Beispiel #1
0
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
  if(NSS_IsInitialized())
    return CURLE_OK;

  if(cert_dir) {
    SECStatus rv;
    const bool use_sql = NSS_VersionCheck("3.12.0");
    char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
    if(!certpath)
      return CURLE_OUT_OF_MEMORY;

    infof(data, "Initializing NSS with certpath: %s\n", certpath);
    rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
    free(certpath);

    if(rv == SECSuccess)
      return CURLE_OK;

    infof(data, "Unable to initialize NSS database\n");
  }

  infof(data, "Initializing NSS with certpath: none\n");
  if(NSS_NoDB_Init(NULL) == SECSuccess)
    return CURLE_OK;

  infof(data, "Unable to initialize NSS\n");
  return CURLE_SSL_CACERT_BADFILE;
}
Beispiel #2
0
gboolean
sc_init_nss (const char *nss_dir, GError **error)
{
    SECStatus status = SECSuccess;
    static const guint32 flags = 
	NSS_INIT_READONLY| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | 
	NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT | 
	NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD;

    if (!nss_dir) {
        nss_dir = SC_NSS_NSS_DB;
    }

    sc_debug ("attempting to load NSS database '%s'",
	      SC_NSS_NSS_DB);

    status = NSS_Initialize (nss_dir, "", "", SECMOD_DB, flags);

    if (status != SECSuccess) {
        sc_debug ("NSS security system could not be initialized");
        sc_set_nss_error (error, _("NSS security system could not be initialized"));
        return FALSE;
    }

    sc_debug ("NSS database sucessfully loaded");
    return TRUE;
}
Beispiel #3
0
static bool pluto_init_nss(char *nssdb)
{
	SECStatus rv;
	char dbuf[1024];

	snprintf(dbuf, sizeof(dbuf), "sql:%s", nssdb);
	loglog(RC_LOG_SERIOUS, "NSS DB directory: %s", dbuf);
	rv = NSS_Initialize(dbuf, "", "", SECMOD_DB, NSS_INIT_READONLY);
	if (rv != SECSuccess) {
		loglog(RC_LOG_SERIOUS, "NSS readonly initialization (\"%s\") failed (err %d)\n",
			dbuf, PR_GetError());
		return FALSE;
	}

	libreswan_log("NSS initialized");
	PK11_SetPasswordFunc(getNSSPassword);

	/*
	 * This exists purely to make the BSI happy.
	 * We do not inflict this on other users
	 */
	if (pluto_nss_seedbits != 0) {
		int seedbytes = BYTES_FOR_BITS(pluto_nss_seedbits);
		unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");

		get_bsi_random(seedbytes, buf); /* much TLA, very blocking */
		rv = PK11_RandomUpdate(buf, seedbytes);
		libreswan_log("seeded %d bytes into the NSS PRNG", seedbytes);
		passert(rv == SECSuccess);
		messupn(buf, seedbytes);
		pfree(buf);
	}

	return TRUE;
}
Beispiel #4
0
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
#ifdef HAVE_NSS_INITCONTEXT
  NSSInitParameters initparams;

  if(nss_context != NULL)
    return CURLE_OK;

  memset((void *) &initparams, '\0', sizeof(initparams));
  initparams.length = sizeof(initparams);
#else /* HAVE_NSS_INITCONTEXT */
  SECStatus rv;

  if(NSS_IsInitialized())
    return CURLE_OK;
#endif

  if(cert_dir) {
    const bool use_sql = NSS_VersionCheck("3.12.0");
    char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
    if(!certpath)
      return CURLE_OUT_OF_MEMORY;

    infof(data, "Initializing NSS with certpath: %s\n", certpath);
#ifdef HAVE_NSS_INITCONTEXT
    nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
            NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
    free(certpath);

    if(nss_context != NULL)
      return CURLE_OK;
#else /* HAVE_NSS_INITCONTEXT */
    rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
    free(certpath);

    if(rv == SECSuccess)
      return CURLE_OK;
#endif

    infof(data, "Unable to initialize NSS database\n");
  }

  infof(data, "Initializing NSS with certpath: none\n");
#ifdef HAVE_NSS_INITCONTEXT
  nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
         | NSS_INIT_NOCERTDB   | NSS_INIT_NOMODDB       | NSS_INIT_FORCEOPEN
         | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
  if(nss_context != NULL)
    return CURLE_OK;
#else /* HAVE_NSS_INITCONTEXT */
  if(NSS_NoDB_Init(NULL) == SECSuccess)
    return CURLE_OK;
#endif

  infof(data, "Unable to initialize NSS\n");
  return CURLE_SSL_CACERT_BADFILE;
}
Beispiel #5
0
/**
 * Initializes the NSS context.
 *
 * @param NSSConfigDir The config dir containing the private key to use
 * @return 0 on success
 *         -1 on error
*/
int
NSSInitCryptoContext(const char *NSSConfigDir)
{
  SECStatus status = NSS_Initialize(NSSConfigDir,
                                    "", "", SECMOD_DB, NSS_INIT_READONLY);
  if (SECSuccess != status) {
    fprintf(stderr, "ERROR: Could not initialize NSS\n");
    return -1;
  }

  return 0;
}
Beispiel #6
0
static CURLcode init_nss(struct SessionHandle *data)
{
  char *cert_dir;
  struct_stat st;
  if(initialized)
    return CURLE_OK;

  /* First we check if $SSL_DIR points to a valid dir */
  cert_dir = getenv("SSL_DIR");
  if(cert_dir) {
    if((stat(cert_dir, &st) != 0) ||
        (!S_ISDIR(st.st_mode))) {
      cert_dir = NULL;
    }
  }

  /* Now we check if the default location is a valid dir */
  if(!cert_dir) {
    if((stat(SSL_DIR, &st) == 0) &&
        (S_ISDIR(st.st_mode))) {
      cert_dir = (char *)SSL_DIR;
    }
  }

  if(!NSS_IsInitialized()) {
    SECStatus rv;
    initialized = 1;
    infof(data, "Initializing NSS with certpath: %s\n",
          cert_dir ? cert_dir : "none");
    if(!cert_dir) {
      rv = NSS_NoDB_Init(NULL);
    }
    else {
      char *certpath =
        PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "", cert_dir);
      rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
      PR_smprintf_free(certpath);
    }
    if(rv != SECSuccess) {
      infof(data, "Unable to initialize NSS database\n");
      initialized = 0;
      return CURLE_SSL_CACERT_BADFILE;
    }
  }

  if(num_enabled_ciphers() == 0)
    NSS_SetDomesticPolicy();

  return CURLE_OK;
}
Beispiel #7
0
SECStatus
InitializeNSS(const char* nssCertDBDir)
{
  // Try initializing an existing DB.
  if (NSS_Init(nssCertDBDir) == SECSuccess) {
    return SECSuccess;
  }

  // Create a new DB if there is none...
  SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
  if (rv != SECSuccess) {
    return rv;
  }

  // ...and load all certificates into it.
  return LoadCertificatesAndKeys(nssCertDBDir);
}
static void
load_nss (GsdSmartcardManager *self)
{
        GsdSmartcardManagerPrivate *priv = self->priv;
        SECStatus status = SECSuccess;
        static const guint32 flags = NSS_INIT_READONLY
                                   | NSS_INIT_FORCEOPEN
                                   | NSS_INIT_NOROOTINIT
                                   | NSS_INIT_OPTIMIZESPACE
                                   | NSS_INIT_PK11RELOAD;

        g_debug ("attempting to load NSS database '%s'",
                 GSD_SMARTCARD_MANAGER_NSS_DB);

        PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);

        status = NSS_Initialize (GSD_SMARTCARD_MANAGER_NSS_DB,
                                 "", "", SECMOD_DB, flags);

        if (status != SECSuccess) {
                gsize error_message_size;
                char *error_message;

                error_message_size = PR_GetErrorTextLength ();

                if (error_message_size == 0) {
                        g_debug ("NSS security system could not be initialized");
                } else {
                        error_message = g_alloca (error_message_size);
                        PR_GetErrorText (error_message);

