int main(int argc, char **argv)
{
SECStatus rv;
/* Initialize NSS */
PK11_SetPasswordFunc(passwdcb);
/* The NSS db must be initialized read-write since we'll be creating
* keys in it. Once keys are generated, it can be opened without read-write
* subsequently (NSS_Init).
*/
rv = NSS_InitReadWrite(".");
if (rv != SECSuccess)
{
fprintf(stderr, "NSS initialization failed (err %d)\n",
PR_GetError());
exit(1);
}
/* generate a key with id 1. should succeed on first run on a fresh db,
* should fail on successive runs because key with that id already exists */
genkey(1);
/* generate a key with id 2. should succeed on first run on a fresh db,
* should fail on successive runs because key with that id already exists */
genkey(2);
/* generate a key with id 1 - this will fail because key with that id
* already exists */
genkey(1);
}
int
main(int argc, char **argv)
{
char * progName = NULL;
SECStatus secStatus;
PLOptState *optstate;
PLOptStatus status;
/* Call the NSPR initialization routines */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PL_strdup(argv[0]);
hostName = NULL;
optstate = PL_CreateOptState(argc, argv, "d:h:i:o:p:t:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK)
{
switch(optstate->option)
{
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'h' : hostName = PL_strdup(optstate->value); break;
case 'i' : infileName = PL_strdup(optstate->value); break;
case 'o' : outfileName = PL_strdup(optstate->value); break;
case 'p' : port = PORT_Atoi(optstate->value); break;
case 't' : trustNewServer_p = PL_strdup(optstate->value); break;
case '?' :
default : Usage(progName);
}
}
if (port == 0 || hostName == NULL || infileName == NULL || outfileName == NULL || certDir == NULL)
Usage(progName);
#if 0 /* no client authentication */
/* Set our password function callback. */
PK11_SetPasswordFunc(myPasswd);
#endif
/* Initialize the NSS libraries. */
secStatus = NSS_InitReadWrite(certDir);
if (secStatus != SECSuccess)
{
/* Try it again, readonly. */
secStatus = NSS_Init(certDir);
if (secStatus != SECSuccess)
exitErr("Error initializing NSS", GENERAL_ERROR);
}
/* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */
NSS_SetDomesticPolicy();
client_main(port);
NSS_Shutdown();
PR_Cleanup();
return 0;
}
static void
pluto_init_nss(char *confddir)
{
char buf[100];
snprintf(buf, sizeof(buf), "%s",confddir);
loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf);
SECStatus nss_init_status= NSS_InitReadWrite(buf);
if (nss_init_status != SECSuccess) {
loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError());
exit_pluto(10);
} else {
libreswan_log("NSS Initialized");
PK11_SetPasswordFunc(getNSSPassword);
}
}
/**
* xmlSecNssAppInit:
* @config: the path to NSS database files.
*
* General crypto engine initialization. This function is used
* by XMLSec command line utility and called before
* @xmlSecInit function.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecNssAppInit(const char* config) {
SECStatus rv;
if(config) {
rv = NSS_InitReadWrite(config);
if(rv != SECSuccess) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"NSS_InitReadWrite",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"config=%s",
xmlSecErrorsSafeString(config));
return(-1);
}
} else {
rv = NSS_NoDB_Init(NULL);
if(rv != SECSuccess) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"NSS_NoDB_Init",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
}
/* configure PKCS11 */
PK11_ConfigurePKCS11("manufacturesID", "libraryDescription",
"tokenDescription", "privateTokenDescription",
"slotDescription", "privateSlotDescription",
"fipsSlotDescription", "fipsPrivateSlotDescription",
0, 0);
/* setup for PKCS12 */
PORT_SetUCS2_ASCIIConversionFunction(xmlSecNssAppAscii2UCS2Conv);
SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
return(0);
}
int main()
{
SECStatus status;
int error;
status = NSS_InitReadWrite("sql:/no/such/db/dir");
if (status == SECSuccess) {
fprintf(stderr, "NSS_InitReadWrite succeeded unexpectedly\n");
exit(1);
}
error = PORT_GetError();
if (error != SEC_ERROR_BAD_DATABASE) {
fprintf(stderr, "NSS_InitReadWrite failed with the wrong error code: "
"%d\n", error);
exit(1);
}
printf("PASS\n");
return 0;
}
void MozillaRenderer::initialize(void)
{
// Initialize NSPR and NSS
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
if (NSS_InitReadWrite(NULL) == SECFailure)
{
if (NSS_NoDB_Init(NULL) == SECFailure)
{
#ifdef DEBUG
cout << "MozillaRenderer::ctor: couldn't initialize NSS" << endl;
#endif
}
}
NSS_SetDomesticPolicy();
SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, PR_TRUE);
}
int
cms_context_init(cms_context *ctx)
{
SECStatus status;
status = NSS_InitReadWrite("/etc/pki/pesign");
if (status != SECSuccess)
return -1;
status = register_oids();
if (status != SECSuccess)
return -1;
memset(ctx, '\0', sizeof (*ctx));
ctx->arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!ctx->arena) {
fprintf(stderr, "Could not create cryptographic arena: %s\n",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
int
__pmSecureServerInit(void)
{
const PRUint16 *cipher;
SECStatus secsts;
int pathSpecified;
int sts = 0;
PM_INIT_LOCKS();
PM_LOCK(secureserver_lock);
/* Only attempt this once. */
if (secure_server.initialized)
goto done;
secure_server.initialized = 1;
if (PR_Initialized() != PR_TRUE)
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/* Configure optional (cmdline) password file in case DB locked */
PK11_SetPasswordFunc(certificate_database_password);
/*
* Configure location of the NSS database with a sane default.
* For servers, we default to the shared (sql) system-wide database.
* If command line db specified, pass it directly through - allowing
* any old database format, at the users discretion.
