static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
if(NSS_IsInitialized())
return CURLE_OK;
if(cert_dir) {
SECStatus rv;
const bool use_sql = NSS_VersionCheck("3.12.0");
char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
if(!certpath)
return CURLE_OUT_OF_MEMORY;
infof(data, "Initializing NSS with certpath: %s\n", certpath);
rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
free(certpath);
if(rv == SECSuccess)
return CURLE_OK;
infof(data, "Unable to initialize NSS database\n");
}
infof(data, "Initializing NSS with certpath: none\n");
if(NSS_NoDB_Init(NULL) == SECSuccess)
return CURLE_OK;
infof(data, "Unable to initialize NSS\n");
return CURLE_SSL_CACERT_BADFILE;
}
gboolean
sc_init_nss (const char *nss_dir, GError **error)
{
SECStatus status = SECSuccess;
static const guint32 flags =
NSS_INIT_READONLY| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT |
NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD;
if (!nss_dir) {
nss_dir = SC_NSS_NSS_DB;
}
sc_debug ("attempting to load NSS database '%s'",
SC_NSS_NSS_DB);
status = NSS_Initialize (nss_dir, "", "", SECMOD_DB, flags);
if (status != SECSuccess) {
sc_debug ("NSS security system could not be initialized");
sc_set_nss_error (error, _("NSS security system could not be initialized"));
return FALSE;
}
sc_debug ("NSS database sucessfully loaded");
return TRUE;
}
static bool pluto_init_nss(char *nssdb)
{
SECStatus rv;
char dbuf[1024];
snprintf(dbuf, sizeof(dbuf), "sql:%s", nssdb);
loglog(RC_LOG_SERIOUS, "NSS DB directory: %s", dbuf);
rv = NSS_Initialize(dbuf, "", "", SECMOD_DB, NSS_INIT_READONLY);
if (rv != SECSuccess) {
loglog(RC_LOG_SERIOUS, "NSS readonly initialization (\"%s\") failed (err %d)\n",
dbuf, PR_GetError());
return FALSE;
}
libreswan_log("NSS initialized");
PK11_SetPasswordFunc(getNSSPassword);
/*
* This exists purely to make the BSI happy.
* We do not inflict this on other users
*/
if (pluto_nss_seedbits != 0) {
int seedbytes = BYTES_FOR_BITS(pluto_nss_seedbits);
unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix");
get_bsi_random(seedbytes, buf); /* much TLA, very blocking */
rv = PK11_RandomUpdate(buf, seedbytes);
libreswan_log("seeded %d bytes into the NSS PRNG", seedbytes);
passert(rv == SECSuccess);
messupn(buf, seedbytes);
pfree(buf);
}
return TRUE;
}
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
#ifdef HAVE_NSS_INITCONTEXT
NSSInitParameters initparams;
if(nss_context != NULL)
return CURLE_OK;
memset((void *) &initparams, '\0', sizeof(initparams));
initparams.length = sizeof(initparams);
#else /* HAVE_NSS_INITCONTEXT */
SECStatus rv;
if(NSS_IsInitialized())
return CURLE_OK;
#endif
if(cert_dir) {
const bool use_sql = NSS_VersionCheck("3.12.0");
char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
if(!certpath)
return CURLE_OUT_OF_MEMORY;
infof(data, "Initializing NSS with certpath: %s\n", certpath);
#ifdef HAVE_NSS_INITCONTEXT
nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
free(certpath);
if(nss_context != NULL)
return CURLE_OK;
#else /* HAVE_NSS_INITCONTEXT */
rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
free(certpath);
if(rv == SECSuccess)
return CURLE_OK;
#endif
infof(data, "Unable to initialize NSS database\n");
}
infof(data, "Initializing NSS with certpath: none\n");
#ifdef HAVE_NSS_INITCONTEXT
nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
| NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN
| NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
if(nss_context != NULL)
return CURLE_OK;
#else /* HAVE_NSS_INITCONTEXT */
if(NSS_NoDB_Init(NULL) == SECSuccess)
return CURLE_OK;
#endif
infof(data, "Unable to initialize NSS\n");
return CURLE_SSL_CACERT_BADFILE;
}
/**
* Initializes the NSS context.
*
* @param NSSConfigDir The config dir containing the private key to use
* @return 0 on success
* -1 on error
*/
int
NSSInitCryptoContext(const char *NSSConfigDir)
{
SECStatus status = NSS_Initialize(NSSConfigDir,
"", "", SECMOD_DB, NSS_INIT_READONLY);
if (SECSuccess != status) {
fprintf(stderr, "ERROR: Could not initialize NSS\n");
return -1;
}
return 0;
}
static CURLcode init_nss(struct SessionHandle *data)
{
char *cert_dir;
struct_stat st;
if(initialized)
return CURLE_OK;
/* First we check if $SSL_DIR points to a valid dir */
cert_dir = getenv("SSL_DIR");
if(cert_dir) {
if((stat(cert_dir, &st) != 0) ||
(!S_ISDIR(st.st_mode))) {
cert_dir = NULL;
}
}
/* Now we check if the default location is a valid dir */
if(!cert_dir) {
if((stat(SSL_DIR, &st) == 0) &&
(S_ISDIR(st.st_mode))) {
cert_dir = (char *)SSL_DIR;
}
}
if(!NSS_IsInitialized()) {
SECStatus rv;
initialized = 1;
infof(data, "Initializing NSS with certpath: %s\n",
cert_dir ? cert_dir : "none");
if(!cert_dir) {
rv = NSS_NoDB_Init(NULL);
}
else {
char *certpath =
PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "", cert_dir);
rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
PR_smprintf_free(certpath);
}
if(rv != SECSuccess) {
infof(data, "Unable to initialize NSS database\n");
initialized = 0;
return CURLE_SSL_CACERT_BADFILE;
}
}
if(num_enabled_ciphers() == 0)
NSS_SetDomesticPolicy();
return CURLE_OK;
}
SECStatus
InitializeNSS(const char* nssCertDBDir)
{
// Try initializing an existing DB.
if (NSS_Init(nssCertDBDir) == SECSuccess) {
return SECSuccess;
}
// Create a new DB if there is none...
SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
if (rv != SECSuccess) {
return rv;
}
// ...and load all certificates into it.
return LoadCertificatesAndKeys(nssCertDBDir);
}
static void
load_nss (GsdSmartcardManager *self)
{
GsdSmartcardManagerPrivate *priv = self->priv;
SECStatus status = SECSuccess;
static const guint32 flags = NSS_INIT_READONLY
| NSS_INIT_FORCEOPEN
| NSS_INIT_NOROOTINIT
| NSS_INIT_OPTIMIZESPACE
| NSS_INIT_PK11RELOAD;
g_debug ("attempting to load NSS database '%s'",
GSD_SMARTCARD_MANAGER_NSS_DB);
PR_Init (PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
status = NSS_Initialize (GSD_SMARTCARD_MANAGER_NSS_DB,
"", "", SECMOD_DB, flags);
if (status != SECSuccess) {
gsize error_message_size;
char *error_message;
error_message_size = PR_GetErrorTextLength ();
if (error_message_size == 0) {
g_debug ("NSS security system could not be initialized");
} else {
error_message = g_alloca (error_message_size);
PR_GetErrorText (error_message);
g_debug ("NSS security system could not be initialized - %s",
error_message);
}
priv->nss_is_loaded = FALSE;
return;
}
g_debug ("NSS database '%s' loaded", GSD_SMARTCARD_MANAGER_NSS_DB);
priv->nss_is_loaded = TRUE;
}
static Error
init_crypto(PRBool create, PRBool readOnly)
{
PRUint32 flags = 0;
SECStatus rv;
Error retval;
/* Open/create key database */
if (readOnly)
flags |= NSS_INIT_READONLY;
if (nocertdb)
flags |= NSS_INIT_NOCERTDB;
rv = NSS_Initialize(SECU_ConfigDirectory(NULL), dbprefix, dbprefix,
secmodName, flags);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
retval = NSS_INITIALIZE_FAILED_ERR;
} else
retval = SUCCESS;
return retval;
}
bool lsw_nss_setup(const char *configdir, unsigned setup_flags,
PK11PasswordFunc get_password, lsw_nss_buf_t err)
{
/*
* save for cleanup
*/
flags = setup_flags;
/*
* According to the manual, not needed, and all parameters are
* ignored. Does no harm?
*/
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
libreswan_log("Initializing NSS");
if (configdir) {
const char sql[] = "sql:";
char *nssdb;
if (strncmp(sql, configdir, strlen(sql)) == 0) {
nssdb = strdup(configdir);
} else {
nssdb = alloc_bytes(strlen(configdir) + strlen(sql) + 1, "nssdb");
strcpy(nssdb, sql);
strcat(nssdb, configdir);
}
libreswan_log("Opening NSS database \"%s\" %s", nssdb,
(flags & LSW_NSS_READONLY) ? "read-only" : "read-write");
SECStatus rv = NSS_Initialize(nssdb, "", "", SECMOD_DB,
(flags & LSW_NSS_READONLY) ? NSS_INIT_READONLY : 0);
if (rv != SECSuccess) {
snprintf(err, sizeof(lsw_nss_buf_t),
"Initialization of NSS with %s database \"%s\" failed (%d)",
(flags & LSW_NSS_READONLY) ? "read-only" : "read-write",
nssdb, PR_GetError());
pfree(nssdb);
return FALSE;
}
} else {
NSS_NoDB_Init(".");
}
if (PK11_IsFIPS() && get_password == NULL) {
snprintf(err, sizeof(lsw_nss_buf_t),
"on FIPS mode a password is required");
return FALSE;
}
if (get_password) {
PK11_SetPasswordFunc(get_password);
}
if (!(flags & LSW_NSS_SKIP_AUTH)) {
PK11SlotInfo *slot = lsw_nss_get_authenticated_slot(err);
if (slot == NULL) {
return FALSE;
}
PK11_FreeSlot(slot);
}
return TRUE;
}
int main(int argc, char *argv[])
{
int opt;
long fin = 0;
int use_pkix = 0;
SECStatus rv;
char pbuf[1024];
PRBool crlcheck = PR_FALSE;
PRBool ocspcheck = PR_FALSE;
PRBool strict = PR_FALSE;
CERTCertDBHandle *handle = NULL;
CERTCertificate **certout = NULL;
CERTVerifyLog vfy_log;
CERTVerifyLog vfy_log2;
CERTVerifyLog *cur_log;
CERTValOutParam *pkixout = NULL;
SECItem c1;
SECItem c2;
SECItem *certs[2];
certs[0] = &c1;
certs[1] = &c2;
int numcerts = 0;
while ((opt = getopt(argc, argv, "u:d:e:pn:s:coSr")) != -1) {
switch(opt) {
/* usage type */
case 'u':
set_usage(optarg);
break;
case 'd':
db_dir = optarg;
break;
case 's':
sub_file = optarg;
break;
case 'c':
crlcheck = PR_TRUE;
break;
case 'o':
ocspcheck = PR_TRUE;
break;
case 'S':
strict = PR_TRUE;
break;
case 'e':
end_file = optarg;
break;
case 'p':
use_pkix = 1;
break;
case 'n':
rightca_nick = optarg;
break;
case 'r':
retry_verify = PR_TRUE;
break;
default:
print_usage();
break;
}
}
if (db_dir == NULL)
db_dir = "testfiles/";
if (end_file == NULL)
end_file = "testfiles/end.pem";
get_file(certs[numcerts++], end_file);
if (sub_file != NULL) {
get_file(certs[numcerts++], sub_file);
}
snprintf(pbuf, sizeof(pbuf), "sql:%s", db_dir);
if (NSS_Initialize(pbuf, "", "", "secmod.db", 0x1) != SECSuccess) {
printf("NSS_Initialize failed %d\n", PORT_GetError());
exit(-1);
}
if ((handle = CERT_GetDefaultCertDB()) == NULL) {
printf("NULL handle\n");
exit(-1);
}
if (ocspcheck) {
CERT_EnableOCSPChecking(handle);
CERT_DisableOCSPDefaultResponder(handle);
