From mboxrd@z Thu Jan 1 00:00:00 1970 From: kupcevic@sourceware.org Date: 21 Dec 2006 21:32:01 -0000 Subject: [Cluster-devel] conga/luci conga_ssl/SSLClient.cpp conga_ssl/S ... Message-ID: <20061221213201.5352.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: conga Changes by: kupcevic at sourceware.org 2006-12-21 21:32:01 Modified files: luci/conga_ssl : SSLClient.cpp SSLClient.h conga_ssl_lib.cpp luci/site/luci/Extensions: conga_ssl.py luci/utils : luci_admin Log message: riccis' ssls verification (bz201394): backup/restore of certs and hostname-cert relation Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/SSLClient.cpp.diff?cvsroot=cluster&r1=1.1&r2=1.2 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/SSLClient.h.diff?cvsroot=cluster&r1=1.1&r2=1.2 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/conga_ssl/conga_ssl_lib.cpp.diff?cvsroot=cluster&r1=1.1&r2=1.2 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/site/luci/Extensions/conga_ssl.py.diff?cvsroot=cluster&r1=1.1&r2=1.2 http://sourceware.org/cgi-bin/cvsweb.cgi/conga/luci/utils/luci_admin.diff?cvsroot=cluster&r1=1.50&r2=1.51
--- conga/luci/conga_ssl/SSLClient.cpp 2006/12/06 22:34:09 1.1
+++ conga/luci/conga_ssl/SSLClient.cpp 2006/12/21 21:32:00 1.2
@@ -437,7 +437,7 @@
 }
 bool
-SSLClient::trust_peer_cert()
+SSLClient::trust_peer_cert(const String& hostname)
 {
 MutexLocker l(global_lock);
@@ -447,35 +447,12 @@
 if (!peer_has_cert())
 throw String("peer did not present cert");
- String f_name(_certs_store_dir);
- f_name += "/peer_cert_XXXXXX";
- int fd = -1;
- char* buff = new char[f_name.size() + 1];
+ String filename(_certs_store_dir);
+ filename += "/" + hostname + "_cert_pub";
 try {
- // pick a filename
- strcpy(buff, f_name.c_str());
- if ((fd = mkstemp(buff)) == -1)
- throw String("unable to generate random file");
- f_name = buff;
- delete[] buff; buff = 0;
-
- String data(_cert_pem);
- while (data.size()) {
- ssize_t i = write(fd, data.c_str(), data.size());
- if (i == -1) {
- if (errno != EINTR)
- throw String("error writing certificate");
- } else
- data = data.substr(i);
- }
- while (close(fd) && errno == EINTR)
- ;
+ File::create(filename).replace(_cert_pem);
 } catch ( ... ) {
- delete[] buff;
- if (fd != -1)
- while (close(fd) && errno == EINTR)
- ;
- unlink(f_name.c_str());
+ unlink(filename.c_str());
 return false;
 }
--- conga/luci/conga_ssl/SSLClient.h 2006/12/06 22:34:09 1.1
+++ conga/luci/conga_ssl/SSLClient.h 2006/12/21 21:32:00 1.2
@@ -56,7 +56,7 @@
 String peer_cert_fingerprint(String& digest);
- bool trust_peer_cert();
+ bool trust_peer_cert(const String&);
 bool untrust_peer_cert(); // remove peer's cert from cert_store
 ClientSocket& socket();
--- conga/luci/conga_ssl/conga_ssl_lib.cpp 2006/12/06 22:34:09 1.1
+++ conga/luci/conga_ssl/conga_ssl_lib.cpp 2006/12/21 21:32:00 1.2
@@ -261,7 +261,8 @@
 conga_ssl_lib_trust(PyObject *self, PyObject *args)
 {
 int id;
- if (!PyArg_ParseTuple(args, "i", &id))
+ const char* msg;
+ if (!PyArg_ParseTuple(args, "is", &id, &msg))
 return NULL;
 try {
@@ -273,7 +274,7 @@
 bool resp;
 {
 PythonThreadsAllower all;
- resp = iter->second->trust_peer_cert();
+ resp = iter->second->trust_peer_cert(msg);
 }
 PyObject* resp_p = Py_BuildValue("i", (resp)?1:0);
--- conga/luci/site/luci/Extensions/conga_ssl.py 2006/12/06 22:34:09 1.1
+++ conga/luci/site/luci/Extensions/conga_ssl.py 2006/12/21 21:32:00 1.2
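Review bot: `filename += "/" + hostname + "_cert_pub";` derives the certificate path from `hostname` without any check, and the value reaches this point unchanged from the Python caller (conga_ssl.py's `trust()` passes the connect hostname to `conga_ssl_lib_trust`, which hands it straight to `trust_peer_cert`), so unless something outside these hunks validates it, a name containing `/` or `..` makes both the `File::create(...)` write and the `unlink(filename.c_str())` in the catch block operate outside `_certs_store_dir`; the mkstemp-based name this replaces had no such dependency on input. Reject empty names and names containing a path separator or `..` before building the path, e.g. `if (hostname.empty() || hostname.find('/') != String::npos || hostname.find("..") != String::npos) throw String("invalid peer name");` (assuming `String` mirrors std::string's `find`/`npos`), and apply the same rule wherever untrust_peer_cert derives the same name. Whether `File::create(filename).replace(_cert_pem)` creates the file with a restrictive mode and refuses to follow an existing symlink is not visible here and is worth confirming, since the removed code wrote only to a file it had just created with mkstemp. trust_peer_cert's body begins before this hunk (its signature is in the previous hunk) and continues after it.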
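Review bot: the new parameter in `bool trust_peer_cert(const String&);` is unnamed and undocumented, while the neighbouring `untrust_peer_cert()` declaration carries a trailing comment describing its effect. Name it and state how it is used: `bool trust_peer_cert(const String& hostname); // store peer's cert in cert_store as <hostname>_cert_pub`. Readers of the header otherwise have to open SSLClient.cpp to learn that the string becomes a file name.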
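Review bot: `const char* msg;` names the new argument as if it were a message, but it is the peer hostname that the second conga_ssl_lib.cpp hunk's `trust_peer_cert(msg)` turns into a certificate file name; calling it `hostname` in both hunks keeps that intent visible at the Python boundary, which is where such a value would naturally be checked. The pointer filled in by `PyArg_ParseTuple(args, "is", ...)` borrows from the argument tuple, which outlives the call, so using it after `PythonThreadsAllower all;` has released the GIL is fine, but that is non-obvious enough to deserve a comment: `// borrowed from args, valid for the duration of this call`. The enclosing function continues past both hunks.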
@@ -20,6 +20,7 @@
 timeout):
 self.__id = -1
 self.__id = conga_ssl_lib.connect(hostname, port, timeout)
+ self.__hostname = hostname
 pass
 def __del__(self): self.disconnect()
@@ -37,7 +38,7 @@
 def trust(self):
 if self.trusted():
 return True
- return conga_ssl_lib.trust(self.__id) == 1
+ return conga_ssl_lib.trust(self.__id, self.__hostname) == 1
 def untrust(self):
 return conga_ssl_lib.untrust(self.__id) == 1
--- conga/luci/utils/luci_admin 2006/10/13 06:56:32 1.50
+++ conga/luci/utils/luci_admin 2006/12/21 21:32:00 1.51
@@ -40,6 +40,7 @@
 LUCI_HOME_DIR = '/var/lib/luci'
 LUCI_DB_PATH = LUCI_HOME_DIR + '/var/Data.fs'
 LUCI_CERT_DIR = LUCI_HOME_DIR + '/var/certs/'
+LUCI_PEERS_DIR = LUCI_CERT_DIR + 'peers/'
 LUCI_BACKUP_DIR = LUCI_HOME_DIR + '/var'
 LUCI_BACKUP_PATH = LUCI_BACKUP_DIR + '/luci_backup.xml'
 LUCI_ADMIN_SET_PATH = LUCI_HOME_DIR + '/.default_password_has_been_reset'
@@ -57,12 +58,34 @@
 SSL_KEYCONFIG_PATH = LUCI_CERT_DIR + SSL_KEYCONFIG_NAME
 ssl_key_data = [
- { 'id': SSL_PRIVKEY_PATH, 'name': SSL_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
- { 'id': SSL_HTTPS_PRIVKEY_PATH, 'name': SSL_HTTPS_PRIVKEY_NAME, 'type': 'private', 'mode': 0600 },
- { 'id': SSL_PUBKEY_PATH, 'name': SSL_PUBKEY_NAME, 'type': 'public', 'mode': 0644 },
- { 'id': SSL_HTTPS_PUBKEY_PATH, 'name': SSL_HTTPS_PUBKEY_NAME, 'type': 'public', 'mode': 0644 },
- { 'id': SSL_KEYCONFIG_PATH, 'name': SSL_KEYCONFIG_NAME, 'type': 'config', 'mode': 0644 }
+ { 'id' : SSL_PRIVKEY_PATH,
+ 'name': SSL_PRIVKEY_NAME,
+ 'type': 'private',
+ 'mode': 0600 },
+ { 'id' : SSL_HTTPS_PRIVKEY_PATH,
+ 'name': SSL_HTTPS_PRIVKEY_NAME,
+ 'type': 'private',
+ 'mode': 0600 },
+ { 'id' : SSL_PUBKEY_PATH,
+ 'name': SSL_PUBKEY_NAME,
+ 'type': 'public',
+ 'mode': 0644 },
+ { 'id' : SSL_HTTPS_PUBKEY_PATH,
+ 'name': SSL_HTTPS_PUBKEY_NAME,
+ 'type': 'public',
+ 'mode': 0644 },
+ { 'id' : SSL_KEYCONFIG_PATH,
+ 'name': SSL_KEYCONFIG_NAME,
+ 'type': 'config',
+ 'mode': 0644 }
 ]
+for name in os.listdir(LUCI_PEERS_DIR):
+ path = LUCI_PEERS_DIR + name
+ if stat.S_ISREG(os.stat(path).st_mode):
+ ssl_key_data.append({'id' : path,
+ 'name' : path.lstrip(LUCI_CERT_DIR),
+ 'type' : 'public',
+ 'mode' : 0644})
 #null = file(os.devnull, 'rwb+', 0) - available on python 2.4 and above!!!
 null = file('/dev/null', 'rwb+', 0)
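Review bot: `'name' : path.lstrip(LUCI_CERT_DIR),` does not remove a prefix: `str.lstrip` strips any leading run of the characters in its argument, so it yields `peers/<file>` here only because every entry begins with `peers/` and `p` is not among those characters; a slice is what is meant, `'name' : path[len(LUCI_CERT_DIR):],`. The `os.listdir(LUCI_PEERS_DIR)` loop runs at import time, so when the peers directory does not exist yet (a fresh install, for instance) every luci_admin command fails with OSError before it starts; guard the loop with `os.path.isdir`. `os.stat` follows symbolic links, so a link placed in the peers directory would be exported as a 'public' entry, whereas `os.lstat` limits the export to regular files, which is presumably what the `S_ISREG` test was meant to express.
```python
# … unchanged: ssl_key_data list …
if os.path.isdir(LUCI_PEERS_DIR):
    for name in os.listdir(LUCI_PEERS_DIR):
        path = LUCI_PEERS_DIR + name
        # lstat: export only regular files, never follow links placed here
        if stat.S_ISREG(os.lstat(path).st_mode):
            ssl_key_data.append({'id'   : path,
                                 'name' : path[len(LUCI_CERT_DIR):],
                                 'type' : 'public',
                                 'mode' : 0644})
```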