                        g_debug ("NSS security system could not be initialized - %s",
                                 error_message);
                }
                priv->nss_is_loaded = FALSE;
                return;

        }

        g_debug ("NSS database '%s' loaded", GSD_SMARTCARD_MANAGER_NSS_DB);
        priv->nss_is_loaded = TRUE;
}
Beispiel #9
0
static Error
init_crypto(PRBool create, PRBool readOnly)
{

    PRUint32 flags = 0;
    SECStatus rv;
    Error retval;
    /* Open/create key database */

    if (readOnly)
        flags |= NSS_INIT_READONLY;
    if (nocertdb)
        flags |= NSS_INIT_NOCERTDB;
    rv = NSS_Initialize(SECU_ConfigDirectory(NULL), dbprefix, dbprefix,
                        secmodName, flags);
    if (rv != SECSuccess) {
        SECU_PrintPRandOSError(progName);
        retval = NSS_INITIALIZE_FAILED_ERR;
    } else
        retval = SUCCESS;

    return retval;
}
Beispiel #10
0
bool lsw_nss_setup(const char *configdir, unsigned setup_flags,
		   PK11PasswordFunc get_password, lsw_nss_buf_t err)
{
	/*
	 * save for cleanup
	 */
	flags = setup_flags;

	/*
	 * According to the manual, not needed, and all parameters are
	 * ignored.  Does no harm?
	 */
	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);

	libreswan_log("Initializing NSS");
	if (configdir) {
		const char sql[] = "sql:";
		char *nssdb;
		if (strncmp(sql, configdir, strlen(sql)) == 0) {
			nssdb = strdup(configdir);
		} else {
			nssdb = alloc_bytes(strlen(configdir) + strlen(sql) + 1, "nssdb");
			strcpy(nssdb, sql);
			strcat(nssdb, configdir);
		}
		libreswan_log("Opening NSS database \"%s\" %s", nssdb,
			      (flags & LSW_NSS_READONLY) ? "read-only" : "read-write");
		SECStatus rv = NSS_Initialize(nssdb, "", "", SECMOD_DB,
					      (flags & LSW_NSS_READONLY) ? NSS_INIT_READONLY : 0);
		if (rv != SECSuccess) {
			snprintf(err, sizeof(lsw_nss_buf_t),
				 "Initialization of NSS with %s database \"%s\" failed (%d)",
				 (flags & LSW_NSS_READONLY) ? "read-only" : "read-write",
				 nssdb, PR_GetError());
			pfree(nssdb);
			return FALSE;
		}
	} else {
		NSS_NoDB_Init(".");
	}

	if (PK11_IsFIPS() && get_password == NULL) {
		snprintf(err, sizeof(lsw_nss_buf_t),
			 "on FIPS mode a password is required");
		return FALSE;
	}

	if (get_password) {
		PK11_SetPasswordFunc(get_password);
	}

	if (!(flags & LSW_NSS_SKIP_AUTH)) {
		PK11SlotInfo *slot = lsw_nss_get_authenticated_slot(err);
		if (slot == NULL) {
			return FALSE;
		}
		PK11_FreeSlot(slot);
	}

	return TRUE;
}
Beispiel #11
0
int main(int argc, char *argv[])
{
	int opt;
	long fin = 0;
	int use_pkix = 0;
	SECStatus rv;
	char pbuf[1024];
	PRBool crlcheck = PR_FALSE;
	PRBool ocspcheck = PR_FALSE;
	PRBool strict = PR_FALSE;
	CERTCertDBHandle *handle = NULL;
	CERTCertificate **certout = NULL;
	CERTVerifyLog vfy_log;
	CERTVerifyLog vfy_log2;
	CERTVerifyLog *cur_log;
	CERTValOutParam *pkixout = NULL;

	SECItem c1;
	SECItem c2;
	SECItem *certs[2];
	certs[0] = &c1;
	certs[1] = &c2;

	int numcerts = 0;
	while ((opt = getopt(argc, argv, "u:d:e:pn:s:coSr")) != -1) {
		switch(opt) {
			/* usage type */
		case 'u':
			set_usage(optarg);
			break;
		case 'd':
			db_dir = optarg;
			break;
		case 's':
			sub_file = optarg;
			break;
		case 'c':
			crlcheck = PR_TRUE;
			break;
		case 'o':
			ocspcheck = PR_TRUE;
			break;
		case 'S':
			strict = PR_TRUE;
			break;
		case 'e':
			end_file = optarg;
			break;
		case 'p':
			use_pkix = 1;
			break;
		case 'n':
			rightca_nick = optarg;
			break;
		case 'r':
			retry_verify = PR_TRUE;
			break;
		default:
			print_usage();
			break;
		}
	}

	if (db_dir == NULL)
		db_dir = "testfiles/";
	if (end_file == NULL)
		end_file = "testfiles/end.pem";

	get_file(certs[numcerts++], end_file);

	if (sub_file != NULL) {
		get_file(certs[numcerts++], sub_file);
	}

	snprintf(pbuf, sizeof(pbuf), "sql:%s", db_dir);
	if (NSS_Initialize(pbuf, "", "", "secmod.db", 0x1) != SECSuccess) {
		printf("NSS_Initialize failed %d\n", PORT_GetError());
		exit(-1);
	}

	if ((handle = CERT_GetDefaultCertDB()) == NULL) {
		printf("NULL handle\n");
		exit(-1);
	}
	if (ocspcheck) {
		CERT_EnableOCSPChecking(handle);
		CERT_DisableOCSPDefaultResponder(handle);
		if (strict)
			CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
	}

	rv = CERT_ImportCerts(handle, 0, numcerts, certs, &certout, PR_FALSE,
							 PR_FALSE, NULL);
	if (rv != SECSuccess) {
		printf("CERT_ImportCerts failed %d\n", PORT_GetError());
		exit(-1);
	}
	vfy_log.count = 0;
	vfy_log.head = NULL;
	vfy_log.tail = NULL;
	vfy_log.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

	vfy_log2.count = 0;
	vfy_log2.head = NULL;
	vfy_log2.tail = NULL;
	vfy_log2.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);

	if (use_pkix) {
		int in_idx = 0;
		CERTValInParam cvin[7];
		CERTValOutParam cvout[3];
		CERTCertList *trustcl = NULL;
		CERTRevocationFlags rev;
		PRUint64 revFlagsLeaf[2] = { 0, 0 };
		PRUint64 revFlagsChain[2] = { 0, 0 };

		zero(&cvin);	/* ??? is this reasonable? */
		zero(&cvout);	/* ??? is this reasonable? */
		zero(&rev);	/* ??? is this reasonable? */

		if (rightca_nick == NULL)
			rightca_nick = "root";

		if ((trustcl = get_trust_certlist(handle, rightca_nick)) == NULL) {
			printf("Couldn't find trust anchor\n");
			exit(-1);
		}

		cvin[in_idx].type = cert_pi_useAIACertFetch;
		cvin[in_idx++].value.scalar.b = PR_TRUE;
		cvin[in_idx].type = cert_pi_revocationFlags;
		cvin[in_idx++].value.pointer.revocation = &rev;
		cvin[in_idx].type = cert_pi_trustAnchors;
		cvin[in_idx++].value.pointer.chain = trustcl;
		cvin[in_idx].type = cert_pi_useOnlyTrustAnchors;
		cvin[in_idx++].value.scalar.b = PR_TRUE;

		set_rev_per_meth(&rev, revFlagsLeaf, revFlagsChain);
		set_rev_params(&rev, crlcheck, ocspcheck, strict);
		cvin[in_idx].type = cert_pi_end;

		cvout[0].type = cert_po_errorLog;
		cvout[0].value.pointer.log = &vfy_log;
		cur_log = &vfy_log;
		cvout[1].type = cert_po_certList;
		cvout[1].value.pointer.chain = NULL;
		cvout[2].type = cert_po_end;
		pkixout = &cvout[0];

pkixredo:
		rv = CERT_PKIXVerifyCert(*certout, pkixusage, cvin, cvout,
				NULL);

