]>
Commit | Line | Data |
---|---|---|
aeb9cc10 DB |
1 | /* |
2 | SSL server program listens on a port, accepts client connection, reads | |
3 | the data into a temporary file, calls the systemtap translator and | |
4 | then transmits the resulting file back to the client. | |
5 | ||
6 | Copyright (C) 2011 Red Hat Inc. | |
7 | ||
8 | This file is part of systemtap, and is free software. You can | |
9 | redistribute it and/or modify it under the terms of the GNU General Public | |
10 | License as published by the Free Software Foundation; either version 2 of the | |
11 | License, or (at your option) any later version. | |
12 | ||
13 | This program is distributed in the hope that it will be useful, | |
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | GNU General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with this program; if not, write to the Free Software | |
20 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
21 | */ | |
22 | #include "config.h" | |
23 | ||
24 | #include <string> | |
25 | #include <cerrno> | |
26 | #include <cassert> | |
27 | ||
28 | extern "C" { | |
29 | #include <getopt.h> | |
30 | #include <wordexp.h> | |
31 | #include <glob.h> | |
32 | #include <fcntl.h> | |
a6d72070 | 33 | #include <sys/resource.h> |
aeb9cc10 | 34 | #include <sys/stat.h> |
a6d72070 | 35 | #include <sys/time.h> |
aeb9cc10 DB |
36 | #include <sys/utsname.h> |
37 | ||
38 | #include <nspr.h> | |
39 | #include <ssl.h> | |
40 | #include <nss.h> | |
41 | #include <keyhi.h> | |
42 | ||
43 | #if HAVE_AVAHI | |
44 | #include <avahi-client/publish.h> | |
45 | #include <avahi-common/alternative.h> | |
46 | #include <avahi-common/simple-watch.h> | |
47 | #include <avahi-common/malloc.h> | |
48 | #include <avahi-common/error.h> | |
49 | #endif | |
50 | } | |
51 | ||
52 | #include "util.h" | |
53 | #include "nsscommon.h" | |
54 | ||
55 | using namespace std; | |
56 | ||
57 | static void cleanup (); | |
58 | static PRStatus spawn_and_wait (const vector<string> &argv, | |
59 | const char* fd0, const char* fd1, const char* fd2, const char *pwd); | |
60 | ||
61 | /* getopt variables */ | |
62 | extern int optind; | |
63 | ||
4a044a5e DB |
64 | /* File scope statics. Set during argument parsing and initialization. */ |
65 | static bool set_rlimits; | |
aeb9cc10 DB |
66 | static bool use_db_password; |
67 | static int port; | |
68 | static string cert_db_path; | |
69 | static string stap_options; | |
70 | static string uname_r; | |
71 | static string arch; | |
72 | static string cert_serial_number; | |
73 | static string B_options; | |
74 | static string I_options; | |
75 | static string R_option; | |
76 | static pthread_t avahi_thread = 0; | |
77 | ||
4a044a5e DB |
78 | // Used to save our resource limits for these categories and impose smaller |
79 | // limits on the translator while servicing a request. | |
80 | static struct rlimit save_RLIMIT_FSIZE; | |
81 | static struct rlimit save_RLIMIT_STACK; | |
82 | static struct rlimit save_RLIMIT_CPU; | |
83 | static struct rlimit save_RLIMIT_NPROC; | |
84 | static struct rlimit save_RLIMIT_AS; | |
85 | ||
86 | static struct rlimit translator_RLIMIT_FSIZE; | |
87 | static struct rlimit translator_RLIMIT_STACK; | |
88 | static struct rlimit translator_RLIMIT_CPU; | |
89 | static struct rlimit translator_RLIMIT_NPROC; | |
90 | static struct rlimit translator_RLIMIT_AS; | |
91 | ||
aeb9cc10 DB |
92 | // Message handling. Error messages occur during the handling of a request and |
93 | // are logged, printed to stderr and also to the client's stderr. | |
94 | extern "C" | |
95 | void | |
96 | nsscommon_error (const char *msg, int logit) | |
97 | { | |
98 | clog << msg << endl << flush; | |
99 | // Log it, but avoid repeated messages to the terminal. | |
100 | if (logit && log_ok ()) | |
101 | log (msg); | |
102 | } | |
103 | ||
104 | // Fatal errors are treated the same as errors but also result in termination | |
105 | // of the server. | |
106 | static void | |
107 | fatal (const string &msg) | |
108 | { | |
109 | nsscommon_error (msg, true/*logit*/); | |
110 | cleanup (); | |
111 | exit (1); | |
112 | } | |
113 | ||
114 | // Argument handling | |
115 | static void | |
116 | process_a (const string &arg) | |
117 | { | |
118 | arch = arg; | |
119 | stap_options += " -a " + arg; | |
120 | } | |
121 | ||
122 | static void | |
123 | process_r (const string &arg) | |
124 | { | |
125 | if (arg[0] == '/') // fully specified path | |
126 | uname_r = kernel_release_from_build_tree (arg); | |
127 | else | |
128 | uname_r = arg; | |
129 | stap_options += " -r " + arg; // Pass the argument to stap directly. | |
130 | } | |
131 | ||
132 | static void | |
133 | process_log (const char *arg) | |
134 | { | |
135 | start_log (arg); | |
136 | } | |
137 | ||
138 | static void | |
139 | parse_options (int argc, char **argv) | |
140 | { | |
141 | // Examine the command line. We need not do much checking, but we do need to | |
142 | // parse all options in order to discover the ones we're interested in. | |
143 | while (true) | |
144 | { | |
145 | int long_opt; | |
146 | char *num_endptr; | |
147 | #define LONG_OPT_PORT 1 | |
148 | #define LONG_OPT_SSL 2 | |
149 | #define LONG_OPT_LOG 3 | |
150 | static struct option long_options[] = { | |
151 | { "port", 1, & long_opt, LONG_OPT_PORT }, | |
152 | { "ssl", 1, & long_opt, LONG_OPT_SSL }, | |
153 | { "log", 1, & long_opt, LONG_OPT_LOG }, | |
154 | { NULL, 0, NULL, 0 } | |
155 | }; | |
156 | int grc = getopt_long (argc, argv, "a:B:I:Pr:R:", long_options, NULL); | |
157 | if (grc < 0) | |
158 | break; | |
159 | switch (grc) | |
160 | { | |
161 | case 'a': | |
162 | process_a (optarg); | |
163 | break; | |
164 | case 'B': | |
165 | B_options += optarg; | |
166 | stap_options += string (" -") + (char)grc + optarg; | |
167 | break; | |
168 | case 'I': | |
169 | I_options += optarg; | |
170 | stap_options += string (" -") + (char)grc + optarg; | |
171 | break; | |
172 | case 'P': | |
173 | use_db_password = true; | |
174 | break; | |
175 | case 'r': | |
176 | process_r (optarg); | |
177 | break; | |
178 | case 'R': | |
179 | R_option = optarg; | |
180 | stap_options += string (" -") + (char)grc + optarg; | |
181 | break; | |
182 | case '?': | |
183 | // Invalid/unrecognized option given. Message has already been issued. | |
184 | break; | |
185 | default: | |
186 | // Reached when one added a getopt option but not a corresponding switch/case: | |
187 | if (optarg) | |
188 | nsscommon_error (_F("%s: unhandled option '%c %s'", argv[0], (char)grc, optarg)); | |
189 | else | |
190 | nsscommon_error (_F("%s: unhandled option '%c'", argv[0], (char)grc)); | |
191 | break; | |
192 | case 0: | |
193 | switch (long_opt) | |
194 | { | |
195 | case LONG_OPT_PORT: | |
196 | port = (int) strtoul (optarg, &num_endptr, 10); | |
197 | break; | |
198 | case LONG_OPT_SSL: | |
199 | cert_db_path = optarg; | |
200 | break; | |
201 | case LONG_OPT_LOG: | |
202 | process_log (optarg); | |
203 | break; | |
204 | default: | |
205 | if (optarg) | |
206 | nsscommon_error (_F("%s: unhandled option '--%s=%s'", argv[0], | |
207 | long_options[long_opt - 1].name, optarg)); | |
208 | else | |
209 | nsscommon_error (_F("%s: unhandled option '--%s'", argv[0], | |
210 | long_options[long_opt - 1].name)); | |
211 | } | |
212 | break; | |
213 | } | |
214 | } | |
215 | ||
216 | for (int i = optind; i < argc; i++) | |
217 | nsscommon_error (_F("%s: unrecognized argument '%s'", argv[0], argv[i])); | |
218 | } | |
219 | ||
220 | // Signal handling. When an interrupt is received, kill any spawned processes | |
221 | // and exit. | |
222 | extern "C" | |
223 | void | |
224 | handle_interrupt (int sig) | |
225 | { | |
226 | log (_F("Received interrupt %d, exiting", sig)); | |
227 | kill_stap_spawn (sig); | |
228 | cleanup (); | |
229 | exit (0); | |
230 | } | |
231 | ||
232 | static void | |
233 | setup_signals (sighandler_t handler) | |
234 | { | |
235 | struct sigaction sa; | |
236 | ||
237 | sa.sa_handler = handler; | |
238 | sigemptyset (&sa.sa_mask); | |
239 | if (handler != SIG_IGN) | |
240 | { | |
241 | sigaddset (&sa.sa_mask, SIGHUP); | |
242 | sigaddset (&sa.sa_mask, SIGPIPE); | |
243 | sigaddset (&sa.sa_mask, SIGINT); | |
244 | sigaddset (&sa.sa_mask, SIGTERM); | |
245 | sigaddset (&sa.sa_mask, SIGTTIN); | |
246 | sigaddset (&sa.sa_mask, SIGTTOU); | |
247 | } | |
248 | sa.sa_flags = SA_RESTART; | |
249 | ||
250 | sigaction (SIGHUP, &sa, NULL); | |
251 | sigaction (SIGPIPE, &sa, NULL); | |
252 | sigaction (SIGINT, &sa, NULL); | |
253 | sigaction (SIGTERM, &sa, NULL); | |
254 | sigaction (SIGTTIN, &sa, NULL); | |
255 | sigaction (SIGTTOU, &sa, NULL); | |
256 | } | |
257 | ||
258 | #if HAVE_AVAHI | |
259 | static AvahiEntryGroup *avahi_group = NULL; | |
260 | static AvahiSimplePoll *avahi_simple_poll = NULL; | |
261 | static char *avahi_service_name = NULL; | |
262 | ||
263 | static void create_services (AvahiClient *c); | |
264 | ||
265 | static void | |
266 | entry_group_callback ( | |
267 | AvahiEntryGroup *g, | |
268 | AvahiEntryGroupState state, | |
269 | AVAHI_GCC_UNUSED void *userdata | |
270 | ) { | |
271 | assert(g == avahi_group || avahi_group == NULL); | |
272 | avahi_group = g; | |
273 | ||
274 | // Called whenever the entry group state changes. | |
275 | switch (state) | |
276 | { | |
277 | case AVAHI_ENTRY_GROUP_ESTABLISHED: | |
278 | // The entry group has been established successfully. | |
279 | log (_F("Service '%s' successfully established.", avahi_service_name)); | |
280 | break; | |
281 | ||
282 | case AVAHI_ENTRY_GROUP_COLLISION: { | |
283 | char *n; | |
284 | // A service name collision with a remote service. | |
285 | // happened. Let's pick a new name. | |
286 | n = avahi_alternative_service_name (avahi_service_name); | |
287 | avahi_free (avahi_service_name); | |
288 | avahi_service_name = n; | |
289 | nsscommon_error (_F("Avahi service name collision, renaming service to '%s'", avahi_service_name)); | |
290 | ||
291 | // And recreate the services. | |
292 | create_services (avahi_entry_group_get_client (g)); | |
293 | break; | |
294 | } | |
295 | ||
296 | case AVAHI_ENTRY_GROUP_FAILURE: | |
297 | nsscommon_error (_F("Avahi entry group failure: %s", | |
298 | avahi_strerror (avahi_client_errno (avahi_entry_group_get_client (g))))); | |
299 | // Some kind of failure happened while we were registering our services. | |
300 | avahi_simple_poll_quit (avahi_simple_poll); | |
301 | break; | |
302 | ||
303 | case AVAHI_ENTRY_GROUP_UNCOMMITED: | |
304 | case AVAHI_ENTRY_GROUP_REGISTERING: | |
305 | break; | |
306 | } | |
307 | } | |
308 | ||
309 | static void | |
310 | create_services (AvahiClient *c) { | |
311 | assert (c); | |
312 | ||
313 | // If this is the first time we're called, let's create a new | |
314 | // entry group if necessary. | |
315 | if (! avahi_group) | |
316 | if (! (avahi_group = avahi_entry_group_new (c, entry_group_callback, NULL))) | |
317 | { | |
318 | nsscommon_error (_F("avahi_entry_group_new () failed: %s", | |
319 | avahi_strerror (avahi_client_errno (c)))); | |
320 | goto fail; | |
321 | } | |
322 | ||
323 | // If the group is empty (either because it was just created, or | |
324 | // because it was reset previously, add our entries. | |
325 | if (avahi_entry_group_is_empty (avahi_group)) | |
326 | { | |
327 | log (_F("Adding service '%s'", avahi_service_name)); | |
328 | ||
329 | // Create the txt tags that will be registered with our service. | |
330 | string sysinfo = "sysinfo=" + uname_r + " " + arch; | |
331 | string certinfo = "certinfo=" + cert_serial_number; | |
332 | string optinfo = "optinfo="; | |
333 | string separator; | |
334 | if (! R_option.empty ()) | |
335 | { | |
336 | optinfo += R_option; | |
337 | separator = " "; | |
338 | } | |
339 | if (! B_options.empty ()) | |
340 | { | |
341 | optinfo += separator + B_options; | |
342 | separator = " "; | |
343 | } | |
344 | if (! I_options.empty ()) | |
345 | optinfo += separator + I_options; | |
346 | ||
347 | // We will now our service to the entry group. Only services with the | |
348 | // same name should be put in the same entry group. | |
349 | int ret; | |
350 | if ((ret = avahi_entry_group_add_service (avahi_group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, | |
351 | (AvahiPublishFlags)0, | |
352 | avahi_service_name, "_stap._tcp", NULL, NULL, port, | |
353 | sysinfo.c_str (), optinfo.c_str (), | |
354 | certinfo.c_str (), NULL)) < 0) | |
355 | { | |
356 | if (ret == AVAHI_ERR_COLLISION) | |
357 | goto collision; | |
358 | ||
359 | nsscommon_error (_F("Failed to add _ipp._tcp service: %s", avahi_strerror (ret))); | |
360 | goto fail; | |
361 | } | |
362 | ||
363 | // Tell the server to register the service. | |
364 | if ((ret = avahi_entry_group_commit (avahi_group)) < 0) | |
365 | { | |
366 | nsscommon_error (_F("Failed to commit avahi entry group: %s", avahi_strerror (ret))); | |
367 | goto fail; | |
368 | } | |
369 | } | |
370 | return; | |
371 | ||
372 | collision: | |
373 | // A service name collision with a local service happened. Let's | |
374 | // pick a new name. | |
375 | char *n; | |
376 | n = avahi_alternative_service_name (avahi_service_name); | |
377 | avahi_free(avahi_service_name); | |
378 | avahi_service_name = n; | |
379 | nsscommon_error (_F("Avahi service name collision, renaming service to '%s'", avahi_service_name)); | |
380 | avahi_entry_group_reset (avahi_group); | |
381 | create_services (c); | |
382 | return; | |
383 | ||
384 | fail: | |
385 | avahi_simple_poll_quit (avahi_simple_poll); | |
386 | } | |
387 | ||
388 | static void | |
389 | client_callback (AvahiClient *c, AvahiClientState state, AVAHI_GCC_UNUSED void * userdata) | |
390 | { | |
391 | assert(c); | |
392 | ||
393 | // Called whenever the client or server state changes. | |
394 | switch (state) | |
395 | { | |
396 | case AVAHI_CLIENT_S_RUNNING: | |
397 | // The server has startup successfully and registered its host | |
398 | // name on the network, so it's time to create our services. | |
399 | create_services (c); | |
400 | break; | |
401 | ||
402 | case AVAHI_CLIENT_FAILURE: | |
403 | nsscommon_error (_F("Avahi client failure: %s", avahi_strerror (avahi_client_errno (c)))); | |
404 | avahi_simple_poll_quit (avahi_simple_poll); | |
405 | break; | |
406 | ||
407 | case AVAHI_CLIENT_S_COLLISION: | |
408 | // Let's drop our registered services. When the server is back | |
409 | // in AVAHI_SERVER_RUNNING state we will register them | |
410 | // again with the new host name. | |
411 | // Fall through ... | |
412 | case AVAHI_CLIENT_S_REGISTERING: | |
413 | // The server records are now being established. This | |
414 | // might be caused by a host name change. We need to wait | |
415 | // for our own records to register until the host name is | |
416 | // properly esatblished. | |
417 | if (avahi_group) | |
418 | avahi_entry_group_reset (avahi_group); | |
419 | break; | |
420 | ||
421 | case AVAHI_CLIENT_CONNECTING: | |
422 | break; | |
423 | } | |
424 | } | |
425 | ||
426 | // The entry point for the avahi client thread. | |
427 | static void * | |
428 | avahi_publish_service (void *arg) | |
429 | { | |
430 | CERTCertificate *cert = (CERTCertificate *)arg; | |
431 | cert_serial_number = get_cert_serial_number (cert); | |
432 | ||
433 | string buf = "Systemtap Compile Server, pid=" + lex_cast (getpid ()); | |
434 | avahi_service_name = avahi_strdup (buf.c_str ()); | |
435 | ||
436 | AvahiClient *client = 0; | |
437 | ||
438 | // Allocate main loop object. | |
439 | if (! (avahi_simple_poll = avahi_simple_poll_new ())) | |
440 | { | |
441 | nsscommon_error (_("Failed to create avahi simple poll object.")); | |
442 | goto done; | |
443 | } | |
444 | ||
445 | // Allocate a new client. | |
446 | int error; | |
447 | client = avahi_client_new (avahi_simple_poll_get (avahi_simple_poll), (AvahiClientFlags)0, | |
448 | client_callback, NULL, & error); | |
449 | ||
450 | // Check wether creating the client object succeeded. | |
451 | if (! client) | |
452 | { | |
453 | nsscommon_error (_F("Failed to create avahi client: %s", avahi_strerror(error))); | |
454 | goto done; | |
455 | } | |
456 | ||
457 | // Run the main loop. | |
458 | avahi_simple_poll_loop (avahi_simple_poll); | |
459 | ||
460 | done: | |
461 | // Cleanup. | |
462 | if (client) | |
463 | avahi_client_free (client); | |
464 | if (avahi_simple_poll) | |
465 | avahi_simple_poll_free (avahi_simple_poll); | |
466 | avahi_free (avahi_service_name); | |
467 | return NULL; | |
468 | } | |
469 | #endif // HAVE_AVAHI | |
470 | ||
471 | static void | |
472 | advertise_presence (CERTCertificate *cert __attribute ((unused))) | |
473 | { | |
474 | #if HAVE_AVAHI | |
475 | // The avahi client must run on its own thread, since the poll loop does not | |
476 | // exit. The avahi thread will be cancelled automatically when the main thread | |
477 | // finishes. Run the thread as joinable to the main thread, so that we can know, when we | |
478 | // cancel it, that it actually was cancelled. | |
479 | pthread_attr_t attr; | |
480 | pthread_attr_init (& attr); | |
481 | pthread_attr_setdetachstate (& attr, PTHREAD_CREATE_JOINABLE); | |
482 | int rc = pthread_create (& avahi_thread, & attr, avahi_publish_service, (void *)cert); | |
483 | if (rc == EAGAIN) | |
484 | { | |
485 | nsscommon_error (_("Could not create a thread for the avahi client")); | |
486 | avahi_thread = 0; | |
487 | } | |
488 | #else | |
489 | nsscommon_error (_("Unable to advertise presence on the network. Avahi is not available")); | |
490 | #endif | |
491 | } | |
492 | ||
493 | static void | |
494 | unadvertise_presence () | |
495 | { | |
496 | #if HAVE_AVAHI | |
497 | if (avahi_thread) | |
498 | { | |
499 | pthread_cancel (avahi_thread); | |
500 | pthread_join (avahi_thread, NULL); | |
501 | avahi_thread = 0; | |
502 | avahi_group = NULL; | |
503 | avahi_simple_poll = NULL; | |
504 | avahi_service_name = NULL; | |
505 | } | |
506 | #endif | |
507 | } | |
508 | ||
509 | static void | |
510 | initialize (int argc, char **argv) { | |
511 | setup_signals (& handle_interrupt); | |
512 | ||
513 | // PR11197: security prophylactics. | |
514 | // 1) Reject use as root, except via a special environment variable. | |
515 | if (! getenv ("STAP_PR11197_OVERRIDE")) { | |
516 | if (geteuid () == 0) | |
517 | fatal ("For security reasons, invocation of stap-serverd as root is not supported."); | |
518 | } | |
519 | // 2) resource limits should be set if the user is the 'stap-server' daemon. | |
520 | string login = getlogin (); | |
4a044a5e DB |
521 | if (login == "stap-server") { |
522 | // First obtain the current limits. | |
523 | int rc = getrlimit (RLIMIT_FSIZE, & save_RLIMIT_FSIZE); | |
524 | rc |= getrlimit (RLIMIT_STACK, & save_RLIMIT_STACK); | |
525 | rc |= getrlimit (RLIMIT_CPU, & save_RLIMIT_CPU); | |
526 | rc |= getrlimit (RLIMIT_NPROC, & save_RLIMIT_NPROC); | |
527 | rc |= getrlimit (RLIMIT_AS, & save_RLIMIT_AS); | |
528 | if (rc != 0) | |
529 | fatal (_F("Unable to obtain current resource limits: %s", strerror (errno))); | |
530 | ||
531 | // Now establish limits for the translator. Make sure these limits do not exceed the current | |
532 | // limits. | |
533 | #define TRANSLATOR_LIMIT(category, limit) \ | |
534 | do { \ | |
535 | translator_RLIMIT_##category = save_RLIMIT_##category; \ | |
536 | if (translator_RLIMIT_##category.rlim_cur > (limit)) \ | |
537 | translator_RLIMIT_##category.rlim_cur = (limit); \ | |
538 | } while (0); | |
539 | TRANSLATOR_LIMIT (FSIZE, 50000); | |
540 | TRANSLATOR_LIMIT (STACK, 1000); | |
541 | TRANSLATOR_LIMIT (CPU, 60); | |
542 | TRANSLATOR_LIMIT (NPROC, 20); | |
543 | TRANSLATOR_LIMIT (AS, 500000); | |
544 | set_rlimits = true; | |
545 | #undef TRANSLATOR_LIMIT | |
546 | } | |
aeb9cc10 | 547 | else |
4a044a5e | 548 | set_rlimits = false; |
aeb9cc10 DB |
549 | |
550 | // Seed the random number generator. Used to generate noise used during key generation. | |
551 | srand (time (NULL)); | |
552 | ||
553 | // Initial values. | |
554 | use_db_password = false; | |
555 | port = 0; | |
556 | struct utsname utsname; | |
557 | uname (& utsname); | |
558 | uname_r = utsname.release; | |
559 | arch = normalize_machine (utsname.machine); | |
560 | ||
561 | // Parse the arguments. | |
562 | parse_options (argc, argv); | |
563 | ||
564 | pid_t pid = getpid (); | |
565 | log (_F("===== compile server pid %d starting", pid)); | |
566 | ||
567 | // Where is the ssl certificate/key database? | |
568 | if (cert_db_path.empty ()) | |
569 | cert_db_path = server_cert_db_path (); | |
570 | ||
571 | // Make sure NSPR is initialized. Must be done before NSS is initialized | |
572 | PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); | |
573 | /* Set the cert database password callback. */ | |
574 | PK11_SetPasswordFunc (nssPasswordCallback); | |
575 | } | |
576 | ||
577 | static void | |
578 | cleanup () | |
579 | { | |
580 | unadvertise_presence (); | |
581 | end_log (); | |
582 | } | |
583 | ||
584 | /* Function: readDataFromSocket() | |
585 | * | |
586 | * Purpose: Read data from the socket into a temporary file. | |
587 | * | |
588 | */ | |
589 | static PRInt32 | |
590 | readDataFromSocket(PRFileDesc *sslSocket, const char *requestFileName) | |
591 | { | |
592 | PRFileDesc *local_file_fd = 0; | |
593 | PRInt32 numBytesExpected; | |
594 | PRInt32 numBytesRead; | |
595 | PRInt32 numBytesWritten; | |
4a044a5e | 596 | PRInt32 totalBytes = 0; |
aeb9cc10 DB |
597 | #define READ_BUFFER_SIZE 4096 |
598 | char buffer[READ_BUFFER_SIZE]; | |
599 | ||
600 | /* Read the number of bytes to be received. */ | |
601 | /* XXX: impose a limit to prevent disk space consumption DoS */ | |
602 | numBytesRead = PR_Read (sslSocket, & numBytesExpected, sizeof (numBytesExpected)); | |
603 | if (numBytesRead == 0) /* EOF */ | |
604 | { | |
605 | nsscommon_error (_("Error reading size of request file")); | |
606 | goto done; | |
607 | } | |
608 | if (numBytesRead < 0) | |
609 | { | |
610 | nsscommon_error (_("Error in PR_Read")); | |
611 | nssError (); | |
612 | goto done; | |
613 | } | |
614 | ||
615 | /* Convert numBytesExpected from network byte order to host byte order. */ | |
616 | numBytesExpected = ntohl (numBytesExpected); | |
617 | ||
618 | /* If 0 bytes are expected, then we were contacted only to obtain our certificate. | |
