void initNSS(const SslOptions& options, bool server)
{
SslOptions::global = options;
if (options.certPasswordFile.empty()) {
PK11_SetPasswordFunc(promptForPassword);
} else {
PK11_SetPasswordFunc(readPasswordFromFile);
}
NSS_CHECK(NSS_Init(options.certDbPath.c_str()));
if (options.exportPolicy) {
NSS_CHECK(NSS_SetExportPolicy());
} else {
NSS_CHECK(NSS_SetDomesticPolicy());
}
if (server) {
//use defaults for all args, TODO: may want to make this configurable
SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
}
// disable SSLv2 and SSLv3 versions of the protocol - they are
// no longer considered secure
SSLVersionRange drange, srange; // default and supported ranges
const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
if (drange.min < tlsv1) {
drange.min = tlsv1;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
if (srange.max > drange.max) {
drange.max = srange.max;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
}
int
main(int argc, char * const argv[])
{
struct qnetd_instance instance;
struct qnetd_advanced_settings advanced_settings;
char *host_addr;
uint16_t host_port;
int foreground;
int debug_log;
int bump_log_priority;
enum tlv_tls_supported tls_supported;
int client_cert_required;
size_t max_clients;
PRIntn address_family;
int lock_file;
int another_instance_running;
if (qnetd_advanced_settings_init(&advanced_settings) != 0) {
errx(1, "Can't alloc memory for advanced settings");
}
cli_parse(argc, argv, &host_addr, &host_port, &foreground, &debug_log, &bump_log_priority,
&tls_supported, &client_cert_required, &max_clients, &address_family, &advanced_settings);
if (foreground) {
qnetd_log_init(QNETD_LOG_TARGET_STDERR);
} else {
qnetd_log_init(QNETD_LOG_TARGET_SYSLOG);
}
qnetd_log_set_debug(debug_log);
qnetd_log_set_priority_bump(bump_log_priority);
/*
* Daemonize
*/
if (!foreground) {
utils_tty_detach();
}
if ((lock_file = utils_flock(advanced_settings.lock_file, getpid(),
&another_instance_running)) == -1) {
if (another_instance_running) {
qnetd_log(LOG_ERR, "Another instance is running");
} else {
qnetd_log_err(LOG_ERR, "Can't acquire lock");
}
exit(1);
}
qnetd_log(LOG_DEBUG, "Initializing nss");
if (nss_sock_init_nss((tls_supported != TLV_TLS_UNSUPPORTED ?
advanced_settings.nss_db_dir : NULL)) != 0) {
qnetd_err_nss();
}
if (SSL_ConfigServerSessionIDCache(0, 0, 0, NULL) != SECSuccess) {
qnetd_err_nss();
}
if (qnetd_instance_init(&instance, tls_supported, client_cert_required,
max_clients, &advanced_settings) == -1) {
qnetd_log(LOG_ERR, "Can't initialize qnetd");
exit(1);
}
instance.host_addr = host_addr;
instance.host_port = host_port;
if (tls_supported != TLV_TLS_UNSUPPORTED && qnetd_instance_init_certs(&instance) == -1) {
qnetd_err_nss();
}
qnetd_log(LOG_DEBUG, "Initializing local socket");
if (qnetd_ipc_init(&instance) != 0) {
return (1);
}
qnetd_log(LOG_DEBUG, "Creating listening socket");
instance.server.socket = nss_sock_create_listen_socket(instance.host_addr,
instance.host_port, address_family);
if (instance.server.socket == NULL) {
qnetd_err_nss();
}