*/
if (!secure_server.database_path[0]) {
const char *path;
pathSpecified = 0;
path = serverdb(secure_server.database_path, MAXPATHLEN, "sql:");
/* this is the default case on some platforms, so no log spam */
if (access(path, R_OK|X_OK) < 0) {
if (pmDebugOptions.context)
pmNotifyErr(LOG_INFO,
"Cannot access system security database: %s",
secure_server.database_path);
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
}
else
pathSpecified = 1;
/*
* pmproxy acts as both a client and server. Since the
* server init path happens first, the db previously
* got opened readonly. Instead try to open RW.
* Fallback if there is an error.
*/
secsts = NSS_InitReadWrite(secure_server.database_path);
if( secsts != SECSuccess )
secsts = NSS_Init(secure_server.database_path);
if (secsts != SECSuccess && !pathSpecified) {
/* fallback, older versions of NSS do not support sql: */
serverdb(secure_server.database_path, MAXPATHLEN, "");
secsts = NSS_Init(secure_server.database_path);
}
if (secsts != SECSuccess) {
pmNotifyErr(LOG_ERR, "Cannot setup certificate DB (%s): %s",
secure_server.database_path,
pmErrStr(__pmSecureSocketsError(PR_GetError())));
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
/* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher)
SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
/* Configure SSL session cache for multi-process server, using defaults */
secsts = SSL_ConfigMPServerSIDCache(1, 0, 0, NULL);
if (secsts != SECSuccess) {
pmNotifyErr(LOG_ERR, "Unable to configure SSL session ID cache: %s",
pmErrStr(__pmSecureSocketsError(PR_GetError())));
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
} else {
secure_server.ssl_session_cache_setup = 1;
}
/*
* Iterate over any/all PCP Collector nickname certificates,
* seeking one valid certificate. No-such-nickname is not an
* error (not configured by admin at all) but anything else is.
*/
CERTCertList *certlist;
CERTCertDBHandle *nssdb = CERT_GetDefaultCertDB();
CERTCertificate *dbcert = PK11_FindCertFromNickname(secure_server.cert_nickname, NULL);
if (dbcert) {
PRTime now = PR_Now();
SECItem *name = &dbcert->derSubject;
CERTCertListNode *node;
certlist = CERT_CreateSubjectCertList(NULL, nssdb, name, now, PR_FALSE);
if (certlist) {
for (node = CERT_LIST_HEAD(certlist);
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT (node)) {
if (pmDebugOptions.context)
__pmDumpCertificate(stderr, secure_server.cert_nickname, node->cert);
if (!__pmValidCertificate(nssdb, node->cert, now))
continue;
secure_server.certificate_verified = 1;
break;
}
CERT_DestroyCertList(certlist);
}
if (secure_server.certificate_verified) {
secure_server.certificate_KEA = NSS_FindCertKEAType(dbcert);
secure_server.private_key = PK11_FindKeyByAnyCert(dbcert, NULL);
if (!secure_server.private_key) {
pmNotifyErr(LOG_ERR, "Unable to extract %s private key",
secure_server.cert_nickname);
CERT_DestroyCertificate(dbcert);
secure_server.certificate_verified = 0;
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
} else {
pmNotifyErr(LOG_ERR, "Unable to find a valid %s", secure_server.cert_nickname);
CERT_DestroyCertificate(dbcert);
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
}
if (! secure_server.certificate_verified) {
if (pmDebugOptions.context) {
pmNotifyErr(LOG_INFO, "No valid %s in security database: %s",
secure_server.cert_nickname, secure_server.database_path);
}
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
secure_server.certificate = dbcert;
secure_server.init_failed = 0;
sts = 0;
done:
PM_UNLOCK(secureserver_lock);
return sts;
}
int
main(int argc, char **argv)
{
bool fork_desired = TRUE;
int lockfd;
char* ocspuri = NULL;
int nhelpers = -1;
char *coredir;
const struct osw_conf_options *oco;
#ifdef NAT_TRAVERSAL
/** Overridden by nat_traversal= in ipsec.conf */
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
#endif
/** Overridden by virtual_private= in ipsec.conf */
char *virtual_private = NULL;
#ifdef LEAK_DETECTIVE
leak_detective=1;
#else
leak_detective=0;
#endif
#ifdef HAVE_LIBCAP_NG
/* Drop capabilities */
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW,
CAP_IPC_LOCK, -1);
/* our children must be able to CAP_NET_ADMIN to change routes.
*/
capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET,
CAP_NET_ADMIN, -1);
capng_apply(CAPNG_SELECT_BOTH);
#endif
global_argv = argv;
global_argc = argc;
#ifdef DEBUG
openswan_passert_fail = passert_fail;
#endif
/* see if there is an environment variable */
coredir = getenv("PLUTO_CORE_DIR");
if(getenv("PLUTO_WAIT_FOR_GDB")) {
sleep(120);
}
/* handle arguments */
for (;;)
{
# define DBG_OFFSET 256
static const struct option long_opts[] = {
/* name, has_arg, flag, val */
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "optionsfrom", required_argument, NULL, '+' },
{ "nofork", no_argument, NULL, 'd' },
{ "stderrlog", no_argument, NULL, 'e' },
{ "noklips", no_argument, NULL, 'n' },
{ "use-nostack", no_argument, NULL, 'n' },
{ "use-none", no_argument, NULL, 'n' },
{ "force_busy", no_argument, NULL, 'D' },
{ "nocrsend", no_argument, NULL, 'c' },
{ "strictcrlpolicy", no_argument, NULL, 'r' },
{ "crlcheckinterval", required_argument, NULL, 'x'},
{ "ocsprequestcert", required_argument, NULL, 'q'},
{ "ocspuri", required_argument, NULL, 'o'},
{ "uniqueids", no_argument, NULL, 'u' },
{ "useklips", no_argument, NULL, 'k' },
{ "use-klips", no_argument, NULL, 'k' },
{ "use-auto", no_argument, NULL, 'G' },
{ "usenetkey", no_argument, NULL, 'K' },
{ "use-netkey", no_argument, NULL, 'K' },
{ "use-mast", no_argument, NULL, 'M' },
{ "use-mastklips", no_argument, NULL, 'M' },
{ "use-bsdkame", no_argument, NULL, 'F' },
