From 98f552c28ebbed982e96be5798a8454c7220925a Mon Sep 17 00:00:00 2001 From: Dave Brolley Date: Thu, 12 Mar 2009 13:38:51 -0400 Subject: 2009-03-12 Dave Brolley * util.cxx (remove_file_or_dir): New function. * util.h (remove_file_or_dir): New function. * systemtap.spec (stap): Add stap-env, stap-gen-cert, stap-authorize-cert, and stap-authorize-signing-cert. (stap-client): Remove stap-find-or-start-server, stap-add-server-cert. Add stap-authorize-server-cert. (stap-server): Add stap-find-servers, stap-find-or-start-server, stap-authorize-server-cert. Remove stap-gen-server-cert. * stap-find-servers: Source stap-env. Use $stap_avahi_service_tag. (initialization): Set timeout to 10. (find_servers): Run avahi-browse in the background and wait for it. Use a temp file for the output of avahi-browse. Kill avahi-browse if the timeout expires. (match_server): Set read timeout. (fatal): New function. * stap-find-or-start-server: Source stap-env. Use $stap_exec_prefix. Always exit with 0. * stap-start-server: Source stap-env. Check for the server PID as a running process and for avahi-publish-service running as a child in order to verify that the server is ready. * stap-add-server-cert: Renamed to stap-authorize-server-cert. Source stap-env. Call stap-authorize-cert. * stap-client: Source stap-env. Use $stap_user_ssl_db and $stap_root_ssl_db. Use $stap_tmpdir_prefix_client, $stap_tmpdir_prefix_server. Use $stap_exec_prefix. (configuration): Removed. (staprun_running): Removed. (interrupt): Don't kill staprun. * stap-server: Source stap-env. Use $stap_user_ssl_db and $stap_root_ssl_db. Use $stap_tmpdir_prefix_client, $stap_tmpdir_prefix_server. Use $stap_exec_prefix. (configuration): Removed. * session.h (systemtap_session): Add cert_db_path. * runtime/staprun/staprun_funcs.c (config.h): #include it. (modverify.h): #include it. (check_signature): New function. (check_groups): New function extracted from check_permissions. (check_permissions): Call check_groups and check_signature. * runtime/staprun/mainloop.c (cleanup_and_exit): Pass modpath to staprun, not modname. * main.cxx (main): Initialize cert_db_path. Handle LONG_OPT_SIGN_MODULE. Save the module signature if the module was signed and is being saved. (LONG_OPT_SIGN_MODULE): #define it. (long_options): Add --sign-module. * cache.cxx (config.h): #include it. (add_to_cache): Add the module signature file to the cache if the module has been signed. * buildrun.cxx (modsign.h): #include it. (compile_pass): Call sign_module, if requested. * configure.ac: Define HAVE_NSS if NSS libraries are available. * Makefile.am (AM_CPPFLAGS): Add -DSYSCONFDIR. (bin_SCRIPTS): Add stap-env, stap-gen-cert, stap-authorize-cert, stap-authorize-signing-cert, stap-authorize-server-cert. Remove stap-gen-server-cert, stap-add-server-cert. (stap_SOURCES): Add nsscommon.c, modsign.cxx (stap_CPPFLAGS): Add $(nss_CFLAGS), $(nspr_CFLAGS). (stap_LDADD): Add -lnss3. (staprun_SOURCES): Add nsscommon.c. * modsign.cxx: New file. * modsign.h: New file. * nsscommon.c: New file. * nsscommon.h: New file. * runtime/staprun/modverify.c: New file. * runtime/staprun/modverify.h: New file. * stap-authorize-cert: New file. * stap-authorize-signing-cert: New file. * stap-env: New file. * Makefile.in: Regenerated. * aclocal.m4: Regenerated. * config.in: Regenerated. * configure: Regenerated. * doc/Makefile.in: Regenerated. * doc/SystemTap_Tapset_Reference/Makefile.in: Regenerated. * testsuite/Makefile.in: Regenerated. * testsuite/aclocal.m4: Regenerated. --- nsscommon.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 nsscommon.c (limited to 'nsscommon.c') diff --git a/nsscommon.c b/nsscommon.c new file mode 100644 index 00000000..1837969f --- /dev/null +++ b/nsscommon.c @@ -0,0 +1,80 @@ +/* + Common functions used by the NSS-aware code in systemtap. + + Copyright (C) 2009 Red Hat Inc. + + This file is part of systemtap, and is free software. You can + redistribute it and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either version 2 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +*/ + +#include + +#include +#include +#include +#include +#include + +void +nssError (void) +{ + PRErrorCode errorNumber; + PRInt32 errorTextLength; + PRInt32 rc; + char *errorText; + + /* See if PR_GetErrorText can tell us what the error is. */ + errorNumber = PR_GetError (); + if (errorNumber >= PR_NSPR_ERROR_BASE && errorNumber <= PR_MAX_ERROR) + { + errorTextLength = PR_GetErrorTextLength (); + if (errorTextLength != 0) { + errorText = PORT_Alloc (errorTextLength); + rc = PR_GetErrorText (errorText); + if (rc != 0) + fprintf (stderr, "%s\n", errorText); + PR_Free (errorText); + if (rc != 0) + return; + } + } + + /* Otherwise handle common errors ourselves. */ + switch (errorNumber) + { + case SEC_ERROR_CA_CERT_INVALID: + fputs ("The issuer's certificate is invalid.\n", stderr); + break; + case SEC_ERROR_BAD_DATABASE: + fputs ("The specified certificate database does not exist or is not valid.\n", stderr); + break; + case SSL_ERROR_BAD_CERT_DOMAIN: + fputs ("The requested domain name does not match the server's certificate.\n", stderr); + break; + case PR_CONNECT_RESET_ERROR: + fputs ("Connection reset by peer.\n", stderr); + break; + default: + fputs ("Unknown NSS error.\n", stderr); + break; + } +} + +void +nssCleanup (void) +{ + /* Shutdown NSS and exit NSPR gracefully. */ + NSS_Shutdown (); + PR_Cleanup (); +} -- cgit