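--- a/crlhelper.cpp
+++ b/crlhelper.cpp
@@ -18,6 +18,7 @@
 #include <sys/types.h>
 #include <sys/ipc.h>
 #include <sys/sem.h>
+#include <signal.h>
 #include <nss.h>
 #include <nspr.h>
 #include <secitem.h>
@@ -107,6 +108,7 @@ int main(int argc, char ** argv)
 PRPollDesc pd;
 PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT;
 int semid;
+ pid_t parent_pid;
 union semun semarg;
 char buf[4096];
 char url[4096];
@@ -124,18 +126,19 @@ int main(int argc, char ** argv)
 while (fd < fdlimit)
 close(fd++);
 
- if (argc < 3 || argc > 4) {
- fprintf(stderr, "Usage: crlhelper <semid> <directory> <prefix>\n");
+ if (argc < 4 || argc > 5) {
+ fprintf(stderr, "Usage: crlhelper <semid> <parentpid> <directory> <prefix>\n");
 exit(1);
 }
 
 semid = strtol(argv[1], NULL, 10);
+ parent_pid = strtol(argv[2], NULL, 10);
 
 /* Initialize NSPR */
 PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
 
 /* Initialize NSS and open the certificate database read-only. */
- rv = NSS_Initialize(argv[2], argc == 4 ? argv[3] : NULL, argc == 4 ? argv[3] : NULL, "secmod.db", NSS_INIT_READONLY);
+ rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
 
 if (rv != SECSuccess) {
 fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
@@ -187,6 +190,10 @@ int main(int argc, char ** argv)
 continue;
 }
 #endif
+ if (!(strcmp(url, "kill"))) {
+ kill(parent_pid, SIGTERM);
+ continue;
+ }
 
 /*
 * TODO: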
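Review bot: `parent_pid = strtol(argv[2], NULL, 10);` in the third hunk accepts any string, and that value is later passed unchecked to `kill(parent_pid, SIGTERM)` in the command loop. A non-numeric argument parses to 0 and a negative one stays negative, and kill() interprets 0 and negative values as a process group or as every process the caller may signal, so a malformed argument would widen the shutdown signal well beyond the Apache parent. Parse with an end pointer and refuse to start unless the value is a plain pid greater than 1, e.g. `long v = strtol(argv[2], &end, 10); if (end == argv[2] || *end != '\0' || v <= 1) exit(1);`. The return value of kill() is also discarded, so a failed shutdown request is silent; report it on stderr. main() begins and ends outside these hunks.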
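--- a/crlmanager.cpp
+++ b/crlmanager.cpp
@@ -66,13 +66,19 @@ RevStatus CRLInstance :: DownloadCRL(con
 sb.sem_op = -1;
 sb.sem_flg = SEM_UNDO;
 if (semop(crlm->semid, &sb, 1) == -1) {
- perror("semop reserve resource");
+ mystatus.setDetailedError(REV_ERROR_SEMAPHORE_ERROR,
+ "Unable to reserve semaphore resource");
+ return mystatus;
+ /* perror("semop reserve resource"); */
 }
 void* data = get_crl(crlm->infd, crlm->outfd, inurl, timeout, lastfetchtime, &len, mystatus);
 /* unlock the pipe */
 sb.sem_op = 1;
 if (semop(crlm->semid, &sb, 1) == -1) {
- perror("semop free resource id");
+ mystatus.setDetailedError(REV_ERROR_SEMAPHORE_ERROR,
+ "Unable to free semaphore resource");
+ return mystatus;
+ /* perror("semop free resource id"); */
 }
 
 /* We have a special case. If we have an HTTP request and the server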
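Review bot: The `return mystatus;` added after the second semop() (the release path) exits while `data` from get_crl() is still held, so if get_crl() returns an allocated buffer it is dropped here; release it the same way the rest of DownloadCRL does before returning. Both new returns also treat every semop() failure as fatal, including an interrupted call, so a signal arriving at the wrong moment now becomes a failed CRL download; retrying while `errno == EINTR` before reporting REV_ERROR_SEMAPHORE_ERROR would avoid that. The commented-out perror() lines placed after each return are unreachable leftovers and can be deleted. DownloadCRL begins and ends outside the hunk, so how `data` is normally freed is not visible here.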
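--- a/mod_rev.c
+++ b/mod_rev.c
@@ -58,6 +58,8 @@ SECStatus ShutdownRevocation(void *data)
 
 static pid_t parent_pid;
 
+int infd, outfd; /* file descriptors for our semaphore-controlled pipe */
+
 apr_status_t rev_module_kill(void *data)
 {
 server_rec *s = (server_rec *)data;
@@ -70,6 +72,12 @@ apr_status_t rev_module_kill(void *data)
 return APR_SUCCESS;
 }
 
+static void kill_apache(void) {
+ char buffer[1024];
+ PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill");
+ write(outfd, buffer, strlen(buffer));
+}
+
 /*
 * Create the global config
 */
@@ -196,6 +204,7 @@ PRBool NESRevocationFailureNotification(
 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
 "%s : %s %s",
 errMsg, url, subject ? subject : "");
+ return PR_TRUE;
 } else {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
 "Error updating CRL %s %s : %s",
@@ -208,8 +217,8 @@ PRBool NESRevocationFailureNotification(
 if (critical && revocatorInitialized)
 {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "Critical CRL update failure. Shutting down server. %d", parent_pid);
- kill(parent_pid, 15);
+ "Critical CRL update failure. Shutting down server pid %d", parent_pid);
+ kill_apache();
 }
 }
 return PR_TRUE;
@@ -298,11 +307,11 @@ PRBool NESRevocationDownloadNotification
 {
 /* this CRL is outdated, log it */
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
- "CRL %s %s is outdated. Shutting down server. %d",
+ "CRL %s %s is outdated. Shutting down server pid %d",
 url, subject, parent_pid);
 
 /* we have to shut down the web server */
- kill(parent_pid, 15);
+ kill_apache();
 }
 }
 
@@ -335,6 +344,25 @@ init_Module(apr_pool_t *p, apr_pool_t *p
 
 sc->nInitCount++;
 
+ if (sc->nInitCount == 1) {
+ struct sembuf sb;
+ sc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
+ if (sc->semid == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to obtain semaphore.");
+ nss_die();
+ }
+
+ /* Initialize the semaphore */
+ sb.sem_num = 0;
+ sb.sem_op = 1;
+ sb.sem_flg = 0;
+ if ((semop(sc->semid, &sb, 1)) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to initialize semaphore.");
+ nss_die();
+ }
+
 /* The first pass through this function will create the semaphore that
 * will be used to lock the pipe. The user is still root at that point
 * so for any later calls the semaphore ops will fail with permission
@@ -345,12 +373,11 @@ init_Module(apr_pool_t *p, apr_pool_t *p
 status.sem_perm.uid = user_id;
 semctl(sc->semid,0,IPC_SET,&status);
 }
-
- if (sc->nInitCount == 1) {
+ } else if (sc->nInitCount == 2) {
 const char * child_argv[5];
 apr_status_t rv;
- struct sembuf sb;
 char sembuf[32];
+ char pidbuf[32];
 
 if (sc->crlhelper == NULL) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
@@ -358,29 +385,16 @@ init_Module(apr_pool_t *p, apr_pool_t *p
 nss_die();
 }
 
- sc->semid = semget(IPC_PRIVATE, 1, IPC_CREAT | IPC_EXCL | 0600);
- if (sc->semid == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to obtain semaphore.");
- nss_die();
- }
-
- /* Initialize the semaphore */
- sb.sem_num = 0;
- sb.sem_op = 1;
- sb.sem_flg = 0;
- if ((semop(sc->semid, &sb, 1)) == -1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Unable to initialize semaphore.");
- nss_die();
- }
-
 PR_snprintf(sembuf, 32, "%d", sc->semid);
+ PR_snprintf(pidbuf, 32, "%d", parent_pid);
 child_argv[0] = sc->crlhelper;
 child_argv[1] = sembuf;
- child_argv[2] = sc->database;
- child_argv[3] = sc->dbprefix;
- child_argv[4] = NULL;
+ child_argv[2] = pidbuf;
+ child_argv[3] = sc->database;
+ child_argv[4] = sc->dbprefix;
+ child_argv[5] = NULL;
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Parent PID is %d", parent_pid);
 
 rv = apr_procattr_create(&sc->procattr, s->process->pool);
 
@@ -428,7 +442,6 @@ InitRevocation(apr_pool_t *p, server_rec
 void* critical = (void *)sc->crlcritical;
 Rev_SetFailureCallbackEntryPoint setfcb = NULL;
 Rev_SetDownloadCallbackEntryPoint setncb = NULL;
- int infd, outfd;
 
 /* Do nothing until Apache is ready to run */
 if (sc->nInitCount < 2) return APR_SUCCESS;
@@ -499,7 +512,10 @@ InitRevocation(apr_pool_t *p, server_rec
 free(configstring);
 apr_dso_unload(dlh);
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
- "Unable to load secmod module: %d", PR_GetError());
+ "Unable to load Revocation module, NSS error %d. %s", PR_GetError(), critical ? "" : "CRL retrieval will be disabled.");
+ if (critical) {
+ kill_apache();
+ }
 return APR_EGENERAL;
 }
 free(configstring);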
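Review bot: `child_argv[5] = NULL;` in init_Module writes one element past the end of the array, because the unchanged context line `const char * child_argv[5];` was not widened when the parent pid argument was added; the declaration needs to become `const char * child_argv[6];`. In kill_apache(), `PR_snprintf(buffer, sizeof(buffer), "%lld %s", 0, "kill");` passes an int where `%lld` expects a 64-bit value, so the argument should be `(PRInt64)0`. The result of write() is also ignored there, so a failed or short write leaves the server running after a critical CRL failure that was meant to stop it; check it and log the failure. The write goes to the pipe the new comment calls semaphore-controlled without taking that semaphore, so it may interleave with a CRL request from another process (inferred from the crlmanager.cpp hunk, which locks around get_crl()). init_Module and InitRevocation continue outside the hunks shown.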
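--- a/reverror.h
+++ b/reverror.h
@@ -54,6 +54,7 @@ const PRInt32 REV_ERROR_BAD_ISSUER_USAGE
 const PRInt32 REV_ERROR_MISSING_CRL_DATA = 1014;
 const PRInt32 REV_ERROR_BAD_ISSUER_TRUST = 1015;
 const PRInt32 REV_ERROR_NOUPDATE_AVAILABLE = 1016;
+const PRInt32 REV_ERROR_SEMAPHORE_ERROR = 1017;
 
 #endif
 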