if (nss_sock_set_non_blocking(instance.server.socket) != 0) {
qnetd_err_nss();
}
if (PR_Listen(instance.server.socket, instance.advanced_settings->listen_backlog) !=
PR_SUCCESS) {
qnetd_err_nss();
}
global_instance = &instance;
signal_handlers_register();
qnetd_log(LOG_DEBUG, "Registering algorithms");
if (qnetd_algorithm_register_all() != 0) {
exit(1);
}
qnetd_log(LOG_DEBUG, "QNetd ready to provide service");
/*
* MAIN LOOP
*/
while (qnetd_poll(&instance) == 0) {
}
/*
* Cleanup
*/
qnetd_ipc_destroy(&instance);
if (PR_Close(instance.server.socket) != PR_SUCCESS) {
qnetd_warn_nss();
}
CERT_DestroyCertificate(instance.server.cert);
SECKEY_DestroyPrivateKey(instance.server.private_key);
SSL_ClearSessionCache();
SSL_ShutdownServerSessionIDCache();
qnetd_instance_destroy(&instance);
qnetd_advanced_settings_destroy(&advanced_settings);
if (NSS_Shutdown() != SECSuccess) {
qnetd_warn_nss();
}
if (PR_Cleanup() != PR_SUCCESS) {
qnetd_warn_nss();
}
qnetd_log_close();
return (0);
}
int
StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig,
void *sniSocketConfigArg)
{
const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
if (debugLevel) {
int level = atoi(debugLevel);
switch (level) {
case DEBUG_ERRORS: gDebugLevel = DEBUG_ERRORS; break;
case DEBUG_WARNINGS: gDebugLevel = DEBUG_WARNINGS; break;
case DEBUG_VERBOSE: gDebugLevel = DEBUG_VERBOSE; break;
default:
PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
return 1;
}
}
const char *callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
if (callbackPort) {
gCallbackPort = atoi(callbackPort);
}
if (InitializeNSS(nssCertDBDir) != SECSuccess) {
PR_fprintf(PR_STDERR, "InitializeNSS failed");
return 1;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
PrintPRError("NSS_SetDomesticPolicy failed");
return 1;
}
if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
PrintPRError("SSL_ConfigServerSessionIDCache failed");
return 1;
}
UniquePRFileDesc serverSocket(PR_NewTCPSocket());
if (!serverSocket) {
PrintPRError("PR_NewTCPSocket failed");
return 1;
}
PRSocketOptionData socketOption;
socketOption.option = PR_SockOpt_Reuseaddr;
socketOption.value.reuse_addr = true;
PR_SetSocketOption(serverSocket.get(), &socketOption);
PRNetAddr serverAddr;
PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) {
PrintPRError("PR_Bind failed");
return 1;
}
if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) {
PrintPRError("PR_Listen failed");
return 1;
}
UniquePRFileDesc rawModelSocket(PR_NewTCPSocket());
if (!rawModelSocket) {
PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
return 1;
}
UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release()));
if (!modelSocket) {
PrintPRError("SSL_ImportFD of rawModelSocket failed");
return 1;
}
if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig,
sniSocketConfigArg) != SECSuccess) {
PrintPRError("SSL_SNISocketConfigHook failed");
return 1;
}
// We have to configure the server with a certificate, but it's not one
// we're actually going to end up using. In the SNI callback, we pick
// the right certificate for the connection.
