]>
Commit | Line | Data |
---|---|---|
3e150b00 DS |
1 | /* |
2 | Compile server client functions | |
73fcca6f | 3 | Copyright (C) 2010-2018 Red Hat Inc. |
3e150b00 DS |
4 | |
5 | This file is part of systemtap, and is free software. You can | |
6 | redistribute it and/or modify it under the terms of the GNU General | |
7 | Public License (GPL); either version 2, or (at your option) any | |
8 | later version. | |
9 | */ | |
10 | ||
11 | // Completely disable the client if NSS is not available. | |
12 | #include "config.h" | |
13 | #if HAVE_NSS | |
14 | #include "session.h" | |
15 | #include "cscommon.h" | |
16 | #include "csclient.h" | |
17 | #include "client-nss.h" | |
18 | #include "util.h" | |
19 | #include "stap-probe.h" | |
20 | ||
21 | #include <sys/times.h> | |
22 | #include <vector> | |
23 | #include <fstream> | |
24 | #include <sstream> | |
25 | #include <cassert> | |
26 | #include <cstdlib> | |
27 | #include <cstdio> | |
28 | #include <algorithm> | |
29 | ||
30 | extern "C" { | |
31 | #include <unistd.h> | |
32 | #include <linux/limits.h> | |
33 | #include <sys/time.h> | |
34 | #include <glob.h> | |
35 | #include <limits.h> | |
36 | #include <sys/socket.h> | |
37 | #include <sys/stat.h> | |
38 | #include <net/if.h> | |
39 | #include <netdb.h> | |
40 | #include <arpa/inet.h> | |
41 | #include <pwd.h> | |
42 | } | |
43 | ||
44 | #if HAVE_AVAHI | |
45 | extern "C" { | |
46 | #include <avahi-client/client.h> | |
47 | #include <avahi-client/lookup.h> | |
48 | ||
49 | #include <avahi-common/simple-watch.h> | |
50 | #include <avahi-common/malloc.h> | |
51 | #include <avahi-common/error.h> | |
52 | #include <avahi-common/timeval.h> | |
53 | } | |
54 | #endif // HAVE_AVAHI | |
55 | ||
56 | extern "C" { | |
57 | #include <ssl.h> | |
58 | #include <nspr.h> | |
59 | #include <nss.h> | |
60 | #include <certdb.h> | |
61 | #include <pk11pub.h> | |
62 | #include <prerror.h> | |
63 | #include <secerr.h> | |
64 | #include <sslerr.h> | |
65 | } | |
66 | ||
67 | #include "nsscommon.h" | |
68 | ||
69 | using namespace std; | |
70 | ||
71 | static PRIPv6Addr ©Address (PRIPv6Addr &PRin6, const in6_addr &in6); | |
72 | static PRNetAddr ©NetAddr (PRNetAddr &x, const PRNetAddr &y); | |
73 | bool operator!= (const PRNetAddr &x, const PRNetAddr &y); | |
74 | bool operator== (const PRNetAddr &x, const PRNetAddr &y); | |
75 | ||
76 | // Information about compile servers. | |
77 | compile_server_info::compile_server_info () | |
78 | : port(0), fully_specified(false) | |
79 | { | |
80 | memset (& address, 0, sizeof (address)); | |
81 | } | |
82 | ||
83 | bool | |
84 | compile_server_info::empty () const | |
85 | { | |
86 | return (this->host_name.empty () && ! this->hasAddress () | |
87 | && certinfo.empty ()); | |
88 | } | |
89 | ||
90 | bool | |
91 | compile_server_info::hasAddress () const | |
92 | { | |
93 | return this->address.raw.family != 0; | |
94 | } | |
95 | ||
96 | unsigned short | |
97 | compile_server_info::setAddressPort (unsigned short port) | |
98 | { | |
99 | if (this->address.raw.family == PR_AF_INET) | |
100 | return this->address.inet.port = htons (port); | |
101 | if (this->address.raw.family == PR_AF_INET6) | |
102 | return this->address.ipv6.port = htons (port); | |
103 | assert (0); | |
104 | return 0; | |
105 | } | |
106 | ||
107 | bool | |
108 | compile_server_info::isComplete () const | |
109 | { | |
110 | return this->hasAddress () && port != 0; | |
111 | } | |
112 | ||
eb3896ef DS |
113 | string |
114 | compile_server_info::host_specification () const | |
115 | { | |
116 | ostringstream host_spec; | |
117 | if (!this->isComplete()) | |
118 | return host_spec.str(); | |
119 | ||
120 | if (! this->host_name.empty ()) | |
121 | host_spec << this->host_name; | |
122 | else if (this->hasAddress()) | |
123 | { | |
124 | PRStatus prStatus; | |
125 | switch (this->address.raw.family) | |
126 | { | |
127 | case PR_AF_INET: | |
128 | case PR_AF_INET6: | |
129 | { | |
130 | #define MAX_NETADDR_SIZE 46 // from the NSPR API reference. | |
131 | char buf[MAX_NETADDR_SIZE]; | |
132 | prStatus = PR_NetAddrToString(&this->address, buf, sizeof (buf)); | |
133 | if (prStatus == PR_SUCCESS) { | |
134 | host_spec << buf; | |
135 | break; | |
136 | } | |
137 | } | |
138 | break; | |
139 | default: | |
140 | // Do nothing. | |
141 | break; | |
142 | } | |
143 | } | |
144 | if (! host_spec.str().empty()) | |
145 | host_spec << ":" << this->port; | |
146 | return host_spec.str(); | |
147 | } | |
148 | ||
3e150b00 DS |
149 | bool |
150 | compile_server_info::operator== (const compile_server_info &that) const | |
151 | { | |
152 | // If one item or the other has only a name, and possibly a port | |
153 | // specified, then allow a match by name and port only. This is so | |
154 | // that the user can specify names which are returned by avahi, but | |
155 | // are not dns resolvable. Otherwise, we will ignore the host_name. | |
156 | if ((! this->hasAddress() && this->version.empty () && | |
157 | this->sysinfo.empty () && this->certinfo.empty ()) || | |
158 | (! that.hasAddress() && that.version.empty () && | |
159 | that.sysinfo.empty () && that.certinfo.empty ())) | |
160 | { | |
161 | if (this->host_name != that.host_name) | |
162 | return false; | |
163 | } | |
164 | ||
165 | // Compare the other fields only if they have both been set. | |
166 | if (this->hasAddress() && that.hasAddress() && this->address != that.address) | |
167 | return false; | |
168 | if (this->port != 0 && that.port != 0 && this->port != that.port) | |
169 | return false; | |
170 | if (! this->version.empty () && ! that.version.empty () | |
171 | && this->version != that.version) | |
172 | return false; | |
173 | if (! this->sysinfo.empty () && ! that.sysinfo.empty () | |
174 | && this->sysinfo != that.sysinfo) | |
175 | return false; | |
176 | if (! this->certinfo.empty () && ! that.certinfo.empty () | |
177 | && this->certinfo != that.certinfo) | |
178 | return false; | |
179 | if (! this->mok_fingerprints.empty () && ! that.mok_fingerprints.empty () | |
180 | && this->mok_fingerprints != that.mok_fingerprints) | |
181 | return false; | |
182 | ||
183 | return true; // They are equal | |
184 | } | |
185 | ||
186 | // Used to sort servers by preference for order of contact. The | |
187 | // preferred server is "less" than the other one. | |
188 | bool compile_server_info::operator< (const compile_server_info &that) const | |
189 | { | |
190 | // Prefer servers with a later (higher) version number. | |
191 | cs_protocol_version this_version (this->version.c_str ()); | |
192 | cs_protocol_version that_version (that.version.c_str ()); | |
193 | return that_version < this_version; | |
194 | } | |
195 | ||
196 | ostream &operator<< (ostream &s, const compile_server_info &i); | |
197 | ostream &operator<< (ostream &s, const vector<compile_server_info> &v); | |
198 | ||
199 | static void | |
200 | preferred_order (vector<compile_server_info> &servers) | |
201 | { | |
202 | // Sort the given list of servers into the preferred order for contacting. | |
203 | // Don't bother if there are less than 2 servers in the list. | |
204 | if (servers.size () < 2) | |
205 | return; | |
206 | ||
207 | // Sort the list using compile_server_info::operator< | |
208 | sort (servers.begin (), servers.end ()); | |
209 | } | |
210 | ||
211 | struct resolved_host // see also PR16326, PR16342 | |
212 | { | |
213 | string host_name; | |
214 | PRNetAddr address; | |
215 | resolved_host(string chost_name, PRNetAddr caddress): | |
216 | host_name(chost_name), address(caddress) {} | |
217 | }; | |
218 | ||
219 | struct compile_server_cache | |
220 | { | |
221 | vector<compile_server_info> default_servers; | |
222 | vector<compile_server_info> specified_servers; | |
223 | vector<compile_server_info> trusted_servers; | |
224 | vector<compile_server_info> signing_servers; | |
225 | vector<compile_server_info> online_servers; | |
226 | vector<compile_server_info> all_servers; | |
227 | map<string,vector<resolved_host> > resolved_hosts; | |
228 | }; | |
229 | ||
230 | // For filtering queries. | |
231 | enum compile_server_properties { | |
232 | compile_server_all = 0x1, | |
233 | compile_server_trusted = 0x2, | |
234 | compile_server_online = 0x4, | |
235 | compile_server_compatible = 0x8, | |
236 | compile_server_signer = 0x10, | |
237 | compile_server_specified = 0x20 | |
238 | }; | |
239 | ||
240 | // Static functions. | |
241 | static compile_server_cache* cscache(systemtap_session& s); | |
242 | static void | |
243 | query_server_status (systemtap_session &s, const string &status_string); | |
244 | ||
245 | static void | |
246 | get_server_info (systemtap_session &s, int pmask, | |
247 | vector<compile_server_info> &servers); | |
248 | static void | |
249 | get_default_server_info (systemtap_session &s, | |
250 | vector<compile_server_info> &servers); | |
251 | ||
252 | static void | |
253 | merge_server_info (const compile_server_info &source, | |
254 | compile_server_info &target); | |
255 | ||
256 | static void | |
257 | resolve_host (systemtap_session& s, compile_server_info &server, | |
258 | vector<compile_server_info> &servers); | |
259 | ||
260 | // ----------------------------------------------------- | |
261 | // NSS related code used by the compile server client | |
262 | // ----------------------------------------------------- | |
263 | static void | |
264 | add_server_trust (systemtap_session &s, const string &cert_db_path, | |
265 | vector<compile_server_info> &server_list); | |
266 | static void | |
267 | revoke_server_trust (systemtap_session &s, const string &cert_db_path, | |
268 | const vector<compile_server_info> &server_list); | |
269 | ||
638abbd0 | 270 | void |
3e150b00 DS |
271 | get_server_info_from_db (systemtap_session &s, |
272 | vector<compile_server_info> &servers, | |
273 | const string &cert_db_path); | |
274 | ||
275 | string | |
276 | global_client_cert_db_path () | |
277 | { | |
278 | return SYSCONFDIR "/systemtap/ssl/client"; | |
279 | } | |
280 | ||
281 | static string | |
282 | private_ssl_cert_db_path () | |
283 | { | |
284 | return local_client_cert_db_path (); | |
285 | } | |
286 | ||
287 | string | |
288 | global_ssl_cert_db_path () | |
289 | { | |
290 | return global_client_cert_db_path (); | |
291 | } | |
292 | ||
638abbd0 | 293 | string |
3e150b00 DS |
294 | signing_cert_db_path () |
295 | { | |
296 | return SYSCONFDIR "/systemtap/staprun"; | |
297 | } | |
298 | ||
299 | /* Connection state. */ | |
300 | typedef struct connectionState_t | |
301 | { | |
302 | const char *hostName; | |
303 | PRNetAddr addr; | |
304 | const char *infileName; | |
305 | const char *outfileName; | |
306 | const char *trustNewServerMode; | |
307 | } connectionState_t; | |
308 | ||
309 | /* Add the server's certificate to our database of trusted servers. */ | |
310 | SECStatus | |
311 | nss_trustNewServer (CERTCertificate *serverCert) | |
312 | { | |
313 | SECStatus secStatus; | |
314 | CERTCertTrust *trust = NULL; | |
315 | PK11SlotInfo *slot = NULL; | |
316 | ||
317 | /* Import the certificate. */ | |
318 | slot = PK11_GetInternalKeySlot(); | |
319 | const char *nickname = server_cert_nickname (); | |
320 | secStatus = PK11_ImportCert(slot, serverCert, CK_INVALID_HANDLE, nickname, PR_FALSE); | |
321 | if (secStatus != SECSuccess) | |
322 | goto done; | |
323 | ||
324 | /* Make it a trusted peer. */ | |
325 | trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust)); | |
326 | if (! trust) | |
327 | { | |
328 | secStatus = SECFailure; | |