		//CERT_DestroyCertList(trustcl);

	} else {
		cur_log = &vfy_log;
vfyredo:
		rv = CERT_VerifyCert(handle, *certout, PR_TRUE, usage, PR_Now(),
								       NULL,
								       cur_log);
	}

	if (rv != SECSuccess || cur_log->count > 0) {
		if (cur_log->count > 0 && cur_log->head != NULL) {
			fin = err_stat(cur_log->head);
		} else {
			fin = PORT_GetError();
		}
		if (fin == SEC_ERROR_INADEQUATE_KEY_USAGE) {
			printf("SEC_ERROR_INADEQUATE_KEY_USAGE : Certificate key usage inadequate for attempted operation.\n"
				);
		} else if (fin == SEC_ERROR_INADEQUATE_CERT_TYPE) {
			printf("SEC_ERROR_INADEQUATE_CERT_TYPE : Certificate type not approved for application.\n"
				);
		} else {
			printf("OTHER : %ld", fin);
		}
	}
	if ((fin == SEC_ERROR_INADEQUATE_CERT_TYPE ||
			fin == SEC_ERROR_INADEQUATE_KEY_USAGE) &&
					 retry_verify && !retried) {
		printf("Retrying verification\n");
		fin = 0;
		retried = PR_TRUE;
		if (use_pkix) {
			pkixout[0].value.pointer.log = &vfy_log2;
			cur_log = &vfy_log2;
			pkixout[1].value.pointer.chain = NULL;
			if (pkixusage == certificateUsageSSLClient) {
				pkixusage = certificateUsageSSLServer;
			} else {
				pkixusage = certificateUsageSSLClient;
			}
			goto pkixredo;
		} else {
			if (usage == certUsageSSLClient) {
				usage = certUsageSSLServer;
			} else {
				usage = certUsageSSLClient;
			}
			goto vfyredo;
		}
	}

	PORT_FreeArena(vfy_log.arena, PR_FALSE);
	PORT_FreeArena(vfy_log2.arena, PR_FALSE);
	NSS_Shutdown();
	exit(fin == 0 ? 0 : 1);
}
Beispiel #12
0
am_status_t Connection::initialize(const Properties& properties)
{
    am_status_t status = AM_SUCCESS;
    SECStatus secStatus;

    if (! initialized) {
	const char *nssMethodName = "NSS_Initialize";
	std::string certDir = properties.get(AM_COMMON_SSL_CERT_DIR_PROPERTY, 
					     "");
	std::string dbPrefix = properties.get(AM_COMMON_CERT_DB_PREFIX_PROPERTY,
					      "");

	unsigned long timeout = properties.getUnsigned(AM_COMMON_RECEIVE_TIMEOUT_PROPERTY, 0);
	if (timeout > 0) {
	    receive_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(timeout));
    } else {
	    receive_timeout = PR_INTERVAL_NO_TIMEOUT;
	}

	unsigned long socket_timeout = properties.getUnsigned(AM_COMMON_CONNECT_TIMEOUT_PROPERTY, 0);
	if (socket_timeout > 0) {
	    connect_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(socket_timeout));
	} else {
	    connect_timeout = PR_INTERVAL_NO_TIMEOUT;
	}

	tcp_nodelay_is_enabled = properties.getBool(AM_COMMON_TCP_NODELAY_ENABLE_PROPERTY, false);
		
	//
	// Initialize the NSS libraries and enable use of all of the
	// cipher suites.  According to the NSS 3.3 API documentation
	// NSS_SetDomesticPolicy enables all of the cipher suites except
	// two: SSL_RSA_WITH_NULL_MD5 and SSL_FORTEZZA_DMS_WITH_NULL_SHA.
	// (It does not explain why those two are not enabled.)  The SSL
	// code in Agent Pack 1.0 explicitly enabled the first of the
	// disabled cipher suites.
	// We do not enable them here since null or no encryption is a 
	// potential security risk.
	//

	Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
		 "calling NSS_Initialize() with directory = \"%s\" and "
		 "prefix = \"%s\"", certDir.c_str(), dbPrefix.c_str());
	Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
		 "Connection timeout when receiving data = %i milliseconds",timeout);
	if (tcp_nodelay_is_enabled) {
		Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
		   "Socket option TCP_NODELAY is enabled");
	}

	secStatus = NSS_Initialize(certDir.c_str(), dbPrefix.c_str(),
				   dbPrefix.c_str(), "secmod.db",
				   NSS_INIT_READONLY|NSS_INIT_FORCEOPEN);
	if (SECSuccess == secStatus) {
	    nssMethodName = "NSS_SetDomesticPolicy";
	    secStatus = NSS_SetDomesticPolicy();
	}
	if (SECSuccess == secStatus) {
	    nssMethodName = "PK11_SetPasswordFunc";
	    PK11_SetPasswordFunc(getPasswordFromArg);

	    initialized = true;
	}

	if(secStatus != SECSuccess) {
	    secStatus = NSS_NoDB_Init(NULL);
	    if (secStatus != SECSuccess) {
	        Log::log(Log::ALL_MODULES, Log::LOG_ERROR,
		         "Connection::initialize() unable to initialize SSL "
		         "libraries: %s returned %d", nssMethodName,
		         PR_GetError());
	        status = AM_NSPR_ERROR;
            }
	}
    }

    return status;
}
Beispiel #13
0
int main(int argc, char ** argv)
{
    SECStatus rv;
    PRFileDesc *in;
    PRFileDesc *out;
    PRPollDesc pd;
    PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT;
    char buf[1024];
    PRInt32 nBytes;
    char * command;
    char * tokenName;
    char * tokenpw;
    int fipsmode = 0;
    int semid = 0;
    union semun semarg;

    if (argc < 4 || argc > 5) {
        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
        exit(1);
    }

    signal(SIGHUP, SIG_IGN);

    semid = strtol(argv[1], NULL, 10);

    if (!strcasecmp(argv[2], "on"))
        fipsmode = 1;

    /* Initialize NSPR */
    PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
 
    /* Set the PKCS #11 strings for the internal token. */
    PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
 
    /* Initialize NSS and open the certificate database read-only. */
    rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);

    if (rv != SECSuccess) {
        fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
        exit(1);
    }

    if (fipsmode) {
        if (!PK11_IsFIPS()) {
            char * internal_name = PR_smprintf("%s",
                SECMOD_GetInternalModule()->commonName);

            if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
                 !PK11_IsFIPS()) {
                 NSS_Shutdown();
                 fprintf(stderr,
                     "Unable to enable FIPS mode");
                 exit(1);
            }
            PR_smprintf_free(internal_name);
        } 
    }

    in = PR_GetSpecialFD(PR_StandardInput);
    out = PR_GetSpecialFD(PR_StandardOutput);
    if (in == NULL || out == NULL) {
        fprintf(stderr, "PR_GetInheritedFD failed\n"); 
        exit(1);
    }

    pd.fd = in;
    pd.in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
    while (1) {
        rv = PR_Poll(&pd, 1, timeout);
        if (rv == -1) { /* PR_Poll failed */
            break;
        }
        if (pd.out_flags & (PR_POLL_HUP | PR_POLL_ERR | PR_POLL_NVAL | PR_POLL_EXCEPT)) {
            break;
        }
        if (pd.out_flags & PR_POLL_READ) {
            memset(buf, 0, sizeof(buf));
            nBytes = PR_Read(in, buf, sizeof(buf));
            if (nBytes == -1 || nBytes == 0) {
                break;
            }
            command = getstr(buf, 0);
            tokenName = getstr(buf, 1);
            tokenpw = getstr(buf, 2);

            if (command && !strcmp(command, "QUIT")) {
                break;
            } else if (command && !strcmp(command, "STOR")) {
                PRInt32 err = PIN_SUCCESS;
                Node *node = NULL;

                if (tokenName && tokenpw) {
                    node = (Node*)malloc(sizeof (Node));
                    if (!node) { err = PIN_NOMEMORY; }

                    node->tokenName = strdup(tokenName);
                    node->store = 0; 
                    node->next = 0; 

                    if (err == PIN_SUCCESS)
                        err = CreatePk11PinStore(&node->store, tokenName, tokenpw);
                    memset(tokenpw, 0, strlen(tokenpw));
                } else
                    err = PIN_SYSTEMERROR;

                sprintf(buf, "%d", err);
                PR_Write(out, buf, 1);

                if (err == PIN_SUCCESS) {
                    if (pinList)
                        node->next = pinList;
                    pinList = node;
                }