if (strict)
CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
}
rv = CERT_ImportCerts(handle, 0, numcerts, certs, &certout, PR_FALSE,
PR_FALSE, NULL);
if (rv != SECSuccess) {
printf("CERT_ImportCerts failed %d\n", PORT_GetError());
exit(-1);
}
vfy_log.count = 0;
vfy_log.head = NULL;
vfy_log.tail = NULL;
vfy_log.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
vfy_log2.count = 0;
vfy_log2.head = NULL;
vfy_log2.tail = NULL;
vfy_log2.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (use_pkix) {
int in_idx = 0;
CERTValInParam cvin[7];
CERTValOutParam cvout[3];
CERTCertList *trustcl = NULL;
CERTRevocationFlags rev;
PRUint64 revFlagsLeaf[2] = { 0, 0 };
PRUint64 revFlagsChain[2] = { 0, 0 };
zero(&cvin); /* ??? is this reasonable? */
zero(&cvout); /* ??? is this reasonable? */
zero(&rev); /* ??? is this reasonable? */
if (rightca_nick == NULL)
rightca_nick = "root";
if ((trustcl = get_trust_certlist(handle, rightca_nick)) == NULL) {
printf("Couldn't find trust anchor\n");
exit(-1);
}
cvin[in_idx].type = cert_pi_useAIACertFetch;
cvin[in_idx++].value.scalar.b = PR_TRUE;
cvin[in_idx].type = cert_pi_revocationFlags;
cvin[in_idx++].value.pointer.revocation = &rev;
cvin[in_idx].type = cert_pi_trustAnchors;
cvin[in_idx++].value.pointer.chain = trustcl;
cvin[in_idx].type = cert_pi_useOnlyTrustAnchors;
cvin[in_idx++].value.scalar.b = PR_TRUE;
set_rev_per_meth(&rev, revFlagsLeaf, revFlagsChain);
set_rev_params(&rev, crlcheck, ocspcheck, strict);
cvin[in_idx].type = cert_pi_end;
cvout[0].type = cert_po_errorLog;
cvout[0].value.pointer.log = &vfy_log;
cur_log = &vfy_log;
cvout[1].type = cert_po_certList;
cvout[1].value.pointer.chain = NULL;
cvout[2].type = cert_po_end;
pkixout = &cvout[0];
pkixredo:
rv = CERT_PKIXVerifyCert(*certout, pkixusage, cvin, cvout,
NULL);
//CERT_DestroyCertList(trustcl);
} else {
cur_log = &vfy_log;
vfyredo:
rv = CERT_VerifyCert(handle, *certout, PR_TRUE, usage, PR_Now(),
NULL,
cur_log);
}
if (rv != SECSuccess || cur_log->count > 0) {
if (cur_log->count > 0 && cur_log->head != NULL) {
fin = err_stat(cur_log->head);
} else {
fin = PORT_GetError();
}
if (fin == SEC_ERROR_INADEQUATE_KEY_USAGE) {
printf("SEC_ERROR_INADEQUATE_KEY_USAGE : Certificate key usage inadequate for attempted operation.\n"
);
} else if (fin == SEC_ERROR_INADEQUATE_CERT_TYPE) {
printf("SEC_ERROR_INADEQUATE_CERT_TYPE : Certificate type not approved for application.\n"
);
} else {
printf("OTHER : %ld", fin);
}
}
if ((fin == SEC_ERROR_INADEQUATE_CERT_TYPE ||
fin == SEC_ERROR_INADEQUATE_KEY_USAGE) &&
retry_verify && !retried) {
printf("Retrying verification\n");
fin = 0;
retried = PR_TRUE;
if (use_pkix) {
pkixout[0].value.pointer.log = &vfy_log2;
cur_log = &vfy_log2;
pkixout[1].value.pointer.chain = NULL;
if (pkixusage == certificateUsageSSLClient) {
pkixusage = certificateUsageSSLServer;
} else {
pkixusage = certificateUsageSSLClient;
}
goto pkixredo;
} else {
if (usage == certUsageSSLClient) {
usage = certUsageSSLServer;
} else {
usage = certUsageSSLClient;
}
goto vfyredo;
}
}
PORT_FreeArena(vfy_log.arena, PR_FALSE);
PORT_FreeArena(vfy_log2.arena, PR_FALSE);
NSS_Shutdown();
exit(fin == 0 ? 0 : 1);
}
am_status_t Connection::initialize(const Properties& properties)
{
am_status_t status = AM_SUCCESS;
SECStatus secStatus;
if (! initialized) {
const char *nssMethodName = "NSS_Initialize";
std::string certDir = properties.get(AM_COMMON_SSL_CERT_DIR_PROPERTY,
"");
std::string dbPrefix = properties.get(AM_COMMON_CERT_DB_PREFIX_PROPERTY,
"");
unsigned long timeout = properties.getUnsigned(AM_COMMON_RECEIVE_TIMEOUT_PROPERTY, 0);
if (timeout > 0) {
receive_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(timeout));
} else {
receive_timeout = PR_INTERVAL_NO_TIMEOUT;
}
unsigned long socket_timeout = properties.getUnsigned(AM_COMMON_CONNECT_TIMEOUT_PROPERTY, 0);
if (socket_timeout > 0) {
connect_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(socket_timeout));
} else {
connect_timeout = PR_INTERVAL_NO_TIMEOUT;
}
tcp_nodelay_is_enabled = properties.getBool(AM_COMMON_TCP_NODELAY_ENABLE_PROPERTY, false);
//
// Initialize the NSS libraries and enable use of all of the
// cipher suites. According to the NSS 3.3 API documentation
// NSS_SetDomesticPolicy enables all of the cipher suites except
// two: SSL_RSA_WITH_NULL_MD5 and SSL_FORTEZZA_DMS_WITH_NULL_SHA.
// (It does not explain why those two are not enabled.) The SSL
// code in Agent Pack 1.0 explicitly enabled the first of the
// disabled cipher suites.
// We do not enable them here since null or no encryption is a
// potential security risk.