329 | goto done; | |
330 | } | |
331 | ||
332 | secStatus = CERT_DecodeTrustString(trust, "P,P,P"); | |
333 | if (secStatus != SECSuccess) | |
334 | goto done; | |
335 | ||
336 | secStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), serverCert, trust); | |
337 | ||
338 | done: | |
339 | if (slot) | |
340 | PK11_FreeSlot (slot); | |
341 | if (trust) | |
342 | PORT_Free(trust); | |
343 | return secStatus; | |
344 | } | |
345 | ||
346 | static bool | |
347 | isIPv6LinkLocal (const PRNetAddr &address) | |
348 | { | |
349 | // Link-local addresses are members of the address block fe80:: | |
350 | if (address.raw.family == PR_AF_INET6 && | |
351 | address.ipv6.ip.pr_s6_addr[0] == 0xfe && address.ipv6.ip.pr_s6_addr[1] == 0x80) | |
352 | return true; | |
353 | return false; | |
354 | } | |
355 | ||
356 | // Issue a status message for when a server's trust is already in place. | |
357 | static void | |
358 | trust_already_in_place ( | |
359 | const compile_server_info &server, | |
360 | const vector<compile_server_info> &server_list, | |
361 | const string cert_db_path, | |
362 | bool revoking | |
363 | ) | |
364 | { | |
365 | // What level of trust? | |
366 | string purpose; | |
367 | if (cert_db_path == signing_cert_db_path ()) | |
368 | purpose = _("as a module signer for all users"); | |
369 | else | |
370 | { | |
371 | purpose = _("as an SSL peer"); | |
372 | if (cert_db_path == global_ssl_cert_db_path ()) | |
373 | purpose += _(" for all users"); | |
374 | else | |
375 | purpose += _(" for the current user"); | |
376 | } | |
377 | ||
378 | // Issue a message for each server in the list with the same certificate. | |
379 | unsigned limit = server_list.size (); | |
380 | for (unsigned i = 0; i < limit; ++i) | |
381 | { | |
382 | if (server.certinfo != server_list[i].certinfo) | |
383 | continue; | |
384 | clog << server_list[i] << _(" is already "); | |
385 | if (revoking) | |
386 | clog << _("untrusted ") << purpose << endl; | |
387 | else | |
388 | clog << _("trusted ") << purpose << endl; | |
389 | } | |
390 | } | |
391 | ||
392 | // Add the given servers to the given database of trusted servers. | |
393 | static void | |
394 | add_server_trust ( | |
395 | systemtap_session &s, | |
396 | const string &cert_db_path, | |
397 | vector<compile_server_info> &server_list | |
398 | ) | |
399 | { | |
400 | // Get a list of servers already trusted. This opens the database, so do it | |
401 | // before we open it for our own purposes. | |
402 | vector<compile_server_info> already_trusted; | |
403 | get_server_info_from_db (s, already_trusted, cert_db_path); | |
404 | ||
405 | // Make sure the given path exists. | |
406 | if (create_dir (cert_db_path.c_str (), 0755) != 0) | |
407 | { | |
408 | clog << _F("Unable to find or create the client certificate database directory %s: ", cert_db_path.c_str()); | |
409 | perror (""); | |
410 | return; | |
411 | } | |
412 | ||
413 | // Must predeclare this because of jumps to cleanup: below. | |
414 | vector<string> processed_certs; | |
415 | ||
3580be16 DS |
416 | client_backend *backend = nss_get_client_backend (s); |
417 | if (backend->initialize () != 0) | |
418 | return; | |
419 | ||
3e150b00 DS |
420 | // Make sure NSPR is initialized. Must be done before NSS is initialized |
421 | s.NSPR_init (); | |
422 | ||
423 | // Initialize the NSS libraries -- read/write | |
424 | SECStatus secStatus = nssInit (cert_db_path.c_str (), 1/*readwrite*/); | |
425 | if (secStatus != SECSuccess) | |
426 | { | |
427 | // Message already issued. | |
428 | goto cleanup; | |
429 | } | |
430 | ||
431 | // Enable all cipher suites. | |
432 | // SSL_ClearSessionCache is required for the new settings to take effect. | |
433 | /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */ | |
434 | do { | |
435 | const PRUint16 *cipher; | |
436 | for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) | |
437 | SSL_CipherPolicySet(*cipher, SSL_ALLOWED); | |
438 | } while (0); | |
439 | SSL_ClearSessionCache (); | |
440 | ||
441 | // Iterate over the servers to become trusted. Contact each one and | |
442 | // add it to the list of trusted servers if it is not already trusted. | |
3580be16 | 443 | // trust_server_info() will issue any error messages. |
3e150b00 DS |
444 | for (vector<compile_server_info>::iterator server = server_list.begin(); |
445 | server != server_list.end (); | |
446 | ++server) | |
447 | { | |
448 | // Trust is based on certificates. We need only add trust in the | |
449 | // same certificate once. | |
450 | // | |
451 | // RHBZ 1075685: If the new server to be trusted is selected by address + port, | |
452 | // and there is no avahi assistance available, or the server is not known | |
453 | // to avahi, then its certificate serial number field will be empty. We | |
454 | // therefore have no basis for comparing it to the serial numbers on already-trusted | |
455 | // certificates. In this case, unconditionally contact the new server to obtain | |
456 | // its certificate. | |
457 | if (! server->certinfo.empty ()) | |
458 | { | |
459 | // We need not contact the server if it has already been processed. | |
460 | if (find (processed_certs.begin (), processed_certs.end (), | |
461 | server->certinfo) != processed_certs.end ()) | |
462 | continue; | |
463 | processed_certs.push_back (server->certinfo); | |
464 | ||
465 | // We need not contact the server if it is already trusted. | |
466 | if (find (already_trusted.begin (), already_trusted.end (), *server) != | |
467 | already_trusted.end ()) | |
468 | { | |
469 | if (s.verbose >= 2) | |
470 | trust_already_in_place (*server, server_list, cert_db_path, false/*revoking*/); | |
471 | continue; | |
472 | } | |
473 | } | |
474 | ||
475 | // At a minimum we need an ip_address along with a port | |
638abbd0 SC |
476 | // number in order to contact an nss server. |
477 | if (s.http_servers.empty ()) | |
478 | { | |
479 | if (! server->hasAddress() || server->port == 0) | |
480 | continue; | |
481 | // Set the port within the address. | |
482 | server->setAddressPort (server->port); | |
483 | } | |
3e150b00 | 484 | |
3580be16 | 485 | int rc = backend->trust_server_info (*server); |
3e150b00 DS |
486 | if (rc != NSS_SUCCESS) |
487 | { | |
a35d74db DS |
488 | // Notice no space before the '%s'? The compile_server_info |
489 | // '<<' operator always outputs a space. | |
490 | clog << _F("Unable to connect to%s", lex_cast(*server).c_str()) << endl; | |
3e150b00 DS |
491 | nssError (); |
492 | // Additional information: if the address is IPv6 and is link-local, then it must | |
493 | // have a scope_id. | |
494 | if (isIPv6LinkLocal (server->address) && server->address.ipv6.scope_id == 0) | |
495 | { | |
496 | clog << _(" The address is an IPv6 link-local address with no scope specifier.") | |
497 | << endl; | |
498 | } | |
499 | } | |
500 | } | |
501 | ||
502 | cleanup: | |
503 | // Shutdown NSS. | |
504 | // SSL_ClearSessionCache is required before shutdown for client applications. | |
505 | SSL_ClearSessionCache (); | |
506 | nssCleanup (cert_db_path.c_str ()); | |
507 | ||
508 | // Make sure the database files are readable. | |
509 | glob_t globbuf; | |
510 | string filespec = cert_db_path + "/*.db"; | |
511 | if (s.verbose >= 3) | |
512 | clog << _F("Searching \"%s\"\n", filespec.c_str()); | |
513 | int r = glob (filespec.c_str (), 0, NULL, & globbuf); | |
514 | if (r != GLOB_NOSPACE && r != GLOB_ABORTED && r != GLOB_NOMATCH) | |
515 | { | |
516 | for (unsigned i = 0; i < globbuf.gl_pathc; ++i) | |
517 | { | |
518 | string filename = globbuf.gl_pathv[i]; | |
519 | if (s.verbose >= 3) | |
520 | clog << _(" found ") << filename << endl; | |
521 | ||
522 | if (chmod (filename.c_str (), 0644) != 0) | |
523 | { | |
524 | s.print_warning("Unable to change permissions on " + filename + ": "); | |
525 | perror (""); | |
526 | } | |
527 | } | |
528 | globfree(& globbuf); | |
529 | } | |
530 | } | |
531 | ||
532 | // Remove the given servers from the given database of trusted servers. | |
533 | static void | |
534 | revoke_server_trust ( | |
535 | systemtap_session &s, | |
536 | const string &cert_db_path, | |
537 | const vector<compile_server_info> &server_list | |
538 | ) | |
539 | { | |
540 | // Make sure the given path exists. | |
541 | if (! file_exists (cert_db_path)) | |
542 | { | |
543 | if (s.verbose >= 5) | |
544 | { | |
545 | clog << _F("Certificate database '%s' does not exist", | |
546 | cert_db_path.c_str()) << endl; | |
547 | for (vector<compile_server_info>::const_iterator server = server_list.begin(); | |
548 | server != server_list.end (); | |
549 | ++server) | |
550 | trust_already_in_place (*server, server_list, cert_db_path, true/*revoking*/); | |
551 | } | |
552 | return; | |
553 | } | |
554 | ||
555 | // Must predeclare these because of jumps to cleanup: below. | |
556 | CERTCertDBHandle *handle; | |
557 | PRArenaPool *tmpArena = NULL; | |
558 | CERTCertList *certs = NULL; | |
559 | CERTCertificate *db_cert; | |
560 | vector<string> processed_certs; | |
561 | const char *nickname; | |
562 | ||
563 | // Make sure NSPR is initialized. Must be done before NSS is initialized | |
564 | s.NSPR_init (); | |
565 | ||
566 | // Initialize the NSS libraries -- read/write | |
567 | SECStatus secStatus = nssInit (cert_db_path.c_str (), 1/*readwrite*/); | |
568 | if (secStatus != SECSuccess) | |
569 | { | |
570 | // Message already issued | |
571 | goto cleanup; | |
572 | } | |
573 | handle = CERT_GetDefaultCertDB(); | |
574 | ||
575 | // A memory pool to work in | |
576 | tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
577 | if (! tmpArena) | |
578 | { | |
579 | clog << _("Out of memory:"); | |
580 | nssError (); | |
581 | goto cleanup; | |
582 | } | |
583 | ||
584 | // Iterate over the servers to become untrusted. | |
585 | nickname = server_cert_nickname (); | |
586 | for (vector<compile_server_info>::const_iterator server = server_list.begin(); | |
587 | server != server_list.end (); | |
588 | ++server) | |
589 | { | |
590 | // If the server's certificate serial number is unknown, then we can't | |
591 | // match it with one in the database. | |
592 | if (server->certinfo.empty ()) | |
593 | continue; | |
594 | ||
595 | // Trust is based on certificates. We need only revoke trust in the same | |
596 | // certificate once. | |
597 | if (find (processed_certs.begin (), processed_certs.end (), | |
598 | server->certinfo) != processed_certs.end ()) | |
599 | continue; | |
600 | processed_certs.push_back (server->certinfo); | |
601 | ||
602 | // Search the client-side database of trusted servers. | |
603 | db_cert = PK11_FindCertFromNickname (nickname, NULL); | |
604 | if (! db_cert) | |
605 | { | |
606 | // No trusted servers. Not an error, but issue a status message. | |
607 | if (s.verbose >= 2) | |
608 | trust_already_in_place (*server, server_list, cert_db_path, true/*revoking*/); | |
609 | continue; | |
610 | } | |
611 | ||
612 | // Here, we have one cert with the desired nickname. | |
613 | // Now, we will attempt to get a list of ALL certs | |
614 | // with the same subject name as the cert we have. That list | |
615 | // should contain, at a minimum, the one cert we have already found. | |
616 | // If the list of certs is empty (NULL), the libraries have failed. | |
617 | certs = CERT_CreateSubjectCertList (NULL, handle, & db_cert->derSubject, | |
618 | PR_Now (), PR_FALSE); | |
619 | CERT_DestroyCertificate (db_cert); | |
620 | if (! certs) | |
621 | { | |
622 | clog << _F("Unable to query certificate database %s: ", | |
623 | cert_db_path.c_str()) << endl; | |
624 | PORT_SetError (SEC_ERROR_LIBRARY_FAILURE); | |
625 | nssError (); | |
626 | goto cleanup; | |
627 | } | |
628 | ||
629 | // Find the certificate matching the one belonging to our server. | |
630 | CERTCertListNode *node; | |
631 | for (node = CERT_LIST_HEAD (certs); | |
632 | ! CERT_LIST_END (node, certs); | |
633 | node = CERT_LIST_NEXT (node)) | |
634 | { | |
635 | // The certificate we're working with. | |
636 | db_cert = node->cert; | |
637 | ||
638 | // Get the serial number. | |
639 | string serialNumber = get_cert_serial_number (db_cert); | |
640 | ||
641 | // Does the serial number match that of the current server? | |
642 | if (serialNumber != server->certinfo) | |
643 | continue; // goto next certificate | |
644 | ||
645 | // All is ok! Remove the certificate from the database. | |
646 | break; | |
647 | } // Loop over certificates in the database | |
648 | ||
649 | // Was a certificate matching the server found? */ | |
650 | if (CERT_LIST_END (node, certs)) | |
651 | { | |
652 | // Not found. Server is already untrusted. | |
653 | if (s.verbose >= 2) | |
654 | trust_already_in_place (*server, server_list, cert_db_path, true/*revoking*/); | |
655 | } | |
656 | else | |
657 | { | |
658 | secStatus = SEC_DeletePermCertificate (db_cert); | |
659 | if (secStatus != SECSuccess) | |
660 | { | |
661 | clog << _F("Unable to remove certificate from %s: ", | |
662 | cert_db_path.c_str()) << endl; | |
663 | nssError (); | |
664 | } | |
665 | } | |
666 | CERT_DestroyCertList (certs); | |
667 | certs = NULL; | |
668 | } // Loop over servers | |
669 | ||
670 | cleanup: | |
671 | assert(!certs); | |
672 | if (tmpArena) | |
673 | PORT_FreeArena (tmpArena, PR_FALSE); | |
674 | ||
675 | nssCleanup (cert_db_path.c_str ()); | |
676 | } | |
677 | ||
678 | // Obtain information about servers from the certificates in the given database. | |
638abbd0 | 679 | void |
3e150b00 | 680 | get_server_info_from_db ( |
638abbd0 SC |
681 | systemtap_session &s, |
682 | vector<compile_server_info> &servers, | |
683 | const string &cert_db_path | |
684 | ) | |
3e150b00 DS |
685 | { |
686 | // Make sure the given path exists. | |
687 | if (! file_exists (cert_db_path)) | |
688 | { | |
689 | if (s.verbose >= 5) | |
690 | clog << _F("Certificate database '%s' does not exist.", | |
691 | cert_db_path.c_str()) << endl; | |
692 | return; | |
693 | } | |
694 | ||
695 | // Make sure NSPR is initialized. Must be done before NSS is initialized | |
696 | s.NSPR_init (); | |
697 | ||
698 | // Initialize the NSS libraries -- readonly | |
699 | SECStatus secStatus = nssInit (cert_db_path.c_str ()); | |
700 | if (secStatus != SECSuccess) | |
701 | { | |
702 | // Message already issued. | |
703 | return; | |
704 | } | |
705 | ||
3e150b00 DS |
706 | CERTCertList *certs = get_cert_list_from_db (server_cert_nickname ()); |
707 | if (! certs) | |
708 | { | |
709 | if (s.verbose >= 5) | |
710 | clog << _F("No certificate found in database %s", cert_db_path.c_str ()) << endl; | |
711 | goto cleanup; | |
712 | } | |
713 | ||
3e150b00 DS |
714 | for (CERTCertListNode *node = CERT_LIST_HEAD (certs); |
715 | ! CERT_LIST_END (node, certs); | |
716 | node = CERT_LIST_NEXT (node)) | |
717 | { | |
718 | compile_server_info server_info; | |
719 | ||
720 | // The certificate we're working with. | |
721 | CERTCertificate *db_cert = node->cert; | |
722 | ||
638abbd0 SC |
723 | if (get_host_name (db_cert, server_info.host_name) == false) |
724 | continue; | |
3e150b00 DS |
725 | |
726 | // Get the serial number. | |
727 | server_info.certinfo = get_cert_serial_number (db_cert); | |
728 | ||
729 | // Our results will at a minimum contain this server. | |
730 | nss_add_server_info (server_info, servers); | |
731 | ||
732 | // Augment the list by querying all online servers and keeping the ones | |
733 | // with the same cert serial number. | |
734 | vector<compile_server_info> online_servers; | |
735 | nss_get_or_keep_online_server_info (s, online_servers, false/*keep*/); | |
736 | nss_keep_server_info_with_cert_and_port (s, server_info, online_servers); | |
737 | nss_add_server_info (online_servers, servers); | |
738 | } | |
739 | ||
740 | cleanup: | |
741 | if (certs) | |
742 | CERT_DestroyCertList (certs); | |
3e150b00 DS |
743 | |
744 | nssCleanup (cert_db_path.c_str ()); | |
745 | } | |
746 | ||
747 | // Utility Functions. | |
748 | //----------------------------------------------------------------------- | |
749 | ostream &operator<< (ostream &s, const compile_server_info &i) | |
750 | { | |
751 | // Don't print empty information | |
752 | if (i.empty ()) | |
753 | return s; | |
754 | ||
755 | s << " host="; | |
756 | if (! i.host_name.empty ()) | |
757 | s << i.host_name; | |
758 | else | |
759 | s << "unknown"; | |
760 | s << " address="; | |
761 | if (i.hasAddress()) | |
762 | { | |
763 | PRStatus prStatus; | |
764 | switch (i.address.raw.family) | |
765 | { | |
766 | case PR_AF_INET: | |
767 | case PR_AF_INET6: | |
768 | { | |
769 | #define MAX_NETADDR_SIZE 46 // from the NSPR API reference. | |
770 | char buf[MAX_NETADDR_SIZE]; | |
771 | prStatus = PR_NetAddrToString(& i.address, buf, sizeof (buf)); | |
772 | if (prStatus == PR_SUCCESS) { | |
773 | s << buf; | |
774 | break; | |
775 | } | |
776 | } | |
777 | // Fall through | |
778 | default: | |
779 | s << "offline"; | |
780 | break; | |
781 | } | |
782 | } | |
783 | else | |
784 | s << "offline"; | |
785 | s << " port="; | |
786 | if (i.port != 0) | |
787 | s << i.port; | |
788 | else | |
789 | s << "unknown"; | |
790 | s << " sysinfo=\""; | |
791 | if (! i.sysinfo.empty ()) | |
792 | s << i.sysinfo << '"'; | |
793 | else | |
794 | s << "unknown\""; | |
795 | s << " version="; | |
796 | if (! i.version.empty ()) | |
797 | s << i.version; | |
798 | else | |
799 | s << "unknown"; | |
800 | s << " certinfo=\""; | |
801 | if (! i.certinfo.empty ()) | |
802 | s << i.certinfo << '"'; | |
803 | else | |
804 | s << "unknown\""; | |
805 | if (! i.mok_fingerprints.empty ()) | |
806 | { | |
807 | // FIXME: Yikes, this output is ugly. Perhaps the server output | |
808 | // needs a more structured approach. | |
809 | s << " mok_fingerprints=\""; | |
810 | vector<string>::const_iterator it; | |
811 | for (it = i.mok_fingerprints.begin (); it != i.mok_fingerprints.end (); | |
812 | it++) | |
813 | { | |
814 | if (it != i.mok_fingerprints.begin ()) | |
815 | s << ", "; | |
816 | s << *it; | |
817 | } | |
818 | s << "\""; | |
819 | } | |
820 | return s; | |
821 | } | |
822 | ||
823 | ostream &operator<< (ostream &s, const vector<compile_server_info> &v) | |
824 | { | |
825 | // Indicate an empty list. | |
826 | if (v.size () == 0 || (v.size () == 1 && v[0].empty())) | |
827 | s << "No Servers" << endl; | |
828 | else | |
829 | { | |
830 | for (unsigned i = 0; i < v.size(); ++i) | |
831 | { | |
832 | // Don't print empty items. | |
833 | if (! v[i].empty()) | |
834 | s << v[i] << endl; | |
835 | } | |
836 | } | |
837 | return s; | |
838 | } | |
839 | ||
840 | PRNetAddr & | |
841 | copyNetAddr (PRNetAddr &x, const PRNetAddr &y) | |
842 | { | |
843 | PRUint32 saveScope = 0; | |
844 | ||
845 | // For IPv6 addresses, don't overwrite the scope_id of x unless x is uninitialized or it is 0. | |
846 | if (x.raw.family == PR_AF_INET6) | |
847 | saveScope = x.ipv6.scope_id; | |
848 | ||
849 | x = y; | |
850 | ||
851 | if (saveScope != 0) | |
852 | x.ipv6.scope_id = saveScope; | |
853 | ||
854 | return x; | |
855 | } | |
856 | ||
857 | bool | |
858 | operator== (const PRNetAddr &x, const PRNetAddr &y) | |
859 | { | |
860 | // Same address family? | |
861 | if (x.raw.family != y.raw.family) | |
862 | return false; | |
863 | ||
864 | switch (x.raw.family) | |
865 | { | |
866 | case PR_AF_INET6: | |
867 | // If both scope ids are set, compare them. | |
868 | if (x.ipv6.scope_id != 0 && y.ipv6.scope_id != 0 && x.ipv6.scope_id != y.ipv6.scope_id) | |
869 | return false; // not equal | |
870 | // Scope is not a factor. Compare the address bits | |
871 | return memcmp (& x.ipv6.ip, & y.ipv6.ip, sizeof(x.ipv6.ip)) == 0; | |
872 | case PR_AF_INET: | |
873 | return x.inet.ip == y.inet.ip; | |
874 | default: | |
875 | break; | |
876 | } | |
877 | return false; | |
878 | } | |
879 | ||
880 | bool | |
881 | operator!= (const PRNetAddr &x, const PRNetAddr &y) | |
882 | { | |
883 | return !(x == y); | |
884 | } | |
885 | ||
886 | static PRIPv6Addr & | |
887 | copyAddress (PRIPv6Addr &PRin6, const in6_addr &in6) | |
888 | { | |
889 | // The NSPR type is a typedef of struct in6_addr, but C++ won't let us copy it | |
890 | assert (sizeof (PRin6) == sizeof (in6)); | |
891 | memcpy (& PRin6, & in6, sizeof (PRin6)); | |
892 | return PRin6; | |
893 | } | |
894 | ||
895 | // Return the default server specification, used when none is given on the | |
896 | // command line. | |
897 | static string | |
898 | default_server_spec (const systemtap_session &s) | |
899 | { | |
900 | // If --privilege=X has been used, where X is not stapdev, | |
901 | // the default is online,trusted,compatible,signer | |
902 | // otherwise | |
903 | // the default is online,trusted,compatible | |
904 | // | |
905 | // Having said that, | |
906 | // 'online' and 'compatible' will only succeed if we have avahi | |
907 | // 'trusted' and 'signer' will only succeed if we have NSS | |
908 | // | |
909 | string working_string = "online,trusted,compatible"; | |
910 | if (! pr_contains (s.privilege, pr_stapdev)) | |
911 | working_string += ",signer"; | |
912 | return working_string; | |
913 | } | |
914 | ||
915 | static int | |
916 | server_spec_to_pmask (const string &server_spec) | |
917 | { | |
918 | // Construct a mask of the server properties that have been requested. | |
919 | // The available properties are: | |
920 | // trusted - servers which are trusted SSL peers. | |
921 | // online - online servers. | |
922 | // compatible - servers which compile for the current kernel release | |
923 | // and architecture. | |
924 | // signer - servers which are trusted module signers. | |
925 | // specified - servers which have been specified using --use-server=XXX. | |
926 | // If no servers have been specified, then this is | |
927 | // equivalent to --list-servers=trusted,online,compatible. | |
928 | // all - all trusted servers, trusted module signers, | |
929 | // servers currently online and specified servers. | |
930 | string working_spec = server_spec; | |
931 | vector<string> properties; | |
932 | tokenize (working_spec, properties, ","); | |
933 | int pmask = 0; | |
934 | unsigned limit = properties.size (); | |
935 | for (unsigned i = 0; i < limit; ++i) | |
936 | { | |
937 | const string &property = properties[i]; | |
938 | // Tolerate (and ignore) empty properties. | |
939 | if (property.empty ()) | |
940 | continue; | |
941 | if (property == "all") | |
942 | { | |
943 | pmask |= compile_server_all; | |
944 | } | |
945 | else if (property == "specified") | |
946 | { | |
947 | pmask |= compile_server_specified; | |
948 | } | |
949 | else if (property == "trusted") | |
950 | { | |
951 | pmask |= compile_server_trusted; | |
952 | } | |
953 | else if (property == "online") | |
954 | { | |
955 | pmask |= compile_server_online; | |
956 | } | |
957 | else if (property == "compatible") | |
958 | { | |
959 | pmask |= compile_server_compatible; | |
960 | } | |
961 | else if (property == "signer") | |
962 | { | |
963 | pmask |= compile_server_signer; | |
964 | } | |
965 | else | |
966 | { | |
967 | // XXX PR13274 needs-session to use print_warning() | |
968 | clog << _F("WARNING: unsupported compile server property: %s", property.c_str()) | |
969 | << endl; | |
970 | } | |
971 | } | |
972 | return pmask; | |
973 | } | |
974 | ||
975 | void | |
976 | nss_client_query_server_status (systemtap_session &s) | |
977 | { | |
978 | unsigned limit = s.server_status_strings.size (); | |
979 | for (unsigned i = 0; i < limit; ++i) | |
980 | query_server_status (s, s.server_status_strings[i]); | |
981 | } | |
982 | ||
983 | static void | |
984 | query_server_status (systemtap_session &s, const string &status_string) | |
985 | { | |
986 | // If this string is empty, then the default is "specified" | |
987 | string working_string = status_string; | |
988 | if (working_string.empty ()) | |
989 | working_string = "specified"; | |
990 | ||
991 | // If the query is "specified" and no servers have been specified | |
eb3896ef DS |
992 | // (i.e. '--use-server' and/or '--use-http-server' not used or used |
993 | // with no argument), then use the default query. | |
994 | // | |
3e150b00 DS |
995 | // TODO: This may not be necessary. The underlying queries should handle |
996 | // "specified" properly. | |
eb3896ef DS |
997 | if (working_string == "specified" |
998 | && (s.specified_servers.empty () | |
999 | || (s.specified_servers.size () == 1 | |
1000 | && s.specified_servers[0].empty ())) | |
1001 | && (s.http_servers.empty() | |
1002 | || (s.http_servers.size () == 1 | |
1003 | && s.http_servers[0].empty ()))) | |
3e150b00 DS |
1004 | working_string = default_server_spec (s); |
1005 | ||
1006 | int pmask = server_spec_to_pmask (working_string); | |
1007 | ||
1008 | // Now obtain a list of the servers which match the criteria. | |
1009 | vector<compile_server_info> raw_servers; | |
1010 | get_server_info (s, pmask, raw_servers); | |
1011 | ||
1012 | // Augment the listing with as much information as possible by adding | |
1013 | // information from known servers. | |
1014 | vector<compile_server_info> servers; | |
1015 | nss_get_all_server_info (s, servers); | |
1016 | nss_keep_common_server_info (raw_servers, servers); | |
1017 | ||
1018 | // Sort the list of servers into a preferred order. | |
1019 | preferred_order (servers); | |
1020 | ||
1021 | // Print the server information. Skip the empty entry at the head of the list. | |
1022 | clog << _F("Systemtap Compile Server Status for '%s'", working_string.c_str()) << endl; | |
1023 | bool found = false; | |
1024 | unsigned limit = servers.size (); | |
1025 | for (unsigned i = 0; i < limit; ++i) | |
1026 | { | |
1027 | assert (! servers[i].empty ()); | |
1028 | // Don't list servers with no cert information. They may not actually | |
1029 | // exist. | |
1030 | // TODO: Could try contacting the server and obtaining its cert | |
1031 | if (servers[i].certinfo.empty ()) | |
1032 | continue; | |
1033 | clog << servers[i] << endl; | |
1034 | found = true; | |
1035 | } | |
1036 | if (! found) | |
1037 | clog << _("No servers found") << endl; | |
1038 | } | |
1039 | ||
1040 | // Add or remove trust of the servers specified on the command line. | |
1041 | void | |
1042 | nss_client_manage_server_trust (systemtap_session &s) | |
1043 | { | |
1044 | // This function should do nothing if we don't have NSS. | |
1045 | // Nothing to do if --trust-servers was not specified. | |
1046 | if (s.server_trust_spec.empty ()) | |
1047 | return; | |
1048 | ||
1049 | // Break up and analyze the trust specification. Recognized components are: | |
1050 | // ssl - trust the specified servers as ssl peers | |
1051 | // signer - trust the specified servers as module signers | |
1052 | // revoke - revoke the requested trust | |
1053 | // all-users - apply/revoke the requested trust for all users | |
1054 | // no-prompt - don't prompt the user for confirmation | |
1055 | vector<string>components; | |
1056 | tokenize (s.server_trust_spec, components, ","); | |
1057 | bool ssl = false; | |
1058 | bool signer = false; | |
1059 | bool revoke = false; | |
1060 | bool all_users = false; | |
1061 | bool no_prompt = false; | |
1062 | bool error = false; | |
1063 | for (vector<string>::const_iterator i = components.begin (); | |
1064 | i != components.end (); | |
1065 | ++i) | |
1066 | { | |
1067 | if (*i == "ssl") | |
1068 | ssl = true; | |
1069 | else if (*i == "signer") | |
1070 | { | |
1071 | if (geteuid () != 0) | |
1072 | { | |
1073 | clog << _("Only root can specify 'signer' on --trust-servers") << endl; | |
1074 | error = true; | |
1075 | } | |
1076 | else | |
1077 | signer = true; | |
1078 | } | |
1079 | else if (*i == "revoke") | |
1080 | revoke = true; | |
1081 | else if (*i == "all-users") | |
1082 | { | |
1083 | if (geteuid () != 0) | |
1084 | { | |
1085 | clog << _("Only root can specify 'all-users' on --trust-servers") << endl; | |
1086 | error = true; | |
1087 | } | |
1088 | else | |
1089 | all_users = true; | |
1090 | } | |
1091 | else if (*i == "no-prompt") | |
1092 | no_prompt = true; | |
1093 | else | |
1094 | s.print_warning("Unrecognized server trust specification: " + *i); | |
1095 | } | |
1096 | if (error) | |
1097 | return; | |
1098 | ||
1099 | // Make sure NSPR is initialized | |
1100 | s.NSPR_init (); | |
1101 | ||
1102 | // Now obtain the list of specified servers. | |
1103 | vector<compile_server_info> server_list; | |
1104 | nss_get_specified_server_info (s, server_list, true/*no_default*/); | |
1105 | ||
1106 | // Did we identify any potential servers? | |
1107 | unsigned limit = server_list.size (); | |
1108 | if (limit == 0) | |
1109 | { | |
1110 | clog << _("No servers identified for trust") << endl; | |
1111 | return; | |
1112 | } | |
1113 | ||
1114 | // Create a string representing the request in English. | |
1115 | // If neither 'ssl' or 'signer' was specified, the default is 'ssl'. | |
1116 | if (! ssl && ! signer) | |
1117 | ssl = true; | |
1118 | ostringstream trustString; | |
1119 | if (ssl) | |
1120 | { | |
1121 | trustString << _("as an SSL peer"); | |
1122 | if (all_users) | |
1123 | trustString << _(" for all users"); | |
1124 | else | |
1125 | trustString << _(" for the current user"); | |
1126 | } | |
1127 | if (signer) | |
1128 | { | |
1129 | if (ssl) | |
1130 | trustString << _(" and "); | |
1131 | trustString << _("as a module signer for all users"); | |
1132 | } | |
1133 | ||
1134 | // Prompt the user to confirm what's about to happen. | |
1135 | if (no_prompt) | |
1136 | { | |
1137 | if (revoke) | |
1138 | clog << _("Revoking trust "); | |
1139 | else | |
1140 | clog << _("Adding trust "); | |
1141 | } | |
1142 | else | |
1143 | { | |
1144 | if (revoke) | |
1145 | clog << _("Revoke trust "); | |
1146 | else | |
1147 | clog << _("Add trust "); | |
1148 | } | |
1149 | clog << _F("in the following servers %s", trustString.str().c_str()); | |
1150 | if (! no_prompt) | |
1151 | clog << '?'; | |
1152 | clog << endl; | |
1153 | for (unsigned i = 0; i < limit; ++i) | |
1154 | clog << " " << server_list[i] << endl; | |
1155 | if (! no_prompt) | |
1156 | { | |
1157 | clog << "[y/N] " << flush; | |
1158 | ||
1159 | // Only carry out the operation if the response is "yes" | |
1160 | string response; | |
1161 | cin >> response; | |
1162 | if (response[0] != 'y' && response [0] != 'Y') | |
1163 | { | |
1164 | clog << _("Server trust unchanged") << endl; | |
1165 | return; | |
1166 | } | |
1167 | } | |
1168 | ||
1169 | // Now add/revoke the requested trust. | |
1170 | string cert_db_path; | |
1171 | if (ssl) | |
1172 | { | |
1173 | if (all_users) | |
1174 | cert_db_path = global_ssl_cert_db_path (); | |
1175 | else | |
1176 | cert_db_path = private_ssl_cert_db_path (); | |
1177 | if (revoke) | |
1178 | revoke_server_trust (s, cert_db_path, server_list); | |
1179 | else | |
1180 | add_server_trust (s, cert_db_path, server_list); | |
1181 | } | |
1182 | if (signer) | |
1183 | { | |
1184 | cert_db_path = signing_cert_db_path (); | |
1185 | if (revoke) | |
1186 | revoke_server_trust (s, cert_db_path, server_list); | |
1187 | else | |
1188 | add_server_trust (s, cert_db_path, server_list); | |
1189 | } | |
1190 | } | |
1191 | ||
1192 | static compile_server_cache* | |
1193 | cscache(systemtap_session& s) | |
1194 | { | |
1195 | if (!s.server_cache) | |
1196 | s.server_cache = new compile_server_cache(); | |
1197 | return s.server_cache; | |
1198 | } | |
1199 | ||
1200 | static void | |
1201 | get_server_info ( | |
1202 | systemtap_session &s, | |
1203 | int pmask, | |
1204 | vector<compile_server_info> &servers | |
1205 | ) | |
1206 | { | |
1207 | // Get information on compile servers matching the requested criteria. | |
1208 | // The order of queries is significant. Accumulating queries must go first | |
1209 | // followed by accumulating/filtering queries. | |
1210 | bool keep = false; | |
1211 | if (((pmask & compile_server_all))) | |
1212 | { | |
1213 | nss_get_all_server_info (s, servers); | |
1214 | keep = true; | |
1215 | } | |
1216 | // Add the specified servers, if requested | |
1217 | if ((pmask & compile_server_specified)) | |
1218 | { | |
1219 | nss_get_specified_server_info (s, servers); | |
1220 | keep = true; | |
1221 | } | |
1222 | // Now filter or accumulate the list depending on whether a query has | |
1223 | // already been made. | |
1224 | if ((pmask & compile_server_online)) | |
1225 | { | |
1226 | nss_get_or_keep_online_server_info (s, servers, keep); | |
1227 | keep = true; | |
1228 | } | |
1229 | if ((pmask & compile_server_trusted)) | |
1230 | { | |
1231 | nss_get_or_keep_trusted_server_info (s, servers, keep); | |
1232 | keep = true; | |
1233 | } | |
1234 | if ((pmask & compile_server_signer)) | |
1235 | { | |
1236 | nss_get_or_keep_signing_server_info (s, servers, keep); | |
1237 | keep = true; | |
1238 | } | |
1239 | if ((pmask & compile_server_compatible)) | |
1240 | { | |
1241 | nss_get_or_keep_compatible_server_info (s, servers, keep); | |
1242 | keep = true; | |
1243 | } | |
1244 | } | |
1245 | ||
1246 | // Get information about all online servers as well as servers trusted | |
1247 | // as SSL peers and servers trusted as signers. | |
1248 | void | |
1249 | nss_get_all_server_info ( | |
1250 | systemtap_session &s, | |
1251 | vector<compile_server_info> &servers | |
1252 | ) | |
1253 | { | |
1254 | // We only need to obtain this once per session. This is a good thing(tm) | |
1255 | // since obtaining this information is expensive. | |
1256 | vector<compile_server_info>& all_servers = cscache(s)->all_servers; | |
1257 | if (all_servers.empty ()) | |
1258 | { | |
1259 | nss_get_or_keep_online_server_info (s, all_servers, false/*keep*/); | |
1260 | nss_get_or_keep_trusted_server_info (s, all_servers, false/*keep*/); | |
1261 | nss_get_or_keep_signing_server_info (s, all_servers, false/*keep*/); | |
1262 | ||
1263 | if (s.verbose >= 4) | |
1264 | { | |
1265 | clog << _("All known servers:") << endl; | |
1266 | clog << all_servers; | |
1267 | } | |
1268 | } | |
1269 | ||
1270 | // Add the information, but not duplicates. | |
1271 | nss_add_server_info (all_servers, servers); | |
1272 | } | |
1273 | ||
1274 | static void | |
1275 | get_default_server_info ( | |
1276 | systemtap_session &s, | |
1277 | vector<compile_server_info> &servers | |
1278 | ) | |
1279 | { | |
1280 | if (s.verbose >= 3) | |
1281 | clog << _("Using the default servers") << endl; | |
1282 | ||
1283 | // We only need to obtain this once per session. This is a good thing(tm) | |
1284 | // since obtaining this information is expensive. | |