                /* Now clean things up */
                if (command) free(command);
                if (tokenName) free(tokenName);
                if (tokenpw) free(tokenpw);
            } else if (command && !strcmp(command, "RETR")) {
                Node *node;
                char *pin = 0;
                PRBool found = PR_FALSE;

                for (node = pinList; node != NULL; node = node->next) {
                    if (!strcmp(node->tokenName, tokenName)) {
                        if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) {
                            if (strlen(pin) == 0)
                                PR_Write(out, "", 1);
                            else
                                PR_Write(out, pin, strlen(pin));
                            memset(pin, 0, strlen(pin));
                            free(pin);
                            found = PR_TRUE;
                            break;
                        }
                    }
                }

                if (found != PR_TRUE)
                    PR_Write(out, "", 1);

                free(command);
                free(tokenName);
            } else {
              ; /* ack, unknown command */
            }
        }
    }
    freeList(pinList);
    PR_Close(in);
    /* Remove the semaphore used for locking here. This is because this
     * program only goes away when Apache shuts down so we don't have to
     * worry about reloads.
     */
    semctl(semid, 0, IPC_RMID, semarg);
    return 0;
}
Beispiel #14
0
int
main(int argc, char **argv)
{
    PLOptState *optstate;
    PLOptStatus optstatus;

    PRUint32 flags = 0;
    Error ret;
    SECStatus rv;
    char *dbString = NULL;
    PRBool doInitTest = PR_FALSE;
    int i;

    progName = strrchr(argv[0], '/');
    if (!progName)
        progName = strrchr(argv[0], '\\');
    progName = progName ? progName + 1 : argv[0];

    optstate = PL_CreateOptState(argc, argv, "rfip:d:h");

    while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
        switch (optstate->option) {
            case 'h':
            default:
                Usage(progName);
                break;

            case 'r':
                flags |= NSS_INIT_READONLY;
                break;

            case 'f':
                flags |= NSS_INIT_FORCEOPEN;
                break;

            case 'i':
                doInitTest = PR_TRUE;
                break;

            case 'p':
                userPassword = PORT_Strdup(optstate->value);
                break;

            case 'd':
                dbDir = PORT_Strdup(optstate->value);
                break;
        }
    }
    if (optstatus == PL_OPT_BAD)
        Usage(progName);

    if (!dbDir) {
        dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
    }
    dbDir = SECU_ConfigDirectory(dbDir);
    PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);

    if (dbDir[0] == '\0') {
        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
        ret = DIR_DOESNT_EXIST_ERR;
        goto loser;
    }

    PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);

    /* get the status of the directory and databases and output message */
    if (PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
        PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
    } else if (PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
        PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir);
    } else {
        if (!(flags & NSS_INIT_READONLY) &&
            PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
            PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir);
        }
        if (!doInitTest) {
            for (i = 0; i < 3; i++) {
                dbString = PR_smprintf("%s/%s", dbDir, dbName[i]);
                PR_fprintf(PR_STDOUT, "database checked is %s\n", dbString);
                if (PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) {
                    PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR],
                               dbString);
                } else if (PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) {
                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR],
                               dbString);
                } else if (!(flags & NSS_INIT_READONLY) &&
                           PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
                    PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
                               dbString);
                }
            }
        }
    }

    rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix,
                        secmodName, flags);
    if (rv != SECSuccess) {
        SECU_PrintPRandOSError(progName);
        ret = NSS_INITIALIZE_FAILED_ERR;
    } else {
        ret = SUCCESS;
        if (doInitTest) {
            PK11SlotInfo *slot = PK11_GetInternalKeySlot();
            SECStatus rv;
            int passwordSuccess = 0;
            int type = CKM_DES3_CBC;
            SECItem keyid = { 0, NULL, 0 };
            unsigned char keyIdData[] = { 0xff, 0xfe };
            PK11SymKey *key = NULL;

            keyid.data = keyIdData;
            keyid.len = sizeof(keyIdData);

            PK11_SetPasswordFunc(getPassword);
            rv = PK11_InitPin(slot, (char *)NULL, userPassword);
            if (rv != SECSuccess) {
                PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n",
                           SECU_Strerror(PORT_GetError()));
                ret = CHANGEPW_FAILED_ERR;
            }
            if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) {
                PR_fprintf(PR_STDERR, "New DB did not log in after init\n");
                ret = AUTHENTICATION_FAILED_ERR;
            }
            /* generate a symetric key */
            key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid,
                                   PR_TRUE, &passwordSuccess);

            if (!key) {
                PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n",
                           SECU_Strerror(PORT_GetError()));
                exit(UNSPECIFIED_ERR);
            }
            PK11_FreeSymKey(key);
            PK11_Logout(slot);

            PK11_Authenticate(slot, PR_TRUE, &passwordSuccess);

            if (*userPassword && !passwordSuccess) {
                PR_fprintf(PR_STDERR, "New DB Did not initalize\n");
                ret = AUTHENTICATION_FAILED_ERR;
            }
            key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess);

            if (!key) {
                PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
                           SECU_Strerror(PORT_GetError()));
                ret = UNSPECIFIED_ERR;
            } else {
                PK11_FreeSymKey(key);
            }
            PK11_FreeSlot(slot);
        }

        if (NSS_Shutdown() != SECSuccess) {
            PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
                       SECU_Strerror(PORT_GetError()));
            exit(1);
        }
    }

loser:
    return ret;
}
Beispiel #15
0
Datei: nss.c Projekt: 0w/moai-dev
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
{
  PRInt32 err;
  PRFileDesc *model = NULL;
  PRBool ssl2, ssl3, tlsv1;
  struct SessionHandle *data = conn->data;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  SECStatus rv;
  char *certDir = NULL;
  int curlerr;
  const int *cipher_to_enable;

  curlerr = CURLE_SSL_CONNECT_ERROR;

  if (connssl->state == ssl_connection_complete)
    return CURLE_OK;

  connssl->data = data;

#ifdef HAVE_PK11_CREATEGENERICOBJECT
  connssl->cacert[0] = NULL;
  connssl->cacert[1] = NULL;
  connssl->key = NULL;
#endif

  /* FIXME. NSS doesn't support multiple databases open at the same time. */
  PR_Lock(nss_initlock);
  if(!initialized) {
    struct_stat st;

    /* First we check if $SSL_DIR points to a valid dir */
    certDir = getenv("SSL_DIR");
    if(certDir) {
      if((stat(certDir, &st) != 0) ||
              (!S_ISDIR(st.st_mode))) {
        certDir = NULL;
      }
    }