619 | There is no client request. */ | |
620 | if (numBytesExpected == 0) | |
621 | return 0; | |
622 | ||
623 | /* Open the output file. */ | |
624 | local_file_fd = PR_Open(requestFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, | |
625 | PR_IRUSR | PR_IWUSR); | |
626 | if (local_file_fd == NULL) | |
627 | { | |
628 | nsscommon_error (_F("Could not open output file %s", requestFileName)); | |
629 | nssError (); | |
630 | return -1; | |
631 | } | |
632 | ||
633 | /* Read until EOF or until the expected number of bytes has been read. */ | |
634 | for (totalBytes = 0; totalBytes < numBytesExpected; totalBytes += numBytesRead) | |
635 | { | |
636 | numBytesRead = PR_Read(sslSocket, buffer, READ_BUFFER_SIZE); | |
637 | if (numBytesRead == 0) | |
638 | break; /* EOF */ | |
639 | if (numBytesRead < 0) | |
640 | { | |
641 | nsscommon_error (_("Error in PR_Read")); | |
642 | nssError (); | |
643 | goto done; | |
644 | } | |
645 | ||
646 | /* Write to the request file. */ | |
647 | numBytesWritten = PR_Write(local_file_fd, buffer, numBytesRead); | |
648 | if (numBytesWritten < 0 || (numBytesWritten != numBytesRead)) | |
649 | { | |
650 | nsscommon_error (_F("Could not write to output file %s", requestFileName)); | |
651 | nssError (); | |
652 | goto done; | |
653 | } | |
654 | } | |
655 | ||
656 | if (totalBytes != numBytesExpected) | |
657 | { | |
658 | nsscommon_error (_F("Expected %d bytes, got %d while reading client request from socket", | |
659 | numBytesExpected, totalBytes)); | |
660 | goto done; | |
661 | } | |
662 | ||
663 | done: | |
664 | if (local_file_fd) | |
665 | PR_Close (local_file_fd); | |
666 | return totalBytes; | |
667 | } | |
668 | ||
669 | /* Function: setupSSLSocket() | |
670 | * | |
671 | * Purpose: Configure a socket for SSL. | |
672 | * | |
673 | * | |
674 | */ | |
675 | static PRFileDesc * | |
676 | setupSSLSocket (PRFileDesc *tcpSocket, CERTCertificate *cert, SECKEYPrivateKey *privKey) | |
677 | { | |
678 | PRFileDesc *sslSocket; | |
679 | SSLKEAType certKEA; | |
680 | SECStatus secStatus; | |
681 | ||
682 | /* Inport the socket into SSL. */ | |
683 | sslSocket = SSL_ImportFD (NULL, tcpSocket); | |
684 | if (sslSocket == NULL) | |
685 | { | |
686 | nsscommon_error (_("Could not import socket into SSL")); | |
687 | nssError (); | |
688 | return NULL; | |
689 | } | |
690 | ||
691 | /* Set the appropriate flags. */ | |
692 | secStatus = SSL_OptionSet (sslSocket, SSL_SECURITY, PR_TRUE); | |
693 | if (secStatus != SECSuccess) | |
694 | { | |
695 | nsscommon_error (_("Error setting SSL security for socket")); | |
696 | nssError (); | |
697 | return NULL; | |
698 | } | |
699 | ||
700 | secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE); | |
701 | if (secStatus != SECSuccess) | |
702 | { | |
703 | nsscommon_error (_("Error setting handshake as server for socket")); | |
704 | nssError (); | |
705 | return NULL; | |
706 | } | |
707 | ||
708 | secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, PR_FALSE); | |
709 | if (secStatus != SECSuccess) | |
710 | { | |
711 | nsscommon_error (_("Error setting SSL client authentication mode for socket")); | |
712 | nssError (); | |
713 | return NULL; | |
714 | } | |
715 | ||
716 | secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, PR_FALSE); | |
717 | if (secStatus != SECSuccess) | |
718 | { | |
719 | nsscommon_error (_("Error setting SSL client authentication mode for socket")); | |
720 | nssError (); | |
721 | return NULL; | |
722 | } | |
723 | ||
724 | /* Set the appropriate callback routines. */ | |
725 | #if 0 /* use the default */ | |
726 | secStatus = SSL_AuthCertificateHook (sslSocket, myAuthCertificate, CERT_GetDefaultCertDB()); | |
727 | if (secStatus != SECSuccess) | |
728 | { | |
729 | nssError (); | |
730 | nsscommon_error (_("Error in SSL_AuthCertificateHook")); | |
731 | return NULL; | |
732 | } | |
733 | #endif | |
734 | #if 0 /* Use the default */ | |
735 | secStatus = SSL_BadCertHook(sslSocket, (SSLBadCertHandler)myBadCertHandler, &certErr); | |
736 | if (secStatus != SECSuccess) | |
737 | { | |
738 | nssError (); | |
739 | nsscommon_error (_("Error in SSL_BadCertHook")); | |
740 | return NULL; | |
741 | } | |
742 | #endif | |
743 | #if 0 /* no handshake callback */ | |
744 | secStatus = SSL_HandshakeCallback(sslSocket, myHandshakeCallback, NULL); | |
745 | if (secStatus != SECSuccess) | |
746 | { | |
747 | nsscommon_error (_("Error in SSL_HandshakeCallback")); | |
748 | nssError (); | |
749 | return NULL; | |
750 | } | |
751 | #endif | |
752 | ||
753 | certKEA = NSS_FindCertKEAType (cert); | |
754 | ||
755 | secStatus = SSL_ConfigSecureServer (sslSocket, cert, privKey, certKEA); | |
756 | if (secStatus != SECSuccess) | |
757 | { | |
758 | nsscommon_error (_("Error configuring SSL server")); | |
759 | nssError (); | |
760 | return NULL; | |
761 | } | |
762 | ||
763 | return sslSocket; | |
764 | } | |
765 | ||
766 | #if 0 /* No client authentication (for now) and not authenticating after each transaction. */ | |
767 | /* Function: authenticateSocket() | |
768 | * | |
769 | * Purpose: Perform client authentication on the socket. | |
770 | * | |
771 | */ | |
772 | static SECStatus | |
773 | authenticateSocket (PRFileDesc *sslSocket, PRBool requireCert) | |
774 | { | |
775 | CERTCertificate *cert; | |
776 | SECStatus secStatus; | |
777 | ||
778 | /* Returns NULL if client authentication is not enabled or if the | |
779 | * client had no certificate. */ | |
780 | cert = SSL_PeerCertificate(sslSocket); | |
781 | if (cert) | |
782 | { | |
783 | /* Client had a certificate, so authentication is through. */ | |
784 | CERT_DestroyCertificate(cert); | |
785 | return SECSuccess; | |
786 | } | |
787 | ||
788 | /* Request client to authenticate itself. */ | |
789 | secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, PR_TRUE); | |
790 | if (secStatus != SECSuccess) | |
791 | { | |
792 | nsscommon_error (_("Error in SSL_OptionSet:SSL_REQUEST_CERTIFICATE")); | |
793 | nssError (); | |
794 | return SECFailure; | |
795 | } | |
796 | ||
797 | /* If desired, require client to authenticate itself. Note | |
798 | * SSL_REQUEST_CERTIFICATE must also be on, as above. */ | |
799 | secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, requireCert); | |
800 | if (secStatus != SECSuccess) | |
801 | { | |
802 | nsscommon_error (_("Error in SSL_OptionSet:SSL_REQUIRE_CERTIFICATE")); | |
803 | nssError (); | |
804 | return SECFailure; | |
805 | } | |
806 | ||
807 | /* Having changed socket configuration parameters, redo handshake. */ | |
808 | secStatus = SSL_ReHandshake(sslSocket, PR_TRUE); | |
809 | if (secStatus != SECSuccess) | |
810 | { | |
811 | nsscommon_error (_("Error in SSL_ReHandshake")); | |
812 | nssError (); | |
813 | return SECFailure; | |
814 | } | |
815 | ||
816 | /* Force the handshake to complete before moving on. */ | |
817 | secStatus = SSL_ForceHandshake(sslSocket); | |
818 | if (secStatus != SECSuccess) | |
819 | { | |
820 | nsscommon_error (_("Error in SSL_ForceHandshake")); | |
821 | nssError (); | |
822 | return SECFailure; | |
823 | } | |
824 | ||
825 | return SECSuccess; | |
826 | } | |
827 | #endif /* No client authentication and not authenticating after each transaction. */ | |
828 | ||
829 | /* Function: writeDataToSocket | |
830 | * | |
831 | * Purpose: Write the server's response back to the socket. | |
832 | * | |
833 | */ | |
834 | static SECStatus | |