1285 | vector<compile_server_info>& default_servers = cscache(s)->default_servers; | |
1286 | if (default_servers.empty ()) | |
1287 | { | |
1288 | // Get the required information. | |
1289 | // get_server_info will add an empty entry at the beginning to indicate | |
1290 | // that the search has been performed, in case the search comes up empty. | |
1291 | int pmask = server_spec_to_pmask (default_server_spec (s)); | |
1292 | get_server_info (s, pmask, default_servers); | |
1293 | ||
1294 | if (s.verbose >= 3) | |
1295 | { | |
1296 | clog << _("Default servers are:") << endl; | |
1297 | clog << default_servers; | |
1298 | } | |
1299 | } | |
1300 | ||
1301 | // Add the information, but not duplicates. | |
1302 | nss_add_server_info (default_servers, servers); | |
1303 | } | |
1304 | ||
1305 | static bool | |
1306 | isPort (const char *pstr, compile_server_info &server_info) | |
1307 | { | |
1308 | errno = 0; | |
1309 | char *estr; | |
1310 | unsigned long p = strtoul (pstr, & estr, 10); | |
1311 | if (errno != 0 || *estr != '\0' || p > USHRT_MAX) | |
1312 | { | |
1313 | clog << _F("Invalid port number specified: %s", pstr) << endl; | |
1314 | return false; | |
1315 | } | |
1316 | server_info.port = p; | |
1317 | server_info.fully_specified = true; | |
1318 | return true; | |
1319 | } | |
1320 | ||
1321 | static bool | |
1322 | isIPv6 (const string &server, compile_server_info &server_info) | |
1323 | { | |
1324 | // An IPv6 address is 8 hex components separated by colons. | |
1325 | // One contiguous block of zero segments in the address may be elided using ::. | |
1326 | // An interface may be specified by appending %IF_NAME to the address (e.g. %eth0). | |
1327 | // A port may be specified by enclosing the ip address in [] and adding :<port>. | |
1328 | // Allow a bracketed address without a port. | |
1329 | assert (! server.empty()); | |
1330 | string ip; | |
1331 | string::size_type portIx; | |
1332 | if (server[0] == '[') | |
1333 | { | |
1334 | string::size_type endBracket = server.find (']'); | |
1335 | if (endBracket == string::npos) | |
1336 | return false; // Not a valid IPv6 address | |
1337 | // Extract the address. | |
1338 | ip = server.substr (1, endBracket - 1); | |
1339 | portIx = endBracket + 1; | |
1340 | } | |
1341 | else | |
1342 | { | |
1343 | ip = server; | |
1344 | portIx = string::npos; | |
1345 | } | |
1346 | ||
1347 | // Find out how many components there are. The maximum is 8 | |
1348 | unsigned empty = 0; | |
1349 | vector<string> components; | |
1350 | tokenize_full (ip, components, ":"); | |
1351 | if (components.size() > 8) | |
1352 | return false; // Not a valid IPv6 address | |
1353 | ||
1354 | // The components must be either hex values between 0 and 0xffff, or must be empty. | |
1355 | // There can be only one empty component. | |
1356 | string interface; | |
1357 | for (unsigned i = 0; i < components.size(); ++i) | |
1358 | { | |
1359 | if (components[i].empty()) | |
1360 | { | |
1361 | if (++empty > 1) | |
1362 | return false; // Not a valid IPv6 address | |
1363 | } | |
1364 | // If it's the final component, see if it specifies the interface. If so, strip it from the | |
1365 | // component in order to simplify parsing. It still remains as part of the original ip address | |
1366 | // string. | |
1367 | if (i == components.size() - 1) | |
1368 | { | |
1369 | size_t ix = components[i].find ('%'); | |
1370 | if (ix != string::npos) | |
1371 | { | |
1372 | interface = components[i].substr(ix); | |
1373 | components[i] = components[i].substr(0, ix); | |
1374 | } | |
1375 | } | |
1376 | // Skip leading zeroes. | |
1377 | unsigned j; | |
1378 | for (j = 0; j < components[i].size(); ++j) | |
1379 | { | |
1380 | if (components[i][j] != '0') | |
1381 | break; | |
1382 | } | |
1383 | // Max of 4 hex digits | |
1384 | if (components[i].size() - j > 4) | |
1385 | return false; // Not a valid IPv6 address | |
1386 | for (/**/; j < components[i].size(); ++j) | |
1387 | { | |
1388 | if (! isxdigit (components[i][j])) | |
1389 | return false; // Not a valid IPv6 address | |
1390 | } | |
1391 | } | |
1392 | // If there is no empty component, then there must be exactly 8 components. | |
1393 | if (! empty && components.size() != 8) | |
1394 | return false; // Not a valid IPv6 address | |
1395 | ||
1396 | // Try to convert the string to an address. | |
1397 | PRStatus prStatus = PR_StringToNetAddr (ip.c_str(), & server_info.address); | |
1398 | if (prStatus != PR_SUCCESS) | |
1399 | return false; | |
1400 | ||
1401 | // Examine the optional port | |
1402 | if (portIx != string::npos) | |
1403 | { | |
1404 | string port = server.substr (portIx); | |
1405 | if (port.size() != 0) | |
1406 | { | |
1407 | if (port.size() < 2 || port[0] != ':') | |
1408 | return false; // Not a valid Port | |
1409 | ||
1410 | port = port.substr (1); | |
1411 | if (! isPort (port.c_str(), server_info)) | |
1412 | return false; // not a valid port | |
1413 | } | |
1414 | } | |
1415 | else | |
1416 | server_info.port = 0; | |
1417 | ||
1418 | return true; // valid IPv6 address. | |
1419 | } | |
1420 | ||
1421 | static bool | |
1422 | isIPv4 (const string &server, compile_server_info &server_info) | |
1423 | { | |
1424 | // An IPv4 address is 4 decimal components separated by periods with an | |
1425 | // additional optional decimal port separated from the address by a colon. | |
1426 | assert (! server.empty()); | |
1427 | ||
1428 | // Find out how many components there are. The maximum is 8 | |
1429 | vector<string> components; | |
1430 | tokenize (server, components, ":"); | |
1431 | if (components.size() > 2) | |
1432 | return false; // Not a valid IPv4 address | |
1433 | ||
1434 | // Separate the address from the port (if any). | |
1435 | string addr; | |
1436 | string port; | |
1437 | if (components.size() <= 1) | |
1438 | addr = server; | |
1439 | else { | |
1440 | addr = components[0]; | |
1441 | port = components[1]; | |
1442 | } | |
1443 | ||
1444 | // Separate the address components. | |
1445 | // There must be exactly 4 components. | |
1446 | components.clear (); | |
1447 | tokenize (addr, components, "."); | |
1448 | if (components.size() != 4) | |
1449 | return false; // Not a valid IPv4 address | |
1450 | ||
1451 | // The components must be decimal values between 0 and 255. | |
1452 | for (unsigned i = 0; i < components.size(); ++i) | |
1453 | { | |
1454 | if (components[i].empty()) | |
1455 | return false; // Not a valid IPv4 address | |
1456 | errno = 0; | |
1457 | char *estr; | |
1458 | long p = strtol (components[i].c_str(), & estr, 10); | |
1459 | if (errno != 0 || *estr != '\0' || p < 0 || p > 255) | |
1460 | return false; // Not a valid IPv4 address | |
1461 | } | |
1462 | ||
1463 | // Try to convert the string to an address. | |
1464 | PRStatus prStatus = PR_StringToNetAddr (addr.c_str(), & server_info.address); | |
1465 | if (prStatus != PR_SUCCESS) | |
1466 | return false; | |
1467 | ||
1468 | // Examine the optional port | |
1469 | if (! port.empty ()) { | |
1470 | if (! isPort (port.c_str(), server_info)) | |
1471 | return false; // not a valid port | |
1472 | } | |
1473 | else | |
1474 | server_info.port = 0; | |
1475 | ||
1476 | return true; // valid IPv4 address. | |
1477 | } | |
1478 | ||
1479 | static bool | |
1480 | isCertSerialNumber (const string &server, compile_server_info &server_info) | |
1481 | { | |
1482 | // This function assumes that we have already ruled out the server spec being an IPv6 address. | |
1483 | // Certificate serial numbers are 5 fields separated by colons plus an optional 6th decimal | |
1484 | // field specifying a port. | |
1485 | assert (! server.empty()); | |
1486 | string host = server; | |
1487 | vector<string> components; | |
1488 | tokenize (host, components, ":"); | |
1489 | switch (components.size ()) | |
1490 | { | |
1491 | case 6: | |
1492 | if (! isPort (components.back().c_str(), server_info)) | |
1493 | return false; // not a valid port | |
1494 | host = host.substr (0, host.find_last_of (':')); | |
1495 | // fall through | |
1496 | case 5: | |
1497 | server_info.certinfo = host; | |
1498 | break; | |
1499 | default: | |
1500 | return false; // not a cert serial number | |
1501 | } | |
1502 | ||
1503 | return true; // valid cert serial number and optional port | |
1504 | } | |
1505 | ||
1506 | static bool | |
1507 | isDomain (const string &server, compile_server_info &server_info) | |
1508 | { | |
1509 | // Accept one or two components separated by a colon. The first will be the domain name and | |
1510 | // the second must a port number. | |
1511 | assert (! server.empty()); | |
1512 | string host = server; | |
1513 | vector<string> components; | |
638abbd0 SC |
1514 | unsigned scheme_offset = 0; |
1515 | if (host.substr (0, 6) == "https:") | |
1516 | scheme_offset = 1; | |
3e150b00 DS |
1517 | tokenize (host, components, ":"); |
1518 | switch (components.size ()) | |
1519 | { | |
638abbd0 | 1520 | case 3: |
3e150b00 DS |
1521 | case 2: |
1522 | if (! isPort (components.back().c_str(), server_info)) | |
1523 | return false; // not a valid port | |
638abbd0 | 1524 | host = components[(0 + scheme_offset)].substr (scheme_offset * 2); |
3e150b00 DS |
1525 | // fall through |
1526 | case 1: | |
1527 | server_info.host_name = host; | |
1528 | break; | |
1529 | default: | |
1530 | return false; // not a valid domain name | |
1531 | } | |
1532 | ||
1533 | return true; | |
1534 | } | |
1535 | ||
1536 | void | |
1537 | nss_get_specified_server_info ( | |
1538 | systemtap_session &s, | |
1539 | vector<compile_server_info> &servers, | |
1540 | bool no_default | |
1541 | ) | |
1542 | { | |
1543 | // We only need to obtain this once per session. This is a good thing(tm) | |
1544 | // since obtaining this information is expensive. | |
1545 | vector<compile_server_info>& specified_servers = cscache(s)->specified_servers; | |
1546 | if (specified_servers.empty ()) | |
1547 | { | |
1548 | // Maintain an empty entry to indicate that this search has been | |
1549 | // performed, in case the search comes up empty. | |
1550 | specified_servers.push_back (compile_server_info ()); | |
1551 | ||
1552 | // If --use-server was not specified at all, then return info for the | |
1553 | // default server list. | |
eb3896ef | 1554 | if (s.specified_servers.empty () && s.http_servers.empty ()) |
3e150b00 DS |
1555 | { |
1556 | if (s.verbose >= 3) | |
1557 | clog << _("No servers specified") << endl; | |
1558 | if (! no_default) | |
1559 | get_default_server_info (s, specified_servers); | |
1560 | } | |
1561 | else | |
1562 | { | |
eb3896ef DS |
1563 | // Iterate over the specified servers. For each |
1564 | // specification, add to the list of servers. | |
1565 | vector<string> &server_list = (! s.http_servers.empty () | |
1566 | ? s.http_servers | |
1567 | : s.specified_servers); | |
1568 | client_backend *backend = nss_get_client_backend (s); | |
1569 | if (backend->initialize () != 0) | |
1570 | return; | |
1571 | ||
1572 | for (auto it = server_list.begin (); it != server_list.end (); ++it) | |
3e150b00 | 1573 | { |
eb3896ef | 1574 | string &server = *it; |
3e150b00 | 1575 | |
eb3896ef DS |
1576 | // If no specific server(s) specified, then use the |
1577 | // default servers. | |
3e150b00 DS |
1578 | if (server.empty ()) |
1579 | { | |
1580 | if (s.verbose >= 3) | |
1581 | clog << _("No servers specified") << endl; | |
1582 | if (! no_default) | |
1583 | get_default_server_info (s, specified_servers); | |
1584 | continue; | |
1585 | } | |
1586 | ||
eb3896ef DS |