    /* Now we check if the default location is a valid dir */
    if(!certDir) {
      if((stat(SSL_DIR, &st) == 0) &&
              (S_ISDIR(st.st_mode))) {
        certDir = (char *)SSL_DIR;
      }
    }

    if (!NSS_IsInitialized()) {
      initialized = 1;
      infof(conn->data, "Initializing NSS with certpath: %s\n",
            certDir ? certDir : "none");
      if(!certDir) {
        rv = NSS_NoDB_Init(NULL);
      }
      else {
        char *certpath = PR_smprintf("%s%s",
                         NSS_VersionCheck("3.12.0") ? "sql:" : "",
                         certDir);
        rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
        PR_smprintf_free(certpath);
      }
      if(rv != SECSuccess) {
        infof(conn->data, "Unable to initialize NSS database\n");
        curlerr = CURLE_SSL_CACERT_BADFILE;
        initialized = 0;
        PR_Unlock(nss_initlock);
        goto error;
      }
    }

    if(num_enabled_ciphers() == 0)
      NSS_SetDomesticPolicy();

#ifdef HAVE_PK11_CREATEGENERICOBJECT
    if(!mod) {
      char *configstring = aprintf("library=%s name=PEM", pem_library);
      if(!configstring) {
        PR_Unlock(nss_initlock);
        goto error;
      }
      mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
      free(configstring);

      if(!mod || !mod->loaded) {
        if(mod) {
          SECMOD_DestroyModule(mod);
          mod = NULL;
        }
        infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
              "PEM certificates will not work.\n", pem_library);
      }
    }
#endif

    PK11_SetPasswordFunc(nss_get_password);

  }
  PR_Unlock(nss_initlock);

  model = PR_NewTCPSocket();
  if(!model)
    goto error;
  model = SSL_ImportFD(NULL, model);

  if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess)
    goto error;

  ssl2 = ssl3 = tlsv1 = PR_FALSE;

  switch (data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
    ssl3 = tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_TLSv1:
    tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_SSLv2:
    ssl2 = PR_TRUE;
    break;
  case CURL_SSLVERSION_SSLv3:
    ssl3 = PR_TRUE;
    break;
  }

  if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
    goto error;

  if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
    goto error;

  /* enable all ciphers from enable_ciphers_by_default */
  cipher_to_enable = enable_ciphers_by_default;
  while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
    if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
      curlerr = CURLE_SSL_CIPHER;
      goto error;
    }
    cipher_to_enable++;
  }

  if(data->set.ssl.cipher_list) {
    if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
      curlerr = CURLE_SSL_CIPHER;
      goto error;
    }
  }

  if(data->set.ssl.verifyhost == 1)
    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");

  data->set.ssl.certverifyresult=0; /* not checked yet */
  if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
     != SECSuccess) {
    goto error;
  }
  if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
                           NULL) != SECSuccess)
    goto error;

  if(!data->set.ssl.verifypeer)
    /* skip the verifying of the peer */
    ;
  else if(data->set.ssl.CAfile) {
    int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile,
                           PR_TRUE);
    if(!rc) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }
  }
  else if(data->set.ssl.CApath) {
    struct_stat st;
    PRDir      *dir;
    PRDirEntry *entry;

    if(stat(data->set.ssl.CApath, &st) == -1) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }

    if(S_ISDIR(st.st_mode)) {
      int rc;

      dir = PR_OpenDir(data->set.ssl.CApath);
      do {
        entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN);

        if(entry) {
          char fullpath[PATH_MAX];

          snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
                   entry->name);
          rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE);
          /* FIXME: check this return value! */
        }
        /* This is purposefully tolerant of errors so non-PEM files
         * can be in the same directory */
      } while(entry != NULL);
      PR_CloseDir(dir);
    }
  }
  infof(data,
        "  CAfile: %s\n"
        "  CApath: %s\n",
        data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
        data->set.ssl.CApath ? data->set.ssl.CApath : "none");

  if (data->set.ssl.CRLfile) {
    int rc = nss_load_crl(data->set.ssl.CRLfile, PR_FALSE);
    if (!rc) {
      curlerr = CURLE_SSL_CRL_BADFILE;
      goto error;
    }
    infof(data,
          "  CRLfile: %s\n",
          data->set.ssl.CRLfile ? data->set.ssl.CRLfile : "none");
  }

  if(data->set.str[STRING_CERT]) {
    bool nickname_alloc = FALSE;
    char *nickname = fmt_nickname(data->set.str[STRING_CERT], &nickname_alloc);
    if(!nickname)
      return CURLE_OUT_OF_MEMORY;

    if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
                    data->set.str[STRING_KEY])) {
      /* failf() is already done in cert_stuff() */
      if(nickname_alloc)
        free(nickname);
      return CURLE_SSL_CERTPROBLEM;
    }

    /* this "takes over" the pointer to the allocated name or makes a
       dup of it */
    connssl->client_nickname = nickname_alloc?nickname:strdup(nickname);
    if(!connssl->client_nickname)
      return CURLE_OUT_OF_MEMORY;

  }
  else
    connssl->client_nickname = NULL;

  if(SSL_GetClientAuthDataHook(model, SelectClientCert,
                               (void *)connssl) != SECSuccess) {
    curlerr = CURLE_SSL_CERTPROBLEM;
    goto error;
  }

  /* Import our model socket  onto the existing file descriptor */
  connssl->handle = PR_ImportTCPSocket(sockfd);
  connssl->handle = SSL_ImportFD(model, connssl->handle);
  if(!connssl->handle)
    goto error;
  PR_Close(model); /* We don't need this any more */

  /* This is the password associated with the cert that we're using */
  if (data->set.str[STRING_KEY_PASSWD]) {
      SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]);
  }

  /* Force handshake on next I/O */
  SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);

  SSL_SetURL(connssl->handle, conn->host.name);

  /* Force the handshake now */
  if(SSL_ForceHandshakeWithTimeout(connssl->handle,
                                    PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
      != SECSuccess) {
    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
      curlerr = CURLE_PEER_FAILED_VERIFICATION;
    else if(conn->data->set.ssl.certverifyresult!=0)
      curlerr = CURLE_SSL_CACERT;
    goto error;
  }

  connssl->state = ssl_connection_complete;

  display_conn_info(conn, connssl->handle);

  if (data->set.str[STRING_SSL_ISSUERCERT]) {
    SECStatus ret;
    bool nickname_alloc = FALSE;
    char *nickname = fmt_nickname(data->set.str[STRING_SSL_ISSUERCERT],
                                  &nickname_alloc);

    if(!nickname)
      return CURLE_OUT_OF_MEMORY;

    ret = check_issuer_cert(connssl->handle, nickname);

    if(nickname_alloc)
      free(nickname);

    if(SECFailure == ret) {
      infof(data,"SSL certificate issuer check failed\n");
      curlerr = CURLE_SSL_ISSUER_ERROR;
      goto error;
    }
    else {
      infof(data, "SSL certificate issuer check ok\n");
    }
  }

  return CURLE_OK;

error:
  err = PR_GetError();
  infof(data, "NSS error %d\n", err);
  if(model)
    PR_Close(model);
  return curlerr;
}
Beispiel #16
0
int FileSSL_main(int argc, char * argv[])
{
    bool isServer = true;
    
    SECStatus rv = SECSuccess;

    
    char buffer[32] = {0};
    

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    
    PK11_SetPasswordFunc(GetModulePassword);
    rv = NSS_Initialize(GetSystemDBDir(),
                        "", "",
                        "secmod.db", 0);
    
    
    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
    
    rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
    
    rv = NSS_SetDomesticPolicy();
    rv = NSS_SetExportPolicy();
    rv = NSS_SetFrancePolicy();
    //    rv = SSL_CipherPolicySet();
    
    
    
    SSL_ClearSessionCache();
    
    rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
    
    
    PRFileDesc * socket = PR_NewTCPSocket();
    
    socket = SSL_ImportFD(NULL,socket);
    
    
    
    if (isServer) {
        
        CERTCertDBHandle *certHandle;
        
        certHandle = CERT_GetDefaultCertDB();
        
        char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/
        
        CERTCertificate* cert = NULL;
        cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
        