{ "interface", required_argument, NULL, 'i' },
{ "listen", required_argument, NULL, 'L' },
{ "ikeport", required_argument, NULL, 'p' },
{ "ctlbase", required_argument, NULL, 'b' },
{ "secretsfile", required_argument, NULL, 's' },
{ "foodgroupsdir", required_argument, NULL, 'f' },
{ "perpeerlogbase", required_argument, NULL, 'P' },
{ "perpeerlog", no_argument, NULL, 'l' },
{ "noretransmits", no_argument, NULL, 'R' },
{ "coredir", required_argument, NULL, 'C' },
{ "ipsecdir", required_argument, NULL, 'f' },
{ "ipsec_dir", required_argument, NULL, 'f' },
#ifdef USE_LWRES
{ "lwdnsq", required_argument, NULL, 'a' },
#else /* !USE_LWRES */
{ "adns", required_argument, NULL, 'a' },
#endif /* !USE_LWRES */
#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-nat_t", no_argument, NULL, '5' },
{ "debug-nattraversal", no_argument, NULL, '5' },
{ "debug-nat-t", no_argument, NULL, '5' },
#endif
{ "virtual_private", required_argument, NULL, '6' },
{ "nhelpers", required_argument, NULL, 'j' },
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
{ "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET },
{ "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET },
{ "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET },
{ "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET },
{ "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET },
{ "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET },
{ "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET },
{ "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET },
{ "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET },
{ "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET },
{ "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET },
{ "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
{ "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET },
{ "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET },
{ "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET },
{ "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET },
{ "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET },
{ "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET },
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET },
{ "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET },
#endif
{ 0,0,0,0 }
};
/* Note: we don't like the way short options get parsed
* by getopt_long, so we simply pass an empty string as
* the list. It could be "hvdenp:l:s:" "NARXPECK".
*/
int c = getopt_long(argc, argv, "", long_opts, NULL);
/** Note: "breaking" from case terminates loop */
switch (c)
{
case EOF: /* end of flags */
break;
case 0: /* long option already handled */
continue;
case ':': /* diagnostic already printed by getopt_long */
case '?': /* diagnostic already printed by getopt_long */
usage("");
break; /* not actually reached */
case 'h': /* --help */
usage(NULL);
break; /* not actually reached */
case 'C':
coredir = clone_str(optarg, "coredir");
break;
case 'v': /* --version */
{
const char **sp = ipsec_copyright_notice();
printf("%s%s\n", ipsec_version_string(),
compile_time_interop_options);
for (; *sp != NULL; sp++)
puts(*sp);
}
exit(0); /* not exit_pluto because we are not initialized yet */
break; /* not actually reached */
case '+': /* --optionsfrom <filename> */
optionsfrom(optarg, &argc, &argv, optind, stderr);
/* does not return on error */
continue;
case 'j': /* --nhelpers */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing number of pluto helpers");
{
char *endptr;
long count = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| count < -1)
usage("<nhelpers> must be a positive number, 0 or -1");
nhelpers = count;
}
continue;
case 'd': /* --nofork*/
fork_desired = FALSE;
continue;
case 'e': /* --stderrlog */
log_to_stderr_desired = TRUE;
continue;
case 'G': /* --use-auto */
kern_interface = AUTO_PICK;
continue;
case 'k': /* --use-klips */
kern_interface = USE_KLIPS;
continue;
case 'L': /* --listen ip_addr */
{
ip_address lip;
err_t e = ttoaddr(optarg,0,0,&lip);
if(e) {
openswan_log("invalid listen argument ignored: %s\n",e);
} else {
pluto_listen = clone_str(optarg, "pluto_listen");
openswan_log("bind() will be filtered for %s\n",pluto_listen);
}
}
continue;
case 'M': /* --use-mast */
kern_interface = USE_MASTKLIPS;
continue;
case 'F': /* --use-bsdkame */
kern_interface = USE_BSDKAME;
continue;
case 'K': /* --use-netkey */
kern_interface = USE_NETKEY;
continue;
case 'n': /* --use-nostack */
kern_interface = NO_KERNEL;
continue;
case 'D': /* --force_busy */
force_busy = TRUE;
continue
;
case 'c': /* --nocrsend */
no_cr_send = TRUE;
continue
;
case 'r': /* --strictcrlpolicy */
strict_crl_policy = TRUE;
continue
;
case 'R':
no_retransmits = TRUE;
continue;
case 'x': /* --crlcheckinterval <time>*/
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing interval time");
{
char *endptr;
long interval = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| interval <= 0)
usage("<interval-time> must be a positive number");
crl_check_interval = interval;
}
continue
;
case 'o': /* --ocspuri */
ocspuri = optarg;
continue;
case 'u': /* --uniqueids */
uniqueIDs = TRUE;
continue;
case 'i': /* --interface <ifname|ifaddr> */
if (!use_interface(optarg))
usage("too many --interface specifications");
continue;
/*
* This option does not really work, as this is the "left"
* site only, you also need --to --ikeport again later on
* It will result in: yourport -> 500, still not bypassing filters
*/
case 'p': /* --ikeport <portnumber> */
if (optarg == NULL || !isdigit(optarg[0]))
usage("missing port number");
{
char *endptr;