1587 | // Determine what has been specified. Servers may be |
1588 | // specified by: | |
3e150b00 DS |
1589 | // - domain{:port} |
1590 | // - certificate-serial-number{:port} | |
1591 | // - IPv4-address{:port} | |
1592 | // - IPv6-address{:port} | |
1593 | // where items within {} are optional. | |
eb3896ef DS |
1594 | // |
1595 | // Check for IPv6 addresses first. It reduces the amount | |
1596 | // of checking necessary for certificate serial numbers. | |
3e150b00 DS |
1597 | compile_server_info server_info; |
1598 | vector<compile_server_info> resolved_servers; | |
eb3896ef DS |
1599 | if (isIPv6 (server, server_info) |
1600 | || isIPv4 (server, server_info) | |
1601 | || isCertSerialNumber (server, server_info)) | |
3e150b00 DS |
1602 | { |
1603 | // An address or cert serial number has been specified. | |
1604 | // No resolution is needed. | |
1605 | resolved_servers.push_back (server_info); | |
1606 | } | |
1607 | else if (isDomain (server, server_info)) | |
1608 | { | |
1609 | // Try to resolve the given name. | |
1610 | resolve_host (s, server_info, resolved_servers); | |
1611 | } | |
1612 | else | |
1613 | { | |
eb3896ef | 1614 | clog << _F("Invalid server specification: %s", server.c_str()) |
3e150b00 DS |
1615 | << endl; |
1616 | continue; | |
1617 | } | |
1618 | ||
eb3896ef DS |
1619 | // Now examine the server(s) identified and add them to |
1620 | // the list of specified servers. | |
3e150b00 DS |
1621 | vector<compile_server_info> known_servers; |
1622 | vector<compile_server_info> new_servers; | |
eb3896ef | 1623 | for (auto i = resolved_servers.begin(); |
3e150b00 DS |
1624 | i != resolved_servers.end(); |
1625 | ++i) | |
1626 | { | |
1627 | // If this item was fully specified, then just add it. | |
638abbd0 | 1628 | if (i->fully_specified || ! s.http_servers.empty ()) { |
eb3896ef DS |
1629 | // In this instance, "fully specified" means |
1630 | // address and port. At this point we haven't | |
1631 | // tried to contact the server to get online | |
1632 | // information, certificate information, | |
1633 | // etc. Certain server types need us to connect to | |
1634 | // the server directly to get this information. | |
638abbd0 | 1635 | // Assume http servers are fully specified |
eb3896ef DS |
1636 | if (backend) |
1637 | backend->fill_in_server_info (*i); | |
3e150b00 | 1638 | nss_add_server_info (*i, new_servers); |
eb3896ef | 1639 | } |
3e150b00 DS |
1640 | else { |
1641 | // It was not fully specified, so we need additional info. Try | |
1642 | // to get it by matching what we have against other known servers. | |
1643 | if (known_servers.empty ()) | |
1644 | nss_get_all_server_info (s, known_servers); | |
1645 | ||
1646 | // See if this server spec matches that of a known server | |
1647 | vector<compile_server_info> matched_servers = known_servers; | |
1648 | nss_keep_common_server_info (*i, matched_servers); | |
1649 | ||
1650 | // If this server spec matches one or more known servers, then add the | |
1651 | // augmented info to the specified_servers. Otherwise, if this server | |
1652 | // spec is complete, then add it directly. Otherwise this server spec | |
1653 | // is incomplete. | |
1654 | if (! matched_servers.empty()) | |
1655 | nss_add_server_info (matched_servers, new_servers); | |
1656 | else if (i->isComplete ()) | |
1657 | nss_add_server_info (*i, new_servers); | |
1658 | else if (s.verbose >= 3) | |
1659 | clog << _("Incomplete server spec: ") << *i << endl; | |
1660 | } | |
1661 | } | |
1662 | ||
1663 | if (s.verbose >= 3) | |
1664 | { | |
1665 | clog << _F("Servers matching %s: ", server.c_str()) << endl; | |
1666 | clog << new_servers; | |
1667 | } | |
1668 | ||
1669 | // Add the newly identified servers to the list. | |
1670 | if (! new_servers.empty()) | |
1671 | nss_add_server_info (new_servers, specified_servers); | |
1672 | } // Loop over --use-server options | |
1673 | } // -- use-server specified | |
1674 | ||
1675 | if (s.verbose >= 2) | |
1676 | { | |
1677 | clog << _("All specified servers:") << endl; | |
1678 | clog << specified_servers; | |
1679 | } | |
1680 | } // Server information is not cached | |
1681 | ||
1682 | // Add the information, but not duplicates. | |
1683 | nss_add_server_info (specified_servers, servers); | |
1684 | } | |
1685 | ||
1686 | void | |
1687 | nss_get_or_keep_trusted_server_info ( | |
1688 | systemtap_session &s, | |
1689 | vector<compile_server_info> &servers, | |
1690 | bool keep | |
1691 | ) | |
1692 | { | |
1693 | // If we're filtering the list and it's already empty, then | |
1694 | // there's nothing to do. | |
1695 | if (keep && servers.empty ()) | |
1696 | return; | |
1697 | ||
1698 | // We only need to obtain this once per session. This is a good thing(tm) | |
1699 | // since obtaining this information is expensive. | |
1700 | vector<compile_server_info>& trusted_servers = cscache(s)->trusted_servers; | |
1701 | if (trusted_servers.empty ()) | |
1702 | { | |
1703 | // Maintain an empty entry to indicate that this search has been | |
1704 | // performed, in case the search comes up empty. | |
1705 | trusted_servers.push_back (compile_server_info ()); | |
1706 | ||
1707 | // Check the private database first. | |
1708 | string cert_db_path = private_ssl_cert_db_path (); | |
1709 | get_server_info_from_db (s, trusted_servers, cert_db_path); | |
1710 | ||
1711 | // Now check the global database. | |
1712 | cert_db_path = global_ssl_cert_db_path (); | |
1713 | get_server_info_from_db (s, trusted_servers, cert_db_path); | |
1714 | ||
1715 | if (s.verbose >= 5) | |
1716 | { | |
1717 | clog << _("All servers trusted as ssl peers:") << endl; | |
1718 | clog << trusted_servers; | |
1719 | } | |
1720 | } // Server information is not cached | |
1721 | ||
1722 | if (keep) | |
1723 | { | |
1724 | // Filter the existing vector by keeping the information in common with | |
1725 | // the trusted_server vector. | |
1726 | nss_keep_common_server_info (trusted_servers, servers); | |
1727 | } | |
1728 | else | |
1729 | { | |
1730 | // Add the information, but not duplicates. | |
1731 | nss_add_server_info (trusted_servers, servers); | |
1732 | } | |
1733 | } | |
1734 | ||
1735 | void | |
1736 | nss_get_or_keep_signing_server_info ( | |
1737 | systemtap_session &s, | |
1738 | vector<compile_server_info> &servers, | |
1739 | bool keep | |
1740 | ) | |
1741 | { | |
1742 | // If we're filtering the list and it's already empty, then | |
1743 | // there's nothing to do. | |
1744 | if (keep && servers.empty ()) | |
1745 | return; | |
1746 | ||
1747 | // We only need to obtain this once per session. This is a good thing(tm) | |
1748 | // since obtaining this information is expensive. | |
1749 | vector<compile_server_info>& signing_servers = cscache(s)->signing_servers; | |
1750 | if (signing_servers.empty ()) | |
1751 | { | |
1752 | // Maintain an empty entry to indicate that this search has been | |
1753 | // performed, in case the search comes up empty. | |
1754 | signing_servers.push_back (compile_server_info ()); | |
1755 | ||
1756 | // For all users, check the global database. | |
1757 | string cert_db_path = signing_cert_db_path (); | |
1758 | get_server_info_from_db (s, signing_servers, cert_db_path); | |
1759 | ||
1760 | if (s.verbose >= 5) | |
1761 | { | |
1762 | clog << _("All servers trusted as module signers:") << endl; | |
1763 | clog << signing_servers; | |
1764 | } | |
1765 | } // Server information is not cached | |
1766 | ||
1767 | if (keep) | |
1768 | { | |
1769 | // Filter the existing vector by keeping the information in common with | |
1770 | // the signing_server vector. | |
1771 | nss_keep_common_server_info (signing_servers, servers); | |
1772 | } | |
1773 | else | |
1774 | { | |
1775 | // Add the information, but not duplicates. | |
1776 | nss_add_server_info (signing_servers, servers); | |
1777 | } | |
1778 | } | |
1779 | ||
1780 | void | |
1781 | nss_get_or_keep_compatible_server_info ( | |
1782 | systemtap_session &s, | |
1783 | vector<compile_server_info> &servers, | |
1784 | bool keep | |
1785 | ) | |
1786 | { | |
1787 | #if HAVE_AVAHI | |
1788 | // If we're filtering the list and it's already empty, then | |
1789 | // there's nothing to do. | |
1790 | if (keep && servers.empty ()) | |
1791 | return; | |
1792 | ||
1793 | // Remove entries for servers incompatible with the host environment | |
1794 | // from the given list of servers. | |
1795 | // A compatible server compiles for the kernel release and architecture | |
1796 | // of the host environment. | |
1797 | // | |
1798 | // Compatibility can only be determined for online servers. So, augment | |
1799 | // and filter the information we have with information for online servers. | |
1800 | vector<compile_server_info> online_servers; | |
1801 | nss_get_or_keep_online_server_info (s, online_servers, false/*keep*/); | |
1802 | if (keep) | |
1803 | nss_keep_common_server_info (online_servers, servers); | |
1804 | else | |
1805 | nss_add_server_info (online_servers, servers); | |
1806 | ||
1807 | // Now look to see which ones are compatible. | |
1808 | // The vector can change size as we go, so be careful!! | |
1809 | for (unsigned i = 0; i < servers.size (); /**/) | |
1810 | { | |
1811 | // Retain empty entries. | |
1812 | assert (! servers[i].empty ()); | |
1813 | ||
1814 | // Check the target of the server. | |
eb3896ef | 1815 | if (servers[i].sysinfo != s.kernel_release + " " + s.architecture |
29d15c7f | 1816 | && servers[i].sysinfo != s.architecture) |
3e150b00 DS |
1817 | { |
1818 | // Target platform mismatch. | |
1819 | servers.erase (servers.begin () + i); | |
1820 | continue; | |
1821 | } | |
1822 | ||
1823 | // If the client requires secure boot signing, make sure the | |
1824 | // server has the right MOK. | |
1825 | if (! s.mok_fingerprints.empty ()) | |
1826 | { | |
1827 | // This server has no MOKs. | |
1828 | if (servers[i].mok_fingerprints.empty ()) | |
1829 | { | |
1830 | servers.erase (servers.begin () + i); | |
1831 | continue; | |
1832 | } | |
1833 | ||
1834 | // Make sure the server has at least one MOK in common with | |
1835 | // the client. | |
1836 | vector<string>::const_iterator it; | |
1837 | bool mok_found = false; | |
1838 | for (it = s.mok_fingerprints.begin(); it != s.mok_fingerprints.end(); it++) | |
1839 | { | |
1840 | if (find(servers[i].mok_fingerprints.begin(), | |
1841 | servers[i].mok_fingerprints.end(), *it) | |
1842 | != servers[i].mok_fingerprints.end ()) | |
1843 | { | |
1844 | mok_found = true; | |
1845 | break; | |
1846 | } | |
1847 | } | |
1848 | ||
1849 | // This server has no MOK in common with the client. | |
1850 | if (! mok_found) | |
1851 | { | |
1852 | servers.erase (servers.begin () + i); | |
1853 | continue; | |
1854 | } | |
1855 | } | |
1856 | ||
1857 | // The server is compatible. Leave it in the list. | |
1858 | ++i; | |
1859 | } | |
1860 | #else // ! HAVE_AVAHI | |
1861 | // Without Avahi, we can't obtain the target platform of the server. | |
1862 | // Issue a warning. | |
1863 | if (s.verbose >= 2) | |
1864 | clog << _("Unable to detect server compatibility without avahi") << endl; | |
1865 | if (keep) | |
1866 | servers.clear (); | |
1867 | #endif | |
1868 | } | |
1869 | ||
1870 | void | |
1871 | nss_keep_server_info_with_cert_and_port ( | |
1872 | systemtap_session &, | |
1873 | const compile_server_info &server, | |
1874 | vector<compile_server_info> &servers | |
1875 | ) | |
1876 | { | |
1877 | assert (! server.certinfo.empty ()); | |
1878 | ||