        
        SECKEYPrivateKey *prvKey = NULL;
        
        prvKey = PK11_FindKeyByAnyCert(cert, NULL);
        
        rv = SSL_ConfigSecureServer(socket, cert,prvKey,ssl_kea_rsa);
        
        
        PRNetAddr netAddr;
        
        PRNetAddr netAddrLocal;
        
        
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        
        
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        
        rv = PR_Bind(socket,&netAddr);
        rv = PR_Listen(socket, 100);
        
        
        while (1) {
            PRFileDesc * client = PR_Accept(socket, &netAddr, 6000000);
            PRNetAddr addr;
            
            
            rv = PR_GetSockName(client, &addr);
            
            rv = SSL_ForceHandshake(client);
            
            
            rv = PR_Write(client,"123", 4);
            
            sleep(1);
        }
        
    }
    else
    {
        rv = SSL_SetURL(socket, "127.0.0.1");
        
        PRNetAddr netAddr;
        
        PRNetAddr netAddrLocal;
        
        
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        
        
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        
        //        rv = PR_GetHostByName();
        //        PR_EnumerateHostEnt
        rv = PR_Connect(socket,&netAddr, 300000);
        
        rv = SSL_AuthCertificateHook(socket, OwnAuthCertHandler, NULL);
        
        rv = SSL_ForceHandshake(socket);
        
        while (1) {
            rv = PR_Read(socket,buffer, 32);
            
            sleep(1);
        }
        
    }
    
    
    return 0;
}
Beispiel #17
0
/**
 * Initialise the crypto library and perform one time initialisation.
 */
static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc)
{
    SECStatus s;
    const char *dir = NULL;
    const char *keyPrefix = NULL;
    const char *certPrefix = NULL;
    const char *secmod = NULL;
    int noinit = 0;
    PRUint32 flags = 0;

    struct {
        const char *field;
        const char *value;
        int set;
    } fields[] = {
        { "dir", NULL, 0 },
        { "key3", NULL, 0 },
        { "cert7", NULL, 0 },
        { "secmod", NULL, 0 },
        { "noinit", NULL, 0 },
        { NULL, NULL, 0 }
    };
    const char *ptr;
    size_t klen;
    char **elts = NULL;
    char *elt;
    int i = 0, j;
    apr_status_t status;

    if (params) {
        if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) {
            return status;
        }
        while ((elt = elts[i])) {
            ptr = strchr(elt, '=');
            if (ptr) {
                for (klen = ptr - elt; klen && apr_isspace(elt[klen - 1]); --klen)
                    ;
                ptr++;
            }
            else {
                for (klen = strlen(elt); klen && apr_isspace(elt[klen - 1]); --klen)
                    ;
            }
            elt[klen] = 0;

            for (j = 0; fields[j].field != NULL; ++j) {
                if (klen && !strcasecmp(fields[j].field, elt)) {
                    fields[j].set = 1;
                    if (ptr) {
                        fields[j].value = ptr;
                    }
                    break;
                }
            }

            i++;
        }
        dir = fields[0].value;
        keyPrefix = fields[1].value;
        certPrefix = fields[2].value;
        secmod = fields[3].value;
        noinit = fields[4].set;
    }

    /* if we've been asked to bypass, do so here */
    if (noinit) {
        return APR_SUCCESS;
    }

    /* sanity check - we can only initialise NSS once */
    if (NSS_IsInitialized()) {
        return APR_EREINIT;
    }

    apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper,
            apr_pool_cleanup_null);

    if (keyPrefix || certPrefix || secmod) {
        s = NSS_Initialize(dir, certPrefix, keyPrefix, secmod, flags);
    }
    else if (dir) {
        s = NSS_InitReadWrite(dir);
    }
    else {
        s = NSS_NoDB_Init(NULL);
    }
    if (s != SECSuccess) {
        if (rc) {
            *rc = PR_GetError();
        }
        return APR_ECRYPT;
    }

    return APR_SUCCESS;

}
Beispiel #18
0
int main(int argc, char **argv)
{
    CERTCertDBHandle *certHandle;
    PRFileDesc *inFile;
    PRFileDesc *inCrlInitFile = NULL;
    int generateCRL;
    int modifyCRL;
    int listCRL;
    int importCRL;
    int showFileCRL;
    int deleteCRL;
    int rv;
    char *nickName;
    char *url;
    char *dbPrefix = "";
    char *alg = NULL;
    char *outFile = NULL;
    char *slotName = NULL;
    int ascii = 0;
    int crlType;
    PLOptState *optstate;
    PLOptStatus status;
    SECStatus secstatus;
    PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
    PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
    PRBool quiet = PR_FALSE;
    PRBool test = PR_FALSE;
    PRBool erase = PR_FALSE;
    PRInt32 i = 0;
    PRInt32 iterations = 1;
    PRBool readonly = PR_FALSE;

    secuPWData  pwdata          = { PW_NONE, 0 };

    progName = strrchr(argv[0], '/');
    progName = progName ? progName+1 : argv[0];

    rv = 0;
    deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0;
    inFile = NULL;
    nickName = url = NULL;
    certHandle = NULL;
    crlType = SEC_CRL_TYPE;
    /*
     * Parse command line arguments
     */
    optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
	switch (optstate->option) {
	  case '?':
	    Usage(progName);
	    break;

          case 'T':
            test = PR_TRUE;
            break;

          case 'E':
            erase = PR_TRUE;
            break;

	  case 'B':
            importOptions |= CRL_IMPORT_BYPASS_CHECKS;
            break;

	  case 'G':
	    generateCRL = 1;
	    break;

          case 'M':
            modifyCRL = 1;
            break;

	  case 'D':
	      deleteCRL = 1;
	      break;

	  case 'I':
	      importCRL = 1;
	      break;
	      
	  case 'S':
	      showFileCRL = 1;
	      break;
	           
	  case 'C':
	  case 'L':
	      listCRL = 1;
	      break;

	  case 'P':
 	    dbPrefix = strdup(optstate->value);
 	    break;
              
	  case 'Z':
              alg = strdup(optstate->value);
              break;
              
	  case 'a':
	      ascii = 1;
	      break;

	  case 'c':
              inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
              if (!inCrlInitFile) {
                  PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
                             progName, optstate->value);
                  PL_DestroyOptState(optstate);
                  return -1;
              }
              break;
	    
	  case 'd':
              SECU_ConfigDirectory(optstate->value);
              break;

	  case 'f':
	      pwdata.source = PW_FROMFILE;
	      pwdata.data = strdup(optstate->value);
	      break;

	  case 'h':
              slotName = strdup(optstate->value);
              break;

	  case 'i':
	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
	    if (!inFile) {
		PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
			progName, optstate->value);
		PL_DestroyOptState(optstate);
		return -1;
	    }
	    break;
	    
	  case 'n':
	    nickName = strdup(optstate->value);
	    break;

	  case 'o':
	    outFile = strdup(optstate->value);
	    break;
	    
	  case 'p':
	    decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
	    break;

	  case 'r': {
	    const char* str = optstate->value;
	    if (str && atoi(str)>0)
		iterations = atoi(str);
	    }
	    break;
	    
	  case 't': {
	    crlType = atoi(optstate->value);
	    if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
		PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
		PL_DestroyOptState(optstate);
		return -1;
	    }
	    break;

	  case 'q':
            quiet = PR_TRUE;
	    break;

	  case 'w':
	      pwdata.source = PW_PLAINTEXT;
	      pwdata.data = strdup(optstate->value);
	      break;

	  case 'u':
	    url = strdup(optstate->value);
	    break;