835 | writeDataToSocket(PRFileDesc *sslSocket, const char *responseFileName) | |
836 | { | |
837 | PRFileDesc *local_file_fd = PR_Open (responseFileName, PR_RDONLY, 0); | |
838 | if (local_file_fd == NULL) | |
839 | { | |
840 | nsscommon_error (_F("Could not open input file %s", responseFileName)); | |
841 | nssError (); | |
842 | return SECFailure; | |
843 | } | |
844 | ||
845 | /* Transmit the local file across the socket. | |
846 | */ | |
847 | int numBytes = PR_TransmitFile (sslSocket, local_file_fd, | |
848 | NULL, 0, | |
849 | PR_TRANSMITFILE_KEEP_OPEN, | |
850 | PR_INTERVAL_NO_TIMEOUT); | |
851 | ||
852 | /* Error in transmission. */ | |
853 | SECStatus secStatus = SECSuccess; | |
854 | if (numBytes < 0) | |
855 | { | |
856 | nsscommon_error (_("Error writing response to socket")); | |
857 | nssError (); | |
858 | secStatus = SECFailure; | |
859 | } | |
860 | ||
861 | PR_Close (local_file_fd); | |
862 | return secStatus; | |
863 | } | |
864 | ||
865 | ||
866 | /* Run the translator on the data in the request directory, and produce output | |
867 | in the given output directory. */ | |
868 | static void | |
869 | handleRequest (const char* requestDirName, const char* responseDirName) | |
870 | { | |
871 | char stapstdout[PATH_MAX]; | |
872 | char stapstderr[PATH_MAX]; | |
873 | char staprc[PATH_MAX]; | |
874 | char stapsymvers[PATH_MAX]; | |
875 | vector<string> stapargv; | |
876 | int rc; | |
877 | wordexp_t words; | |
878 | unsigned u; | |
879 | unsigned i; | |
880 | FILE* f; | |
881 | int unprivileged = 0; | |
882 | struct stat st; | |
883 | ||
884 | stapargv.push_back ((char *)(getenv ("SYSTEMTAP_STAP") ?: STAP_PREFIX "/bin/stap")); | |
885 | ||
886 | /* Transcribe stap_options. We use plain wordexp(3), since these | |
887 | options are coming from the local trusted user, so malicious | |
888 | content is not a concern. */ | |
889 | // TODO: Use tokenize here. | |
890 | rc = wordexp (stap_options.c_str (), & words, WRDE_NOCMD|WRDE_UNDEF); | |
891 | if (rc) | |
892 | { | |
893 | nsscommon_error (_("Cannot parse stap options")); | |
894 | return; | |
895 | } | |
896 | ||
897 | for (u=0; u<words.we_wordc; u++) | |
898 | stapargv.push_back (words.we_wordv[u]); | |
899 | ||
900 | stapargv.push_back ("-k"); /* Need to keep temp files in order to package them up again. */ | |
901 | ||
902 | /* Process the saved command line arguments. Avoid quoting/unquoting errors by | |
903 | transcribing literally. */ | |
904 | stapargv.push_back ("--client-options"); | |
905 | ||
906 | for (i=1 ; ; i++) | |
907 | { | |
908 | char stapargfile[PATH_MAX]; | |
909 | FILE* argfile; | |
910 | struct stat st; | |
911 | char *arg; | |
912 | ||
913 | snprintf (stapargfile, PATH_MAX, "%s/argv%d", requestDirName, i); | |
914 | ||
915 | rc = stat(stapargfile, & st); | |
916 | if (rc) break; | |
917 | ||
918 | arg = (char *)malloc (st.st_size+1); | |
919 | if (!arg) | |
920 | { | |
921 | nsscommon_error (_("Out of memory")); | |
922 | return; | |
923 | } | |
924 | ||
925 | argfile = fopen(stapargfile, "r"); | |
926 | if (! argfile) | |
927 | { | |
928 | nsscommon_error (_F("Error opening %s: %s", stapargfile, strerror (errno))); | |
929 | return; | |
930 | } | |
931 | ||
932 | rc = fread(arg, 1, st.st_size, argfile); | |
933 | if (rc != st.st_size) | |
934 | { | |
935 | nsscommon_error (_F("Error reading %s: %s", stapargfile, strerror (errno))); | |
936 | return; | |
937 | } | |
938 | ||
939 | arg[st.st_size] = '\0'; | |
940 | stapargv.push_back (arg); | |
941 | free (arg); | |
942 | fclose (argfile); | |
943 | } | |
944 | ||
945 | snprintf (stapstdout, PATH_MAX, "%s/stdout", responseDirName); | |
946 | snprintf (stapstderr, PATH_MAX, "%s/stderr", responseDirName); | |
947 | ||
948 | /* Check for the unprivileged flag; we need this so that we can decide to sign the module. */ | |
949 | for (i=0; i < stapargv.size (); i++) | |
950 | { | |
951 | if (stapargv[i] == "--unprivileged") | |
952 | { | |
953 | unprivileged=1; | |
954 | break; | |
955 | } | |
956 | } | |
957 | /* NB: but it's not that easy! What if an attacker passes | |
958 | --unprivileged as some sort of argument-parameter, so that the | |
959 | translator does not interpret it as an --unprivileged mode flag, | |
960 | but something else? Then it could generate unrestrained modules, | |
961 | but silly we might still sign it, and let the attacker get away | |
962 | with murder. And yet we don't want to fully getopt-parse the | |
963 | args here for duplication of effort. | |
964 | ||
965 | So let's do a hack: forcefully add --unprivileged to stapargv[] | |
966 | near the front in this case, something which a later option | |
967 | cannot undo. */ | |
968 | if (unprivileged) | |
969 | { | |
970 | stapargv.insert (stapargv.begin () + 1, "--unprivileged"); /* better not be resettable by later option */ | |
971 | } | |
972 | ||
4a044a5e DB |
973 | /* All ready, let's run the translator! |
974 | Set resource limits while the translator is running in order to prevent | |
975 | DOS. spawn_and_wait ultimately uses posix_spawp which behaves like | |
976 | fork (according to the man page), so the limits we set here will be | |
977 | respected. */ | |
978 | int srlrc = 0; | |
979 | if (set_rlimits) { | |
4a044a5e DB |
980 | srlrc = setrlimit (RLIMIT_FSIZE, & translator_RLIMIT_FSIZE); |
981 | srlrc |= setrlimit (RLIMIT_STACK, & translator_RLIMIT_STACK); | |
982 | srlrc |= setrlimit (RLIMIT_CPU, & translator_RLIMIT_CPU); | |
983 | srlrc |= setrlimit (RLIMIT_NPROC, & translator_RLIMIT_NPROC); | |
984 | srlrc |= setrlimit (RLIMIT_AS, & translator_RLIMIT_AS); | |
985 | } | |
986 | if (srlrc == 0) | |
987 | rc = spawn_and_wait (stapargv, "/dev/null", stapstdout, stapstderr, requestDirName); | |
988 | else | |
989 | nsscommon_error (_F("Unable to set resource limits for stap: %s", strerror (errno))); | |
990 | if (set_rlimits) { | |
a6d72070 | 991 | int rrlrc = setrlimit (RLIMIT_FSIZE, & save_RLIMIT_FSIZE); |
4a044a5e DB |
992 | rrlrc |= setrlimit (RLIMIT_STACK, & save_RLIMIT_STACK); |
993 | rrlrc |= setrlimit (RLIMIT_CPU, & save_RLIMIT_CPU); | |
994 | rrlrc |= setrlimit (RLIMIT_NPROC, & save_RLIMIT_NPROC); | |
995 | rrlrc |= setrlimit (RLIMIT_AS, & save_RLIMIT_AS); | |
996 | if (rrlrc != 0) | |
997 | log (_F("Unable to restore resource limits: %s", strerror (errno))); | |
998 | } | |
999 | if (srlrc != 0) | |
1000 | return; // Translator was not run but we needed to restore our rlimits first. | |
aeb9cc10 DB |
1001 | |
1002 | /* Save the RC */ | |
1003 | snprintf (staprc, PATH_MAX, "%s/rc", responseDirName); | |
1004 | f = fopen(staprc, "w"); | |
1005 | if (f) | |
1006 | { | |
1007 | /* best effort basis */ | |
1008 | fprintf(f, "%d", rc); | |
1009 | fclose(f); | |
1010 | } | |
1011 | ||
1012 | /* Parse output to extract the -k-saved temporary directory. | |
1013 | XXX: bletch. */ | |
1014 | f = fopen(stapstderr, "r"); | |
1015 | if (!f) | |
1016 | { | |
1017 | nsscommon_error (_("Error in stap stderr open")); | |
1018 | return; | |
1019 | } | |
1020 | ||
1021 | while (1) | |
1022 | { | |
1023 | char line[PATH_MAX]; | |
1024 | char *l = fgets(line, PATH_MAX, f); /* NB: normally includes \n at end */ | |
1025 | if (!l) break; | |
1026 | char key[]="Keeping temporary directory \""; | |
1027 | ||
1028 | /* Look for line from main.cxx: s.keep_tmpdir */ | |
1029 | if (strncmp(l, key, strlen(key)) == 0 && | |
1030 | l[strlen(l)-2] == '"') /* "\n */ | |
1031 | { | |