long port = strtol(optarg, &endptr, 0);
if (*endptr != '\0' || endptr == optarg
|| port <= 0 || port > 0x10000)
usage("<port-number> must be a number between 1 and 65535");
pluto_port = port;
}
continue;
case 'b': /* --ctlbase <path> */
ctlbase = optarg;
if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path)
, "%s%s", ctlbase, CTL_SUFFIX) == -1)
usage("<path>" CTL_SUFFIX " too long for sun_path");
if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path)
, "%s%s", ctlbase, INFO_SUFFIX) == -1)
usage("<path>" INFO_SUFFIX " too long for sun_path");
if (snprintf(pluto_lock, sizeof(pluto_lock)
, "%s%s", ctlbase, LOCK_SUFFIX) == -1)
usage("<path>" LOCK_SUFFIX " must fit");
continue;
case 's': /* --secretsfile <secrets-file> */
pluto_shared_secrets_file = optarg;
continue;
case 'f': /* --ipsecdir <ipsec-dir> */
(void)osw_init_ipsecdir(optarg);
continue;
case 'a': /* --adns <pathname> */
pluto_adns_option = optarg;
continue;
#ifdef DEBUG
case 'N': /* --debug-none */
base_debugging = DBG_NONE;
continue;
case 'A': /* --debug-all */
base_debugging = DBG_ALL;
continue;
#endif
case 'P': /* --perpeerlogbase */
base_perpeer_logdir = optarg;
continue;
case 'l':
log_to_perpeer = TRUE;
continue;
#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
case '2': /* --keep_alive */
keep_alive = atoi(optarg);
continue;
case '3': /* --force_keepalive */
force_keepalive = TRUE;
continue;
case '4': /* --disable_port_floating */
nat_t_spf = FALSE;
continue;
#ifdef DEBUG
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
#endif
#endif
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
default:
#ifdef DEBUG
if (c >= DBG_OFFSET)
{
base_debugging |= c - DBG_OFFSET;
continue;
}
# undef DBG_OFFSET
#endif
bad_case(c);
}
break;
}
if (optind != argc)
usage("unexpected argument");
reset_debugging();
#ifdef HAVE_NO_FORK
fork_desired = FALSE;
nhelpers = 0;
#endif
/* if a core dir was set, chdir there */
if(coredir)
if(chdir(coredir) == -1) {
int e = errno;
openswan_log("pluto: chdir() do dumpdir failed (%d %s)\n",
e, strerror(e));
}
oco = osw_init_options();
lockfd = create_lock();
/* select between logging methods */
if (log_to_stderr_desired)
log_to_syslog = FALSE;
else
log_to_stderr = FALSE;
#ifdef DEBUG
#if 0
if(kernel_ops->set_debug) {
(*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log);
}
#endif
#endif
/** create control socket.
* We must create it before the parent process returns so that
* there will be no race condition in using it. The easiest
* place to do this is before the daemon fork.
*/
{
err_t ugh = init_ctl_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#ifdef IPSECPOLICY
/* create info socket. */
{
err_t ugh = init_info_socket();
if (ugh != NULL)
{
fprintf(stderr, "pluto: %s", ugh);
exit_pluto(1);
}
}
#endif
/* If not suppressed, do daemon fork */
if (fork_desired)
{
{
pid_t pid = fork();
if (pid < 0)
{
int e = errno;
fprintf(stderr, "pluto: fork failed (%d %s)\n",
errno, strerror(e));
exit_pluto(1);
}
if (pid != 0)
{
/* parent: die, after filling PID into lock file.
* must not use exit_pluto: lock would be removed!
*/
exit(fill_lock(lockfd, pid)? 0 : 1);
}
}
if (setsid() < 0)
{
int e = errno;
fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n",
errno, strerror(e));
exit_pluto(1);
}
}
else
{
/* no daemon fork: we have to fill in lock file */
(void) fill_lock(lockfd, getpid());
fprintf(stdout, "Pluto initialized\n");
fflush(stdout);
}
/** Close everything but ctl_fd and (if needed) stderr.
* There is some danger that a library that we don't know
* about is using some fd that we don't know about.
* I guess we'll soon find out.
*/
{
int i;
for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */
if ((!log_to_stderr || i != 2)
#ifdef IPSECPOLICY
&& i != info_fd
#endif
&& i != ctl_fd)
close(i);
/* make sure that stdin, stdout, stderr are reserved */
if (open("/dev/null", O_RDONLY) != 0)
osw_abort();
if (dup2(0, 1) != 1)
osw_abort();
if (!log_to_stderr && dup2(0, 2) != 2)
osw_abort();
}
init_constants();
pluto_init_log();
#ifdef HAVE_LIBNSS
char buf[100];
snprintf(buf, sizeof(buf), "%s",oco->confddir);
loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf);
SECStatus nss_init_status= NSS_InitReadWrite(buf);
if (nss_init_status != SECSuccess) {
loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError());
exit_pluto(10);
} else {
loglog(RC_LOG_SERIOUS, "NSS Initialized");
PK11_SetPasswordFunc(getNSSPassword);
#ifdef FIPS_CHECK
const char *package_files[]= { IPSECLIBDIR"/setup",
IPSECLIBDIR"/addconn",
IPSECLIBDIR"/auto",
IPSECLIBDIR"/barf",
IPSECLIBDIR"/_copyright",
IPSECLIBDIR"/eroute",
IPSECLIBDIR"/ikeping",
IPSECLIBDIR"/_include",
IPSECLIBDIR"/_keycensor",
IPSECLIBDIR"/klipsdebug",
IPSECLIBDIR"/look",
IPSECLIBDIR"/newhostkey",
IPSECLIBDIR"/pf_key",
IPSECLIBDIR"/_pluto_adns",
IPSECLIBDIR"/_plutoload",
IPSECLIBDIR"/_plutorun",
IPSECLIBDIR"/ranbits",
IPSECLIBDIR"/_realsetup",
IPSECLIBDIR"/rsasigkey",
IPSECLIBDIR"/pluto",
IPSECLIBDIR"/_secretcensor",
IPSECLIBDIR"/secrets",
IPSECLIBDIR"/showdefaults",
IPSECLIBDIR"/showhostkey",
IPSECLIBDIR"/showpolicy",
IPSECLIBDIR"/spi",
IPSECLIBDIR"/spigrp",
IPSECLIBDIR"/_startklips",
IPSECLIBDIR"/_startnetkey",
IPSECLIBDIR"/tncfg",
IPSECLIBDIR"/_updown",
IPSECLIBDIR"/_updown.klips",
IPSECLIBDIR"/_updown.mast",
IPSECLIBDIR"/_updown.netkey",
IPSECLIBDIR"/verify",
IPSECLIBDIR"/whack",
IPSECSBINDIR"/ipsec",
NULL
};
if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) {
loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed");
exit_pluto(10);
}
#endif
}
#endif
/* Note: some scripts may look for this exact message -- don't change
* ipsec barf was one, but it no longer does.