          }
	}
    }
    PL_DestroyOptState(optstate);

    if (deleteCRL && !nickName) Usage (progName);
    if (importCRL && !inFile) Usage (progName);
    if (showFileCRL && !inFile) Usage (progName);
    if ((generateCRL && !nickName) ||
        (modifyCRL && !inFile && !nickName)) Usage (progName);
    if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
	  modifyCRL || test || erase)) Usage (progName);

    if (listCRL || showFileCRL) {
        readonly = PR_TRUE;
    }
    
    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

    PK11_SetPasswordFunc(SECU_GetModulePassword);

    if (showFileCRL) {
	NSS_NoDB_Init(NULL);
    }
    else {
	secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
				"secmod.db", readonly ? NSS_INIT_READONLY : 0);
	if (secstatus != SECSuccess) {
	    SECU_PrintPRandOSError(progName);
	    return -1;
	}
    }
    
    SECU_RegisterDynamicOids();

    certHandle = CERT_GetDefaultCertDB();
    if (certHandle == NULL) {
	SECU_PrintError(progName, "unable to open the cert db");	    	
	/*ignoring return value of NSS_Shutdown() as code returns -1*/
	(void) NSS_Shutdown();
	return (-1);
    }

    CRLGEN_InitCrlGenParserLock();

    for (i=0; i<iterations; i++) {
	/* Read in the private key info */
	if (deleteCRL) 
	    DeleteCRL (certHandle, nickName, crlType);
	else if (listCRL) {
	    rv = ListCRL (certHandle, nickName, crlType);
	}
	else if (importCRL) {
	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
			    decodeOptions, &pwdata);
	}
	else if (showFileCRL) {
	    rv = DumpCRL (inFile);
	} else if (generateCRL || modifyCRL) {
	    if (!inCrlInitFile)
		inCrlInitFile = PR_STDIN;
	    rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
			      inFile, outFile, ascii,  slotName,
			      importOptions, alg, quiet,
			      decodeOptions, url, &pwdata,
			      modifyCRL);
	}
	else if (erase) {
	    /* list and delete all CRLs */
	    ListCRLNames (certHandle, crlType, PR_TRUE);
	}
#ifdef DEBUG
	else if (test) {
	    /* list and delete all CRLs */
	    ListCRLNames (certHandle, crlType, PR_TRUE);
	    /* list CRLs */
	    ListCRLNames (certHandle, crlType, PR_FALSE);
	    /* import CRL as a blob */
	    rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
			    decodeOptions, &pwdata);
	    /* list CRLs */
	    ListCRLNames (certHandle, crlType, PR_FALSE);
	}
#endif    
    }

    CRLGEN_DestroyCrlGenParserLock();

    if (NSS_Shutdown() != SECSuccess) {
        rv = SECFailure;
    }

    return (rv != SECSuccess);
}
static string ComputeDumpHash() {
#ifdef XP_LINUX
  // On Linux we rely on the system-provided libcurl which uses nss so we have
  // to also use the system-provided nss instead of the ones we have bundled.
  const char* libnssNames[] = {
    "libnss3.so",
#ifndef HAVE_64BIT_BUILD
    // 32-bit versions on 64-bit hosts
    "/usr/lib32/libnss3.so",
#endif
  };
  void* lib = nullptr;

  for (const char* libname : libnssNames) {
    lib = dlopen(libname, RTLD_NOW);

    if (lib) {
      break;
    }
  }

  if (!lib) {
    return "";
  }

  SECStatus (*NSS_Initialize)(const char*, const char*, const char*,
                              const char*, PRUint32);
  HASHContext* (*HASH_Create)(HASH_HashType);
  void (*HASH_Destroy)(HASHContext*);
  void (*HASH_Begin)(HASHContext*);
  void (*HASH_Update)(HASHContext*, const unsigned char*, unsigned int);
  void (*HASH_End)(HASHContext*, unsigned char*, unsigned int*, unsigned int);

  *(void**) (&NSS_Initialize) = dlsym(lib, "NSS_Initialize");
  *(void**) (&HASH_Create) = dlsym(lib, "HASH_Create");
  *(void**) (&HASH_Destroy) = dlsym(lib, "HASH_Destroy");
  *(void**) (&HASH_Begin) = dlsym(lib, "HASH_Begin");
  *(void**) (&HASH_Update) = dlsym(lib, "HASH_Update");
  *(void**) (&HASH_End) = dlsym(lib, "HASH_End");

  if (!HASH_Create || !HASH_Destroy || !HASH_Begin || !HASH_Update ||
      !HASH_End) {
    return "";
  }
#endif
  // Minimal NSS initialization so we can use the hash functions
  const PRUint32 kNssFlags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT |
                             NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB;
  if (NSS_Initialize(nullptr, "", "", "", kNssFlags) != SECSuccess) {
    return "";
  }

  HASHContext* hashContext = HASH_Create(HASH_AlgSHA256);

  if (!hashContext) {
    return "";
  }

  HASH_Begin(hashContext);

  ifstream* f = UIOpenRead(gReporterDumpFile, /* binary */ true);
  bool error = false;

  // Read the minidump contents
  if (f->is_open()) {
    uint8_t buff[4096];

    do {
      f->read((char*) buff, sizeof(buff));

      if (f->bad()) {
        error = true;
        break;
      }

      HASH_Update(hashContext, buff, f->gcount());
    } while (!f->eof());

    f->close();
  } else {
    error = true;
  }

  delete f;

  // Finalize the hash computation
  uint8_t result[SHA256_LENGTH];
  uint32_t resultLen = 0;

  HASH_End(hashContext, result, &resultLen, SHA256_LENGTH);

  if (resultLen != SHA256_LENGTH) {
    error = true;
  }

  HASH_Destroy(hashContext);

  if (!error) {
    ostringstream hash;

    for (size_t i = 0; i < SHA256_LENGTH; i++) {
      hash << std::setw(2) << std::setfill('0') << std::hex
           << static_cast<unsigned int>(result[i]);
    }

    return hash.str();
  } else {
    return ""; // If we encountered an error, return an empty hash
  }
}
Beispiel #20
0
CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
{
  PRInt32 err;
  PRFileDesc *model = NULL;
  PRBool ssl2, ssl3, tlsv1;
  struct SessionHandle *data = conn->data;
  curl_socket_t sockfd = conn->sock[sockindex];
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  SECStatus rv;
#ifdef HAVE_PK11_CREATEGENERICOBJECT
  char *configstring = NULL;
#endif
  char *certDir = NULL;
  int curlerr;

  curlerr = CURLE_SSL_CONNECT_ERROR;

  /* FIXME. NSS doesn't support multiple databases open at the same time. */
  if(!initialized) {
    initialized = 1;

    certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */

    if (!certDir) {
      struct stat st;

      if (stat(SSL_DIR, &st) == 0)
        if (S_ISDIR(st.st_mode)) {
          certDir = (char *)SSL_DIR;
        }
    }

    if(!certDir) {
      rv = NSS_NoDB_Init(NULL);
    }
    else {
      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
                          NSS_INIT_READONLY);
    }
    if(rv != SECSuccess) {
      infof(conn->data, "Unable to initialize NSS database\n");
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }

    NSS_SetDomesticPolicy();

#ifdef HAVE_PK11_CREATEGENERICOBJECT
    configstring = (char *)malloc(PATH_MAX);