1032 | /* Move this directory under responseDirName. We don't have to | |
1033 | preserve the exact stapXXXXXX suffix part, since stap-client | |
1034 | will accept anything ("stap......" regexp), and rewrite it | |
1035 | to a client-local string. | |
1036 | ||
1037 | We don't just symlink because then we'd have to | |
1038 | remember to delete it later anyhow. */ | |
1039 | vector<string> mvargv; | |
1040 | char *orig_staptmpdir = & l[strlen(key)]; | |
1041 | char new_staptmpdir[PATH_MAX]; | |
1042 | ||
1043 | orig_staptmpdir[strlen(orig_staptmpdir)-2] = '\0'; /* Kill the closing "\n */ | |
1044 | snprintf(new_staptmpdir, PATH_MAX, "%s/stap000000", responseDirName); | |
1045 | mvargv.push_back ("mv"); | |
1046 | mvargv.push_back (orig_staptmpdir); | |
1047 | mvargv.push_back (new_staptmpdir); | |
1048 | rc = stap_system (0, mvargv); | |
1049 | if (rc != PR_SUCCESS) | |
1050 | nsscommon_error (_("Error in stap tmpdir move")); | |
1051 | ||
1052 | /* In unprivileged mode, if we have a module built, we need to | |
1053 | sign the sucker. */ | |
1054 | if (unprivileged) | |
1055 | { | |
1056 | glob_t globber; | |
1057 | char pattern[PATH_MAX]; | |
1058 | snprintf (pattern,PATH_MAX,"%s/*.ko", new_staptmpdir); | |
1059 | rc = glob (pattern, GLOB_ERR, NULL, &globber); | |
1060 | if (rc) | |
1061 | nsscommon_error (_F("Unable to find a module in %s", new_staptmpdir)); | |
1062 | else if (globber.gl_pathc != 1) | |
1063 | nsscommon_error (_F("Too many modules (%zu) in %s", globber.gl_pathc, new_staptmpdir)); | |
1064 | else | |
1065 | { | |
1066 | sign_file (cert_db_path, server_cert_nickname (), | |
1067 | globber.gl_pathv[0], string (globber.gl_pathv[0]) + ".sgn"); | |
1068 | } | |
1069 | } | |
1070 | ||
1071 | /* If uprobes.ko is required, then we need to return it to the client. | |
1072 | uprobes.ko was required if the file "Module.symvers" is not empty in | |
1073 | the temp directory. */ | |
1074 | snprintf (stapsymvers, PATH_MAX, "%s/Module.symvers", new_staptmpdir); | |
1075 | rc = stat (stapsymvers, & st); | |
1076 | if (rc == 0 && st.st_size != 0) | |
1077 | { | |
1078 | /* uprobes.ko is required. Link to it from the response directory. */ | |
1079 | vector<string> lnargv; | |
1080 | lnargv.push_back ("/bin/ln"); | |
1081 | lnargv.push_back ("-s"); | |
1082 | lnargv.push_back (PKGDATADIR "/runtime/uprobes/uprobes.ko"); | |
1083 | lnargv.push_back (responseDirName); | |
1084 | rc = stap_system (0, lnargv); | |
1085 | if (rc != PR_SUCCESS) | |
1086 | nsscommon_error (_F("Could not link to %s from %s", lnargv[2].c_str (), lnargv[3].c_str ())); | |
1087 | ||
1088 | /* In unprivileged mode, we need to return the signature as well. */ | |
1089 | if (unprivileged) | |
1090 | { | |
1091 | lnargv[2] = PKGDATADIR "/runtime/uprobes/uprobes.ko.sgn"; | |
1092 | rc = stap_system (0, lnargv); | |
1093 | if (rc != PR_SUCCESS) | |
1094 | nsscommon_error (_F("Could not link to %s from %s", lnargv[2].c_str (), lnargv[3].c_str ())); | |
1095 | } | |
1096 | } | |
1097 | } | |
1098 | } | |
1099 | ||
1100 | /* Free up all the arg string copies. Note that the first few were alloc'd | |
1101 | by wordexp(), which wordfree() frees; others were hand-set to literal strings. */ | |
1102 | wordfree (& words); | |
1103 | ||
1104 | /* Sorry about the inconvenience. C string/file processing is such a pleasure. */ | |
1105 | } | |
1106 | ||
1107 | ||
1108 | /* A front end for stap_spawn that handles stdin, stdout, stderr, switches to a working | |
1109 | directory and returns overall success or failure. */ | |
1110 | static PRStatus | |
1111 | spawn_and_wait (const vector<string> &argv, | |
1112 | const char* fd0, const char* fd1, const char* fd2, const char *pwd) | |
1113 | { | |
1114 | pid_t pid; | |
1115 | int rc; | |
1116 | posix_spawn_file_actions_t actions; | |
1117 | int dotfd = -1; | |
1118 | ||
1119 | #define CHECKRC(msg) do { if (rc) { nsscommon_error (_(msg)); return PR_FAILURE; } } while (0) | |
1120 | ||
1121 | rc = posix_spawn_file_actions_init (& actions); | |
1122 | CHECKRC ("Error in spawn file actions ctor"); | |
1123 | if (fd0) { | |
1124 | rc = posix_spawn_file_actions_addopen(& actions, 0, fd0, O_RDONLY, 0600); | |
1125 | CHECKRC ("Error in spawn file actions fd0"); | |
1126 | } | |
1127 | if (fd1) { | |
1128 | rc = posix_spawn_file_actions_addopen(& actions, 1, fd1, O_WRONLY|O_CREAT, 0600); | |
1129 | CHECKRC ("Error in spawn file actions fd1"); | |
1130 | } | |
1131 | if (fd2) { | |
1132 | rc = posix_spawn_file_actions_addopen(& actions, 2, fd2, O_WRONLY|O_CREAT, 0600); | |
1133 | CHECKRC ("Error in spawn file actions fd2"); | |
1134 | } | |
1135 | ||
1136 | /* change temporarily to a directory if requested */ | |
1137 | if (pwd) | |
1138 | { | |
1139 | dotfd = open (".", O_RDONLY); | |
1140 | if (dotfd < 0) | |
1141 | { | |
1142 | nsscommon_error (_("Error in spawn getcwd")); | |
1143 | return PR_FAILURE; | |
1144 | } | |
1145 | ||
1146 | rc = chdir (pwd); | |
1147 | CHECKRC ("Error in spawn chdir"); | |
1148 | } | |
1149 | ||
1150 | pid = stap_spawn (0, argv, & actions); | |
1151 | /* NB: don't react to pid==-1 right away; need to chdir back first. */ | |
1152 | ||
1153 | if (pwd && dotfd >= 0) | |
1154 | { | |
1155 | int subrc; | |
1156 | subrc = fchdir (dotfd); | |
1157 | subrc |= close (dotfd); | |
1158 | if (subrc) | |
1159 | nsscommon_error (_("Error in spawn unchdir")); | |
1160 | } | |
1161 | ||
1162 | if (pid == -1) | |
1163 | { | |
1164 | nsscommon_error (_("Error in spawn")); | |
1165 | return PR_FAILURE; | |
1166 | } | |
1167 | ||
1168 | rc = stap_waitpid (0, pid); | |
1169 | if (rc == -1) | |
1170 | { | |
1171 | nsscommon_error (_("Error in waitpid")); | |
1172 | return PR_FAILURE; | |
1173 | } | |
1174 | ||
1175 | rc = posix_spawn_file_actions_destroy (&actions); | |
1176 | CHECKRC ("Error in spawn file actions dtor"); | |
1177 | ||
1178 | return PR_SUCCESS; | |
1179 | #undef CHECKRC | |
1180 | } | |
1181 | ||
1182 | /* Function: int handle_connection() | |
1183 | * | |
1184 | * Purpose: Handle a connection to a socket. Copy in request zip | |
1185 | * file, process it, copy out response. Temporary directories are | |
1186 | * created & destroyed here. | |
1187 | */ | |
1188 | static SECStatus | |
1189 | handle_connection (PRFileDesc *tcpSocket, CERTCertificate *cert, SECKEYPrivateKey *privKey) | |
1190 | { | |
1191 | PRFileDesc * sslSocket = NULL; | |
1192 | SECStatus secStatus = SECFailure; | |
1193 | PRSocketOptionData socketOption; | |
1194 | int rc; | |
1195 | char *rc1; | |
1196 | char tmpdir[PATH_MAX]; | |
1197 | char requestFileName[PATH_MAX]; | |
1198 | char requestDirName[PATH_MAX]; | |
1199 | char responseDirName[PATH_MAX]; | |
1200 | char responseFileName[PATH_MAX]; | |
1201 | vector<string> argv; | |
1202 | PRInt32 bytesRead; | |
1203 | ||
1204 | tmpdir[0]='\0'; /* prevent cleanup-time /bin/rm of uninitialized directory */ | |
1205 | ||
1206 | /* Make sure the socket is blocking. */ | |
1207 | socketOption.option = PR_SockOpt_Nonblocking; | |
1208 | socketOption.value.non_blocking = PR_FALSE; | |
1209 | PR_SetSocketOption (tcpSocket, &socketOption); | |
1210 | ||
1211 | secStatus = SECFailure; | |
1212 | sslSocket = setupSSLSocket (tcpSocket, cert, privKey); | |
1213 | if (sslSocket == NULL) | |
1214 | { | |
1215 | // Message already issued. | |
1216 | goto cleanup; | |
1217 | } | |
1218 | ||
1219 | secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_TRUE); | |