*/
{
const char *vc = ipsec_version_code();
#ifdef PLUTO_SENDS_VENDORID
const char *v = init_pluto_vendorid();
openswan_log("Starting Pluto (Openswan Version %s%s; Vendor ID %s) pid:%u"
, vc, compile_time_interop_options, v, getpid());
#else
openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u"
, vc, compile_time_interop_options, getpid());
#endif
#ifdef HAVE_LIBNSS
if(Pluto_IsFIPS()) {
openswan_log("Pluto is running in FIPS mode");
}
#endif
if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') ||
(vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) {
/*
* when people build RPMs from CVS or GIT, make sure they
* get blamed appropriately, and that we get some way to
* identify who did it, and when they did it. Use string concat,
* so that strings the binary can or classic SCCS "what", will find
* stuff too.
*/
openswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER);
}
#if defined(USE_1DES)
openswan_log("WARNING: 1DES is enabled");
#endif
}
if(coredir) {
openswan_log("core dump dir: %s", coredir);
}
#ifdef LEAK_DETECTIVE
openswan_log("LEAK_DETECTIVE support [enabled]");
#else
openswan_log("LEAK_DETECTIVE support [disabled]");
#endif
#ifdef HAVE_OCF
{
struct stat buf;
errno=0;
if( stat("/dev/crypto",&buf) != -1)
openswan_log("OCF support for IKE via /dev/crypto [enabled]");
else
openswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno));
}
#else
openswan_log("OCF support for IKE [disabled]");
#endif
/* Check for SAREF support */
#ifdef KLIPS_MAST
#include <ipsec_saref.h>
{
int e, sk, saref;
saref = 1;
errno=0;
sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAref support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAref support [enabled]");
}
errno=0;
e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref));
if (e == -1 ) {
openswan_log("SAbind support [disabled]: %s" , strerror(errno));
}
else {
openswan_log("SAbind support [enabled]");
}
close(sk);
}
#endif
#ifdef HAVE_LIBNSS
openswan_log("NSS support [enabled]");
#else
openswan_log("NSS support [disabled]");
#endif
#ifdef HAVE_STATSD
openswan_log("HAVE_STATSD notification via /bin/openswan-statsd enabled");
#else
openswan_log("HAVE_STATSD notification support not compiled in");
#endif
/** Log various impair-* functions if they were enabled */
if(DBGP(IMPAIR_BUST_MI2))
openswan_log("Warning: IMPAIR_BUST_MI2 enabled");
if(DBGP(IMPAIR_BUST_MR2))
openswan_log("Warning: IMPAIR_BUST_MR2 enabled");
if(DBGP(IMPAIR_SA_CREATION))
openswan_log("Warning: IMPAIR_SA_CREATION enabled");
if(DBGP(IMPAIR_JACOB_TWO_TWO))
openswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
if(DBGP(IMPAIR_DIE_ONINFO))
openswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled");
if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER))
openswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled");
/** Initialize all of the various features */
#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
#endif
init_virtual_ip(virtual_private);
init_rnd_pool();
init_timer();
init_secret();
init_states();
init_connections();
init_crypto();
init_crypto_helpers(nhelpers);
load_oswcrypto();
init_demux();
init_kernel();
init_adns();
init_id();
#ifdef TPM
init_tpm();
#endif
#ifdef HAVE_THREADS
init_fetch();
#endif
ocsp_set_default_uri(ocspuri);
/* loading X.509 CA certificates */
load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA);
/* loading X.509 AA certificates */
load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA);
/* loading X.509 OCSP certificates */
load_authcerts("OCSP cert", oco->ocspcerts_dir, AUTH_OCSP);
/* loading X.509 CRLs */
load_crls();
/* loading attribute certificates (experimental) */
load_acerts();
#ifdef HAVE_LIBNSS
/*Loading CA certs from NSS DB*/
load_authcerts_from_nss("CA cert", AUTH_CA);
#endif
daily_log_event();
call_server();
return -1; /* Shouldn't ever reach this */
}
int FileCertExport_main(int argc, char * argv[])
{
CERTCertListNode *node;
SECStatus rv = 0;
/*初始化数据库*/
rv = NSS_InitReadWrite(GetSystemDBDir());
if (SECSuccess != rv) {
printf("初始化数据库失败\n");
return -1;
}
CERTCertList * certs = NULL;
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
CERTCertificate *the_cert;
/*用nickname查找数据库证书*/
char * nickname = "BCDEF";/*nickname*/
the_cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
if (NULL == the_cert) {
printf("nickname为%s证书未找到",nickname);
}
certs = CERT_CreateSubjectCertList(NULL, certHandle, &the_cert->derSubject,
PR_Now(), PR_FALSE);
/*导出cert的文件名称*/
char * tempCertPath = malloc(255);
memset(tempCertPath, 0, 255);
strcpy(tempCertPath, GetSystemDBDir());
strcat(tempCertPath, "11111out_2.cer");
FILE * fileOUT = fopen(tempCertPath, "w+b");
if (NULL == fileOUT) {
printf("%s文件打开失败\n",tempCertPath);
return -1;
}
CERT_DestroyCertificate(the_cert);
if (!certs) {
return SECFailure;
}
for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs);
node = CERT_LIST_NEXT(node)) {
the_cert = node->cert;
/* now get the subjectList that matches this cert */
SECItem data;
data.data = the_cert->derCert.data;
data.len = the_cert->derCert.len;
{
PRInt32 numBytes = fwrite(data.data,data.len,1,fileOUT);
if (numBytes != (PRInt32) data.len) {
rv = SECFailure;
}
rv = SECSuccess;
}
if (rv != SECSuccess) {
break;
}
}
fclose(fileOUT);
printf("Export Cert SUCCESS!\n");
if (certs) {
CERT_DestroyCertList(certs);
}
rv = NSS_Shutdown();
return rv;
}
/**
* Initialise the crypto library and perform one time initialisation.