    PR_snprintf(configstring, PATH_MAX, "library=%s name=PEM", pem_library);

    mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
    free(configstring);
    if (!mod || !mod->loaded) {
      if (mod) {
        SECMOD_DestroyModule(mod);
        mod = NULL;
      }
      infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
            "PEM certificates will not work.\n", pem_library);
    }
#endif
  }

  model = PR_NewTCPSocket();
  if(!model)
    goto error;
  model = SSL_ImportFD(NULL, model);

  if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess)
    goto error;

  ssl2 = ssl3 = tlsv1 = PR_FALSE;

  switch (data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
    ssl2 = ssl3 = tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_TLSv1:
    tlsv1 = PR_TRUE;
    break;
  case CURL_SSLVERSION_SSLv2:
    ssl2 = PR_TRUE;
    break;
  case CURL_SSLVERSION_SSLv3:
    ssl3 = PR_TRUE;
    break;
  }

  if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
    goto error;
  if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
    goto error;

  if(data->set.ssl.cipher_list) {
    if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
      curlerr = CURLE_SSL_CIPHER;
      goto error;
    }
  }

  data->set.ssl.certverifyresult=0; /* not checked yet */
  if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
     != SECSuccess) {
    goto error;
  }
  if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
                           NULL) != SECSuccess)
    goto error;

  if(!data->set.ssl.verifypeer)
    /* skip the verifying of the peer */
    ;
  else if (data->set.ssl.CAfile) {
    int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
    if (!rc) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }
  }
  else if (data->set.ssl.CApath) {
    struct stat st;
    PRDir      *dir;
    PRDirEntry *entry;

    if (stat(data->set.ssl.CApath, &st) == -1) {
      curlerr = CURLE_SSL_CACERT_BADFILE;
      goto error;
    }

    if (S_ISDIR(st.st_mode)) {
      int rc;

      dir = PR_OpenDir(data->set.ssl.CApath);
      do {
        entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN);

        if (entry) {
          char fullpath[PATH_MAX];

          snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
                   entry->name);
          rc = nss_load_cert(fullpath, PR_TRUE);
          /* FIXME: check this return value! */
        }
      /* This is purposefully tolerant of errors so non-PEM files
       * can be in the same directory */
      } while (entry != NULL);
      PR_CloseDir(dir);
    }
  }
  infof(data,
        "  CAfile: %s\n"
        "  CApath: %s\n",
        data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
        data->set.ssl.CApath ? data->set.ssl.CApath : "none");

  if(data->set.str[STRING_CERT]) {
    char *n;
    char *nickname;

    nickname = (char *)malloc(PATH_MAX);
    if(is_file(data->set.str[STRING_CERT])) {
      n = strrchr(data->set.str[STRING_CERT], '/');
      if (n) {
        n++; /* skip last slash */
        snprintf(nickname, PATH_MAX, "PEM Token #%ld:%s", 1, n);
      }
    }
    else {
      strncpy(nickname, data->set.str[STRING_CERT], PATH_MAX);
    }
    if(nss_Init_Tokens(conn) != SECSuccess) {
      free(nickname);
      goto error;
    }
    if (!cert_stuff(conn, data->set.str[STRING_CERT],
                    data->set.str[STRING_KEY])) {
      /* failf() is already done in cert_stuff() */
      free(nickname);
      return CURLE_SSL_CERTPROBLEM;
    }

    connssl->client_nickname = strdup(nickname);
    if(SSL_GetClientAuthDataHook(model,
                                 (SSLGetClientAuthData) SelectClientCert,
                                 (void *)connssl->client_nickname) !=
       SECSuccess) {
      curlerr = CURLE_SSL_CERTPROBLEM;
      goto error;
    }

    free(nickname);

    PK11_SetPasswordFunc(nss_no_password);
  }
  else
    connssl->client_nickname = NULL;

  /* Import our model socket  onto the existing file descriptor */
  connssl->handle = PR_ImportTCPSocket(sockfd);
  connssl->handle = SSL_ImportFD(model, connssl->handle);
  if(!connssl->handle)
    goto error;
  PR_Close(model); /* We don't need this any more */

  /* Force handshake on next I/O */
  SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);

  SSL_SetURL(connssl->handle, conn->host.name);

  /* Force the handshake now */
  if (SSL_ForceHandshakeWithTimeout(connssl->handle,
                                    PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
      != SECSuccess) {
    if (conn->data->set.ssl.certverifyresult!=0)
      curlerr = CURLE_SSL_CACERT;
    goto error;
  }

  display_conn_info(conn, connssl->handle);

  return CURLE_OK;

error:
  err = PR_GetError();
  infof(data, "NSS error %d\n", err);
  if(model)
    PR_Close(model);
  return curlerr;
}
Beispiel #21
0
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName)
{
#if 1
    int isServer = 0;
    
    SECStatus rv = SECSuccess;
    
    
    char * buffer = malloc(1024 * 1024);
    
    
    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    
    PK11_SetPasswordFunc(GetModulePassword);
    rv = NSS_Initialize(GetSystemDBDir(),
                        "", "",
                        "secmod.db", 0);
    
    
    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
    
    rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
    
    rv = NSS_SetDomesticPolicy();
    rv = NSS_SetExportPolicy();
    rv = NSS_SetFrancePolicy();
    //    rv = SSL_CipherPolicySet();
    
    
    
    SSL_ClearSessionCache();
    
    rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
    
    
    PRFileDesc * tcp_socket = PR_NewTCPSocket();
    
    PRFileDesc * ssl_socket = SSL_ImportFD(NULL,tcp_socket);
    
    if (isServer) {
        
        CERTCertDBHandle *certHandle;
        
        certHandle = CERT_GetDefaultCertDB();
        
        char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/
        
        CERTCertificate* cert = NULL;
        cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
        
        
        SECKEYPrivateKey *prvKey = NULL;
        
        prvKey = PK11_FindKeyByAnyCert(cert, NULL);
        
        rv = SSL_ConfigSecureServer(ssl_socket, cert,prvKey,ssl_kea_rsa);
        
        
        PRNetAddr netAddr;
        
        PRNetAddr netAddrLocal;
        
        
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        
        
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        
        rv = PR_Bind(tcp_socket,&netAddr);
        rv = PR_Listen(tcp_socket, 100);
        
        
        while (1) {
            PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000);
            PRNetAddr addr;
            
            
            rv = PR_GetSockName(client, &addr);
            
            rv = SSL_ForceHandshake(client);
            
            
            rv = PR_Write(client,"123", 4);
            
            sleep(1);
        }
        
    }
    else
    {
        rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL);
        char * nickname = "nickname";/*nickname*/
        
        rv = SSL_SetURL(ssl_socket, "192.168.18.22");
        
        char * str = malloc(1024) ;

		memset(str, 0, 1024);
        
        strcpy(str ,"GET /test/test2.html HTTP/1.1\r\n");//注意\r\n为回车换行
        //        str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"];
        //        str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"];
        //str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"];
        strcat(str ,"Host: 192.168.18.22:8443\r\n");
        //        str = [str stringByAppendingString:@"Content-Length: 0\r\n"];
        strcat(str ,"\r\n");
        //        str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"];
        //        str = [str stringByAppendingString:@"\r\n"];
        
        PRNetAddr netAddr;
        
        
        rv = PR_StringToNetAddr("192.168.18.22", &netAddr);
        
        rv = PR_InitializeNetAddr(0, 8443, &netAddr);
        
        //        rv = PR_GetHostByName();
        //        PR_EnumerateHostEnt
        
        
        rv = PR_Connect(tcp_socket,&netAddr, 300000);

		FILE_LOG_NUMBER("/sdcard/ssl.log", rv);

        rv = SSL_GetClientAuthDataHook(ssl_socket,NSS_GetClientAuthData,strNickName);

		FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
        
        rv = SSL_ForceHandshake(ssl_socket);
        
		FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
        
        rv = PR_Write(tcp_socket, str, strlen(str));
        
		FILE_LOG_NUMBER("/sdcard/ssl.log", rv);

        rv = PR_Read(tcp_socket,buffer, 1024 * 1024);

		FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
        
        FILE * file = fopen("/sdcard/ssl_read.txt", "wb");
        
        //fwrite(buffer, 1, rv, file);

        //rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
        
        fwrite(buffer, 1, rv, file);
        
        fclose(file);
        
        sleep(1);
        
        
        rv = SSL_InvalidateSession(ssl_socket);
        
        rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH);
        
        rv = PR_Close(tcp_socket);
        
        rv = ssl_FreeSessionCacheLocks();
        
        rv = NSS_Shutdown();
        
    }
#endif
    
    return 0;
}