1879 | // Search the list of servers for ones matching the | |
1880 | // serial number specified. | |
1881 | // The vector can change size as we go, so be careful!! | |
1882 | for (unsigned i = 0; i < servers.size (); /**/) | |
1883 | { | |
1884 | // Retain empty entries. | |
1885 | if (servers[i].empty ()) | |
1886 | { | |
1887 | ++i; | |
1888 | continue; | |
1889 | } | |
1890 | if (servers[i].certinfo == server.certinfo && | |
1891 | (servers[i].port == 0 || server.port == 0 || | |
1892 | servers[i].port == server.port)) | |
1893 | { | |
1894 | // If the server is not online, then use the specified | |
1895 | // port, if any. | |
1896 | if (servers[i].port == 0) | |
1897 | { | |
1898 | servers[i].port = server.port; | |
1899 | servers[i].fully_specified = server.fully_specified; | |
1900 | } | |
1901 | ++i; | |
1902 | continue; | |
1903 | } | |
1904 | // The item does not match. Delete it. | |
1905 | servers.erase (servers.begin () + i); | |
1906 | } | |
1907 | } | |
1908 | ||
1909 | // Obtain missing host name or ip address, if any. Return 0 on success. | |
1910 | static void | |
1911 | resolve_host ( | |
1912 | systemtap_session& s, | |
1913 | compile_server_info &server, | |
1914 | vector<compile_server_info> &resolved_servers | |
1915 | ) | |
1916 | { | |
1917 | vector<resolved_host>& cached_hosts = cscache(s)->resolved_hosts[server.host_name]; | |
1918 | if (cached_hosts.empty ()) | |
1919 | { | |
1920 | // The server's host_name member is a string containing either a host name or an ip address. | |
1921 | // Either is acceptable for lookup. | |
1922 | const char *lookup_name = server.host_name.c_str(); | |
1923 | if (s.verbose >= 6) | |
1924 | clog << _F("Looking up %s", lookup_name) << endl; | |
1925 | ||
1926 | struct addrinfo hints; | |
1927 | memset(& hints, 0, sizeof (hints)); | |
1928 | hints.ai_family = AF_UNSPEC; // AF_INET or AF_INET6 to force version | |
1929 | struct addrinfo *addr_info = 0; | |
1930 | int rc = getaddrinfo (lookup_name, NULL, & hints, & addr_info); | |
1931 | ||
1932 | // Failure to resolve will result in an appropriate message later, if other methods fail. | |
1933 | if (rc != 0) | |
1934 | { | |
1935 | if (s.verbose >= 6) | |
1936 | clog << _F("%s not found: %s", lookup_name, gai_strerror (rc)) << endl; | |
1937 | } | |
1938 | else | |
1939 | { | |
1940 | // Loop over the results collecting information. | |
1941 | assert (addr_info); | |
1942 | for (const struct addrinfo *ai = addr_info; ai != NULL; ai = ai->ai_next) | |
1943 | { | |
1944 | PRNetAddr new_address; | |
1945 | ||
1946 | // We support IPv4 and IPv6, Ignore other protocols, | |
1947 | if (ai->ai_family == AF_INET) | |
1948 | { | |
1949 | // IPv4 Address | |
1950 | struct sockaddr_in *ip = (struct sockaddr_in *)ai->ai_addr; | |
1951 | new_address.inet.family = PR_AF_INET; | |
1952 | new_address.inet.ip = ip->sin_addr.s_addr; | |
1953 | } | |
1954 | else if (ai->ai_family == AF_INET6) | |
1955 | { | |
1956 | // IPv6 Address | |
1957 | struct sockaddr_in6 *ip = (struct sockaddr_in6 *)ai->ai_addr; | |
1958 | new_address.ipv6.family = PR_AF_INET6; | |
1959 | new_address.ipv6.scope_id = ip->sin6_scope_id; | |
1960 | copyAddress (new_address.ipv6.ip, ip->sin6_addr); | |
1961 | } | |
1962 | else | |
1963 | continue; | |
1964 | ||
1965 | // Try to obtain a host name. Otherwise, leave it empty. | |
1966 | char hbuf[NI_MAXHOST]; | |
1967 | int status = getnameinfo (ai->ai_addr, ai->ai_addrlen, hbuf, sizeof (hbuf), NULL, 0, | |
1968 | NI_NAMEREQD | NI_IDN); | |
1969 | if (status != 0) | |
1970 | hbuf[0] = '\0'; | |
1971 | ||
1972 | cached_hosts.push_back(resolved_host(hbuf, new_address)); | |
1973 | } | |
1974 | } | |
1975 | if (addr_info) | |
1976 | freeaddrinfo (addr_info); // free the linked list | |
1977 | } | |
1978 | ||
1979 | // If no addresses were resolved, then return the info we were given. | |
1980 | if (cached_hosts.empty()) | |
1981 | nss_add_server_info (server, resolved_servers); | |
1982 | else { | |
1983 | // We will add a new server for each address resolved | |
1984 | vector<compile_server_info> new_servers; | |
1985 | for (vector<resolved_host>::const_iterator it = cached_hosts.begin(); | |
1986 | it != cached_hosts.end(); ++it) | |
1987 | { | |
1988 | // Start with the info we were given | |
1989 | compile_server_info new_server = server; | |
1990 | ||
1991 | // NB: do not overwrite port info | |
1992 | if (it->address.raw.family == AF_INET) | |
1993 | { | |
1994 | new_server.address.inet.family = PR_AF_INET; | |
1995 | new_server.address.inet.ip = it->address.inet.ip; | |
1996 | } | |
1997 | else // AF_INET6 | |
1998 | { | |
1999 | new_server.address.ipv6.family = PR_AF_INET6; | |
2000 | new_server.address.ipv6.scope_id = it->address.ipv6.scope_id; | |
2001 | new_server.address.ipv6.ip = it->address.ipv6.ip; | |
2002 | } | |
2003 | if (!it->host_name.empty()) | |
638abbd0 SC |
2004 | { |
2005 | new_server.unresolved_host_name = new_server.host_name; | |
2006 | new_server.host_name = it->host_name; | |
2007 | } | |
3e150b00 DS |
2008 | nss_add_server_info (new_server, new_servers); |
2009 | } | |
2010 | ||
2011 | if (s.verbose >= 6) | |
2012 | { | |
2013 | clog << _F("%s resolves to:", server.host_name.c_str()) << endl; | |
2014 | clog << new_servers; | |
2015 | } | |
2016 | ||
2017 | nss_add_server_info (new_servers, resolved_servers); | |
2018 | } | |
2019 | } | |
2020 | ||
2021 | #if HAVE_AVAHI | |
2022 | // Avahi API Callbacks. | |
2023 | //----------------------------------------------------------------------- | |
2024 | struct browsing_context { | |
2025 | AvahiSimplePoll *simple_poll; | |
2026 | AvahiClient *client; | |
2027 | vector<compile_server_info> *servers; | |
2028 | }; | |
2029 | ||
2030 | // Get the value of the requested key from the Avahi string list. | |
2031 | static string | |
2032 | get_value_from_avahi_string_list (AvahiStringList *strlst, const string &key) | |
2033 | { | |
2034 | AvahiStringList *p = avahi_string_list_find (strlst, key.c_str ()); | |
2035 | if (p == NULL) | |
2036 | { | |
2037 | // Key not found. | |
2038 | return ""; | |
2039 | } | |
2040 | ||
2041 | char *k, *v; | |
2042 | int rc = avahi_string_list_get_pair(p, &k, &v, NULL); | |
2043 | if (rc < 0 || v == NULL) | |
2044 | { | |
2045 | avahi_free (k); | |
2046 | return ""; | |
2047 | } | |
2048 | ||
2049 | string value = v; | |
2050 | avahi_free (k); | |
2051 | avahi_free (v); | |
2052 | return value; | |
2053 | } | |
2054 | ||
2055 | // Get a vector of values of the requested key from the Avahi string | |
2056 | // list. This is for multiple values having the same key. | |
2057 | static void | |
2058 | get_values_from_avahi_string_list (AvahiStringList *strlst, const string &key, | |
2059 | vector<string> &value_vector) | |
2060 | { | |
2061 | AvahiStringList *p; | |
2062 | ||
2063 | value_vector.clear(); | |
2064 | p = avahi_string_list_find (strlst, key.c_str ()); | |
2065 | for (; p != NULL; p = avahi_string_list_get_next(p)) | |
2066 | { | |
2067 | char *k, *v; | |
2068 | int rc = avahi_string_list_get_pair(p, &k, &v, NULL); | |
2069 | if (rc < 0 || v == NULL) | |
2070 | { | |
2071 | avahi_free (k); | |
2072 | break; | |
2073 | } | |
2074 | ||
2075 | value_vector.push_back(v); | |
2076 | avahi_free (k); | |
2077 | avahi_free (v); | |
2078 | } | |
2079 | return; | |
2080 | } | |
2081 | ||
2082 | extern "C" | |
2083 | void resolve_callback( | |
2084 | AvahiServiceResolver *r, | |
2085 | AvahiIfIndex interface, | |
2086 | AvahiProtocol protocol, | |
2087 | AvahiResolverEvent event, | |
2088 | const char *name, | |
2089 | const char *type, | |
2090 | const char *domain, | |
2091 | const char *host_name, | |
2092 | const AvahiAddress *address, | |
2093 | uint16_t port, | |
2094 | AvahiStringList *txt, | |
2095 | AvahiLookupResultFlags /*flags*/, | |
2096 | AVAHI_GCC_UNUSED void* userdata) | |
2097 | { | |
2098 | PRStatus prStatus; | |
2099 | ||
2100 | assert(r); | |
2101 | const browsing_context *context = (browsing_context *)userdata; | |
2102 | vector<compile_server_info> *servers = context->servers; | |
2103 | ||
2104 | // Called whenever a service has been resolved successfully or timed out. | |
2105 | ||
2106 | switch (event) { | |
2107 | case AVAHI_RESOLVER_FAILURE: | |
2108 | clog << _F("Failed to resolve service '%s' of type '%s' in domain '%s': %s", | |
2109 | name, type, domain, | |
2110 | avahi_strerror(avahi_client_errno(avahi_service_resolver_get_client(r)))) << endl; | |
2111 | break; | |
2112 | ||
2113 | case AVAHI_RESOLVER_FOUND: { | |
2114 | compile_server_info info; | |
2115 | ||
2116 | // Decode the address. | |
2117 | char a[AVAHI_ADDRESS_STR_MAX]; | |
2118 | avahi_address_snprint(a, sizeof(a), address); | |
2119 | prStatus = PR_StringToNetAddr (a, & info.address); | |
2120 | if (prStatus != PR_SUCCESS) { | |
2121 | clog << _F("Invalid address '%s' from avahi", a) << endl; | |
2122 | break; | |
2123 | } | |
2124 | ||
2125 | // We support both IPv4 and IPv6. Ignore other protocols. | |
2126 | if (protocol == AVAHI_PROTO_INET6) { | |
2127 | info.address.ipv6.family = PR_AF_INET6; | |
2128 | info.address.ipv6.scope_id = interface; | |
2129 | info.port = port; | |
2130 | } | |
2131 | else if (protocol == AVAHI_PROTO_INET) { | |
2132 | info.address.inet.family = PR_AF_INET; | |
2133 | info.port = port; | |
2134 | } | |
2135 | else | |
2136 | break; | |
2137 | ||
2138 | // Save the host name. | |
2139 | info.host_name = host_name; | |
2140 | ||
2141 | // Save the text tags. | |
2142 | info.sysinfo = get_value_from_avahi_string_list (txt, "sysinfo"); | |
2143 | info.certinfo = get_value_from_avahi_string_list (txt, "certinfo"); | |
2144 | info.version = get_value_from_avahi_string_list (txt, "version"); | |
2145 | if (info.version.empty ()) | |
2146 | info.version = "1.0"; // default version is 1.0 | |
2147 | ||
2148 | // The server might provide one or more MOK certificate's | |
2149 | // info. | |
2150 | get_values_from_avahi_string_list(txt, "mok_info", | |
2151 | info.mok_fingerprints); | |
2152 | ||
2153 | // Add this server to the list of discovered servers. | |
2154 | nss_add_server_info (info, *servers); | |
2155 | break; | |
2156 | } | |
2157 | default: | |
2158 | break; | |
2159 | } | |
2160 | ||
2161 | avahi_service_resolver_free(r); | |
2162 | } | |
2163 | ||
2164 | extern "C" | |
2165 | void browse_callback( | |
2166 | AvahiServiceBrowser *b, | |
2167 | AvahiIfIndex interface, | |
2168 | AvahiProtocol protocol, | |
2169 | AvahiBrowserEvent event, | |
2170 | const char *name, | |
2171 | const char *type, | |
2172 | const char *domain, | |
2173 | AVAHI_GCC_UNUSED AvahiLookupResultFlags flags, | |
2174 | void* userdata) { | |
2175 | ||
2176 | browsing_context *context = (browsing_context *)userdata; | |
2177 | AvahiClient *c = context->client; | |
2178 | AvahiSimplePoll *simple_poll = context->simple_poll; | |
2179 | assert(b); | |
2180 | ||
2181 | // Called whenever a new services becomes available on the LAN or is removed from the LAN. | |
2182 | ||
2183 | switch (event) { | |
2184 | case AVAHI_BROWSER_FAILURE: | |
2185 | clog << _F("Avahi browse failed: %s", | |
2186 | avahi_strerror(avahi_client_errno(avahi_service_browser_get_client(b)))) | |
2187 | << endl; | |
2188 | avahi_simple_poll_quit(simple_poll); | |
2189 | break; | |
2190 | ||
2191 | case AVAHI_BROWSER_NEW: | |
2192 | // We ignore the returned resolver object. In the callback | |
2193 | // function we free it. If the server is terminated before | |
2194 | // the callback function is called the server will free | |
