From d2334a2233f4efd055dab021c603f7c046730a66 Mon Sep 17 00:00:00 2001
From: Dave Brolley <brolley@redhat.com>
Date: Tue, 2 Feb 2010 14:08:31 -0500
Subject: Compile server logging and robustness.

Log certificate location and status when starting server.
Additional care in handling arguments in stap-serverd.
New test case discovered by fuzzing added and fixed.
---
 stap-gen-cert                              | 43 +++++++++++++++++-------------
 stap-serverd                               | 18 ++++++++-----
 testsuite/systemtap.server/server_args.exp |  5 ++--
 3 files changed, 40 insertions(+), 26 deletions(-)

diff --git a/stap-gen-cert b/stap-gen-cert
index 4f2650cd..4938817d 100755
--- a/stap-gen-cert
+++ b/stap-gen-cert
@@ -3,7 +3,7 @@
 # Generate a certificate for the systemtap server and add it to the
 # database of trusted servers for the client.
 #
-# Copyright (C) 2008, 2009 Red Hat Inc.
+# Copyright (C) 2008-2010 Red Hat Inc.
 #
 # This file is part of systemtap, and is free software.  You can
 # redistribute it and/or modify it under the terms of the GNU General
@@ -14,61 +14,68 @@
 . ${PKGLIBEXECDIR}stap-env
 
 # Obtain the certificate database directory name.
-serverdb=$1
+serverdb="$1"
 if  test "X$serverdb" = "X"; then
-    serverdb=$stap_ssl_db/server
+    serverdb="$stap_ssl_db/server"
 fi
-rm -fr $serverdb
+rm -fr "$serverdb"
 
 # Create the server's certificate database directory.
-if ! mkdir -p -m 755 $serverdb; then
+if ! mkdir -p -m 755 "$serverdb"; then
     echo "Unable to create the server certificate database directory: $serverdb" >&2
     exit 1
 fi
 
 # Create the certificate database password file. Care must be taken
 # that this file is only readable by the owner.
-if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then
+if ! (touch "$serverdb/pw" && chmod 600 "$serverdb/pw"); then
     echo "Unable to create the server certificate database password file: $serverdb/pw" >&2
     exit 1
 fi
 
 # Generate a random password.
-mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \
-apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \
-(read -n20 password </dev/urandom; echo "$password" > $serverdb/pw)
+mkpasswd -l 20 > "$serverdb/pw" 2>/dev/null || \
+apg -a 1 -n 1 -m 20 -x 20 > "$serverdb/pw" 2>/dev/null || \
+(read -n20 password </dev/urandom; echo "$password" > "$serverdb/pw")
 
 # Generate the server certificate database
-if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then
+if ! certutil -N -d "$serverdb" -f "$serverdb/pw" > /dev/null; then
     echo "Unable to initialize the server certificate database directory: $serverdb" >&2
     exit 1
 fi
 
 # We need some random noise for generating keys
-dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null
+dd bs=123 count=1 < /dev/urandom > "$serverdb/noise" 2> /dev/null
 
 # Generate a request for the server's certificate.
-certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap.req -z $serverdb/noise 2> /dev/null
-rm -fr $serverdb/noise
+certutil -R -d "$serverdb" -f "$serverdb/pw" -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" \
+         -o "$serverdb/stap.req" -z "$serverdb/noise" 2> /dev/null
+rm -fr "$serverdb/noise"
 
 # Create the certificate file first so that it always has the proper access permissions.
-if ! (touch $serverdb/$stap_certfile && chmod 644 $serverdb/$stap_certfile); then
+if ! (touch "$serverdb/$stap_certfile" && chmod 644 "$serverdb/$stap_certfile"); then
     echo "Unable to create the server certificate file: $serverdb/$stap_certfile" >&2
     exit 1
 fi
 
-# Now generate the actual certificate.
-certutil -C -i $serverdb/stap.req -o $serverdb/$stap_certfile -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
+# Now generate the actual certificate. Make is valid for 1 year.
+certutil -C -i "$serverdb/stap.req" -o "$serverdb/$stap_certfile" -x -d "$serverdb" \
+         -f "$serverdb/pw" -v 12 -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF
 1
 3
 7
 8
 y
 EOF
-rm -fr $serverdb/stap.req
+rm -fr "$serverdb/stap.req"
 
 # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer
-certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/$stap_certfile -d $serverdb -f $serverdb/pw
+certutil -A -n stap-server -t "PCu,,PCu" -i "$serverdb/$stap_certfile" -d "$serverdb" -f "$serverdb/pw"
 
+# Print some information about the certificate.
 echo "Certificate $serverdb/$stap_certfile created and added to database $serverdb"
+certutil -L -d "$serverdb" -n stap-server | \
+  awk '/Validity|Not After|Not Before/ { print $0 }' | \
+  sed 's/^ */  /'
+
 exit 0
diff --git a/stap-serverd b/stap-serverd
index fc186233..eda9711e 100755
--- a/stap-serverd
+++ b/stap-serverd
@@ -81,12 +81,18 @@ function initialization {
 		    -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
 		${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
 	    fi
-	elif ! test -f $stap_ssl_db/client/cert8.db; then
-	    # If the client's database does not exist, then initialize it with our certificate.
-	    # Do this only if the client has been installed.
-	    if test -f `which ${stap_exec_prefix}stap-client` -a \
-                    -x `which ${stap_exec_prefix}stap-client`; then
-		${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
+	else
+	    echo "Certificate found in database $ssl_db" >> $logfile
+	    certutil -L -d "$ssl_db" -n stap-server | \
+		awk '/Validity|Not After|Not Before/ { print $0 }' | \
+		sed 's/^ */  /' >> $logfile
+	    if ! test -f $stap_ssl_db/client/cert8.db; then
+		# If the client's database does not exist, then initialize it with our certificate.
+		# Do this only if the client has been installed.
+		if test -f `which ${stap_exec_prefix}stap-client 2>/dev/null` -a \
+                    -x `which ${stap_exec_prefix}stap-client 2>/dev/null`; then
+		    ${stap_exec_prefix}stap-authorize-server-cert $ssl_db/$stap_certfile >> $logfile 2>&1
+		fi
 	    fi
 	fi
     fi
diff --git a/testsuite/systemtap.server/server_args.exp b/testsuite/systemtap.server/server_args.exp
index 926faf95..eac9074c 100644
--- a/testsuite/systemtap.server/server_args.exp
+++ b/testsuite/systemtap.server/server_args.exp
@@ -41,7 +41,7 @@ proc stap_direct_and_with_client {stap stap_client options} {
 	# and will be prefixed for the client.
 	if {[regexp "^              (.*)" $expected_line match data]} {
 	    # Special characters in the regexp need to be quoted.
-	    regsub -all "\[\"\\\\;\]" $data {\\\0} data
+	    regsub -all "\[\"\\\\;\*\]" $data {\\\0} data
 	    if {[regexp "^              tapsets.*/$data" $line]} {
 		incr n
 		continue
@@ -60,7 +60,7 @@ proc stap_direct_and_with_client {stap stap_client options} {
 	} else {
 	    if {[regexp "^Input file '(.*)' is empty or missing." $expected_line match data]} {
 		# Special characters in the regexp need to be quoted.
-		regsub -all "\[\"\\\\;\]" $data {\\\0} data
+		regsub -all "\[\"\\\\;\*\]" $data {\\\0} data
 		if {[regexp "^Input file 'script.*/$data' is empty or missing." $line]} {
 		    incr n
 		    continue
@@ -114,6 +114,7 @@ if {[installtest_p]} then {
 # for debugging a currently failing case and helps to ensure that previously
 # fixed cases do not regress.
 set previously_fixed [list \
+  "-p1 -I=\\w94\nbh -R'-1vo*w- -e -B9  -Dhfuo0iu7 -c" \
   "-p1 -I8o\\2ie -Rtu\\\n -e'1\\ -B*3x8k\; -D\n\" -c" \
   "-p1 -Ira\\3;c g -Rlr\"6/3ho -e0fle'qq -B -Dr/316k\\o8 -cjyoc\n3" \
   "-p1 -I6p3 -Rk3g-t\n89 -elc -Bd -Dqgsgv' -c" \
-- 
cgit