void initNSS(const SslOptions& options, bool server) { SslOptions::global = options; if (options.certPasswordFile.empty()) { PK11_SetPasswordFunc(promptForPassword); } else { PK11_SetPasswordFunc(readPasswordFromFile); } NSS_CHECK(NSS_Init(options.certDbPath.c_str())); if (options.exportPolicy) { NSS_CHECK(NSS_SetExportPolicy()); } else { NSS_CHECK(NSS_SetDomesticPolicy()); } if (server) { //use defaults for all args, TODO: may want to make this configurable SSL_ConfigServerSessionIDCache(0, 0, 0, 0); } // disable SSLv2 and SSLv3 versions of the protocol - they are // no longer considered secure SSLVersionRange drange, srange; // default and supported ranges const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0 NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange)); NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange)); if (drange.min < tlsv1) { drange.min = tlsv1; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } if (srange.max > drange.max) { drange.max = srange.max; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } }
int main(int argc, char * const argv[]) { struct qnetd_instance instance; struct qnetd_advanced_settings advanced_settings; char *host_addr; uint16_t host_port; int foreground; int debug_log; int bump_log_priority; enum tlv_tls_supported tls_supported; int client_cert_required; size_t max_clients; PRIntn address_family; int lock_file; int another_instance_running; if (qnetd_advanced_settings_init(&advanced_settings) != 0) { errx(1, "Can't alloc memory for advanced settings"); } cli_parse(argc, argv, &host_addr, &host_port, &foreground, &debug_log, &bump_log_priority, &tls_supported, &client_cert_required, &max_clients, &address_family, &advanced_settings); if (foreground) { qnetd_log_init(QNETD_LOG_TARGET_STDERR); } else { qnetd_log_init(QNETD_LOG_TARGET_SYSLOG); } qnetd_log_set_debug(debug_log); qnetd_log_set_priority_bump(bump_log_priority); /* * Daemonize */ if (!foreground) { utils_tty_detach(); } if ((lock_file = utils_flock(advanced_settings.lock_file, getpid(), &another_instance_running)) == -1) { if (another_instance_running) { qnetd_log(LOG_ERR, "Another instance is running"); } else { qnetd_log_err(LOG_ERR, "Can't acquire lock"); } exit(1); } qnetd_log(LOG_DEBUG, "Initializing nss"); if (nss_sock_init_nss((tls_supported != TLV_TLS_UNSUPPORTED ? advanced_settings.nss_db_dir : NULL)) != 0) { qnetd_err_nss(); } if (SSL_ConfigServerSessionIDCache(0, 0, 0, NULL) != SECSuccess) { qnetd_err_nss(); } if (qnetd_instance_init(&instance, tls_supported, client_cert_required, max_clients, &advanced_settings) == -1) { qnetd_log(LOG_ERR, "Can't initialize qnetd"); exit(1); } instance.host_addr = host_addr; instance.host_port = host_port; if (tls_supported != TLV_TLS_UNSUPPORTED && qnetd_instance_init_certs(&instance) == -1) { qnetd_err_nss(); } qnetd_log(LOG_DEBUG, "Initializing local socket"); if (qnetd_ipc_init(&instance) != 0) { return (1); } qnetd_log(LOG_DEBUG, "Creating listening socket"); instance.server.socket = nss_sock_create_listen_socket(instance.host_addr, instance.host_port, address_family); if (instance.server.socket == NULL) { qnetd_err_nss(); } if (nss_sock_set_non_blocking(instance.server.socket) != 0) { qnetd_err_nss(); } if (PR_Listen(instance.server.socket, instance.advanced_settings->listen_backlog) != PR_SUCCESS) { qnetd_err_nss(); } global_instance = &instance; signal_handlers_register(); qnetd_log(LOG_DEBUG, "Registering algorithms"); if (qnetd_algorithm_register_all() != 0) { exit(1); } qnetd_log(LOG_DEBUG, "QNetd ready to provide service"); /* * MAIN LOOP */ while (qnetd_poll(&instance) == 0) { } /* * Cleanup */ qnetd_ipc_destroy(&instance); if (PR_Close(instance.server.socket) != PR_SUCCESS) { qnetd_warn_nss(); } CERT_DestroyCertificate(instance.server.cert); SECKEY_DestroyPrivateKey(instance.server.private_key); SSL_ClearSessionCache(); SSL_ShutdownServerSessionIDCache(); qnetd_instance_destroy(&instance); qnetd_advanced_settings_destroy(&advanced_settings); if (NSS_Shutdown() != SECSuccess) { qnetd_warn_nss(); } if (PR_Cleanup() != PR_SUCCESS) { qnetd_warn_nss(); } qnetd_log_close(); return (0); }
int StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig, void *sniSocketConfigArg) { const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL"); if (debugLevel) { int level = atoi(debugLevel); switch (level) { case DEBUG_ERRORS: gDebugLevel = DEBUG_ERRORS; break; case DEBUG_WARNINGS: gDebugLevel = DEBUG_WARNINGS; break; case DEBUG_VERBOSE: gDebugLevel = DEBUG_VERBOSE; break; default: PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL"); return 1; } } const char *callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT"); if (callbackPort) { gCallbackPort = atoi(callbackPort); } if (InitializeNSS(nssCertDBDir) != SECSuccess) { PR_fprintf(PR_STDERR, "InitializeNSS failed"); return 1; } if (NSS_SetDomesticPolicy() != SECSuccess) { PrintPRError("NSS_SetDomesticPolicy failed"); return 1; } if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) { PrintPRError("SSL_ConfigServerSessionIDCache failed"); return 1; } UniquePRFileDesc serverSocket(PR_NewTCPSocket()); if (!serverSocket) { PrintPRError("PR_NewTCPSocket failed"); return 1; } PRSocketOptionData socketOption; socketOption.option = PR_SockOpt_Reuseaddr; socketOption.value.reuse_addr = true; PR_SetSocketOption(serverSocket.get(), &socketOption); PRNetAddr serverAddr; PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr); if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) { PrintPRError("PR_Bind failed"); return 1; } if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) { PrintPRError("PR_Listen failed"); return 1; } UniquePRFileDesc rawModelSocket(PR_NewTCPSocket()); if (!rawModelSocket) { PrintPRError("PR_NewTCPSocket failed for rawModelSocket"); return 1; } UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release())); if (!modelSocket) { PrintPRError("SSL_ImportFD of rawModelSocket failed"); return 1; } if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig, sniSocketConfigArg) != SECSuccess) { PrintPRError("SSL_SNISocketConfigHook failed"); return 1; } // We have to configure the server with a certificate, but it's not one // we're actually going to end up using. In the SNI callback, we pick // the right certificate for the connection. if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME, nullptr, nullptr) != SECSuccess) { return 1; } if (gCallbackPort != 0) { if (DoCallback()) { return 1; } } while (true) { PRNetAddr clientAddr; PRFileDesc* clientSocket = PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT); HandleConnection(clientSocket, modelSocket); } return 0; }
int SetServerSecParms(struct ThreadData *td) { int rv; SECKEYPrivateKey *privKey; PRFileDesc *s; s = td->r; rv = SSL_Enable(s, SSL_SECURITY, 1); /* Enable security on this socket */ if (rv < 0) return Error(10); if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) { rv = SSL_Enable(s, SSL_REQUEST_CERTIFICATE, 1); if (rv < 0) return Error(11); } ClearCiphers(td); EnableCiphers(td); PK11_SetPasswordFunc(MyPWFunc); SSL_SetPKCS11PinArg(s,(void*) MyPWFunc); /* Find the certificates we are going to use from the database */ /* Test for dummy certificate, which shouldn't exist */ td->cert = PK11_FindCertFromNickname("XXXXXX_CERT_HARDCOREII_1024",NULL); if (td->cert != NULL) return Error(16); td->cert = NULL; if (NO_CERT != REP_ServerCert) { td->cert = PK11_FindCertFromNickname(nicknames[REP_ServerCert],NULL); } /* Note: if we're set to use NO_CERT as the server cert, then we'll * just essentially skip the rest of this (except for session ID cache setup) */ if ( (NULL == td->cert) && ( NO_CERT != REP_ServerCert )) { PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]); PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n", SECU_ErrorString ((int16) PR_GetError())); return Error(12); } if ((NO_CERT != REP_ServerCert)) { privKey = PK11_FindKeyByAnyCert(td->cert, NULL); if (privKey == NULL) { dbmsg((PR_STDERR, "Can't find key for this certificate\n")); return Error(13); } rv = SSL_ConfigSecureServer(s,td->cert,privKey, kt_rsa); if (rv != PR_SUCCESS) { dbmsg((PR_STDERR, "Can't config server error(%d) \n",rv)); return Error(14); } } rv = SSL_ConfigServerSessionIDCache(10, 0, 0, "."); if (rv != 0) { dbmsg((PR_STDERR, "Can't config server session ID cache (%d) \n",rv)); return Error(15); } return 0; }