*/
static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc)
{
SECStatus s;
const char *dir = NULL;
const char *keyPrefix = NULL;
const char *certPrefix = NULL;
const char *secmod = NULL;
int noinit = 0;
PRUint32 flags = 0;
struct {
const char *field;
const char *value;
int set;
} fields[] = {
{ "dir", NULL, 0 },
{ "key3", NULL, 0 },
{ "cert7", NULL, 0 },
{ "secmod", NULL, 0 },
{ "noinit", NULL, 0 },
{ NULL, NULL, 0 }
};
const char *ptr;
size_t klen;
char **elts = NULL;
char *elt;
int i = 0, j;
apr_status_t status;
if (params) {
if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) {
return status;
}
while ((elt = elts[i])) {
ptr = strchr(elt, '=');
if (ptr) {
for (klen = ptr - elt; klen && apr_isspace(elt[klen - 1]); --klen)
;
ptr++;
}
else {
for (klen = strlen(elt); klen && apr_isspace(elt[klen - 1]); --klen)
;
}
elt[klen] = 0;
for (j = 0; fields[j].field != NULL; ++j) {
if (klen && !strcasecmp(fields[j].field, elt)) {
fields[j].set = 1;
if (ptr) {
fields[j].value = ptr;
}
break;
}
}
i++;
}
dir = fields[0].value;
keyPrefix = fields[1].value;
certPrefix = fields[2].value;
secmod = fields[3].value;
noinit = fields[4].set;
}
/* if we've been asked to bypass, do so here */
if (noinit) {
return APR_SUCCESS;
}
/* sanity check - we can only initialise NSS once */
if (NSS_IsInitialized()) {
return APR_EREINIT;
}
apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper,
apr_pool_cleanup_null);
if (keyPrefix || certPrefix || secmod) {
s = NSS_Initialize(dir, certPrefix, keyPrefix, secmod, flags);
}
else if (dir) {
s = NSS_InitReadWrite(dir);
}
else {
s = NSS_NoDB_Init(NULL);
}
if (s != SECSuccess) {
if (rc) {
*rc = PR_GetError();
}
return APR_ECRYPT;
}
return APR_SUCCESS;
}
/*
* generate an RSA signature key
*
* e is fixed at 3, without discussion. That would not be wise if these
* keys were to be used for encryption, but for signatures there are some
* real speed advantages.
* See also: https://www.imperialviolet.org/2012/03/16/rsae.html
*/
void rsasigkey(int nbits, char *configdir, char *password)
{
SECStatus rv;
PK11RSAGenParams rsaparams = { nbits, (long) E };
secuPWData pwdata = { PW_NONE, NULL };
PK11SlotInfo *slot = NULL;
SECKEYPrivateKey *privkey = NULL;
SECKEYPublicKey *pubkey = NULL;
unsigned char *bundp = NULL;
mpz_t n;
mpz_t e;
size_t bs;
char n_str[3 + MAXBITS / 4 + 1];
realtime_t now = realnow();
mpz_init(n);
mpz_init(e);
if (password == NULL) {
pwdata.source = PW_NONE;
} else {
/* check if passwd == configdir/nsspassword */
size_t cdl = strlen(configdir);
size_t pwl = strlen(password);
static const char suf[] = "/nsspassword";
if (pwl == cdl + sizeof(suf) - 1 &&
memeq(password, configdir, cdl) &&
memeq(password + cdl, suf, sizeof(suf)))
pwdata.source = PW_FROMFILE;
else
pwdata.source = PW_PLAINTEXT;
}
pwdata.data = password;
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
rv = NSS_InitReadWrite(configdir);
if (rv != SECSuccess) {
fprintf(stderr, "%s: NSS_InitReadWrite(%s) returned %d\n",
me, configdir, PR_GetError());
exit(1);
}
#ifdef FIPS_CHECK
if (PK11_IsFIPS() && !FIPSCHECK_verify(NULL, NULL)) {
fprintf(stderr,
"FIPS HMAC integrity verification test failed.\n");
exit(1);
}
#endif
if (PK11_IsFIPS() && !password) {
fprintf(stderr,
"%s: On FIPS mode a password is required\n",
me);
exit(1);
}
PK11_SetPasswordFunc(GetModulePassword);
/* Good for now but someone may want to use a hardware token */
slot = PK11_GetInternalKeySlot();
/* In which case this may be better */
/* slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, password ? &pwdata : NULL); */
/* or the user may specify the name of a token. */
#if 0
if (PK11_IsFIPS() || !PK11_IsInternal(slot)) {
rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
if (rv != SECSuccess) {
fprintf(stderr, "%s: could not authenticate to token '%s'\n",
me, PK11_GetTokenName(slot));
return;
}
}
#endif /* 0 */
/* Do some random-number initialization. */
UpdateNSS_RNG();
/* Log in to the token */
if (password) {
rv = PK11_Authenticate(slot, PR_FALSE, &pwdata);
if (rv != SECSuccess) {
fprintf(stderr,
"%s: could not authenticate to token '%s'\n",
me, PK11_GetTokenName(slot));
return;
}
}
privkey = PK11_GenerateKeyPair(slot,
CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaparams, &pubkey,
PR_TRUE,
password ? PR_TRUE : PR_FALSE,
&pwdata);
/* inTheToken, isSensitive, passwordCallbackFunction */
if (!privkey) {
fprintf(stderr,
"%s: key pair generation failed: \"%d\"\n", me,
PORT_GetError());
return;
}
/*privkey->wincx = &pwdata;*/
PORT_Assert(pubkey != NULL);
fprintf(stderr,
"Generated RSA key pair using the NSS database\n");
SECItemToHex(getModulus(pubkey), n_str);
assert(!mpz_set_str(n, n_str, 16));
/* and the output */
report("output...\n"); /* deliberate extra newline */
printf("\t# RSA %d bits %s %s", nbits, outputhostname,
ctime(&now.real_secs));
/* ctime provides \n */
printf("\t# for signatures only, UNSAFE FOR ENCRYPTION\n");
bundp = bundle(E, n, &bs);
printf("\t#pubkey=%s\n", conv(bundp, bs, 's')); /* RFC2537ish format */
printf("\tModulus: %s\n", hexOut(getModulus(pubkey)));
printf("\tPublicExponent: %s\n",
hexOut(getPublicExponent(pubkey)));
SECItem *ckaID = PK11_MakeIDFromPubKey(getModulus(pubkey));
if (ckaID != NULL) {
printf("\t# everything after this point is CKA_ID in hex format - not the real values \n");
printf("\tPrivateExponent: %s\n", hexOut(ckaID));
printf("\tPrime1: %s\n", hexOut(ckaID));
printf("\tPrime2: %s\n", hexOut(ckaID));
printf("\tExponent1: %s\n", hexOut(ckaID));
printf("\tExponent2: %s\n", hexOut(ckaID));
printf("\tCoefficient: %s\n", hexOut(ckaID));
printf("\tCKAIDNSS: %s\n", hexOut(ckaID));
SECITEM_FreeItem(ckaID, PR_TRUE);
}
if (privkey)
SECKEY_DestroyPrivateKey(privkey);
if (pubkey)
SECKEY_DestroyPublicKey(pubkey);
(void) NSS_Shutdown();
(void) PR_Cleanup();
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
PLOptStatus optstatus;
char *program_name;
const char *input_file = NULL; /* read encrypted data from here (or create) */
