Roxen.git / server / base_server / roxen.pike

version» Context lines:

Roxen.git/server/base_server/roxen.pike:527:   {    if(shutdown_recurse >= 4)    {    if (mixed err =    catch (report_notice("Exiting roxen (spurious signals received).\n")) ||    catch (stop_all_configurations()))    master()->handle_error (err);    // Zap some of the remaining caches.    destruct(argcache);    destruct(cache); +  stop_scan_certs();    stop_hourly_maintenance();   #ifdef THREADS   #if constant(Filesystem.Monitor.basic)    stop_fsgarb();   #endif    if (mixed err = catch (stop_handler_threads()))    master()->handle_error (err);   #endif /* THREADS */    roxenloader.real_exit(exit_code);    }
Roxen.git/server/base_server/roxen.pike:2492:    array args = ({ARGS}); \    if (sizeof (args)) msg = sprintf (msg, @args); \    report_error ("TLS port %s: %s", get_url(), msg); \    (VAR)->add_warning (msg); \    cert_err_unbind(); \    cert_failure = 1; \    return; \    } while (0)      #if constant(SSL.Constants.PROTOCOL_TLS_MAX) -  protected void set_version() +  protected void set_version(SSLContext|void ctx)    { -  +  if (!ctx) ctx = this_program::ctx;    ctx->min_version = query("ssl_min_version");    }   #endif    -  protected void filter_preferred_suites() +  protected void filter_preferred_suites(SSLContext|void ctx)    { -  +  if (!ctx) ctx = this_program::ctx;   #if constant(SSL.ServerConnection)    int mode = query("ssl_suite_filter");    int bits = query("ssl_key_bits");       /* Suite filter encoding:    *    * Bit Mask Meaning    * 0 1 Strict suite B    * 1 2 Transitional suite B    * 2 4 Ephemeral only
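Review bot: The fallback `if (!ctx) ctx = this_program::ctx;` added to both set_version and filter_preferred_suites keeps the old behaviour of reconfiguring the live port context in place whenever a caller omits the argument, which is exactly the window the rest of this commit closes in certificates_changed. A comment above each signature, e.g. `// Pass the context under construction; omitting ctx reconfigures the live context in place.`, would stop future callers from reintroducing that path, and once every caller passes a context the argument could simply become mandatory. Both function bodies run past the end of the hunk.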
Roxen.git/server/base_server/roxen.pike:2556: Inside #if constant(SSL.ServerConnection)
   // Transitional mode.    ctx->configure_suite_b(bits, 1);    break;    default:    ctx->configure_suite_b(bits);    break;    }    suites = ctx->preferred_suites;       if (ctx->min_version < query("ssl_min_version")) { -  set_version(); +  set_version(ctx);    }    } else {    suites = ctx->get_suites(bits, 1);       // Make sure the min version is restored in case we've    // switched from Suite B. -  set_version(); +  set_version(ctx);    }    if (mode & 4) {    // Ephemeral suites only.    suites = filter(suites,    lambda(int suite) {    return (<    SSL.Constants.KE_dhe_dss,    SSL.Constants.KE_dhe_rsa,    SSL.Constants.KE_ecdhe_ecdsa,    SSL.Constants.KE_ecdhe_rsa,
Roxen.git/server/base_server/roxen.pike:2652:    report_error ("TLS port %s: %s", get_url(),    LOC_M(63,"No certificates found.\n"));    cert_err_unbind();    cert_failure = 1;    return;    }    }       // FIXME: Only do this if there are certs loaded?    // We must reset the set of certificates. -  // NB: Race condition here where the new SSLContext is -  // live before it has been configured completely. -  ctx = SSLContext(); -  set_version(); -  filter_preferred_suites(); +  SSLContext ctx = SSLContext(); +  ctx->random = Crypto.Random.random_string; +  set_version(ctx); +  filter_preferred_suites(ctx);       foreach(keypairs, int keypair_id) {    array(Crypto.Sign.State|array(string)) keypair =    CertDB.get_keypair(keypair_id);    if (!keypair) continue;       [Crypto.Sign.State private_key, array(string) certs] = keypair;    ctx->add_cert(private_key, certs, ({ name, "*" }));    }   
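Review bot: The new local `SSLContext ctx` shadows the member `ctx` until `this_program::ctx = ctx;` in the hunk at roxen.pike:2680, and every early return in between (the `cert_err_unbind(); cert_failure = 1; return;` paths) now leaves the live context untouched — that is the point of the change, but nothing at the declaration says so. A comment such as `// Built locally and published to this_program::ctx only once fully configured, so error returns leave the live port untouched.` would keep the next maintainer from "simplifying" it back to assigning the member directly. `ctx->random = Crypto.Random.random_string;` duplicates the same line in setup() (hunk at 2963); a small helper returning a freshly initialised SSLContext (random source, version, suites) would keep the two in step. certificates_changed starts and ends outside this hunk.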
Roxen.git/server/base_server/roxen.pike:2680: Inside #if 0
   CERT_ERROR(Certificates,    LOC_M(71,"No matching keys and certificates found.\n"));    report_error ("TLS port %s: %s", get_url(),    LOC_M(71,"No matching keys and certificates found.\n"));    cert_err_unbind();    cert_failure = 1;    return;    }   #endif    +  this_program::ctx = ctx; +     if (!bound) {    bind (ignore_eaddrinuse);    if (old_cert_failure && bound)    report_notice (LOC_M(64, "TLS port %s opened.\n"), get_url());    if (!bound)    report_notice("Failed to bind port %s.\n", get_url());    }    }       class CertificateKeyChoiceVariable
Roxen.git/server/base_server/roxen.pike:2963:    {    ctx->random = Crypto.Random.random_string;       set_up_ssl_variables( this_object() );       // NB: setup() calls restore() which initializes the variables    // created above.    ::setup(pn, i);      #if constant(SSL.Constants.PROTOCOL_TLS_MAX) -  set_version(); +  set_version(ctx);   #endif    -  filter_preferred_suites(); +  filter_preferred_suites(ctx);       certificates_changed (0, ignore_eaddrinuse);       // Install the change callbacks here to avoid duplicate calls    // above.    // FIXME: Both variables ought to be updated on save before the    // changed callback is called. Currently you can get warnings    // that the files don't match if you update both variables    // at the same time.    getvar ("ssl_keys")->set_changed_callback(certificates_changed);
Roxen.git/server/base_server/roxen.pike:6540: Inside #if defined(SSL3_DEBUG)
   foreach(glob(base, paths), string fname) {   #ifdef SSL3_DEBUG    werror("Found PEM file %O, matching %O.\n",    Stdio.append_path(dir, fname), glob_pattern);   #endif    CertDB.register_pem_file(Stdio.append_path(dir, fname));    }    }    }    } -  CertDB.refresh_all_pem_files(force); +     -  call_out(scan_certs, 600); // Scan for new certs every 10 minutes. +  if (CertDB.refresh_all_pem_files(force)) { +  +  // Update all open SSL/TLS ports with the new certificates. +  foreach(open_ports || ([]); ; mapping(string:mapping(int:Protocol)) ips) { +  foreach(ips || ([]); ; mapping(int:Protocol) ports) { +  foreach(ports || ([]); ; Protocol prot) { +  if (prot->certificates_changed) { +  prot->certificates_changed(UNDEFINED, !prot->bound);    } -  +  } +  } +  } +  } + }    -  + protected BackgroundProcess scan_certs_process;    -  + // Start a background process that scan for new certs every 10 minutes. + protected void start_scan_certs() + { +  if (scan_certs_process) return; +  +  scan_certs_process = BackgroundProcess(600, scan_certs); + } +  + protected void stop_scan_certs() + { +  if (scan_certs_process) { +  scan_certs_process->stop(); +  scan_certs_process = UNDEFINED; +  } + } +    protected class GCTimestamp   {    array self_ref;    protected void create() {self_ref = ({this_object()});}    protected void destroy() {    werror ("GC runs at %s", ctime(time()));    GCTimestamp();    }   }   
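Review bot: One port's failure aborts the update for every remaining port: `prot->certificates_changed(UNDEFINED, !prot->bound)` inside the nested foreach is unguarded, so an error thrown while rebuilding one port's context ends this scan_certs run and leaves the later ports on their old certificates until the next ten-minute scan. The shutdown path in this file already uses the `if (mixed err = catch (...)) master()->handle_error (err);` idiom; the same wrapper here, `if (mixed err = catch (prot->certificates_changed(UNDEFINED, !prot->bound))) master()->handle_error(err);`, keeps the loop going and still reports the failure. scan_certs now runs from a BackgroundProcess and walks open_ports while ports may be opened or closed elsewhere; whether the foreach tolerates that is not visible here, so it is worth a short comment stating the assumption. The start of scan_certs lies outside the hunk.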
Roxen.git/server/base_server/roxen.pike:6990:    c->enable_all_modules();   #endif // RUN_SELF_TEST      #ifdef THREADS    start_handler_threads();   #if constant(Filesystem.Monitor.basic)    start_fsgarb();   #endif   #endif /* THREADS */    +  start_scan_certs();    start_hourly_maintenance();      #ifdef TEST_EUID_CHANGE    if (test_euid_change) {    Stdio.File f = Stdio.File();    if (f->open ("rootonly", "r") && f->read())    werror ("Backend thread can read rootonly\n");    else    werror ("Backend thread can't read rootonly\n");    }
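Review bot: start_scan_certs() replaces the self-rescheduling `call_out(scan_certs, 600)` removed in the hunk at roxen.pike:6540, but whether BackgroundProcess runs scan_certs immediately or only after the first 600-second interval is not visible here; if it is the latter and no direct scan_certs() call remains at startup, PEM files are not registered until ten minutes after boot. A comment at this call such as `// Periodic rescan only; the initial certificate scan is done by <initial scan call>` (placeholder to be filled in once confirmed) would document that contract. The enclosing startup function continues outside the hunk on both sides.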