOO readings. BUILT_SOURCES = git_version.stamp $(am__append_6) -CLEANFILES = git_version.h $(am__append_7) $(am__append_10) \ - $(pkglibexec_PROGRAMS) +CLEANFILES = git_version.h $(am__append_7) $(pkglibexec_PROGRAMS) stap_DEPENDENCIES = $(am__append_8) GIT_VERSION_CMD = $(SHELL) $(top_srcdir)/git_version.sh stap_CXXFLAGS = $(AM_CXXFLAGS) @@ -1279,8 +1275,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS 
@@ -1305,8 +1301,8 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) config.in $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -1316,12 +1312,13 @@ ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) config.in $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) config.in $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique @@ -1504,11 +1501,6 @@ cscope: @BUILD_ELFUTILS_TRUE@ $(INSTALL_PROGRAM) $$file $(DESTDIR)$(pkglibdir); \ @BUILD_ELFUTILS_TRUE@ done @BUILD_ELFUTILS_TRUE@install-exec-local: install-elfutils -@BUILD_SERVER_TRUE@stamp-ssl: config.status -@BUILD_SERVER_TRUE@ $(srcdir)/stap-gen-server-cert ssl -@BUILD_SERVER_TRUE@ touch $@ -#stap_DEPENDENCIES += ssl/server/stap-server.cert -@BUILD_SERVER_TRUE@ssl/server/stap-server.cert: stamp-ssl ; install-exec-hook: if [ `id -u` -eq 0 ]; then chmod 04111 "$(DESTDIR)$(bindir)/staprun"; fi 
@@ -1548,16 +1540,6 @@ install-data-local: i_cmd="$(INSTALL_PROGRAM)"; else \ i_cmd="$(INSTALL_DATA)"; fi; \ $$i_cmd -D $$f $(DESTDIR)$(docdir)/examples/$$f; done) - if test -d "$(builddir)/ssl"; then \ - (cd $(builddir)/ssl/server; for f in pw; \ - do $(INSTALL) -m 600 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/server; for f in *.db; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/server; for f in *.cert; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/server/$$f; done); \ - (cd $(builddir)/ssl/client; for f in *.db; \ - do $(INSTALL) -m 664 -D $$f $(DESTDIR)$(sysconfdir)/systemtap/ssl/client/$$f; done); \ - fi gcov: @-$(MAKE) clean CXXFLAGS="-g -fprofile-arcs -ftest-coverage" all check @@ -1,7 +1,7 @@ -# generated automatically by aclocal 1.10.1 -*- Autoconf -*- +# generated automatically by aclocal 1.10 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -11,13 +11,10 @@ # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -m4_if(AC_AUTOCONF_VERSION, [2.61],, -[m4_warning([this file was generated for autoconf 2.61. -You have another version of autoconf. It may work, but is not guaranteed to. -If you have problems, you may need to regenerate the build system entirely. -To do so, use the procedure documented by the package, typically `autoreconf'.])]) +m4_if(m4_PACKAGE_VERSION, [2.61],, +[m4_fatal([this file was generated for autoconf 2.61. +You have another version of autoconf. If you want to use that, +you should regenerate the build system entirely.], [63])]) # pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- # @@ -87,14 +84,16 @@ fi]) # _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) # --------------------------------------------- m4_define([_PKG_CONFIG], -[if test -n "$$1"; then - pkg_cv_[]$1="$$1" - elif test -n "$PKG_CONFIG"; then - PKG_CHECK_EXISTS([$3], - [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], - [pkg_failed=yes]) - else - pkg_failed=untried +[if test -n "$PKG_CONFIG"; then + if test -n "$$1"; then + pkg_cv_[]$1="$$1" + else + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], + [pkg_failed=yes]) + fi +else + pkg_failed=untried fi[]dnl ])# _PKG_CONFIG @@ -138,9 +137,9 @@ See the pkg-config man page for more details.]) if test $pkg_failed = yes; then _PKG_SHORT_ERRORS_SUPPORTED if test $_pkg_short_errors_supported = yes; then - $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "$2" 2>&1` + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` else - $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors "$2" 2>&1` + $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` fi # Put the nasty error message in config.log where it belongs echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD 
@@ -175,7 +174,7 @@ else fi[]dnl ])# PKG_CHECK_MODULES -# Copyright (C) 2002, 2003, 2005, 2006, 2007 Free Software Foundation, Inc. +# Copyright (C) 2002, 2003, 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -190,7 +189,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.10' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.10.1], [], +m4_if([$1], [1.10], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -206,10 +205,8 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AC_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.10.1])dnl -m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -_AM_AUTOCONF_VERSION(AC_AUTOCONF_VERSION)]) +[AM_AUTOMAKE_VERSION([1.10])dnl +_AM_AUTOCONF_VERSION(m4_PACKAGE_VERSION)]) # AM_AUX_DIR_EXPAND -*- Autoconf -*- @@ -504,7 +501,7 @@ AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. - if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + if sed 10q "$mf" | grep '^#.*generated by automake' > /dev/null 2>&1; then dirpart=`AS_DIRNAME("$mf")` else continue 
@@ -552,13 +549,13 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], # Do all the work for Automake. -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, -# 2005, 2006, 2008 Free Software Foundation, Inc. +# 2005, 2006 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. -# serial 13 +# serial 12 # This macro actually does too much. Some checks are only needed if # your package does certain things. But this isn't really a big deal. @@ -663,17 +660,16 @@ AC_PROVIDE_IFELSE([AC_PROG_OBJC], # our stamp files there. AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], [# Compute $1's index in $config_headers. -_am_arg=$1 _am_stamp_count=1 for _am_header in $config_headers :; do case $_am_header in - $_am_arg | $_am_arg:* ) + $1 | $1:* ) break ;; * ) _am_stamp_count=`expr $_am_stamp_count + 1` ;; esac done -echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) +echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count]) # Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc. # @@ -1034,7 +1030,7 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])]) # _AM_SUBST_NOTMAKE(VARIABLE) # --------------------------- -# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. +# Prevent Automake from outputing VARIABLE = @VARIABLE@ in Makefile.in. # This macro is traced by Automake. AC_DEFUN([_AM_SUBST_NOTMAKE]) diff --git a/doc/Makefile.in b/doc/Makefile.in index e7716e63..776381d8 100644 --- a/doc/Makefile.in +++ b/doc/Makefile.in 
@@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -279,8 +279,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS @@ -305,8 +305,8 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ 
@@ -316,12 +316,13 @@ ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique diff --git a/doc/SystemTap_Tapset_Reference/Makefile.in b/doc/SystemTap_Tapset_Reference/Makefile.in index 09fcf2dc..f840d8c5 100644 --- a/doc/SystemTap_Tapset_Reference/Makefile.in +++ b/doc/SystemTap_Tapset_Reference/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -46,7 +46,7 @@ PROGRAMS = $(noinst_PROGRAMS) docproc_SOURCES = docproc.c docproc_OBJECTS = docproc.$(OBJEXT) docproc_LDADD = $(LDADD) -DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +DEFAULT_INCLUDES = -I. -I$(top_builddir)@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ 
@@ -241,8 +241,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ mkid -fID $$unique tags: TAGS @@ -254,8 +254,8 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ @@ -265,12 +265,13 @@ ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) tags=; \ + here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ test -z "$(CTAGS_ARGS)$$tags$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$tags $$unique diff --git a/stap-add-server-cert b/stap-add-server-cert index 6d788160..5f17f165 100755 --- a/stap-add-server-cert +++ b/stap-add-server-cert @@ -3,7 +3,7 @@ # Add an existing server certificate to the # database of trusted servers for the client. # -# Copyright (C) 2008 Red Hat Inc. +# Copyright (C) 2008, 2009 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General 
@@ -26,13 +26,23 @@ if test "X$2" = "X"; then exit 1 fi if ! test -d $2; then - echo "Cannot find certificate database directory $2" >&2 - exit 1 + if ! mkdir -p $2; then + echo "Unable to find or create the client certificate database directory: $2" >&2 + exit 1 + fi fi +# Add the certificate if ! certutil -A -n stap-server -d $2 -i $1 -t "P,P,P" > /dev/null; then echo "Unable to add $1 to the client certificate database $2" >&2 exit 1 fi +# Ensure that the database is readable by others +if ! chmod +r $2/*.db; then + echo "Unable to make the client certificate database $2 readable by others" >&2 + exit 1 +fi + + exit 0 diff --git a/stap-client b/stap-client index d700a675..69bd935c 100755 --- a/stap-client +++ b/stap-client @@ -2,7 +2,7 @@ # Compile server client for systemtap # -# Copyright (C) 2008 Red Hat Inc. +# Copyright (C) 2008, 2009 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General @@ -38,8 +38,14 @@ function initialization { umask 0 staprun_running=0 + # Default location for server certificates if we're not root + if test $EUID != 0; then + local_ssl_dbs="$HOME/.systemtap/ssl/client" + fi + # Additional location for all users. + public_ssl_dbs="`dirname $0`/../etc/systemtap/ssl/client" + # Default options settings - ssl_db=/etc/systemtap/ssl/client p_phase=5 v_level=0 keep_temps=0 @@ -222,6 +228,8 @@ function parse_options { else cmdline="$cmdline1 $cmdline2" fi + + local_ssl_dbs="$additional_local_ssl_dbs $local_ssl_dbs" } # function: get_arg FIRSTWORD SECONDWORD @@ -255,7 +263,7 @@ function process_ssl { test "X$db" != "X" || \ fatal "Missing argument to --ssl" - ssl_db=$db + additional_local_ssl_dbs="$additional_local_ssl_dbs $db" } # function: process_c ARGUMENT 
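Review bot: `mkdir -p $2` in stap-add-server-cert creates the client trust database directory with whatever umask the caller happens to have, and every certificate added to that directory is trusted as a server (`-t "P,P,P"`). stap-client sets `umask 0` in its initialization, so if this script is ever run from that environment (not visible here) the directory would be world-writable; `if ! (umask 022; mkdir -p "$2"); then` fixes the mode regardless of the caller. `$1` and `$2` are unquoted on the `certutil` and `chmod` lines as well, so a path containing whitespace is split into several words. `chmod +r "$2"/*.db` also covers the key database in that directory, which is presumably fine for a client database but deserves a comment saying so.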
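Review bot: `public_ssl_dbs` in stap-client's initialization is built from `dirname $0`, so which certificates the client trusts now depends on how the script was started; the line this hunk removes used the fixed `/etc/systemtap/ssl/client`. Started as `bash stap-client` or through a relative path, `$0` carries no installation prefix and the database is looked up relative to the current directory, and a copy of the script in a directory someone else can write to would pick up that directory's `../etc`. A path substituted at configure time would avoid this. If the relative lookup is kept, a comment such as `# assumes stap-client runs from $prefix/bin; trust database is $prefix/etc/systemtap/ssl/client` should state the assumption. The function body starts and ends outside the hunk.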
@@ -461,7 +469,6 @@ function unpack_response { else # Make sure we own the systemtap temp directory if we are root. test $EUID = 0 && chown $EUID:$EUID $tmpdir_server/$tmpdir_stap - # The temp directory will be moved to here below. fi fi } @@ -502,7 +509,7 @@ function choose_server { if test "X$server_host_name$server_domain_name" = "X$our_host_name$our_domain_name"; then server=localhost else - server=$name + server=$server_host_name$server_domain_name fi if test "X$server" = "X"; then @@ -522,6 +529,7 @@ function choose_server { fatal "ERROR: unable to find a server" fi + cat $tmpdir_client/connect >&2 fatal "ERROR: unable to connect to a server" } 
@@ -533,11 +541,32 @@ function send_receive { jar_server=`mktemp -t $tmpdir_prefix_client.server.jar.XXXXXX` || \ fatal "ERROR: cannot create temporary file " $jar_server - # Send the request and receive the response using stap-client-connect - stap-client-connect -i $zip_client -o $jar_server -d $ssl_db -p $port -h $server & - wait '%stap-client-connect' + # If the server is local, try to connect using each of the given local + # certificate databases in turn for verification. + if test "X$server" = "Xlocalhost"; then + for db in $local_ssl_dbs + do + # Send the request and receive the response using stap-client-connect + echo "Attempting connection with $server using certificate database in '$db'" >> $tmpdir_client/connect + stap-client-connect -i $zip_client -o $jar_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & + wait '%stap-client-connect' + test $? = 0 && ssl_db=$db && return 0 + sleep 1 + done + fi + + # We can try the public certificate databases for all servers. + for db in $public_ssl_dbs + do + # Send the request and receive the response using stap-client-connect + echo "Attempting connection with $server using certificate database in '$db'" >> $tmpdir_client/connect + stap-client-connect -i $zip_client -o $jar_server -d $db -p $port -h $server >> $tmpdir_client/connect 2>&1 & + wait '%stap-client-connect' + test $? = 0 && ssl_db=$db && return 0 + sleep 1 + done - test $? = 0 && return 0 + # Could not connect using any of the certificate databases return 1 } @@ -718,7 +747,8 @@ function interrupt { fi # Kill any stap-client-connect job - kill -s SIGINT '%stap-client-connect' + # SIGINT won't do it. + kill -s SIGTERM '%stap-client-connect' # If staprun was not running, then exit. cleanup diff --git a/stap-client-connect.c b/stap-client-connect.c index 29a8e18d..9466b566 100644 --- a/stap-client-connect.c +++ b/stap-client-connect.c 
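Review bot: Databases given with `--ssl` end up in `local_ssl_dbs` (process_ssl and parse_options), and send_receive consults `local_ssl_dbs` only when `$server` is `localhost`, so a user who passes `--ssl DIR` to trust a remote server has that directory silently ignored; before this change `-d $ssl_db` applied to every server. If that is intended the usage text should say so, otherwise the additional databases need to be tried in the second loop too. `$db` and the other expansions on the `stap-client-connect` lines are unquoted, and `for db in $local_ssl_dbs` relies on word splitting, so a `$HOME` containing whitespace turns into several bogus database paths. The two loop bodies are identical and would read better as one helper that takes the list of databases. send_receive starts above the hunk.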
@@ -2,7 +2,7 @@ SSL client program that sets up a connection to a SSL server, transmits the given input file and then writes the reply to the given output file. - Copyright (C) 2008 Red Hat Inc. + Copyright (C) 2008, 2009 Red Hat Inc. This file is part of systemtap, and is free software. You can redistribute it and/or modify it under the terms of the GNU General Public @@ -25,9 +25,10 @@ #include <nspr.h> #include <plgetopt.h> #include <nss.h> +#include <prerror.h> +#include <secerr.h> #define READ_BUFFER_SIZE (60 * 1024) - static char *hostName = NULL; static unsigned short port = 0; static const char *infileName = NULL; @@ -44,9 +45,42 @@ Usage(const char *progName) static void errWarn(char *function) { - PRErrorCode errorNumber = PR_GetError(); + PRErrorCode errorNumber; + PRInt32 errorTextLength; + PRInt32 rc; + char *errorText; + + errorNumber = PR_GetError(); + fprintf(stderr, "Error in function %s: %d: ", function, errorNumber); + + /* See if PR_GetErrorText can tell us what the error is. */ + if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR) + { + errorTextLength = PR_GetErrorTextLength (); + if (errorTextLength != 0) { + errorText = PORT_Alloc(errorTextLength); + rc = PR_GetErrorText (errorText); + if (rc != 0) + fprintf (stderr, "%s\n", errorText); + PR_Free (errorText); + if (rc != 0) + return; + } + } - printf("Error in function %s: %d\n\n", function, errorNumber); + /* Otherwise handle common errors ourselves. */ + switch (errorNumber) + { + case SEC_ERROR_CA_CERT_INVALID: + fputs ("The issuer's certificate is invalid\n", stderr); + break; + case PR_CONNECT_RESET_ERROR: + fputs ("Connection reset by peer\n", stderr); + break; + default: + fputs ("Unknown error\n", stderr); + break; + } } static void 
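Review bot: In errWarn the buffer passed to PR_GetErrorText is allocated with `PORT_Alloc(errorTextLength)`, used without a NULL check, and then released with `PR_Free`. As far as I know PR_GetErrorTextLength does not count the terminating NUL while PR_GetErrorText copies it, so the buffer is one byte short; `errorText = PORT_Alloc(errorTextLength + 1);` is the safe size. The allocation should be tested before use (falling through to the `switch` when it fails), and memory from PORT_Alloc should go back through `PORT_Free (errorText);` rather than the NSPR allocator. A one-line comment above the `switch` saying that these are the errors a certificate or trust mismatch typically produces would help the next reader.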
@@ -190,10 +224,9 @@ handle_connection(PRFileDesc *sslSocket) /* Send the file size first, so the server knows when it has the entire file. */ numBytes = PR_Write(sslSocket, & info.size, sizeof (info.size)); - /* Error in transmission? */ if (numBytes < 0) { - errWarn("PR_TransmitFile"); + errWarn("PR_Write"); return SECFailure; } @@ -202,7 +235,6 @@ handle_connection(PRFileDesc *sslSocket) NULL, 0, PR_TRANSMITFILE_KEEP_OPEN, PR_INTERVAL_NO_TIMEOUT); - /* Error in transmission? */ if (numBytes < 0) { errWarn("PR_TransmitFile"); @@ -212,7 +244,7 @@ handle_connection(PRFileDesc *sslSocket) #if DEBUG /* Transmitted bytes successfully. */ fprintf(stderr, "PR_TransmitFile wrote %d bytes from %s\n", - numBytes, "stdin"); + numBytes, infileName); #endif PR_Close(local_file_fd); @@ -248,13 +280,14 @@ handle_connection(PRFileDesc *sslSocket) if (numBytes < 0) { fprintf (stderr, "could not write to %s\n", outfileName); + break; + } #if DEBUG - fprintf(stderr, "***** Connection read %d bytes (%d total).\n", - numBytes, countRead ); - readBuffer[numBytes] = '\0'; - fprintf(stderr, "************\n%s\n************\n", readBuffer); + fprintf(stderr, "***** Connection read %d bytes (%d total).\n", + numBytes, countRead ); + readBuffer[numBytes] = '\0'; + fprintf(stderr, "************\n%s\n************\n", readBuffer); #endif - } } PR_Free(readBuffer); @@ -280,6 +313,8 @@ do_connect(PRNetAddr *addr) PRIntn hostenum; SECStatus secStatus; + secStatus = SECSuccess; + /* Set up SSL secure socket. */ sslSocket = setupSSLSocket(); if (sslSocket == NULL) @@ -293,7 +328,7 @@ do_connect(PRNetAddr *addr) if (secStatus != SECSuccess) { errWarn("SSL_SetPKCS11PinArg"); - return secStatus; + goto done; } #endif @@ -301,7 +336,7 @@ do_connect(PRNetAddr *addr) if (secStatus != SECSuccess) { errWarn("SSL_SetURL"); - return secStatus; + goto done; } /* Prepare and setup network connection. */ 
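Review bot: The `break` added after "could not write to %s" in handle_connection leaves the read loop without recording the failure in anything visible in this hunk. If the function still returns success after the loop, stap-client-connect exits 0 and send_receive in stap-client accepts a truncated response file as a completed exchange. The failure should be recorded before the `break`, for example by setting the status the function returns to `SECFailure`; the test `numBytes < 0` also lets a short write pass, if the write call above the hunk can return one. The function starts and ends outside the hunk.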
@@ -309,52 +344,56 @@ do_connect(PRNetAddr *addr) if (prStatus != PR_SUCCESS) { errWarn("PR_GetHostByName"); - return SECFailure; + secStatus = SECFailure; + goto done; } hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr); if (hostenum == -1) { errWarn("PR_EnumerateHostEnt"); - return SECFailure; + secStatus = SECFailure; + goto done; } prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT); if (prStatus != PR_SUCCESS) { errWarn("PR_Connect"); - return SECFailure; + secStatus = SECFailure; + goto done; } /* Established SSL connection, ready to send data. */ -#if 0 /* Not necessary? */ - secStatus = SSL_ForceHandshake(sslSocket); + secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE); if (secStatus != SECSuccess) { - errWarn("SSL_ForceHandshake"); - return secStatus; + errWarn("SSL_ResetHandshake"); + goto done; } -#endif - secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE); + /* This is normally done automatically on the first I/O operation, + but doing it here catches any authentication problems early. */ + secStatus = SSL_ForceHandshake(sslSocket); if (secStatus != SECSuccess) { - errWarn("SSL_ResetHandshake"); - prStatus = PR_Close(sslSocket); - if (prStatus != PR_SUCCESS) - errWarn("PR_Close"); - return secStatus; + errWarn("SSL_ForceHandshake"); + goto done; } secStatus = handle_connection(sslSocket); if (secStatus != SECSuccess) { errWarn("handle_connection"); - return secStatus; + goto done; } - PR_Close(sslSocket); - return SECSuccess; + done: + prStatus = PR_Close(sslSocket); + if (prStatus != PR_SUCCESS) + errWarn("PR_Close"); + + return secStatus; } static void diff --git a/stap-find-or-start-server b/stap-find-or-start-server index 108ac6ed..beef05fc 100755 --- a/stap-find-or-start-server +++ b/stap-find-or-start-server @@ -28,5 +28,5 @@ if test $? = 0; then fi # Could not find or start a server -echo -1 +echo "-1" exit 1 diff --git a/stap-gen-server-cert b/stap-gen-server-cert index 9cc15b3f..fe40db90 100755 
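Review bot: `SSL_ForceHandshake(sslSocket)` in do_connect blocks until the peer finishes the handshake, and the `PR_Connect` before it already uses `PR_INTERVAL_NO_TIMEOUT`, so a server that accepts the connection and then stalls holds the client indefinitely; stap-client now waits on one such attempt per certificate database. NSS offers a bounded variant, `secStatus = SSL_ForceHandshakeWithTimeout(sslSocket, PR_SecondsToInterval(HANDSHAKE_TIMEOUT_SECS));`, where HANDSHAKE_TIMEOUT_SECS is a placeholder for a constant the file would have to define. The same applies to the `SSL_ForceHandshake` added to handle_connection in stap-server-connect.c, where accept_connection calls it synchronously inside its accept loop, so one peer that never completes the handshake appears able to hold the server. The `done:` label would also benefit from a comment stating that every path after setupSSLSocket succeeds must leave through it; the function starts above the hunk.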
--- a/stap-gen-server-cert +++ b/stap-gen-server-cert @@ -86,12 +86,6 @@ rm -fr $1/stap-server.req # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw -# Now create a directory for the client's certificate database -clientdb=$1/client -if ! mkdir -p $clientdb; then - echo "Unable to create the client certificate database directory: $clientdb" >&2 - exit 1 -fi - # Now add the server's certificate to the client's database, making it a trusted peer. +clientdb=$1/client `dirname $0`/stap-add-server-cert $serverdb/stap-server.cert $clientdb diff --git a/stap-server b/stap-server index 0a63d98e..857a9025 100755 --- a/stap-server +++ b/stap-server @@ -2,7 +2,7 @@ # Compile server for systemtap # -# Copyright (C) 2008 Red Hat Inc. +# Copyright (C) 2008, 2009 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General @@ -367,7 +367,7 @@ function package_response { #chmod +r $jar_server # Generate the jar file - signtool -d $ssl_db -k $nss_cert -p `cat $nss_pw` -Z $jar_server $tmpdir_server + signtool -d $ssl_db -k $nss_cert -p `cat $nss_pw` -Z $jar_server $tmpdir_server >/dev/null } # function: fatal [ MESSAGE ] diff --git a/stap-server-connect.c b/stap-server-connect.c index 388c5d96..37b44a9b 100644 --- a/stap-server-connect.c +++ b/stap-server-connect.c @@ -3,7 +3,7 @@ the data into a temporary file, calls the systemtap server script and then transmits the resulting fileback to the client. - Copyright (C) 2008 Red Hat Inc. + Copyright (C) 2008, 2009 Red Hat Inc. This file is part of systemtap, and is free software. You can redistribute it and/or modify it under the terms of the GNU General Public 
@@ -399,6 +399,14 @@ handle_connection(PRFileDesc *tcpSocket) goto cleanup; } + /* Force the handshake to complete before moving on. */ + secStatus = SSL_ForceHandshake(sslSocket); + if (secStatus != SECSuccess) + { + errWarn("SSL_ForceHandshake"); + goto cleanup; + } + /* Create a temporary files and directories. */ memcpy (requestFileName + sizeof (requestFileName) - 1 - 6, "XXXXXX", 6); rc = mkstemp(requestFileName); @@ -428,6 +436,11 @@ handle_connection(PRFileDesc *tcpSocket) fprintf (stderr, "Could not create temporary file %s\n", responseJarName); perror (""); secStatus = SECFailure; + + /* Remove this so that the other temp files will get removed in cleanup. */ + prStatus = PR_RmDir (responseDirName); + if (prStatus != PR_SUCCESS) + errWarn ("PR_RmDir"); goto cleanup; } @@ -475,7 +488,6 @@ handle_connection(PRFileDesc *tcpSocket) secStatus = writeDataToSocket(sslSocket); cleanup: - /* Close down the socket. */ prStatus = PR_Close(tcpSocket); if (prStatus != PR_SUCCESS) @@ -508,7 +520,9 @@ accept_connection(PRFileDesc *listenSocket) PRNetAddr addr; PRStatus prStatus; PRFileDesc *tcpSocket; +#if 0 SECStatus result; +#endif while (PR_TRUE) { @@ -525,8 +539,8 @@ accept_connection(PRFileDesc *listenSocket) } /* Accepted the connection, now handle it. */ - result = handle_connection (tcpSocket); - + /*result =*/ handle_connection (tcpSocket); +#if 0 /* Not necessary */ if (result != SECSuccess) { prStatus = PR_Close(tcpSocket); @@ -534,6 +548,7 @@ accept_connection(PRFileDesc *listenSocket) exitErr("PR_Close"); break; } +#endif } #if DEBUG diff --git a/stap-serverd b/stap-serverd index 094f4ca4..bd1c27db 100755 --- a/stap-serverd +++ b/stap-serverd @@ -2,7 +2,7 @@ # Compile server manager for systemtap # -# Copyright (C) 2008 Red Hat Inc. +# Copyright (C) 2008, 2009 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General 
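Review bot: In accept_connection the old error handling is disabled with two `#if 0` blocks and a commented-out `/*result =*/` instead of being removed, which leaves dead code that still names a variable that no longer exists in the build. Deleting the `result` declaration and the disabled block, and writing the call as `(void) handle_connection (tcpSocket);`, says the same thing without the residue. A comment such as `/* handle_connection closes tcpSocket on every path (see its cleanup label); keep accepting regardless of the outcome. */` would record why the return value is ignored. The function starts and ends outside the hunk.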
@@ -30,12 +30,24 @@ function initialization { while netstat -atn | awk '{print $4}' | cut -f2 -d: | egrep -q "^$port\$"; do # Whoops, the port is busy; try another one. + echo "$0: Port $port is busy" port=$((1024+($port + $RANDOM)%64000)) done # Where is the ssl certificate/key database? ssl_db=$2 - test "X$ssl_db" = "X" && ssl_db=/etc/systemtap/ssl/server + if test "X$ssl_db" = "X"; then + # If no certificate/key database has been specified, then find/create + # a local one. + if test $EUID = 0; then + ssl_db=`dirname $0`/../etc/systemtap/ssl/server + else + ssl_db=$HOME/.systemtap/ssl/server + fi + if ! test -f $ssl_db/stap-server.cert; then + stap-gen-server-cert `dirname $ssl_db` || exit 1 + fi + fi nss_pw=$ssl_db/pw nss_cert=stap-server } @@ -62,7 +74,7 @@ function advertise_presence { function listen { # The stap-server-connect program will listen forever # accepting requests. - stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw > /dev/null 2>&1 & + stap-server-connect -p $port -n $nss_cert -d $ssl_db -w $nss_pw 2>&1 & wait '%stap-server-connect' >/dev/null 2>&1 } diff --git a/stap-start-server b/stap-start-server index 5bc97c22..04a3e2d3 100755 --- a/stap-start-server +++ b/stap-start-server @@ -2,7 +2,7 @@ # Start a systemtap server # -# Copyright (C) 2008 Red Hat Inc. +# Copyright (C) 2008, 2009 Red Hat Inc. # # This file is part of systemtap, and is free software. You can # redistribute it and/or modify it under the terms of the GNU General 
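Review bot: The new fallback in initialization runs `stap-gen-server-cert` through a PATH lookup, in a branch that can execute with EUID 0, while the root database path a few lines earlier is derived from `dirname $0`. If the helpers are installed next to this script (stap-gen-server-cert itself calls stap-add-server-cert that way), resolving it the same way stops a root-run daemon from executing whichever `stap-gen-server-cert` comes first on PATH: `"$(dirname "$0")"/stap-gen-server-cert "$(dirname "$ssl_db")" || exit 1`. `$EUID`, `$HOME` and `$ssl_db` are expanded unquoted, so a path containing whitespace breaks the `test` calls. The added `echo "$0: Port $port is busy"` writes to stdout; adding `>&2` would keep it out of any output a caller captures.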
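Review bot: In listen, removing `> /dev/null` but keeping `2>&1` sends everything stap-server-connect prints, errors included, to stap-serverd's stdout rather than its stderr. The testsuite hunk in this commit reads the server pid from the stdout of stap-find-or-start-server, so if the daemon inherits that stream its diagnostics could end up mixed into the captured value; how stap-start-server redirects the daemon's output is not visible here. Dropping `2>&1` keeps errors on stderr, or the call could append to a log file chosen by the caller. A comment on the line stating where the output is expected to go would settle the intent.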
@@ -19,8 +19,17 @@ server_pid=$! # Make sure the server is started for ((attempt=0; $attempt < 5; ++attempt)) do - (ps -a | grep $server_pid) >/dev/null 2>&1 && echo $server_pid && exit 0 - sleep 1 + if test $EUID = 0; then + if ! test -f `dirname $0`/../etc/systemtap/ssl/server/stap-server.cert; then + sleep 1 + continue; + fi + elif ! test -f $HOME/.systemtap/ssl/server/stap-server.cert; then + sleep 1 + continue + fi + (ps -a | grep $server_pid) >/dev/null 2>&1 && echo $server_pid && exit 0 + sleep 1 done exit 1 # server did not start diff --git a/testsuite/ChangeLog b/testsuite/ChangeLog index 17990756..27cd27b5 100644 --- a/testsuite/ChangeLog +++ b/testsuite/ChangeLog @@ -1,3 +1,7 @@ +2009-01-09 Dave Brolley <brolley@redhat.com> + + * lib/systemtap.exp: Remove ssl_server_path and ssl_client_path. + 2009-01-06 Frank Ch. Eigler <fche@elastic.org> PR 9699: diff --git a/testsuite/lib/systemtap.exp b/testsuite/lib/systemtap.exp index 9219e977..f399073e 100644 --- a/testsuite/lib/systemtap.exp +++ b/testsuite/lib/systemtap.exp @@ -64,15 +64,10 @@ proc setup_systemtap_environment {} { if {! [installtest_p]} then { # Make sure the server management scripts are on the $PATH. set env(PATH) "$srcdir/..:$env(PATH)" - set ssl_server_path [exec pwd]/../ssl/server - set ssl_client_path [exec pwd]/../ssl/client - } else { - set ssl_server_path "" - set ssl_client_path "" } # Try to find or start the server. - set server_pid [exec stap-find-or-start-server 65000 $ssl_server_path] + set server_pid [exec stap-find-or-start-server] if { $server_pid == -1 } then { print "Cannot find or start a systemtap server" set server_pid 0 
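Review bot: The certificate test in stap-start-server shows only that a database was generated at some point, not that this server is listening. On any start after the first the file already exists, so the loop goes straight to `ps -a | grep $server_pid`, which matches any line of the process listing that contains those digits. `kill -0 "$server_pid" 2>/dev/null && echo "$server_pid" && exit 0` tests the exact pid instead. The two database paths duplicate the defaults added to stap-serverd's initialization, so a server started with an explicit database argument would presumably be reported as not started after five attempts; how arguments reach stap-serverd is outside this hunk. The stray `;` after the first `continue` is inconsistent with the second.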
@@ -90,9 +85,6 @@ proc setup_systemtap_environment {} {
 exec /bin/cp -p [exec which stap-client] $net_path/stap
 } else {
 exec /bin/cp -p $srcdir/../stap-client $net_path/stap
- # Make sure the client picks up the proper certificates for
- # server verification.
- exec sed -i s,/etc/systemtap/ssl/client,$ssl_client_path, $net_path/stap
 }
 set env(PATH) "$net_path:$env(PATH)"
 } |