Roxen.git / server / base_server / roxen.pike

version» Context lines:

Roxen.git/server/base_server/roxen.pike:164:   /*    * The privilege changer. Works like a mutex lock, but changes the UID/GID    * while held. Blocks all threads.    *    * Based on privs.pike,v 1.36.    */   int privs_level;      protected class Privs   { - #if efun(seteuid) + #if constant(seteuid)       int saved_uid;    int saved_gid;       int new_uid;    int new_gid;      #define LOGP (variables && variables->audit && variables->audit->query())      #if constant(geteuid) && constant(getegid) && constant(seteuid) && constant(setegid)
Roxen.git/server/base_server/roxen.pike:274: Inside #if defined(HAVE_EFFECTIVE_USER)
   }    }       if(LOGP)    report_notice(LOC_M(1, "Change to %s(%d):%d privs wanted (%s), from %s"),    (string)u[0], (int)uid, (int)gid,    (string)reason,    (string)dbt(backtrace()[-2]));       if (u[2]) { - #if efun(cleargroups) + #if constant(cleargroups)    if (mixed err = catch { cleargroups(); })    master()->handle_error (err);   #endif /* cleargroups */ - #if efun(initgroups) + #if constant(initgroups)    if (mixed err = catch { initgroups(u[0], u[3]); })    master()->handle_error (err);   #endif    }    gid = gid || getgid();    int err = (int)setegid(new_gid = gid);    if (err < 0) {    report_warning(LOC_M(2, "Privs: WARNING: Failed to set the "    "effective group id to %d!\n"    "Check that your password database is correct "
Roxen.git/server/base_server/roxen.pike:393: Inside #if defined(HAVE_EFFECTIVE_USER) and #if defined(PRIVS_DEBUG)
   int gid = getegid();    if (gid != new_gid) {    report_debug("Privs: GID #%d differs from expected #%d\n"    "%s\n",    gid, new_gid, describe_backtrace(backtrace()));    }   #endif /* PRIVS_DEBUG */       seteuid(0);    array u = getpwuid(saved_uid); - #if efun(cleargroups) + #if constant(cleargroups)    if (mixed err = catch { cleargroups(); })    master()->handle_error (err);   #endif /* cleargroups */    if(u && (sizeof(u) > 3)) {    if (mixed err = catch { initgroups(u[0], u[3]); })    master()->handle_error (err);    }    setegid(saved_gid);    seteuid(saved_uid);    enable_coredumps(1);   #endif /* HAVE_EFFECTIVE_USER */    } - #else /* efun(seteuid) */ + #else /* constant(seteuid) */    void create(string reason, int|string|void uid, int|string|void gid){} - #endif /* efun(seteuid) */ + #endif /* constant(seteuid) */   }      /* Used by read_config.pike, since there seems to be problems with    * overloading otherwise.    */   protected Privs PRIVS(string r, int|string|void u, int|string|void g)   {    return Privs(r, u, g);   }   
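Review bot: The privilege-restore path at the end of this hunk calls `seteuid(0)`, `setegid(saved_gid)` and `seteuid(saved_uid)` without looking at their results, while the acquisition path in the hunk at 274 checks `setegid` for `err < 0` and warns. If restoring the saved ids fails, the process silently keeps running with an effective uid/gid other than the one it started with; mirroring the existing check, e.g. `if ((int)setegid(saved_gid) < 0 || (int)seteuid(saved_uid) < 0) report_warning("Privs: WARNING: Failed to restore effective uid/gid %d:%d\n", saved_uid, saved_gid);`, makes the failure visible in the log rather than only under PRIVS_DEBUG. The enclosing method starts outside the hunk; the hunks at 164 and 274 make the same efun→constant change and need no separate note.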
Roxen.git/server/base_server/roxen.pike:2319:    string msg = (MSG); \    array args = ({ARGS}); \    if (sizeof (args)) msg = sprintf (msg, @args); \    report_error ("TLS port %s: %s", get_url(), msg); \    (VAR)->add_warning (msg); \    cert_err_unbind(); \    cert_failure = 1; \    return; \    } while (0)    -  protected void filter_preferred_suites() { + #if constant(SSL.Constants.PROTOCOL_TLS_MAX) +  protected void set_version() +  { +  ctx->min_version = query("ssl_min_version"); +  } + #endif +  +  protected void filter_preferred_suites() +  { + #if constant(SSL.ServerConnection) +  int mode = query("ssl_suite_filter"); +  int bits = query("ssl_key_bits"); +  +  array(int) suites = ({}); +  +  if ((mode & 8) && !ctx->configure_suite_b) { +  // FIXME: Warn: Suite B suites not available. +  mode &= ~8; +  } +  +  if ((mode & 8) && ctx->configure_suite_b) { +  // Suite B. +  switch(mode) { +  case 15: +  // Strict mode. +  ctx->configure_suite_b(bits, 2); +  break; +  case 14: +  // Transitional mode. +  ctx->configure_suite_b(bits, 1); +  break; +  default: +  ctx->configure_suite_b(bits); +  break; +  } +  suites = ctx->preferred_suites; +  +  if (ctx->min_version < query("ssl_min_version")) { +  set_version(); +  } +  } else { +  suites = ctx->get_suites(bits); +  +  // Make sure the min version is restored in case we've +  // switched from Suite B. +  set_version(); +  } +  if (mode & 4) { +  // Ephemeral suites only. +  suites = filter(suites, +  lambda(int suite) { +  return (< +  SSL.Constants.KE_dhe_dss, +  SSL.Constants.KE_dhe_rsa, +  SSL.Constants.KE_ecdhe_ecdsa, +  SSL.Constants.KE_ecdhe_rsa, +  >)[(SSL.Constants.CIPHER_SUITES[suite]||({ -1 }))[0]]; +  }); +  } +  ctx->preferred_suites = suites; + #else   #ifndef ALLOW_WEAK_SSL    // Filter weak and really weak cipher suites.    
ctx->preferred_suites -= ({    SSL.Constants.SSL_rsa_with_des_cbc_sha,    SSL.Constants.SSL_dhe_dss_with_des_cbc_sha,    SSL.Constants.SSL_rsa_export_with_rc4_40_md5,    SSL.Constants.TLS_rsa_with_null_sha256,    SSL.Constants.SSL_rsa_with_null_sha,    SSL.Constants.SSL_rsa_with_null_md5,    SSL.Constants.SSL_dhe_dss_export_with_des40_cbc_sha,    SSL.Constants.SSL_null_with_null_null,    });   #endif -  + #endif /* SSL.ServerConnection */    }       // NB: The TBS Tools.X509 API has been deprecated in Pike 8.0.   #pragma no_deprecation_warnings    void certificates_changed(Variable.Variable|void ignored,    void|int ignore_eaddrinuse)    {    int old_cert_failure = cert_failure;       string raw_keydata;
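Review bot: In the new `filter_preferred_suites`, a configuration that asks for Suite B (`mode & 8`) on a context without `configure_suite_b` is silently downgraded by `mode &= ~8;` — the FIXME marks the spot, but the operator then runs with the ordinary suite set while believing Suite B is in force. A `report_warning("TLS port %s: Suite B cipher suites requested but not supported by this Pike; using standard suites.\n", get_url());` at that point, in the style of the CERT_ERROR reporting above, would surface the downgrade. Separately, `set_version()` is defined under `#if constant(SSL.Constants.PROTOCOL_TLS_MAX)` but the two `set_version();` calls sit under `#if constant(SSL.ServerConnection)`; if a Pike build ever satisfies the second guard without the first, those calls do not resolve, so tying both to one guard or defining an empty fallback `set_version()` avoids that. The callers in `create()` are in the hunk at 2561.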
Roxen.git/server/base_server/roxen.pike:2490:    object dsa = Standards.PKCS.DSA.parse_private_key(key);    if (!dsa)    CERT_ERROR (KeyFile,    LOC_M(15,"Private dsa key not valid")+" (DER).\n");       SSL3_WERR(sprintf("Using DSA key."));       //dsa->use_random(ctx->random);    ctx->dsa = dsa;    /* Use default DH parameters */ - #if constant(SSL.Cipher) -  ctx->dh_params = SSL.Cipher.DHParameters(); - #else + #if constant(SSL.cipher)    ctx->dh_params = SSL.cipher()->dh_parameters();   #endif       ctx->dhe_dss_mode();    filter_preferred_suites();       // FIXME: Add cert <-> private key check.       ctx->certificates = certificates;    }
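Review bot: On the new side, when `SSL.cipher` is absent (the newer SSL API), `ctx->dh_params` is no longer assigned here before `ctx->dhe_dss_mode()`, and the comment `/* Use default DH parameters */` now describes only the legacy branch. Presumably the newer context supplies its own DH group; a comment saying so, e.g. `// Newer SSL contexts carry default DH parameters; only the legacy SSL.cipher API needs them set explicitly.`, would keep the next reader from re-adding the removed `SSL.Cipher.DHParameters()` call. The enclosing function continues outside the hunk on both sides.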
Roxen.git/server/base_server/roxen.pike:2561:    {    // Don't bind if we don't have correct certs.    if (!ctx->certificates) return;    ::bind (ignore_eaddrinuse);    }       void create(int pn, string i, void|int ignore_eaddrinuse)    {    ctx->random = Crypto.Random.random_string;    -  filter_preferred_suites(); -  +     set_up_ssl_variables( this_object() );    -  +  filter_preferred_suites(); +     ::setup(pn, i);       certificates_changed (0, ignore_eaddrinuse);       // Install the change callbacks here to avoid duplicate calls    // above.    // FIXME: Both variables ought to be updated on save before the    // changed callback is called. Currently you can get warnings    // that the files don't match if you update both variables    // at the same time.    getvar ("ssl_cert_file")->set_changed_callback (certificates_changed);    getvar ("ssl_key_file")->set_changed_callback (certificates_changed); -  +  + #if constant(SSL.ServerConnection) +  getvar("ssl_key_bits")->set_changed_callback(filter_preferred_suites); +  getvar("ssl_suite_filter")->set_changed_callback(filter_preferred_suites); + #endif + #if constant(SSL.Constants.PROTOCOL_TLS_MAX) +  getvar("ssl_min_version")->set_changed_callback(set_version); + #endif    }       string _sprintf( )    {    return "SSLProtocol(" + get_url() + ")";    }   }   #endif      mapping(string:program/*(Protocol)*/) build_protocols_mapping()
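Review bot: `filter_preferred_suites` and `set_version` are now registered with `set_changed_callback`, but both are declared without parameters in the hunk at 2319, whereas the existing callback `certificates_changed(Variable.Variable|void ignored, ...)` accepts the variable the framework passes; if the callback is invoked with that argument, Pike raises a too-many-arguments error whenever `ssl_key_bits`, `ssl_suite_filter` or `ssl_min_version` is changed. Declaring them as `protected void filter_preferred_suites(void|Variable.Variable ignored)` and `protected void set_version(void|Variable.Variable ignored)` matches the existing convention. The two registrations also use different guards (`SSL.ServerConnection` vs `SSL.Constants.PROTOCOL_TLS_MAX`), same as the definitions, so they need to stay in step with each other.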
Roxen.git/server/base_server/roxen.pike:5603: Inside #if undefined(__NT__)
  #ifndef __NT__    if(getuid())    {    report_debug("It is impossible to chroot() if the server is not run as root.\n");    return;    }       if(!chroot(to))    {    report_debug("Roxen: Cannot chroot to "+to+": "); - #if efun(real_perror) + #if constant(real_perror)    real_perror();   #endif    return;    }    report_debug("Root is now "+to+".\n");   #endif   }      void create_pid_file(string where)   {
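Review bot: After `chroot(to)` succeeds the hunk reports the new root but does not change the working directory; unless Pike's `chroot()` does that itself, the process keeps a cwd that lies outside the new root, which undermines the confinement. Adding `cd("/");` immediately after the `if(!chroot(to))` block (Pike's `cd` efun is the counterpart of chdir) closes that gap. The enclosing function starts outside the hunk.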
Roxen.git/server/base_server/roxen.pike:5661: Inside #if undefined(__NT__)
   })    report_debug("Cannot create the pid file %O: %s",    where, describe_error (err));   #endif   }      Pipe.pipe shuffle(Stdio.File from, Stdio.File to,    Stdio.File|void to2,    function(:void)|void callback)   { - #if efun(spider.shuffle) + #if constant(spider.shuffle)    if(!to2)    {    object p = fastpipe( );    p->input(from);    p->set_done_callback(callback);    p->output(to);    return p;    } else {   #endif    // 'fastpipe' does not support multiple outputs.    Pipe.pipe p = Pipe.pipe();    if (callback) p->set_done_callback(callback);    p->output(to);    if(to2) p->output(to2);    p->input(from);    return p; - #if efun(spider.shuffle) + #if constant(spider.shuffle)    }   #endif   }      // Dump all threads to the debug log.   void describe_all_threads (void|int ignored, // Might be the signal number.    void|object threads_disabled)   {    if (!threads_disabled)    // Disable all threads to avoid potential locking problems while we
Roxen.git/server/base_server/roxen.pike:6017:    argc = sizeof(argv);       fonts = ((program)"base_server/fonts.pike")();       DDUMP( "languages/abstract.pike" );    initiate_languages(query("locale"));       cache_clear_deltas();    set_locale();    - #if efun(syslog) + #if constant(syslog)    init_logger();   #endif    init_garber();       initiate_supports();    initiate_argcache();    init_configuserdb();    cache.init_session_cache();       protocols = build_protocols_mapping();