//
Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
"calling NSS_Initialize() with directory = \"%s\" and "
"prefix = \"%s\"", certDir.c_str(), dbPrefix.c_str());
Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
"Connection timeout when receiving data = %i milliseconds",timeout);
if (tcp_nodelay_is_enabled) {
Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() "
"Socket option TCP_NODELAY is enabled");
}
secStatus = NSS_Initialize(certDir.c_str(), dbPrefix.c_str(),
dbPrefix.c_str(), "secmod.db",
NSS_INIT_READONLY|NSS_INIT_FORCEOPEN);
if (SECSuccess == secStatus) {
nssMethodName = "NSS_SetDomesticPolicy";
secStatus = NSS_SetDomesticPolicy();
}
if (SECSuccess == secStatus) {
nssMethodName = "PK11_SetPasswordFunc";
PK11_SetPasswordFunc(getPasswordFromArg);
initialized = true;
}
if(secStatus != SECSuccess) {
secStatus = NSS_NoDB_Init(NULL);
if (secStatus != SECSuccess) {
Log::log(Log::ALL_MODULES, Log::LOG_ERROR,
"Connection::initialize() unable to initialize SSL "
"libraries: %s returned %d", nssMethodName,
PR_GetError());
status = AM_NSPR_ERROR;
}
}
}
return status;
}
int main(int argc, char ** argv)
{
SECStatus rv;
PRFileDesc *in;
PRFileDesc *out;
PRPollDesc pd;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT;
char buf[1024];
PRInt32 nBytes;
char * command;
char * tokenName;
char * tokenpw;
int fipsmode = 0;
int semid = 0;
union semun semarg;
if (argc < 4 || argc > 5) {
fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
exit(1);
}
signal(SIGHUP, SIG_IGN);
semid = strtol(argv[1], NULL, 10);
if (!strcasecmp(argv[2], "on"))
fipsmode = 1;
/* Initialize NSPR */
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
/* Set the PKCS #11 strings for the internal token. */
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
/* Initialize NSS and open the certificate database read-only. */
rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
if (rv != SECSuccess) {
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
exit(1);
}
if (fipsmode) {
if (!PK11_IsFIPS()) {
char * internal_name = PR_smprintf("%s",
SECMOD_GetInternalModule()->commonName);
if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
!PK11_IsFIPS()) {
NSS_Shutdown();
fprintf(stderr,
"Unable to enable FIPS mode");
exit(1);
}
PR_smprintf_free(internal_name);
}
}
in = PR_GetSpecialFD(PR_StandardInput);
out = PR_GetSpecialFD(PR_StandardOutput);
if (in == NULL || out == NULL) {
fprintf(stderr, "PR_GetInheritedFD failed\n");
exit(1);
}
pd.fd = in;
pd.in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
while (1) {
rv = PR_Poll(&pd, 1, timeout);
if (rv == -1) { /* PR_Poll failed */
break;
}
if (pd.out_flags & (PR_POLL_HUP | PR_POLL_ERR | PR_POLL_NVAL | PR_POLL_EXCEPT)) {
break;
}
if (pd.out_flags & PR_POLL_READ) {
memset(buf, 0, sizeof(buf));
nBytes = PR_Read(in, buf, sizeof(buf));
if (nBytes == -1 || nBytes == 0) {
break;
}
command = getstr(buf, 0);
tokenName = getstr(buf, 1);
tokenpw = getstr(buf, 2);
if (command && !strcmp(command, "QUIT")) {
break;
} else if (command && !strcmp(command, "STOR")) {
PRInt32 err = PIN_SUCCESS;
Node *node = NULL;
if (tokenName && tokenpw) {
node = (Node*)malloc(sizeof (Node));
if (!node) { err = PIN_NOMEMORY; }
node->tokenName = strdup(tokenName);
node->store = 0;
node->next = 0;
if (err == PIN_SUCCESS)
err = CreatePk11PinStore(&node->store, tokenName, tokenpw);
memset(tokenpw, 0, strlen(tokenpw));
} else
err = PIN_SYSTEMERROR;
sprintf(buf, "%d", err);
PR_Write(out, buf, 1);
if (err == PIN_SUCCESS) {
if (pinList)
node->next = pinList;
pinList = node;
}
/* Now clean things up */
if (command) free(command);
if (tokenName) free(tokenName);
if (tokenpw) free(tokenpw);
} else if (command && !strcmp(command, "RETR")) {
Node *node;
char *pin = 0;
PRBool found = PR_FALSE;
for (node = pinList; node != NULL; node = node->next) {
if (!strcmp(node->tokenName, tokenName)) {
if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) {
if (strlen(pin) == 0)
PR_Write(out, "", 1);
else
PR_Write(out, pin, strlen(pin));
memset(pin, 0, strlen(pin));
free(pin);
found = PR_TRUE;
break;
}
}
}
if (found != PR_TRUE)
PR_Write(out, "", 1);
free(command);
free(tokenName);
} else {
; /* ack, unknown command */
}
}
}
freeList(pinList);
PR_Close(in);
/* Remove the semaphore used for locking here. This is because this
* program only goes away when Apache shuts down so we don't have to
* worry about reloads.
*/
semctl(semid, 0, IPC_RMID, semarg);
return 0;
}
int
main(int argc, char **argv)
{
PLOptState *optstate;
PLOptStatus optstatus;
PRUint32 flags = 0;
Error ret;
SECStatus rv;
char *dbString = NULL;
PRBool doInitTest = PR_FALSE;
int i;
progName = strrchr(argv[0], '/');
if (!progName)
progName = strrchr(argv[0], '\\');
progName = progName ? progName + 1 : argv[0];
optstate = PL_CreateOptState(argc, argv, "rfip:d:h");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'h':
default:
Usage(progName);
break;
case 'r':
flags |= NSS_INIT_READONLY;
break;
case 'f':
flags |= NSS_INIT_FORCEOPEN;
break;
case 'i':
doInitTest = PR_TRUE;
break;
case 'p':
userPassword = PORT_Strdup(optstate->value);
break;
case 'd':
dbDir = PORT_Strdup(optstate->value);
break;
}
}
if (optstatus == PL_OPT_BAD)
Usage(progName);
if (!dbDir) {
dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
}
dbDir = SECU_ConfigDirectory(dbDir);
PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);
if (dbDir[0] == '\0') {
PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
ret = DIR_DOESNT_EXIST_ERR;
goto loser;
}
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
/* get the status of the directory and databases and output message */
if (PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
} else if (PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir);
} else {
if (!(flags & NSS_INIT_READONLY) &&
PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir);
}
if (!doInitTest) {
for (i = 0; i < 3; i++) {
dbString = PR_smprintf("%s/%s", dbDir, dbName[i]);
PR_fprintf(PR_STDOUT, "database checked is %s\n", dbString);
if (PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR],
dbString);
} else if (PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR],
dbString);
} else if (!(flags & NSS_INIT_READONLY) &&
PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
dbString);
}
}
}
}
rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix,
secmodName, flags);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
ret = NSS_INITIALIZE_FAILED_ERR;
} else {
ret = SUCCESS;
if (doInitTest) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
SECStatus rv;
int passwordSuccess = 0;
int type = CKM_DES3_CBC;
SECItem keyid = { 0, NULL, 0 };
unsigned char keyIdData[] = { 0xff, 0xfe };
PK11SymKey *key = NULL;
keyid.data = keyIdData;
keyid.len = sizeof(keyIdData);
PK11_SetPasswordFunc(getPassword);
rv = PK11_InitPin(slot, (char *)NULL, userPassword);
if (rv != SECSuccess) {
PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n",
SECU_Strerror(PORT_GetError()));
ret = CHANGEPW_FAILED_ERR;
}
if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) {
PR_fprintf(PR_STDERR, "New DB did not log in after init\n");
ret = AUTHENTICATION_FAILED_ERR;
}
/* generate a symetric key */
key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid,
PR_TRUE, &passwordSuccess);
if (!key) {
PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n",
SECU_Strerror(PORT_GetError()));
exit(UNSPECIFIED_ERR);
}
PK11_FreeSymKey(key);
PK11_Logout(slot);
PK11_Authenticate(slot, PR_TRUE, &passwordSuccess);
if (*userPassword && !passwordSuccess) {
PR_fprintf(PR_STDERR, "New DB Did not initalize\n");
ret = AUTHENTICATION_FAILED_ERR;
}
key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess);
if (!key) {
PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
SECU_Strerror(PORT_GetError()));
ret = UNSPECIFIED_ERR;
} else {
PK11_FreeSymKey(key);
}
PK11_FreeSlot(slot);
}
if (NSS_Shutdown() != SECSuccess) {
PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
SECU_Strerror(PORT_GetError()));
exit(1);
}
}
loser:
return ret;
}
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
{
PRInt32 err;
PRFileDesc *model = NULL;
PRBool ssl2, ssl3, tlsv1;
struct SessionHandle *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECStatus rv;
char *certDir = NULL;
int curlerr;
const int *cipher_to_enable;
curlerr = CURLE_SSL_CONNECT_ERROR;
if (connssl->state == ssl_connection_complete)
return CURLE_OK;
connssl->data = data;
#ifdef HAVE_PK11_CREATEGENERICOBJECT
connssl->cacert[0] = NULL;
connssl->cacert[1] = NULL;
connssl->key = NULL;
#endif
/* FIXME. NSS doesn't support multiple databases open at the same time. */
PR_Lock(nss_initlock);
if(!initialized) {
struct_stat st;
/* First we check if $SSL_DIR points to a valid dir */
certDir = getenv("SSL_DIR");
if(certDir) {
if((stat(certDir, &st) != 0) ||
(!S_ISDIR(st.st_mode))) {
certDir = NULL;
}
}
/* Now we check if the default location is a valid dir */
if(!certDir) {
if((stat(SSL_DIR, &st) == 0) &&
(S_ISDIR(st.st_mode))) {
certDir = (char *)SSL_DIR;
}
}
if (!NSS_IsInitialized()) {
initialized = 1;
infof(conn->data, "Initializing NSS with certpath: %s\n",
certDir ? certDir : "none");
if(!certDir) {
rv = NSS_NoDB_Init(NULL);
}
else {
char *certpath = PR_smprintf("%s%s",
NSS_VersionCheck("3.12.0") ? "sql:" : "",
certDir);
rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
PR_smprintf_free(certpath);
}
if(rv != SECSuccess) {
infof(conn->data, "Unable to initialize NSS database\n");
curlerr = CURLE_SSL_CACERT_BADFILE;
initialized = 0;
PR_Unlock(nss_initlock);
goto error;
}
}
if(num_enabled_ciphers() == 0)
NSS_SetDomesticPolicy();
#ifdef HAVE_PK11_CREATEGENERICOBJECT
if(!mod) {
char *configstring = aprintf("library=%s name=PEM", pem_library);
if(!configstring) {
PR_Unlock(nss_initlock);
goto error;
}
mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
free(configstring);
if(!mod || !mod->loaded) {
if(mod) {
SECMOD_DestroyModule(mod);
mod = NULL;
}
infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
"PEM certificates will not work.\n", pem_library);
}
}
#endif
PK11_SetPasswordFunc(nss_get_password);
}
PR_Unlock(nss_initlock);
model = PR_NewTCPSocket();
if(!model)
goto error;
model = SSL_ImportFD(NULL, model);
if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess)
goto error;
ssl2 = ssl3 = tlsv1 = PR_FALSE;
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
ssl3 = tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_SSLv2:
ssl2 = PR_TRUE;
break;
case CURL_SSLVERSION_SSLv3:
ssl3 = PR_TRUE;
break;
}
if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
goto error;
/* enable all ciphers from enable_ciphers_by_default */
cipher_to_enable = enable_ciphers_by_default;
while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
goto error;
}
cipher_to_enable++;
}
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
goto error;
}
}
if(data->set.ssl.verifyhost == 1)
infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
data->set.ssl.certverifyresult=0; /* not checked yet */
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
!= SECSuccess) {
goto error;
}
if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
NULL) != SECSuccess)
goto error;
if(!data->set.ssl.verifypeer)
/* skip the verifying of the peer */
;
else if(data->set.ssl.CAfile) {
int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile,
PR_TRUE);
if(!rc) {
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
}
else if(data->set.ssl.CApath) {
struct_stat st;
PRDir *dir;
PRDirEntry *entry;
if(stat(data->set.ssl.CApath, &st) == -1) {
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
if(S_ISDIR(st.st_mode)) {
int rc;
dir = PR_OpenDir(data->set.ssl.CApath);
do {
entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN);
if(entry) {
char fullpath[PATH_MAX];
snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
entry->name);
rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE);
/* FIXME: check this return value! */
}
/* This is purposefully tolerant of errors so non-PEM files
* can be in the same directory */
} while(entry != NULL);
PR_CloseDir(dir);
}
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
if (data->set.ssl.CRLfile) {
int rc = nss_load_crl(data->set.ssl.CRLfile, PR_FALSE);
if (!rc) {
curlerr = CURLE_SSL_CRL_BADFILE;
goto error;
}
infof(data,
" CRLfile: %s\n",
data->set.ssl.CRLfile ? data->set.ssl.CRLfile : "none");
}
if(data->set.str[STRING_CERT]) {
bool nickname_alloc = FALSE;
char *nickname = fmt_nickname(data->set.str[STRING_CERT], &nickname_alloc);
if(!nickname)
return CURLE_OUT_OF_MEMORY;
if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
data->set.str[STRING_KEY])) {
/* failf() is already done in cert_stuff() */
if(nickname_alloc)
free(nickname);
return CURLE_SSL_CERTPROBLEM;
}
/* this "takes over" the pointer to the allocated name or makes a
dup of it */
connssl->client_nickname = nickname_alloc?nickname:strdup(nickname);
if(!connssl->client_nickname)
return CURLE_OUT_OF_MEMORY;
}
else
connssl->client_nickname = NULL;
if(SSL_GetClientAuthDataHook(model, SelectClientCert,
(void *)connssl) != SECSuccess) {
curlerr = CURLE_SSL_CERTPROBLEM;
goto error;
}
/* Import our model socket onto the existing file descriptor */
connssl->handle = PR_ImportTCPSocket(sockfd);
connssl->handle = SSL_ImportFD(model, connssl->handle);
if(!connssl->handle)
goto error;
PR_Close(model); /* We don't need this any more */
/* This is the password associated with the cert that we're using */
if (data->set.str[STRING_KEY_PASSWD]) {
SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]);
}
/* Force handshake on next I/O */
SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
SSL_SetURL(connssl->handle, conn->host.name);
/* Force the handshake now */
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
!= SECSuccess) {
if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
else if(conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT;
goto error;
}
connssl->state = ssl_connection_complete;
display_conn_info(conn, connssl->handle);
if (data->set.str[STRING_SSL_ISSUERCERT]) {
SECStatus ret;
bool nickname_alloc = FALSE;
char *nickname = fmt_nickname(data->set.str[STRING_SSL_ISSUERCERT],
&nickname_alloc);
if(!nickname)
return CURLE_OUT_OF_MEMORY;
ret = check_issuer_cert(connssl->handle, nickname);
if(nickname_alloc)
free(nickname);
if(SECFailure == ret) {
infof(data,"SSL certificate issuer check failed\n");
curlerr = CURLE_SSL_ISSUER_ERROR;
goto error;
}
else {
infof(data, "SSL certificate issuer check ok\n");
}
}
return CURLE_OK;
error:
err = PR_GetError();
infof(data, "NSS error %d\n", err);
if(model)
PR_Close(model);
return curlerr;
}
int FileSSL_main(int argc, char * argv[])
{
bool isServer = true;
SECStatus rv = SECSuccess;
char buffer[32] = {0};
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * socket = PR_NewTCPSocket();
socket = SSL_ImportFD(NULL,socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(socket,&netAddr);
rv = PR_Listen(socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_SetURL(socket, "127.0.0.1");
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(socket,&netAddr, 300000);
rv = SSL_AuthCertificateHook(socket, OwnAuthCertHandler, NULL);
rv = SSL_ForceHandshake(socket);
while (1) {
rv = PR_Read(socket,buffer, 32);
sleep(1);
}
}
return 0;
}
/**
* Initialise the crypto library and perform one time initialisation.
*/
static apr_status_t crypto_init(apr_pool_t *pool, const char *params, int *rc)
{
SECStatus s;
const char *dir = NULL;
const char *keyPrefix = NULL;
const char *certPrefix = NULL;
const char *secmod = NULL;
int noinit = 0;
PRUint32 flags = 0;
struct {
const char *field;
const char *value;
int set;
} fields[] = {
{ "dir", NULL, 0 },
{ "key3", NULL, 0 },
{ "cert7", NULL, 0 },
{ "secmod", NULL, 0 },
{ "noinit", NULL, 0 },
{ NULL, NULL, 0 }
};
const char *ptr;
size_t klen;
char **elts = NULL;
char *elt;
int i = 0, j;
apr_status_t status;
if (params) {
if (APR_SUCCESS != (status = apr_tokenize_to_argv(params, &elts, pool))) {
return status;
}
while ((elt = elts[i])) {
ptr = strchr(elt, '=');
if (ptr) {
for (klen = ptr - elt; klen && apr_isspace(elt[klen - 1]); --klen)
;
ptr++;
}
else {
for (klen = strlen(elt); klen && apr_isspace(elt[klen - 1]); --klen)
;
}
elt[klen] = 0;
for (j = 0; fields[j].field != NULL; ++j) {
if (klen && !strcasecmp(fields[j].field, elt)) {
fields[j].set = 1;
if (ptr) {
fields[j].value = ptr;
}
break;
}
}
i++;
}
dir = fields[0].value;
keyPrefix = fields[1].value;
certPrefix = fields[2].value;
secmod = fields[3].value;
noinit = fields[4].set;
}
/* if we've been asked to bypass, do so here */
if (noinit) {
return APR_SUCCESS;
}
/* sanity check - we can only initialise NSS once */
if (NSS_IsInitialized()) {
return APR_EREINIT;
}
apr_pool_cleanup_register(pool, pool, crypto_shutdown_helper,
apr_pool_cleanup_null);
if (keyPrefix || certPrefix || secmod) {
s = NSS_Initialize(dir, certPrefix, keyPrefix, secmod, flags);
}
else if (dir) {
s = NSS_InitReadWrite(dir);
}
else {
s = NSS_NoDB_Init(NULL);
}
if (s != SECSuccess) {
if (rc) {
*rc = PR_GetError();
}
return APR_ECRYPT;
}
return APR_SUCCESS;
}
int main(int argc, char **argv)
{
CERTCertDBHandle *certHandle;
PRFileDesc *inFile;
PRFileDesc *inCrlInitFile = NULL;
int generateCRL;
int modifyCRL;
int listCRL;
int importCRL;
int showFileCRL;
int deleteCRL;
int rv;
char *nickName;
char *url;
char *dbPrefix = "";
char *alg = NULL;
char *outFile = NULL;
char *slotName = NULL;
int ascii = 0;
int crlType;
PLOptState *optstate;
PLOptStatus status;
SECStatus secstatus;
PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS;
PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
PRBool quiet = PR_FALSE;
PRBool test = PR_FALSE;
PRBool erase = PR_FALSE;
PRInt32 i = 0;
PRInt32 iterations = 1;
PRBool readonly = PR_FALSE;
secuPWData pwdata = { PW_NONE, 0 };
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
rv = 0;
deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0;
inFile = NULL;
nickName = url = NULL;
certHandle = NULL;
crlType = SEC_CRL_TYPE;
/*
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'T':
test = PR_TRUE;
break;
case 'E':
erase = PR_TRUE;
break;
case 'B':
importOptions |= CRL_IMPORT_BYPASS_CHECKS;
break;
case 'G':
generateCRL = 1;
break;
case 'M':
modifyCRL = 1;
break;
case 'D':
deleteCRL = 1;
break;
case 'I':
importCRL = 1;
break;
case 'S':
showFileCRL = 1;
break;
case 'C':
case 'L':
listCRL = 1;
break;
case 'P':
dbPrefix = strdup(optstate->value);
break;
case 'Z':
alg = strdup(optstate->value);
break;
case 'a':
ascii = 1;
break;
case 'c':
inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0);
if (!inCrlInitFile) {
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
PL_DestroyOptState(optstate);
return -1;
}
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = strdup(optstate->value);
break;
case 'h':
slotName = strdup(optstate->value);
break;
case 'i':
inFile = PR_Open(optstate->value, PR_RDONLY, 0);
if (!inFile) {
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
PL_DestroyOptState(optstate);
return -1;
}
break;
case 'n':
nickName = strdup(optstate->value);
break;
case 'o':
outFile = strdup(optstate->value);
break;
case 'p':
decodeOptions |= CRL_DECODE_SKIP_ENTRIES;
break;
case 'r': {
const char* str = optstate->value;
if (str && atoi(str)>0)
iterations = atoi(str);
}
break;
case 't': {
crlType = atoi(optstate->value);
if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) {
PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName);
PL_DestroyOptState(optstate);
return -1;
}
break;
case 'q':
quiet = PR_TRUE;
break;
case 'w':
pwdata.source = PW_PLAINTEXT;
pwdata.data = strdup(optstate->value);
break;
case 'u':
url = strdup(optstate->value);
break;
}
}
}
PL_DestroyOptState(optstate);
if (deleteCRL && !nickName) Usage (progName);
if (importCRL && !inFile) Usage (progName);
if (showFileCRL && !inFile) Usage (progName);
if ((generateCRL && !nickName) ||
(modifyCRL && !inFile && !nickName)) Usage (progName);
if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
modifyCRL || test || erase)) Usage (progName);
if (listCRL || showFileCRL) {
readonly = PR_TRUE;
}
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(SECU_GetModulePassword);
if (showFileCRL) {
NSS_NoDB_Init(NULL);
}
else {
secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix,
"secmod.db", readonly ? NSS_INIT_READONLY : 0);
if (secstatus != SECSuccess) {
SECU_PrintPRandOSError(progName);
return -1;
}
}
SECU_RegisterDynamicOids();
certHandle = CERT_GetDefaultCertDB();
if (certHandle == NULL) {
SECU_PrintError(progName, "unable to open the cert db");
/*ignoring return value of NSS_Shutdown() as code returns -1*/
(void) NSS_Shutdown();
return (-1);
}
CRLGEN_InitCrlGenParserLock();
for (i=0; i<iterations; i++) {
/* Read in the private key info */
if (deleteCRL)
DeleteCRL (certHandle, nickName, crlType);
else if (listCRL) {
rv = ListCRL (certHandle, nickName, crlType);
}
else if (importCRL) {
rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
decodeOptions, &pwdata);
}
else if (showFileCRL) {
rv = DumpCRL (inFile);
} else if (generateCRL || modifyCRL) {
if (!inCrlInitFile)
inCrlInitFile = PR_STDIN;
rv = GenerateCRL (certHandle, nickName, inCrlInitFile,
inFile, outFile, ascii, slotName,
importOptions, alg, quiet,
decodeOptions, url, &pwdata,
modifyCRL);
}
else if (erase) {
/* list and delete all CRLs */
ListCRLNames (certHandle, crlType, PR_TRUE);
}
#ifdef DEBUG
else if (test) {
/* list and delete all CRLs */
ListCRLNames (certHandle, crlType, PR_TRUE);
/* list CRLs */
ListCRLNames (certHandle, crlType, PR_FALSE);
/* import CRL as a blob */
rv = ImportCRL (certHandle, url, crlType, inFile, importOptions,
decodeOptions, &pwdata);
/* list CRLs */
ListCRLNames (certHandle, crlType, PR_FALSE);
}
#endif
}
CRLGEN_DestroyCrlGenParserLock();
if (NSS_Shutdown() != SECSuccess) {
rv = SECFailure;
}
return (rv != SECSuccess);
}
static string ComputeDumpHash() {
#ifdef XP_LINUX
// On Linux we rely on the system-provided libcurl which uses nss so we have
// to also use the system-provided nss instead of the ones we have bundled.
const char* libnssNames[] = {
"libnss3.so",
#ifndef HAVE_64BIT_BUILD
// 32-bit versions on 64-bit hosts
"/usr/lib32/libnss3.so",
#endif
};
void* lib = nullptr;
for (const char* libname : libnssNames) {
lib = dlopen(libname, RTLD_NOW);
if (lib) {
break;
}
}
if (!lib) {
return "";
}
SECStatus (*NSS_Initialize)(const char*, const char*, const char*,
const char*, PRUint32);
HASHContext* (*HASH_Create)(HASH_HashType);
void (*HASH_Destroy)(HASHContext*);
void (*HASH_Begin)(HASHContext*);
void (*HASH_Update)(HASHContext*, const unsigned char*, unsigned int);
void (*HASH_End)(HASHContext*, unsigned char*, unsigned int*, unsigned int);
*(void**) (&NSS_Initialize) = dlsym(lib, "NSS_Initialize");
*(void**) (&HASH_Create) = dlsym(lib, "HASH_Create");
*(void**) (&HASH_Destroy) = dlsym(lib, "HASH_Destroy");
*(void**) (&HASH_Begin) = dlsym(lib, "HASH_Begin");
*(void**) (&HASH_Update) = dlsym(lib, "HASH_Update");
*(void**) (&HASH_End) = dlsym(lib, "HASH_End");
if (!HASH_Create || !HASH_Destroy || !HASH_Begin || !HASH_Update ||
!HASH_End) {
return "";
}
#endif
// Minimal NSS initialization so we can use the hash functions
const PRUint32 kNssFlags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT |
NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB;
if (NSS_Initialize(nullptr, "", "", "", kNssFlags) != SECSuccess) {
return "";
}
HASHContext* hashContext = HASH_Create(HASH_AlgSHA256);
if (!hashContext) {
return "";
}
HASH_Begin(hashContext);
ifstream* f = UIOpenRead(gReporterDumpFile, /* binary */ true);
bool error = false;
// Read the minidump contents
if (f->is_open()) {
uint8_t buff[4096];
do {
f->read((char*) buff, sizeof(buff));
if (f->bad()) {
error = true;
break;
}
HASH_Update(hashContext, buff, f->gcount());
} while (!f->eof());
f->close();
} else {
error = true;
}
delete f;
// Finalize the hash computation
uint8_t result[SHA256_LENGTH];
uint32_t resultLen = 0;
HASH_End(hashContext, result, &resultLen, SHA256_LENGTH);
if (resultLen != SHA256_LENGTH) {
error = true;
}
HASH_Destroy(hashContext);
if (!error) {
ostringstream hash;
for (size_t i = 0; i < SHA256_LENGTH; i++) {
hash << std::setw(2) << std::setfill('0') << std::hex
<< static_cast<unsigned int>(result[i]);
}
return hash.str();
} else {
return ""; // If we encountered an error, return an empty hash
}
}
CURLcode Curl_nss_connect(struct connectdata * conn, int sockindex)
{
PRInt32 err;
PRFileDesc *model = NULL;
PRBool ssl2, ssl3, tlsv1;
struct SessionHandle *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECStatus rv;
#ifdef HAVE_PK11_CREATEGENERICOBJECT
char *configstring = NULL;
#endif
char *certDir = NULL;
int curlerr;
curlerr = CURLE_SSL_CONNECT_ERROR;
/* FIXME. NSS doesn't support multiple databases open at the same time. */
if(!initialized) {
initialized = 1;
certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
if (!certDir) {
struct stat st;
if (stat(SSL_DIR, &st) == 0)
if (S_ISDIR(st.st_mode)) {
certDir = (char *)SSL_DIR;
}
}
if(!certDir) {
rv = NSS_NoDB_Init(NULL);
}
else {
rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
NSS_INIT_READONLY);
}
if(rv != SECSuccess) {
infof(conn->data, "Unable to initialize NSS database\n");
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
NSS_SetDomesticPolicy();
#ifdef HAVE_PK11_CREATEGENERICOBJECT
configstring = (char *)malloc(PATH_MAX);
PR_snprintf(configstring, PATH_MAX, "library=%s name=PEM", pem_library);
mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
free(configstring);
if (!mod || !mod->loaded) {
if (mod) {
SECMOD_DestroyModule(mod);
mod = NULL;
}
infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
"PEM certificates will not work.\n", pem_library);
}
#endif
}
model = PR_NewTCPSocket();
if(!model)
goto error;
model = SSL_ImportFD(NULL, model);
if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess)
goto error;
ssl2 = ssl3 = tlsv1 = PR_FALSE;
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
ssl2 = ssl3 = tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_TLSv1:
tlsv1 = PR_TRUE;
break;
case CURL_SSLVERSION_SSLv2:
ssl2 = PR_TRUE;
break;
case CURL_SSLVERSION_SSLv3:
ssl3 = PR_TRUE;
break;
}
if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess)
goto error;
if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess)
goto error;
if(data->set.ssl.cipher_list) {
if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
curlerr = CURLE_SSL_CIPHER;
goto error;
}
}
data->set.ssl.certverifyresult=0; /* not checked yet */
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
!= SECSuccess) {
goto error;
}
if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
NULL) != SECSuccess)
goto error;
if(!data->set.ssl.verifypeer)
/* skip the verifying of the peer */
;
else if (data->set.ssl.CAfile) {
int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
if (!rc) {
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
}
else if (data->set.ssl.CApath) {
struct stat st;
PRDir *dir;
PRDirEntry *entry;
if (stat(data->set.ssl.CApath, &st) == -1) {
curlerr = CURLE_SSL_CACERT_BADFILE;
goto error;
}
if (S_ISDIR(st.st_mode)) {
int rc;
dir = PR_OpenDir(data->set.ssl.CApath);
do {
entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN);
if (entry) {
char fullpath[PATH_MAX];
snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
entry->name);
rc = nss_load_cert(fullpath, PR_TRUE);
/* FIXME: check this return value! */
}
/* This is purposefully tolerant of errors so non-PEM files
* can be in the same directory */
} while (entry != NULL);
PR_CloseDir(dir);
}
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
if(data->set.str[STRING_CERT]) {
char *n;
char *nickname;
nickname = (char *)malloc(PATH_MAX);
if(is_file(data->set.str[STRING_CERT])) {
n = strrchr(data->set.str[STRING_CERT], '/');
if (n) {
n++; /* skip last slash */
snprintf(nickname, PATH_MAX, "PEM Token #%ld:%s", 1, n);
}
}
else {
strncpy(nickname, data->set.str[STRING_CERT], PATH_MAX);
}
if(nss_Init_Tokens(conn) != SECSuccess) {
free(nickname);
goto error;
}
if (!cert_stuff(conn, data->set.str[STRING_CERT],
data->set.str[STRING_KEY])) {
/* failf() is already done in cert_stuff() */
free(nickname);
return CURLE_SSL_CERTPROBLEM;
}
connssl->client_nickname = strdup(nickname);
if(SSL_GetClientAuthDataHook(model,
(SSLGetClientAuthData) SelectClientCert,
(void *)connssl->client_nickname) !=
SECSuccess) {
curlerr = CURLE_SSL_CERTPROBLEM;
goto error;
}
free(nickname);
PK11_SetPasswordFunc(nss_no_password);
}
else
connssl->client_nickname = NULL;
/* Import our model socket onto the existing file descriptor */
connssl->handle = PR_ImportTCPSocket(sockfd);
connssl->handle = SSL_ImportFD(model, connssl->handle);
if(!connssl->handle)
goto error;
PR_Close(model); /* We don't need this any more */
/* Force handshake on next I/O */
SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
SSL_SetURL(connssl->handle, conn->host.name);
/* Force the handshake now */
if (SSL_ForceHandshakeWithTimeout(connssl->handle,
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
!= SECSuccess) {
if (conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT;
goto error;
}
display_conn_info(conn, connssl->handle);
return CURLE_OK;
error:
err = PR_GetError();
infof(data, "NSS error %d\n", err);
if(model)
PR_Close(model);
return curlerr;
}
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName)
{
#if 1
int isServer = 0;
SECStatus rv = SECSuccess;
char * buffer = malloc(1024 * 1024);
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * tcp_socket = PR_NewTCPSocket();
PRFileDesc * ssl_socket = SSL_ImportFD(NULL,tcp_socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(ssl_socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(tcp_socket,&netAddr);
rv = PR_Listen(tcp_socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL);
char * nickname = "nickname";/*nickname*/
rv = SSL_SetURL(ssl_socket, "192.168.18.22");
char * str = malloc(1024) ;
memset(str, 0, 1024);
strcpy(str ,"GET /test/test2.html HTTP/1.1\r\n");//注意\r\n为回车换行
// str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"];
// str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"];
//str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"];
strcat(str ,"Host: 192.168.18.22:8443\r\n");
// str = [str stringByAppendingString:@"Content-Length: 0\r\n"];
strcat(str ,"\r\n");
// str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"];
// str = [str stringByAppendingString:@"\r\n"];
PRNetAddr netAddr;
rv = PR_StringToNetAddr("192.168.18.22", &netAddr);
rv = PR_InitializeNetAddr(0, 8443, &netAddr);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(tcp_socket,&netAddr, 300000);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_GetClientAuthDataHook(ssl_socket,NSS_GetClientAuthData,strNickName);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_ForceHandshake(ssl_socket);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Write(tcp_socket, str, strlen(str));
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
FILE * file = fopen("/sdcard/ssl_read.txt", "wb");
//fwrite(buffer, 1, rv, file);
//rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
fwrite(buffer, 1, rv, file);
fclose(file);
sleep(1);
rv = SSL_InvalidateSession(ssl_socket);
rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH);
rv = PR_Close(tcp_socket);
rv = ssl_FreeSessionCacheLocks();
rv = NSS_Shutdown();
}
#endif
return 0;
}