const char *output_file = NULL; /* write new encrypted data here */
const char *value = default_value; /* Use this for plaintext */
SECItem data;
SECItem result = {0, 0, 0};
SECItem text;
PRBool ascii = PR_FALSE;
secuPWData pwdata = { PW_NONE, 0 };
pr_stderr = PR_STDERR;
result.data = 0;
text.data = 0; text.len = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return -1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return retval;
case 'H':
long_usage (program_name);
return retval;
case 'a':
ascii = PR_TRUE;
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = optstate->value;
break;
case 'o':
output_file = optstate->value;
break;
case 't':
value = optstate->value;
break;
case 'f':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'p':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'v':
verbose = PR_TRUE;
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return -1;
}
if (!output_file && !input_file && value == default_value) {
short_usage (program_name);
PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
return -1;
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
if (output_file) {
rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
} else {
rv = NSS_Init(SECU_ConfigDirectory(NULL));
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "NSS_Init failed");
retval = -1;
goto prdone;
}
/* Convert value into an item */
data.data = (unsigned char *)value;
data.len = strlen(value);
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
if (input_file)
{
if (verbose) printf("Reading data from %s\n", input_file);
if (!strcmp(input_file, "-")) {
retval = readStdin(&result);
ascii = PR_TRUE;
} else {
retval = readInputFile(input_file, &result);
}
if (retval != 0)
goto loser;
if (ascii) {
/* input was base64 encoded. Decode it. */
SECItem newResult = {0, 0, 0};
SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult,
(const char *)result.data, result.len);
if (!ok) {
SECU_PrintError(program_name, "Base 64 decode failed");
retval = -1;
goto loser;
}
SECITEM_ZfreeItem(&result, PR_FALSE);
result = *ok;
}
}
else
{
SECItem keyid = { 0, 0, 0 };
SECItem outBuf = { 0, 0, 0 };
PK11SlotInfo *slot = NULL;
/* sigh, initialize the key database */
slot = PK11_GetInternalKeySlot();
if (slot && PK11_NeedUserInit(slot)) {
switch (pwdata.source) {
case PW_FROMFILE:
rv = SECU_ChangePW(slot, 0, pwdata.data);
break;
case PW_PLAINTEXT:
rv = SECU_ChangePW(slot, pwdata.data, 0);
break;
default:
rv = SECU_ChangePW(slot, "", 0);
break;
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
PK11_GetSlotName(slot));
return SECFailure;
}
}
if (slot) {
PK11_FreeSlot(slot);
}
rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
if (rv != SECSuccess) {
if (verbose)
SECU_PrintError(program_name, "Encrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
if (!strcmp(output_file, "-")) {
ascii = PR_TRUE;
}
if (ascii) {
/* base64 encode output. */
char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
if (!newResult) {
SECU_PrintError(program_name, "Base 64 encode failed\n");
retval = -1;
goto loser;
}
outBuf.data = (unsigned char *)newResult;
outBuf.len = strlen(newResult);
if (verbose)
printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
} else {
outBuf = result;
}
/* -v printf("Result is %.*s\n", text.len, text.data); */
if (output_file) {
PRFileDesc *file;
PRInt32 count;
if (verbose) printf("Writing result to %s\n", output_file);
if (!strcmp(output_file, "-")) {
file = PR_STDOUT;
} else {
/* Write to file */
file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
}
if (!file) {
if (verbose)
SECU_PrintError(program_name,
"Open of output file %s failed\n",
output_file);
retval = -1;
goto loser;
}
count = PR_Write(file, outBuf.data, outBuf.len);
if (file == PR_STDOUT) {
puts("");
} else {
PR_Close(file);
}
if (count != outBuf.len) {
if (verbose) SECU_PrintError(program_name, "Write failed\n");
retval = -1;
goto loser;
}
if (ascii) {
free(outBuf.data);
}
}
}
/* Decrypt the value */
rv = PK11SDR_Decrypt(&result, &text, &pwdata);
if (rv != SECSuccess) {
if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
/* Compare to required value */
if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
{
if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
retval = -1;
goto loser;
}
loser:
if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE);
if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
prdone:
PR_Cleanup ();
if (pwdata.data) {
PORT_Free(pwdata.data);
}
return retval;
}
gint
camel_init (const gchar *configdir,
gboolean nss_init)
{
CamelCertDB *certdb;
gchar *path;
if (initialised)
return 0;
bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
camel_debug_init ();
if (nss_init) {
static gchar v2_enabled = -1, weak_ciphers = -1;
gchar *nss_configdir = NULL;
gchar *nss_sql_configdir = NULL;
SECStatus status = SECFailure;
#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
/* NSS pre-3.14 has most of the ciphers disabled, thus enable
* weak ciphers, if it's compiled against such */
weak_ciphers = 1;
#endif
/* check camel-tcp-stream-ssl.c for the same "CAMEL_SSL_V2_ENABLE" */
if (v2_enabled == -1)
v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
if (weak_ciphers == -1)
weak_ciphers = g_strcmp0 (g_getenv ("CAMEL_SSL_WEAK_CIPHERS"), "1") == 0 ? 1 : 0;
if (nss_initlock == NULL) {
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
nss_initlock = PR_NewLock ();
}
PR_Lock (nss_initlock);
if (NSS_IsInitialized ())
goto skip_nss_init;
#ifndef G_OS_WIN32
nss_configdir = g_strdup (configdir);
#else
nss_configdir = g_win32_locale_filename_from_utf8 (configdir);
#endif
if (nss_has_system_db ()) {
nss_sql_configdir = g_strdup ("sql:" NSS_SYSTEM_DB );
} else {
/* On Windows, we use the Evolution configdir. On other
* operating systems we use ~/.pki/nssdb/, which is where
* the user-specific part of the "shared system db" is
* stored and is what Chrome uses too.