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName) { #if 1 int isServer = 0; SECStatus rv = SECSuccess; char * buffer = malloc(1024 * 1024); PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); PK11_SetPasswordFunc(GetModulePassword); rv = NSS_Initialize(GetSystemDBDir(), "", "", "secmod.db", 0); rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE); rv = NSS_SetDomesticPolicy(); rv = NSS_SetExportPolicy(); rv = NSS_SetFrancePolicy(); // rv = SSL_CipherPolicySet(); SSL_ClearSessionCache(); rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, "."); PRFileDesc * tcp_socket = PR_NewTCPSocket(); PRFileDesc * ssl_socket = SSL_ImportFD(NULL,tcp_socket); if (isServer) { CERTCertDBHandle *certHandle; certHandle = CERT_GetDefaultCertDB(); char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/ CERTCertificate* cert = NULL; cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname); SECKEYPrivateKey *prvKey = NULL; prvKey = PK11_FindKeyByAnyCert(cert, NULL); rv = SSL_ConfigSecureServer(ssl_socket, cert,prvKey,ssl_kea_rsa); PRNetAddr netAddr; PRNetAddr netAddrLocal; rv = PR_InitializeNetAddr(0, 8888, &netAddr); rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal); rv = PR_Bind(tcp_socket,&netAddr); rv = PR_Listen(tcp_socket, 100); while (1) { PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000); PRNetAddr addr; rv = PR_GetSockName(client, &addr); rv = SSL_ForceHandshake(client); rv = PR_Write(client,"123", 4); sleep(1); } } else { rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL); char * nickname = "nickname";/*nickname*/ rv = SSL_SetURL(ssl_socket, "192.168.18.22"); char * str = malloc(1024) ; memset(str, 0, 1024); strcpy(str ,"GET /test/test2.html HTTP/1.1\r\n");//注意\r\n为回车换行 // str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"]; // str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"]; //str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"]; strcat(str ,"Host: 192.168.18.22:8443\r\n"); // str = [str stringByAppendingString:@"Content-Length: 0\r\n"]; strcat(str ,"\r\n"); // str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"]; // str = [str stringByAppendingString:@"\r\n"]; PRNetAddr netAddr; rv = PR_StringToNetAddr("192.168.18.22", &netAddr); rv = PR_InitializeNetAddr(0, 8443, &netAddr); // rv = PR_GetHostByName(); // PR_EnumerateHostEnt rv = PR_Connect(tcp_socket,&netAddr, 300000); FILE_LOG_NUMBER("/sdcard/ssl.log", rv); rv = SSL_GetClientAuthDataHook(ssl_socket,NSS_GetClientAuthData,strNickName); FILE_LOG_NUMBER("/sdcard/ssl.log", rv); rv = SSL_ForceHandshake(ssl_socket); FILE_LOG_NUMBER("/sdcard/ssl.log", rv); rv = PR_Write(tcp_socket, str, strlen(str)); FILE_LOG_NUMBER("/sdcard/ssl.log", rv); rv = PR_Read(tcp_socket,buffer, 1024 * 1024); FILE_LOG_NUMBER("/sdcard/ssl.log", rv); FILE * file = fopen("/sdcard/ssl_read.txt", "wb"); //fwrite(buffer, 1, rv, file); //rv = PR_Read(tcp_socket,buffer, 1024 * 1024); fwrite(buffer, 1, rv, file); fclose(file); sleep(1); rv = SSL_InvalidateSession(ssl_socket); rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH); rv = PR_Close(tcp_socket); rv = ssl_FreeSessionCacheLocks(); rv = NSS_Shutdown(); } #endif return 0; }
int FileSSL_main(int argc, char * argv[]) { bool isServer = true; SECStatus rv = SECSuccess; char buffer[32] = {0}; PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); PK11_SetPasswordFunc(GetModulePassword); rv = NSS_Initialize(GetSystemDBDir(), "", "", "secmod.db", 0); rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE); rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE); rv = NSS_SetDomesticPolicy(); rv = NSS_SetExportPolicy(); rv = NSS_SetFrancePolicy(); // rv = SSL_CipherPolicySet(); SSL_ClearSessionCache(); rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, "."); PRFileDesc * socket = PR_NewTCPSocket(); socket = SSL_ImportFD(NULL,socket); if (isServer) { CERTCertDBHandle *certHandle; certHandle = CERT_GetDefaultCertDB(); char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/ CERTCertificate* cert = NULL; cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname); SECKEYPrivateKey *prvKey = NULL; prvKey = PK11_FindKeyByAnyCert(cert, NULL); rv = SSL_ConfigSecureServer(socket, cert,prvKey,ssl_kea_rsa); PRNetAddr netAddr; PRNetAddr netAddrLocal; rv = PR_InitializeNetAddr(0, 8888, &netAddr); rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal); rv = PR_Bind(socket,&netAddr); rv = PR_Listen(socket, 100); while (1) { PRFileDesc * client = PR_Accept(socket, &netAddr, 6000000); PRNetAddr addr; rv = PR_GetSockName(client, &addr); rv = SSL_ForceHandshake(client); rv = PR_Write(client,"123", 4); sleep(1); } } else { rv = SSL_SetURL(socket, "127.0.0.1"); PRNetAddr netAddr; PRNetAddr netAddrLocal; rv = PR_InitializeNetAddr(0, 8888, &netAddr); rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal); // rv = PR_GetHostByName(); // PR_EnumerateHostEnt rv = PR_Connect(socket,&netAddr, 300000); rv = SSL_AuthCertificateHook(socket, OwnAuthCertHandler, NULL); rv = SSL_ForceHandshake(socket); while (1) { rv = PR_Read(socket,buffer, 32); sleep(1); } } return 0; }