int __pmSecureServerInit(void) { const PRUint16 *cipher; SECStatus secsts; int pathSpecified; int sts = 0; PM_INIT_LOCKS(); PM_LOCK(secureserver_lock); /* Only attempt this once. */ if (secure_server.initialized) goto done; secure_server.initialized = 1; if (PR_Initialized() != PR_TRUE) PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); /* Configure optional (cmdline) password file in case DB locked */ PK11_SetPasswordFunc(certificate_database_password); /* * Configure location of the NSS database with a sane default. * For servers, we default to the shared (sql) system-wide database. * If command line db specified, pass it directly through - allowing * any old database format, at the users discretion. */ if (!secure_server.database_path[0]) { const char *path; pathSpecified = 0; path = serverdb(secure_server.database_path, MAXPATHLEN, "sql:"); /* this is the default case on some platforms, so no log spam */ if (access(path, R_OK|X_OK) < 0) { if (pmDebugOptions.context) pmNotifyErr(LOG_INFO, "Cannot access system security database: %s", secure_server.database_path); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } else pathSpecified = 1; /* * pmproxy acts as both a client and server. Since the * server init path happens first, the db previously * got opened readonly. Instead try to open RW. * Fallback if there is an error. */ secsts = NSS_InitReadWrite(secure_server.database_path); if( secsts != SECSuccess ) secsts = NSS_Init(secure_server.database_path); if (secsts != SECSuccess && !pathSpecified) { /* fallback, older versions of NSS do not support sql: */ serverdb(secure_server.database_path, MAXPATHLEN, ""); secsts = NSS_Init(secure_server.database_path); } if (secsts != SECSuccess) { pmNotifyErr(LOG_ERR, "Cannot setup certificate DB (%s): %s", secure_server.database_path, pmErrStr(__pmSecureSocketsError(PR_GetError()))); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) SSL_CipherPolicySet(*cipher, SSL_ALLOWED); /* Configure SSL session cache for multi-process server, using defaults */ secsts = SSL_ConfigMPServerSIDCache(1, 0, 0, NULL); if (secsts != SECSuccess) { pmNotifyErr(LOG_ERR, "Unable to configure SSL session ID cache: %s", pmErrStr(__pmSecureSocketsError(PR_GetError()))); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } else { secure_server.ssl_session_cache_setup = 1; } /* * Iterate over any/all PCP Collector nickname certificates, * seeking one valid certificate. No-such-nickname is not an * error (not configured by admin at all) but anything else is. */ CERTCertList *certlist; CERTCertDBHandle *nssdb = CERT_GetDefaultCertDB(); CERTCertificate *dbcert = PK11_FindCertFromNickname(secure_server.cert_nickname, NULL); if (dbcert) { PRTime now = PR_Now(); SECItem *name = &dbcert->derSubject; CERTCertListNode *node; certlist = CERT_CreateSubjectCertList(NULL, nssdb, name, now, PR_FALSE); if (certlist) { for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node, certlist); node = CERT_LIST_NEXT (node)) { if (pmDebugOptions.context) __pmDumpCertificate(stderr, secure_server.cert_nickname, node->cert); if (!__pmValidCertificate(nssdb, node->cert, now)) continue; secure_server.certificate_verified = 1; break; } CERT_DestroyCertList(certlist); } if (secure_server.certificate_verified) { secure_server.certificate_KEA = NSS_FindCertKEAType(dbcert); secure_server.private_key = PK11_FindKeyByAnyCert(dbcert, NULL); if (!secure_server.private_key) { pmNotifyErr(LOG_ERR, "Unable to extract %s private key", secure_server.cert_nickname); CERT_DestroyCertificate(dbcert); secure_server.certificate_verified = 0; sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } else { pmNotifyErr(LOG_ERR, "Unable to find a valid %s", secure_server.cert_nickname); CERT_DestroyCertificate(dbcert); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } if (! secure_server.certificate_verified) { if (pmDebugOptions.context) { pmNotifyErr(LOG_INFO, "No valid %s in security database: %s", secure_server.cert_nickname, secure_server.database_path); } sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } secure_server.certificate = dbcert; secure_server.init_failed = 0; sts = 0; done: PM_UNLOCK(secureserver_lock); return sts; }
// Constructor OsTLSServerSocket::OsTLSServerSocket(int connectionQueueSize, int serverPort, UtlString certNickname, UtlString certPassword, UtlString dbLocation, const UtlString bindAddress) : OsServerSocket(connectionQueueSize,serverPort, bindAddress.data(), false), mCertNickname(certNickname), mCertPassword(certPassword), mDbLocation(dbLocation), mpMozillaSSLSocket(NULL), mpCert(NULL), mpPrivKey(NULL), mTlsInitCode(TLS_INIT_SUCCESS) { PRSocketOptionData socketOption; PRStatus prStatus; SECStatus secStatus; // import the newly created socket into NSS, and set the PRFileDesc. if (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR) { /* Call the NSPR initialization routines. */ PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); /* Set the cert database password callback. */ PK11_SetPasswordFunc(OsTLS::PasswordCallback); secStatus = NSS_Init(dbLocation.data()); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_DATABASE_FAILURE; return ; } /* Set the policy for this server (REQUIRED - no default). */ secStatus = NSS_SetExportPolicy(); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_DATABASE_FAILURE; return ; } /* Get own certificate and private key. */ mpCert = PK11_FindCertFromNickname((char*) certNickname.data(), (void*)certPassword.data()); if (mpCert == NULL) { return ; } unsigned char* szPwd = (unsigned char*) PR_Malloc(certPassword.length()+ 1); strncpy((char*)szPwd, certPassword.data(), certPassword.length()+1); mpPrivKey = PK11_FindKeyByAnyCert(mpCert, (void*)szPwd); if (mpPrivKey == NULL) { mTlsInitCode = TLS_INIT_BAD_PASSWORD; // probably a wrong password return ; } /* Configure the server's cache for a multi-process application * using default timeout values (24 hrs) and directory location (/tmp). */ SSL_ConfigMPServerSIDCache(256, 0, 0, NULL); mpMozillaSSLSocket = PR_ImportTCPSocket(socketDescriptor); if (!mpMozillaSSLSocket) { mTlsInitCode = TLS_INIT_TCP_IMPORT_FAILURE; } else { /* Make the socket blocking. */ socketOption.option = PR_SockOpt_Nonblocking; socketOption.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(mpMozillaSSLSocket, &socketOption); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } PRNetAddr addr; /* Configure the network connection. */ addr.inet.family = PR_AF_INET; addr.inet.ip = inet_addr(bindAddress.data()); addr.inet.port = PR_htons(serverPort); /* Bind the address to the listener socket. */ prStatus = PR_Bind(mpMozillaSSLSocket, &addr); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } /* Listen for connection on the socket. The second argument is * the maximum size of the queue for pending connections. */ prStatus = PR_Listen(mpMozillaSSLSocket, connectionQueueSize); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } } } }