From: kupcevic@sourceware.org <kupcevic@sourceware.org>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] conga/luci conga_ssl/SSLClient.cpp conga_ssl/S ...
Date: 21 Dec 2006 21:32:01 -0000	[thread overview]
Message-ID: <20061221213201.5352.qmail@sourceware.org> (raw)

CVSROOT:	/cvs/cluster
Module name:	conga
Changes by:	kupcevic at sourceware.org	2006-12-21 21:32:01

Modified files:
	luci/conga_ssl : SSLClient.cpp SSLClient.h conga_ssl_lib.cpp 
	luci/site/luci/Extensions: conga_ssl.py 
	luci/utils     : luci_admin 

Log message:
	riccis' ssls verification (bz201394): backup/restore of certs and hostname-cert relation

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/SSLClient.cpp.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/SSLClient.h.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/conga_ssl_lib.cpp.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/Extensions/conga_ssl.py.diff?cvsroot=cluster&r1=1.1&r2=1.2
http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.50&r2=1.51

--- conga/luci/conga_ssl/SSLClient.cpp	2006/12/06 22:34:09	1.1
+++ conga/luci/conga_ssl/SSLClient.cpp	2006/12/21 21:32:00	1.2
@@ -437,7 +437,7 @@
 }
 
 bool 
-SSLClient::trust_peer_cert()
+SSLClient::trust_peer_cert(const String& hostname)
 {
   MutexLocker l(global_lock);
   
@@ -447,35 +447,12 @@
   if (!peer_has_cert())
     throw String("peer did not present cert");
   
-  String f_name(_certs_store_dir);
-  f_name += "/peer_cert_XXXXXX";
-  int fd = -1;
-  char* buff = new char[f_name.size() + 1];
+  String filename(_certs_store_dir);
+  filename += "/" + hostname + "_cert_pub";
   try {
-    // pick a filename
-    strcpy(buff, f_name.c_str());
-    if ((fd = mkstemp(buff)) == -1)
-      throw String("unable to generate random file");
-    f_name = buff;
-    delete[] buff; buff = 0;
-    
-    String data(_cert_pem);
-    while (data.size()) {
-      ssize_t i = write(fd, data.c_str(), data.size());
-      if (i == -1) {
-	if (errno != EINTR)
-	  throw String("error writing certificate");
-      } else
-	data = data.substr(i);
-    }
-    while (close(fd) && errno == EINTR)
-      ;
+    File::create(filename).replace(_cert_pem);
   } catch ( ... ) {
-    delete[] buff;
-    if (fd != -1)
-      while (close(fd) && errno == EINTR)
-	;
-    unlink(f_name.c_str());
+    unlink(filename.c_str());
     return false;
   }
   
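Review bot: The new filename on the `filename += "/" + hostname + "_cert_pub";` line is built from the caller-supplied hostname with no validation, whereas the mkstemp() name it replaces could not be influenced by input. The value arrives from Python (`conga_ssl_lib.trust(self.__id, self.__hostname)` in conga_ssl.py and the `"is"` parse in conga_ssl_lib_trust), and unless it is validated upstream, a hostname containing a path separator or `..` would place the peer certificate outside _certs_store_dir or overwrite another peer's stored certificate. Reject an empty hostname or one containing `/` or `..` before the path is built, for example by throwing `String("invalid hostname")` the way the missing-cert case above does, and consider restricting hostname characters to the DNS label alphabet. Note also that on failure `unlink(filename.c_str())` now removes whatever existed at that fixed name, including a previously trusted cert for that host, rather than a throwaway temp file. trust_peer_cert continues past the end of this hunk.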
--- conga/luci/conga_ssl/SSLClient.h	2006/12/06 22:34:09	1.1
+++ conga/luci/conga_ssl/SSLClient.h	2006/12/21 21:32:00	1.2
@@ -56,7 +56,7 @@
   
   String peer_cert_fingerprint(String& digest);
   
-  bool trust_peer_cert();
+  bool trust_peer_cert(const String&);
   bool untrust_peer_cert();  // remove peer's cert from cert_store
   
   ClientSocket& socket();
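Review bot: The new parameter on `bool trust_peer_cert(const String&);` is unnamed and, unlike the sibling untrust_peer_cert line, carries no comment, so a reader of the header cannot tell that it is the peer's hostname and becomes part of the stored cert's filename. Suggest `bool trust_peer_cert(const String& hostname);  // store peer's cert in cert_store as <hostname>_cert_pub`.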
--- conga/luci/conga_ssl/conga_ssl_lib.cpp	2006/12/06 22:34:09	1.1
+++ conga/luci/conga_ssl/conga_ssl_lib.cpp	2006/12/21 21:32:00	1.2
@@ -261,7 +261,8 @@
 conga_ssl_lib_trust(PyObject *self, PyObject *args)
 {
   int id;
-  if (!PyArg_ParseTuple(args, "i", &id))
+  const char* msg;
+  if (!PyArg_ParseTuple(args, "is", &id, &msg))
     return NULL;
   
   try {
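Review bot: The new local `const char* msg;` holds the hostname that the second hunk passes to `trust_peer_cert(msg)`, so its name misdescribes the value; naming it `hostname` (`const char* hostname;` and `"is", &id, &hostname`) keeps it consistent with the Python side and the new SSLClient signature. This is also the boundary where the string leaves Python and becomes a filename component on the C++ side, so it is the natural place for a length and character check if the Python layer does not already perform one. conga_ssl_lib_trust continues outside the hunk.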
@@ -273,7 +274,7 @@
     bool resp;
     {
       PythonThreadsAllower all;
-      resp = iter->second->trust_peer_cert();
+      resp = iter->second->trust_peer_cert(msg);
     }
     
     PyObject* resp_p = Py_BuildValue("i", (resp)?1:0);
--- conga/luci/site/luci/Extensions/conga_ssl.py	2006/12/06 22:34:09	1.1
+++ conga/luci/site/luci/Extensions/conga_ssl.py	2006/12/21 21:32:00	1.2
@@ -20,6 +20,7 @@
                  timeout):
         self.__id = -1
         self.__id = conga_ssl_lib.connect(hostname, port, timeout)
+        self.__hostname = hostname
         pass
     def __del__(self):
         self.disconnect()
@@ -37,7 +38,7 @@
     def trust(self):
         if self.trusted():
             return True
-        return conga_ssl_lib.trust(self.__id) == 1
+        return conga_ssl_lib.trust(self.__id, self.__hostname) == 1
     def untrust(self):
         return conga_ssl_lib.untrust(self.__id) == 1
     
--- conga/luci/utils/luci_admin	2006/10/13 06:56:32	1.50
+++ conga/luci/utils/luci_admin	2006/12/21 21:32:00	1.51
@@ -40,6 +40,7 @@
 LUCI_HOME_DIR       = '/var/lib/luci'
 LUCI_DB_PATH        = LUCI_HOME_DIR + '/var/Data.fs'
 LUCI_CERT_DIR       = LUCI_HOME_DIR + '/var/certs/'
+LUCI_PEERS_DIR      = LUCI_CERT_DIR + 'peers/'
 LUCI_BACKUP_DIR     = LUCI_HOME_DIR + '/var'
 LUCI_BACKUP_PATH    = LUCI_BACKUP_DIR + '/luci_backup.xml'
 LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.default_password_has_been_reset'
@@ -57,12 +58,34 @@
 SSL_KEYCONFIG_PATH     = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
 
 ssl_key_data = [
-	{ 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
-	{ 'id': SSL_HTTPS_PRIVKEY_PATH, 'name': SSL_HTTPS_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
-	{ 'id': SSL_PUBKEY_PATH, 'name': SSL_PUBKEY_NAME, 'type': 'public', 'mode': 0644 },
-	{ 'id': SSL_HTTPS_PUBKEY_PATH, 'name': SSL_HTTPS_PUBKEY_NAME, 'type': 'public', 'mode': 0644 },
-	{ 'id': SSL_KEYCONFIG_PATH, 'name': SSL_KEYCONFIG_NAME, 'type': 'config', 'mode': 0644 }
+	{ 'id'  : SSL_PRIVKEY_PATH,
+	  'name': SSL_PRIVKEY_NAME,
+	  'type': 'private',
+	  'mode': 0600 },
+	{ 'id'  : SSL_HTTPS_PRIVKEY_PATH,
+	  'name': SSL_HTTPS_PRIVKEY_NAME,
+	  'type': 'private',
+	  'mode': 0600 },
+	{ 'id'  : SSL_PUBKEY_PATH,
+	  'name': SSL_PUBKEY_NAME,
+	  'type': 'public',
+	  'mode': 0644 },
+	{ 'id'  : SSL_HTTPS_PUBKEY_PATH,
+	  'name': SSL_HTTPS_PUBKEY_NAME,
+	  'type': 'public',
+	  'mode': 0644 },
+	{ 'id'  : SSL_KEYCONFIG_PATH,
+	  'name': SSL_KEYCONFIG_NAME,
+	  'type': 'config',
+	  'mode': 0644 }
 ]
+for name in os.listdir(LUCI_PEERS_DIR):
+	path = LUCI_PEERS_DIR + name
+	if stat.S_ISREG(os.stat(path).st_mode):
+		ssl_key_data.append({'id'   : path, 
+				     'name' : path.lstrip(LUCI_CERT_DIR), 
+				     'type' : 'public', 
+				     'mode' : 0644})
 
 #null = file(os.devnull, 'rwb+', 0)   - available on python 2.4 and above!!!
 null = file('/dev/null', 'rwb+', 0)
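Review bot: `'name' : path.lstrip(LUCI_CERT_DIR)` strips a set of characters, not a prefix: every leading character of path that occurs anywhere in '/var/lib/luci/var/certs/' is removed, and the result is only 'peers/<name>' because 'p' happens not to be in that set, so any change to LUCI_CERT_DIR silently corrupts the backup entry name. Slice the prefix off instead, `path[len(LUCI_CERT_DIR):]`. The module-level `os.listdir(LUCI_PEERS_DIR)` also raises if the peers directory does not exist yet (a luci that has never trusted a peer), which would make luci_admin fail at startup for every command, and `os.stat` follows symlinks, so a symlink placed in peers/ would be backed up as a regular 0644 public cert; guard the directory and use `os.lstat`. Whether `os` and `stat` are already imported is not visible in this hunk.
```python
if os.path.isdir(LUCI_PEERS_DIR):
	for name in os.listdir(LUCI_PEERS_DIR):
		path = LUCI_PEERS_DIR + name
		# lstat: do not follow symlinks into the peer cert list
		if stat.S_ISREG(os.lstat(path).st_mode):
			ssl_key_data.append({'id'   : path,
					     'name' : path[len(LUCI_CERT_DIR):],
					     'type' : 'public',
					     'mode' : 0644})
```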