if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME,
nullptr, nullptr) != SECSuccess) {
return 1;
}
if (gCallbackPort != 0) {
if (DoCallback()) {
return 1;
}
}
while (true) {
PRNetAddr clientAddr;
PRFileDesc* clientSocket = PR_Accept(serverSocket.get(), &clientAddr,
PR_INTERVAL_NO_TIMEOUT);
HandleConnection(clientSocket, modelSocket);
}
return 0;
}
int SetServerSecParms(struct ThreadData *td) {
int rv;
SECKEYPrivateKey *privKey;
PRFileDesc *s;
s = td->r;
rv = SSL_Enable(s, SSL_SECURITY, 1); /* Enable security on this socket */
if (rv < 0) return Error(10);
if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) {
rv = SSL_Enable(s, SSL_REQUEST_CERTIFICATE, 1);
if (rv < 0) return Error(11);
}
ClearCiphers(td);
EnableCiphers(td);
PK11_SetPasswordFunc(MyPWFunc);
SSL_SetPKCS11PinArg(s,(void*) MyPWFunc);
/* Find the certificates we are going to use from the database */
/* Test for dummy certificate, which shouldn't exist */
td->cert = PK11_FindCertFromNickname("XXXXXX_CERT_HARDCOREII_1024",NULL);
if (td->cert != NULL) return Error(16);
td->cert = NULL;
if (NO_CERT != REP_ServerCert) {
td->cert = PK11_FindCertFromNickname(nicknames[REP_ServerCert],NULL);
}
/* Note: if we're set to use NO_CERT as the server cert, then we'll
* just essentially skip the rest of this (except for session ID cache setup)
*/
if ( (NULL == td->cert) && ( NO_CERT != REP_ServerCert )) {
PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]);
PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n",
SECU_ErrorString ((int16) PR_GetError()));
return Error(12);
}
if ((NO_CERT != REP_ServerCert)) {
privKey = PK11_FindKeyByAnyCert(td->cert, NULL);
if (privKey == NULL) {
dbmsg((PR_STDERR, "Can't find key for this certificate\n"));
return Error(13);
}
rv = SSL_ConfigSecureServer(s,td->cert,privKey, kt_rsa);
if (rv != PR_SUCCESS) {
dbmsg((PR_STDERR, "Can't config server error(%d) \n",rv));
return Error(14);
}
}
rv = SSL_ConfigServerSessionIDCache(10, 0, 0, ".");
if (rv != 0) {
dbmsg((PR_STDERR, "Can't config server session ID cache (%d) \n",rv));
return Error(15);
}
return 0;
}
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName)
{
#if 1
int isServer = 0;
SECStatus rv = SECSuccess;
char * buffer = malloc(1024 * 1024);
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * tcp_socket = PR_NewTCPSocket();
PRFileDesc * ssl_socket = SSL_ImportFD(NULL,tcp_socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(ssl_socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(tcp_socket,&netAddr);
rv = PR_Listen(tcp_socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL);
char * nickname = "nickname";/*nickname*/
rv = SSL_SetURL(ssl_socket, "192.168.18.22");
char * str = malloc(1024) ;
memset(str, 0, 1024);
strcpy(str ,"GET /test/test2.html HTTP/1.1\r\n");//注意\r\n为回车换行
// str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"];
// str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"];
//str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"];
strcat(str ,"Host: 192.168.18.22:8443\r\n");
// str = [str stringByAppendingString:@"Content-Length: 0\r\n"];
strcat(str ,"\r\n");
// str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"];
// str = [str stringByAppendingString:@"\r\n"];
PRNetAddr netAddr;
rv = PR_StringToNetAddr("192.168.18.22", &netAddr);
rv = PR_InitializeNetAddr(0, 8443, &netAddr);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(tcp_socket,&netAddr, 300000);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_GetClientAuthDataHook(ssl_socket,NSS_GetClientAuthData,strNickName);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_ForceHandshake(ssl_socket);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Write(tcp_socket, str, strlen(str));
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
FILE * file = fopen("/sdcard/ssl_read.txt", "wb");
//fwrite(buffer, 1, rv, file);
//rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
fwrite(buffer, 1, rv, file);
fclose(file);
sleep(1);
rv = SSL_InvalidateSession(ssl_socket);
rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH);
rv = PR_Close(tcp_socket);
rv = ssl_FreeSessionCacheLocks();
rv = NSS_Shutdown();
}
#endif
return 0;
}
int FileSSL_main(int argc, char * argv[])
{
bool isServer = true;
SECStatus rv = SECSuccess;
char buffer[32] = {0};
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * socket = PR_NewTCPSocket();
socket = SSL_ImportFD(NULL,socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(socket,&netAddr);
rv = PR_Listen(socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_SetURL(socket, "127.0.0.1");
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(socket,&netAddr, 300000);
rv = SSL_AuthCertificateHook(socket, OwnAuthCertHandler, NULL);
rv = SSL_ForceHandshake(socket);
while (1) {
rv = PR_Read(socket,buffer, 32);
sleep(1);
}
}
return 0;
}