2195 | // the resolver for us. | |
2196 | if (!(avahi_service_resolver_new(c, interface, protocol, name, type, domain, | |
2197 | AVAHI_PROTO_UNSPEC, (AvahiLookupFlags)0, resolve_callback, context))) { | |
2198 | clog << _F("Failed to resolve service '%s': %s", | |
2199 | name, avahi_strerror(avahi_client_errno(c))) << endl; | |
2200 | } | |
2201 | break; | |
2202 | ||
2203 | case AVAHI_BROWSER_REMOVE: | |
2204 | case AVAHI_BROWSER_ALL_FOR_NOW: | |
2205 | case AVAHI_BROWSER_CACHE_EXHAUSTED: | |
2206 | break; | |
2207 | } | |
2208 | } | |
2209 | ||
2210 | extern "C" | |
2211 | void client_callback(AvahiClient *c, AvahiClientState state, AVAHI_GCC_UNUSED void * userdata) { | |
2212 | assert(c); | |
2213 | browsing_context *context = (browsing_context *)userdata; | |
2214 | AvahiSimplePoll *simple_poll = context->simple_poll; | |
2215 | ||
2216 | // Called whenever the client or server state changes. | |
2217 | ||
2218 | if (state == AVAHI_CLIENT_FAILURE) { | |
2219 | clog << _F("Avahi Server connection failure: %s", avahi_strerror(avahi_client_errno(c))) << endl; | |
2220 | avahi_simple_poll_quit(simple_poll); | |
2221 | } | |
2222 | } | |
2223 | ||
2224 | extern "C" | |
2225 | void timeout_callback(AVAHI_GCC_UNUSED AvahiTimeout *e, AVAHI_GCC_UNUSED void *userdata) { | |
2226 | browsing_context *context = (browsing_context *)userdata; | |
2227 | AvahiSimplePoll *simple_poll = context->simple_poll; | |
2228 | avahi_simple_poll_quit(simple_poll); | |
2229 | } | |
2230 | #endif // HAVE_AVAHI | |
2231 | ||
2232 | void | |
2233 | nss_get_or_keep_online_server_info ( | |
2234 | systemtap_session &s, | |
2235 | vector<compile_server_info> &servers, | |
2236 | bool keep | |
2237 | ) | |
2238 | { | |
2239 | // If we're filtering the list and it's already empty, then | |
2240 | // there's nothing to do. | |
2241 | if (keep && servers.empty ()) | |
2242 | return; | |
2243 | ||
2244 | // We only need to obtain this once per session. This is a good thing(tm) | |
2245 | // since obtaining this information is expensive. | |
2246 | vector<compile_server_info>& online_servers = cscache(s)->online_servers; | |
638abbd0 | 2247 | if (online_servers.empty () && s.http_servers.empty ()) |
3e150b00 DS |
2248 | { |
2249 | // Maintain an empty entry to indicate that this search has been | |
2250 | // performed, in case the search comes up empty. | |
2251 | online_servers.push_back (compile_server_info ()); | |
2252 | #if HAVE_AVAHI | |
2253 | // Must predeclare these due to jumping on error to fail: | |
2254 | vector<compile_server_info> avahi_servers; | |
2255 | ||
2256 | // Initialize. | |
2257 | AvahiClient *client = NULL; | |
2258 | AvahiServiceBrowser *sb = NULL; | |
2259 | ||
2260 | // Allocate main loop object. | |
2261 | AvahiSimplePoll *simple_poll; | |
2262 | if (!(simple_poll = avahi_simple_poll_new())) | |
2263 | { | |
2264 | clog << _("Failed to create Avahi simple poll object") << endl; | |
2265 | goto fail; | |
2266 | } | |
2267 | browsing_context context; | |
2268 | context.simple_poll = simple_poll; | |
2269 | context.servers = & avahi_servers; | |
2270 | ||
2271 | // Allocate a new Avahi client | |
2272 | int error; | |
2273 | client = avahi_client_new (avahi_simple_poll_get (simple_poll), | |
2274 | (AvahiClientFlags)0, | |
2275 | client_callback, & context, & error); | |
2276 | ||
2277 | // Check whether creating the client object succeeded. | |
2278 | if (! client) | |
2279 | { | |
2280 | clog << _F("Failed to create Avahi client: %s", | |
2281 | avahi_strerror(error)) << endl; | |
2282 | goto fail; | |
2283 | } | |
2284 | context.client = client; | |
2285 | ||
2286 | // Create the service browser. | |
2287 | if (!(sb = avahi_service_browser_new (client, AVAHI_IF_UNSPEC, | |
2288 | AVAHI_PROTO_UNSPEC, "_stap._tcp", | |
2289 | NULL, (AvahiLookupFlags)0, | |
2290 | browse_callback, & context))) | |
2291 | { | |
2292 | clog << _F("Failed to create Avahi service browser: %s", | |
2293 | avahi_strerror(avahi_client_errno(client))) << endl; | |
2294 | goto fail; | |
2295 | } | |
2296 | ||
2297 | // Timeout after 0.5 seconds. | |
2298 | struct timeval tv; | |
2299 | avahi_simple_poll_get(simple_poll)->timeout_new( | |
2300 | avahi_simple_poll_get(simple_poll), | |
2301 | avahi_elapse_time(&tv, 1000/2, 0), | |
2302 | timeout_callback, | |
2303 | & context); | |
2304 | ||
2305 | // Run the main loop. | |
2306 | avahi_simple_poll_loop(simple_poll); | |
2307 | ||
2308 | if (s.verbose >= 6) | |
2309 | { | |
2310 | clog << _("Avahi reports the following servers online:") << endl; | |
2311 | clog << avahi_servers; | |
2312 | } | |
2313 | ||
2314 | // Merge with the list of servers, as obtained by avahi. | |
2315 | nss_add_server_info (avahi_servers, online_servers); | |
2316 | ||
2317 | fail: | |
2318 | // Cleanup. | |
2319 | if (client) { | |
2320 | // Also frees the service browser | |
2321 | avahi_client_free(client); | |
2322 | } | |
2323 | if (simple_poll) | |
2324 | avahi_simple_poll_free(simple_poll); | |
2325 | #else // ! HAVE_AVAHI | |
2326 | // Without Avahi, we can't detect online servers. Issue a warning. | |
2327 | if (s.verbose >= 2) | |
2328 | clog << _("Unable to detect online servers without avahi") << endl; | |
2329 | #endif // ! HAVE_AVAHI | |
2330 | ||
2331 | if (s.verbose >= 5) | |
2332 | { | |
2333 | clog << _("All online servers:") << endl; | |
2334 | clog << online_servers; | |
2335 | } | |
2336 | } // Server information is not cached. | |
2337 | ||
638abbd0 SC |
2338 | if (!s.http_servers.empty ()) |
2339 | { | |
2340 | // http server does not depend on avahi, so discover which servers are online by | |
2341 | // getting a list of potential servers and trying to connect to them | |
2342 | vector<compile_server_info>& specified_servers = cscache(s)->specified_servers; | |
2343 | ||
2344 | nss_get_specified_server_info (s, specified_servers); | |
2345 | ||
2346 | for (vector<compile_server_info>::const_iterator i = specified_servers.begin (); | |
2347 | i != specified_servers.end (); | |
2348 | ++i) | |
2349 | { | |
2350 | client_backend *backend = nss_get_client_backend (s); | |
2351 | if (backend) | |
2352 | backend->fill_in_server_info ((compile_server_info&)*i); | |
2353 | } | |
2354 | } | |
2355 | ||
3e150b00 DS |
2356 | if (keep) |
2357 | { | |
2358 | // Filter the existing vector by keeping the information in common with | |
2359 | // the online_server vector. | |
2360 | nss_keep_common_server_info (online_servers, servers); | |
2361 | } | |
2362 | else | |
2363 | { | |
2364 | // Add the information, but not duplicates. | |
2365 | nss_add_server_info (online_servers, servers); | |
2366 | } | |
2367 | } | |
2368 | ||
2369 | // Add server info to a list, avoiding duplicates. Merge information from | |
2370 | // two duplicate items. | |
2371 | void | |
2372 | nss_add_server_info ( | |
2373 | const compile_server_info &info, vector<compile_server_info>& target | |
2374 | ) | |
2375 | { | |
2376 | if (info.empty ()) | |
2377 | return; | |
2378 | ||
2379 | bool found = false; | |
2380 | for (vector<compile_server_info>::iterator i = target.begin (); | |
2381 | i != target.end (); | |
2382 | ++i) | |
2383 | { | |
2384 | if (info == *i) | |
2385 | { | |
2386 | // Duplicate. Merge the two items. | |
2387 | merge_server_info (info, *i); | |
2388 | found = true; | |
2389 | } | |
2390 | } | |
2391 | if (! found) | |
2392 | target.push_back (info); | |
2393 | } | |
2394 | ||
2395 | // Add server info from one vector to another. | |
2396 | void | |
2397 | nss_add_server_info ( | |
2398 | const vector<compile_server_info> &source, | |
2399 | vector<compile_server_info> &target | |
2400 | ) | |
2401 | { | |
2402 | for (vector<compile_server_info>::const_iterator i = source.begin (); | |
2403 | i != source.end (); | |
2404 | ++i) | |
2405 | { | |
2406 | nss_add_server_info (*i, target); | |
2407 | } | |
2408 | } | |
2409 | ||
2410 | // Filter the vector by keeping information in common with the item. | |
2411 | void | |
2412 | nss_keep_common_server_info ( | |
2413 | const compile_server_info &info_to_keep, | |
2414 | vector<compile_server_info> &filtered_info | |
2415 | ) | |
2416 | { | |
2417 | assert (! info_to_keep.empty ()); | |
2418 | ||
2419 | // The vector may change size as we go. Be careful!! | |
2420 | for (unsigned i = 0; i < filtered_info.size (); /**/) | |
2421 | { | |
2422 | // Retain empty entries. | |
2423 | if (filtered_info[i].empty ()) | |
2424 | { | |
2425 | ++i; | |
2426 | continue; | |
2427 | } | |
2428 | if (info_to_keep == filtered_info[i]) | |
2429 | { | |
2430 | merge_server_info (info_to_keep, filtered_info[i]); | |
2431 | ++i; | |
2432 | continue; | |
2433 | } | |
2434 | // The item does not match. Delete it. | |
2435 | filtered_info.erase (filtered_info.begin () + i); | |
2436 | continue; | |
2437 | } | |
2438 | } | |
2439 | ||
2440 | // Filter the second vector by keeping information in common with the first | |
2441 | // vector. | |
2442 | void | |
2443 | nss_keep_common_server_info ( | |
2444 | const vector<compile_server_info> &info_to_keep, | |
2445 | vector<compile_server_info> &filtered_info | |
2446 | ) | |
2447 | { | |
2448 | // The vector may change size as we go. Be careful!! | |
2449 | for (unsigned i = 0; i < filtered_info.size (); /**/) | |
2450 | { | |
2451 | // Retain empty entries. | |
2452 | if (filtered_info[i].empty ()) | |
2453 | { | |
2454 | ++i; | |
2455 | continue; | |
2456 | } | |
2457 | bool found = false; | |
2458 | for (unsigned j = 0; j < info_to_keep.size (); ++j) | |
2459 | { | |
2460 | if (filtered_info[i] == info_to_keep[j]) | |
2461 | { | |
2462 | merge_server_info (info_to_keep[j], filtered_info[i]); | |
2463 | found = true; | |
2464 | } | |
2465 | } | |
2466 | ||
2467 | // If the item was not found. Delete it. Otherwise, advance to the next | |
2468 | // item. | |
2469 | if (found) | |
2470 | ++i; | |
2471 | else | |
2472 | filtered_info.erase (filtered_info.begin () + i); | |
2473 | } | |
2474 | } | |
2475 | ||
2476 | // Merge two compile server info items. | |
2477 | static void | |
2478 | merge_server_info ( | |
2479 | const compile_server_info &source, | |
2480 | compile_server_info &target | |
2481 | ) | |
2482 | { | |
2483 | // Copy the host name if the source has one. | |
2484 | if (! source.host_name.empty()) | |
2485 | target.host_name = source.host_name; | |
2486 | // Copy the address unconditionally, if the source has an address, even if they are already | |
2487 | // equal. The source address may be an IPv6 address with a scope_id that the target is missing. | |
2488 | assert (! target.hasAddress () || ! source.hasAddress () || source.address == target.address); | |
2489 | if (source.hasAddress ()) | |
2490 | copyNetAddr (target.address, source.address); | |
2491 | if (target.port == 0) | |
2492 | { | |
2493 | target.port = source.port; | |
2494 | target.fully_specified = source.fully_specified; | |
2495 | } | |
2496 | if (target.sysinfo.empty ()) | |
2497 | target.sysinfo = source.sysinfo; | |
2498 | if (target.version.empty ()) | |
2499 | target.version = source.version; | |
2500 | if (target.certinfo.empty ()) | |
2501 | target.certinfo = source.certinfo; | |
2502 | } | |
2503 | ||
eb3896ef DS |
2504 | void |
2505 | nss_add_online_server_info (systemtap_session &s, | |
2506 | const compile_server_info &info) | |
2507 | { | |
2508 | nss_add_server_info (info, cscache(s)->online_servers); | |
2509 | } | |
3e150b00 DS |
2510 | #endif // HAVE_NSS |
2511 | ||
2512 | /* vim: set sw=2 ts=8 cino=>4,n-2,{2,^-2,t0,(0,u0,w1,M1 : */ |