*
* We have to create the configdir if it does not exist,
* to prevent camel from bailing out on first run. */
#ifdef G_OS_WIN32
g_mkdir_with_parents (configdir, 0700);
nss_sql_configdir = g_strconcat (
"sql:", nss_configdir, NULL);
#else
gchar *user_nss_dir = g_build_filename (
g_get_home_dir (), ".pki/nssdb", NULL );
if (g_mkdir_with_parents (user_nss_dir, 0700))
g_warning (
"Failed to create SQL "
"database directory %s: %s\n",
user_nss_dir, strerror (errno));
nss_sql_configdir = g_strconcat (
"sql:", user_nss_dir, NULL);
g_free (user_nss_dir);
#endif
}
#if NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR >= 12)
/* See: https://wiki.mozilla.org/NSS_Shared_DB,
* particularly "Mode 3A". Note that the target
* directory MUST EXIST. */
status = NSS_InitWithMerge (
nss_sql_configdir, /* dest dir */
"", "", /* new DB name prefixes */
SECMOD_DB, /* secmod name */
nss_configdir, /* old DB dir */
"", "", /* old DB name prefixes */
nss_configdir, /* unique ID for old DB */
"Evolution S/MIME", /* UI name for old DB */
0); /* flags */
if (status == SECFailure) {
g_warning (
"Failed to initialize NSS SQL database in %s: NSS error %d",
nss_sql_configdir, PORT_GetError ());
/* Fall back to opening the old DBM database */
}
#endif
/* Support old versions of libnss, pre-sqlite support. */
if (status == SECFailure)
status = NSS_InitReadWrite (nss_configdir);
if (status == SECFailure) {
/* Fall back to using volatile dbs? */
status = NSS_NoDB_Init (nss_configdir);
if (status == SECFailure) {
g_free (nss_configdir);
g_free (nss_sql_configdir);
g_warning ("Failed to initialize NSS");
PR_Unlock (nss_initlock);
return -1;
}
}
nss_initialized = TRUE;
skip_nss_init:
NSS_SetDomesticPolicy ();
if (weak_ciphers) {
PRUint16 indx;
/* enable SSL3/TLS cipher-suites */
for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]) &&
SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_SHA &&
SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_MD5)
SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
}
}
SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
PR_Unlock (nss_initlock);
g_free (nss_configdir);
g_free (nss_sql_configdir);
}
path = g_strdup_printf ("%s/camel-cert.db", configdir);
certdb = camel_certdb_new ();
camel_certdb_set_filename (certdb, path);
g_free (path);
/* if we fail to load, who cares? it'll just be a volatile certdb */
camel_certdb_load (certdb);
/* set this certdb as the default db */
camel_certdb_set_default (certdb);
g_object_unref (certdb);
initialised = TRUE;
return 0;
}
main(int argc, char *argv[])
{
int i;
chunk_t blob, crl_uri;
err_t e;
cert_t cacert,t1;
time_t until;
/* sadly, this is actually too late */
EF_DISABLE_BANNER = 1;
progname = argv[0];
leak_detective=1;
tool_init_log();
load_oswcrypto();
set_debugging(DBG_X509|DBG_PARSING|DBG_CONTROL);
until =1421896274;
set_fake_x509_time(until); /* Wed Jan 21 22:11:14 2015 */
#ifdef HAVE_LIBNSS
{
SECStatus nss_init_status= NSS_InitReadWrite("nss.d");
if (nss_init_status != SECSuccess) {
fprintf(stderr, "NSS initialization failed (err %d)\n", PR_GetError());
exit(10);
} else {
printf("NSS Initialized\n");
PK11_SetPasswordFunc(getNSSPassword);
}
}
#endif
if(argc < 3) {
fprintf(stderr, "Usage: nsscert CAcertfile.pem cert1.pem cert2.pem...\n");
exit(5);
}
/* skip argv0 */
argc--;
argv++;
/* load CAcert */
if(!load_cert(CERT_NONE, argv[0], TRUE, "cacert", &cacert)) {
printf("could not load CA cert file: %s\n", argv[0]);
exit(1);
}
add_authcert(cacert.u.x509, AUTH_CA);
argc--;
argv++;
while(argc-- > 0) {
char *file = *argv++;
/* load target cert */
if(!load_cert(CERT_NONE, file, TRUE, "test1", &t1)) {
printf("could not load cert file: %s\n", file);
exit(1);
}
until += 86400;
if(verify_x509cert(t1.u.x509, FALSE, &until) == FALSE) {
printf("verify x509 failed\n");
exit(3);
}
printf("cert: %s is valid\n", file);
free_x509cert(t1.u.x509);
}
free_x509cert(cacert.u.x509);
report_leaks();
tool_close_log();
exit(0);
}