1220 | if (secStatus != SECSuccess) | |
1221 | { | |
1222 | nsscommon_error (_("Error resetting SSL handshake")); | |
1223 | nssError (); | |
1224 | goto cleanup; | |
1225 | } | |
1226 | ||
1227 | #if 0 // The client authenticates the server, so the client initiates the handshake | |
1228 | /* Force the handshake to complete before moving on. */ | |
1229 | secStatus = SSL_ForceHandshake(sslSocket); | |
1230 | if (secStatus != SECSuccess) | |
1231 | { | |
1232 | nsscommon_error (_("Error forcing SSL handshake")); | |
1233 | nssError (); | |
1234 | goto cleanup; | |
1235 | } | |
1236 | #endif | |
1237 | ||
1238 | secStatus = SECFailure; | |
1239 | snprintf(tmpdir, PATH_MAX, "%s/stap-server.XXXXXX", getenv("TMPDIR") ?: "/tmp"); | |
1240 | rc1 = mkdtemp(tmpdir); | |
1241 | if (! rc1) | |
1242 | { | |
1243 | nsscommon_error (_F("Could not create temporary directory %s: %s", tmpdir, strerror(errno))); | |
1244 | tmpdir[0]=0; /* prevent /bin/rm */ | |
1245 | goto cleanup; | |
1246 | } | |
1247 | ||
1248 | /* Create a temporary files names and directories. */ | |
1249 | snprintf (requestFileName, PATH_MAX, "%s/request.zip", tmpdir); | |
1250 | ||
1251 | snprintf (requestDirName, PATH_MAX, "%s/request", tmpdir); | |
1252 | rc = mkdir(requestDirName, 0700); | |
1253 | if (rc) | |
1254 | { | |
1255 | nsscommon_error (_F("Could not create temporary directory %s: %s", requestDirName, strerror (errno))); | |
1256 | goto cleanup; | |
1257 | } | |
1258 | ||
1259 | snprintf (responseDirName, PATH_MAX, "%s/response", tmpdir); | |
1260 | rc = mkdir(responseDirName, 0700); | |
1261 | if (rc) | |
1262 | { | |
1263 | nsscommon_error (_F("Could not create temporary directory %s: %s", responseDirName, strerror (errno))); | |
1264 | goto cleanup; | |
1265 | } | |
1266 | ||
1267 | snprintf (responseFileName, PATH_MAX, "%s/response.zip", tmpdir); | |
1268 | ||
1269 | /* Read data from the socket. | |
1270 | * If the user is requesting/requiring authentication, authenticate | |
1271 | * the socket. */ | |
1272 | bytesRead = readDataFromSocket(sslSocket, requestFileName); | |
1273 | if (bytesRead < 0) // Error | |
1274 | goto cleanup; | |
1275 | if (bytesRead == 0) // No request -- not an error | |
1276 | { | |
1277 | secStatus = SECSuccess; | |
1278 | goto cleanup; | |
1279 | } | |
1280 | ||
1281 | #if 0 /* Don't authenticate after each transaction */ | |
1282 | if (REQUEST_CERT_ALL) | |
1283 | { | |
1284 | secStatus = authenticateSocket(sslSocket); | |
1285 | if (secStatus != SECSuccess) | |
1286 | goto cleanup; | |
1287 | } | |
1288 | #endif | |
1289 | ||
1290 | /* Unzip the request. */ | |
1291 | secStatus = SECFailure; | |
1292 | argv.push_back ("unzip"); | |
1293 | argv.push_back ("-q"); | |
1294 | argv.push_back ("-d"); | |
1295 | argv.push_back (requestDirName); | |
1296 | argv.push_back (requestFileName); | |
1297 | rc = stap_system (0, argv); | |
1298 | if (rc != PR_SUCCESS) | |
1299 | { | |
1300 | nsscommon_error (_("Unable to extract client request")); | |
1301 | goto cleanup; | |
1302 | } | |
1303 | ||
1304 | /* Handle the request zip file. An error therein should still result | |
1305 | in a response zip file (containing stderr etc.) so we don't have to | |
1306 | have a result code here. */ | |
1307 | handleRequest(requestDirName, responseDirName); | |
1308 | ||
1309 | /* Zip the response. */ | |
1310 | argv.clear (); | |
1311 | argv.push_back ("zip"); | |
1312 | argv.push_back ("-q"); | |
1313 | argv.push_back ("-r"); | |
1314 | argv.push_back (responseFileName); | |
1315 | argv.push_back ("."); | |
1316 | rc = spawn_and_wait (argv, NULL, NULL, NULL, responseDirName); | |
1317 | if (rc != PR_SUCCESS) | |
1318 | { | |
1319 | nsscommon_error (_("Unable to compress server response")); | |
1320 | goto cleanup; | |
1321 | } | |
1322 | ||
1323 | secStatus = writeDataToSocket (sslSocket, responseFileName); | |
1324 | ||
1325 | cleanup: | |
1326 | if (sslSocket) | |
1327 | if (PR_Close (sslSocket) != PR_SUCCESS) | |
1328 | { | |
1329 | nsscommon_error (_("Error closing ssl socket")); | |
1330 | nssError (); | |
1331 | } | |
1332 | if (tmpdir[0]) | |
1333 | { | |
1334 | /* Remove the whole tmpdir and all that lies beneath. */ | |
1335 | argv.clear (); | |
1336 | argv.push_back ("rm"); | |
1337 | argv.push_back ("-r"); | |
1338 | argv.push_back (tmpdir); | |
1339 | rc = stap_system (0, argv); | |
1340 | if (rc != PR_SUCCESS) | |
1341 | nsscommon_error (_("Error in tmpdir cleanup")); | |
1342 | } | |
1343 | ||
1344 | return secStatus; | |
1345 | } | |
1346 | ||
1347 | /* Function: int accept_connection() | |
1348 | * | |
1349 | * Purpose: Accept a connection to the socket. | |
1350 | * | |
1351 | */ | |
1352 | static SECStatus | |
1353 | accept_connections (PRFileDesc *listenSocket, CERTCertificate *cert) | |
1354 | { | |
1355 | PRNetAddr addr; | |
1356 | PRFileDesc *tcpSocket; | |
1357 | SECStatus secStatus; | |
1358 | CERTCertDBHandle *dbHandle; | |
1359 | time_t now; | |
1360 | ||
1361 | dbHandle = CERT_GetDefaultCertDB (); | |
1362 | ||
1363 | // cert_db_path gets passed to nssPasswordCallback. | |
1364 | SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert (cert, (void*)cert_db_path.c_str ()); | |
1365 | if (privKey == NULL) | |
1366 | { | |
1367 | nsscommon_error (_("Unable to obtain certificate private key")); | |
1368 | nssError (); | |
1369 | return SECFailure; | |
1370 | } | |
1371 | ||
1372 | while (PR_TRUE) | |
1373 | { | |
1374 | /* Accept a connection to the socket. */ | |
1375 | tcpSocket = PR_Accept (listenSocket, &addr, PR_INTERVAL_NO_TIMEOUT); | |
1376 | if (tcpSocket == NULL) | |
1377 | { | |
1378 | nsscommon_error (_("Error accepting client connection")); | |
1379 | break; | |
1380 | } | |
1381 | ||
1382 | /* Log the accepted connection. */ | |
1383 | time (& now); | |
1384 | log (_F("%sAccepted connection from %d.%d.%d.%d:%d", | |
1385 | ctime (& now), | |
1386 | (addr.inet.ip ) & 0xff, | |
1387 | (addr.inet.ip >> 8) & 0xff, | |
1388 | (addr.inet.ip >> 16) & 0xff, | |
1389 | (addr.inet.ip >> 24) & 0xff, | |
1390 | addr.inet.port)); | |
1391 | ||
1392 | /* XXX: alarm() or somesuch to set a timeout. */ | |
1393 | /* XXX: fork() or somesuch to handle concurrent requests. */ | |
1394 | ||
1395 | /* Accepted the connection, now handle it. */ | |
1396 | secStatus = handle_connection (tcpSocket, cert, privKey); | |
1397 | if (secStatus != SECSuccess) | |
1398 | nsscommon_error (_("Error processing client request")); | |
1399 | ||
1400 | // Log the end of the request. | |
1401 | time (& now); | |
1402 | log (_F("%sRequest from %d.%d.%d.%d:%d complete", | |
1403 | ctime (& now), | |
1404 | (addr.inet.ip ) & 0xff, | |
1405 | (addr.inet.ip >> 8) & 0xff, | |
1406 | (addr.inet.ip >> 16) & 0xff, | |
1407 | (addr.inet.ip >> 24) & 0xff, | |
1408 | addr.inet.port)); | |
1409 | ||
1410 | // If our certificate is no longer valid (e.g. has expired), then exit. | |
1411 | secStatus = CERT_VerifyCertNow (dbHandle, cert, PR_TRUE/*checkSig*/, | |
1412 | certUsageSSLServer, NULL/*wincx*/); | |
1413 | if (secStatus != SECSuccess) | |
1414 | { | |
1415 | // Not an error. Exit the loop so a new cert can be generated. | |
1416 | break; | |
1417 | } | |
1418 | } | |
1419 | ||
1420 | SECKEY_DestroyPrivateKey (privKey); | |
1421 | return SECSuccess; | |
1422 | } | |
1423 | ||
1424 | /* Function: void server_main() | |
1425 | * | |
1426 | * Purpose: This is the server's main function. It configures a socket | |
1427 | * and listens to it. | |
1428 | * | |
1429 | */ | |
1430 | static SECStatus | |
1431 | server_main () | |
1432 | { | |
1433 | SECStatus secStatus; | |
1434 | PRStatus prStatus; | |
1435 | PRFileDesc * listenSocket; | |
1436 | PRNetAddr addr; | |
1437 | PRSocketOptionData socketOption; | |
1438 | ||
1439 | /* Create a new socket. */ | |
1440 | listenSocket = PR_NewTCPSocket(); | |
1441 | if (listenSocket == NULL) | |
1442 | { | |
1443 | nsscommon_error (_("Error creating socket")); | |
1444 | nssError (); | |
1445 | return SECFailure; | |
1446 | } | |
1447 | ||
1448 | /* Set socket to be blocking - | |
1449 | * on some platforms the default is nonblocking. | |
1450 | */ | |
1451 | socketOption.option = PR_SockOpt_Nonblocking; | |
1452 | socketOption.value.non_blocking = PR_FALSE; | |
1453 | ||
1454 | // Predeclare to keep C++ happy about jumps to 'done'. | |
1455 | CERTCertificate *cert = NULL; | |
1456 | ||
1457 | secStatus = SECFailure; | |
1458 | prStatus = PR_SetSocketOption (listenSocket, &socketOption); | |
1459 | if (prStatus != PR_SUCCESS) | |
1460 | { | |
1461 | nsscommon_error (_("Error setting socket properties")); | |
1462 | nssError (); | |
1463 | goto done; | |
1464 | } | |
1465 | ||
1466 | /* Configure the network connection. */ | |
1467 | addr.inet.family = PR_AF_INET; | |
1468 | addr.inet.ip = PR_INADDR_ANY; | |
1469 | ||
1470 | // Bind the socket to an address. Retry if the selected port is busy. | |
1471 | for (;;) | |
1472 | { | |
1473 | // if (port == 0) | |
1474 | // port = IPPORT_USERRESERVED + (rand () % (64000 - IPPORT_USERRESERVED)); | |
1475 | addr.inet.port = PR_htons (port); | |
1476 | ||
1477 | /* Bind the address to the listener socket. */ | |
1478 | prStatus = PR_Bind (listenSocket, & addr); | |
1479 | if (prStatus == PR_SUCCESS) | |
1480 | break; | |
1481 | ||
1482 | // If the selected port is busy. Try another. | |
1483 | PRErrorCode errorNumber = PR_GetError (); | |
1484 | switch (errorNumber) | |
1485 | { | |
1486 | case PR_ADDRESS_NOT_AVAILABLE_ERROR: | |
1487 | nsscommon_error (_F("Network port %d is unavailable. Trying another port", port)); | |
1488 | port = 0; // Will automatically select an available port | |
1489 | continue; | |
1490 | case PR_ADDRESS_IN_USE_ERROR: | |
1491 | nsscommon_error (_F("Network port %d is busy. Trying another port", port)); | |
1492 | port = 0; // Will automatically select an available port | |
1493 | continue; | |
1494 | default: | |
1495 | nsscommon_error (_("Error setting socket address")); | |
1496 | nssError (); | |
1497 | goto done; | |
1498 | } | |
1499 | } | |
1500 | ||
1501 | // Query the socket for the port that was assigned. | |
1502 | prStatus = PR_GetSockName (listenSocket, &addr); | |
1503 | if (prStatus != PR_SUCCESS) | |
1504 | { | |
1505 | nsscommon_error (_("Unable to obtain socket address")); | |
1506 | nssError (); | |
1507 | goto done; | |
1508 | } | |
1509 | port = PR_ntohs (addr.inet.port); | |
1510 | log (_F("Using network port %d", port)); | |
1511 | ||
1512 | /* Listen for connection on the socket. The second argument is | |
1513 | * the maximum size of the queue for pending connections. | |
1514 | */ | |
1515 | prStatus = PR_Listen (listenSocket, 5); | |
1516 | if (prStatus != PR_SUCCESS) | |
1517 | { | |
1518 | nsscommon_error (_("Error listening on socket")); | |
1519 | nssError (); | |
1520 | goto done; | |
1521 | } | |
1522 | ||
1523 | /* Get own certificate. */ | |
1524 | cert = PK11_FindCertFromNickname (server_cert_nickname (), NULL); | |
1525 | if (cert == NULL) | |
1526 | { | |
1527 | nsscommon_error (_F("Unable to find our certificate in the database at %s", | |
1528 | cert_db_path.c_str ())); | |
1529 | nssError (); | |
1530 | goto done; | |
1531 | } | |
1532 | ||
1533 | // Tell the world that we're listening. | |
1534 | advertise_presence (cert); | |
1535 | ||
1536 | /* Handle connections to the socket. */ | |
1537 | secStatus = accept_connections (listenSocket, cert); | |
1538 | ||
1539 | // Tell the world we're no longer listening. | |
1540 | unadvertise_presence (); | |
1541 | ||
1542 | done: | |
1543 | if (PR_Close (listenSocket) != PR_SUCCESS) | |
1544 | { | |
1545 | nsscommon_error (_("Error closing listen socket")); | |
1546 | nssError (); | |
1547 | } | |
1548 | if (cert) | |
1549 | CERT_DestroyCertificate (cert); | |
1550 | ||
1551 | return secStatus; | |
1552 | } | |
1553 | ||
1554 | static void | |
1555 | listen () | |
1556 | { | |
1557 | // Listen forever, unless a fatal error occurs. | |
1558 | for (;;) | |
1559 | { | |
1560 | // Ensure that our certificate is valid. Generate a new one if not. | |
1561 | if (check_cert (cert_db_path, server_cert_nickname (), use_db_password) != 0) | |
1562 | { | |
1563 | // Message already issued | |
1564 | return; | |
1565 | } | |
1566 | ||
1567 | // Ensure that our certificate is trusted by our local client. | |
1568 | // Construct the client database path relative to the server database path. | |
1569 | SECStatus secStatus = add_client_cert (server_cert_file (), | |
1570 | local_client_cert_db_path ()); | |
1571 | if (secStatus != SECSuccess) | |
1572 | { | |
1573 | nsscommon_error (_("Unable to authorize certificate for the local client")); | |
1574 | return; | |
1575 | } | |
1576 | ||
1577 | /* Initialize NSS. */ | |
1578 | secStatus = nssInit (cert_db_path.c_str ()); | |
1579 | if (secStatus != SECSuccess) | |
1580 | { | |
1581 | // Message already issued. | |
1582 | return; | |
1583 | } | |
1584 | ||
1585 | // Enable cipher suites which are allowed by U.S. export regulations. | |
1586 | // NB: The NSS docs say that SSL_ClearSessionCache is required for the new settings to take | |
1587 | // effect, however, calling it puts NSS in a state where it will not shut down cleanly. | |
1588 | // We need to be able to shut down NSS cleanly if we are to generate a new certificate when | |
1589 | // ours expires. It should be noted however, thet SSL_ClearSessionCache only clears the | |
1590 | // client cache, and we are a server. | |
1591 | secStatus = NSS_SetExportPolicy (); | |
1592 | // SSL_ClearSessionCache (); | |
1593 | if (secStatus != SECSuccess) | |
1594 | { | |
1595 | nsscommon_error (_("Unable to set NSS export policy")); | |
1596 | nssError (); | |
1597 | nssCleanup (cert_db_path.c_str ()); | |
1598 | return; | |
1599 | } | |
1600 | ||
1601 | // Configure the SSL session cache for a single process server with the default settings. | |
1602 | secStatus = SSL_ConfigServerSessionIDCache (0, 0, 0, NULL); | |
1603 | if (secStatus != SECSuccess) | |
1604 | { | |
1605 | nsscommon_error (_("Unable to configure SSL server session ID cache")); | |
1606 | nssError (); | |
1607 | nssCleanup (cert_db_path.c_str ()); | |
1608 | return; | |
1609 | } | |
1610 | ||
1611 | /* Launch server. */ | |
1612 | secStatus = server_main (); | |
1613 | ||
1614 | // Shutdown NSS | |
1615 | if (SSL_ShutdownServerSessionIDCache () != SECSuccess) | |
1616 | { | |
1617 | nsscommon_error (_("Unable to shut down server session ID cache")); | |
1618 | nssError (); | |
1619 | } | |
1620 | nssCleanup (cert_db_path.c_str ()); | |
1621 | if (secStatus != SECSuccess) | |
1622 | { | |
1623 | // Message already issued. | |
1624 | return; | |
1625 | } | |
1626 | } // loop forever | |
1627 | } | |
1628 | ||
1629 | int | |
1630 | main (int argc, char **argv) { | |
1631 | initialize (argc, argv); | |
1632 | listen (); | |
1633 | cleanup (); | |
1634 | return 0; | |
1635 | } |