void initNSS(const SslOptions& options, bool server)
{
SslOptions::global = options;
if (options.certPasswordFile.empty()) {
PK11_SetPasswordFunc(promptForPassword);
} else {
PK11_SetPasswordFunc(readPasswordFromFile);
}
NSS_CHECK(NSS_Init(options.certDbPath.c_str()));
if (options.exportPolicy) {
NSS_CHECK(NSS_SetExportPolicy());
} else {
NSS_CHECK(NSS_SetDomesticPolicy());
}
if (server) {
//use defaults for all args, TODO: may want to make this configurable
SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
}
// disable SSLv2 and SSLv3 versions of the protocol - they are
// no longer considered secure
SSLVersionRange drange, srange; // default and supported ranges
const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
if (drange.min < tlsv1) {
drange.min = tlsv1;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
if (srange.max > drange.max) {
drange.max = srange.max;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
}
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_setCipherPolicyNative(
JNIEnv *env, jobject self, jint policyEnum)
{
SECStatus status;
switch(policyEnum) {
case SSL_POLICY_DOMESTIC:
status = NSS_SetDomesticPolicy();
break;
case SSL_POLICY_EXPORT:
status = NSS_SetExportPolicy();
break;
case SSL_POLICY_FRANCE:
status = NSS_SetFrancePolicy();
break;
default:
PR_ASSERT(PR_FALSE);
status = SECFailure;
}
if(status != SECSuccess) {
JSSL_throwSSLSocketException(env, "Failed to set cipher policy");
goto finish;
}
finish:
return;
}
// Constructor
OsTLSServerSocket::OsTLSServerSocket(int connectionQueueSize,
int serverPort,
UtlString certNickname,
UtlString certPassword,
UtlString dbLocation,
const UtlString bindAddress)
: OsServerSocket(connectionQueueSize,serverPort, bindAddress.data(), false),
mCertNickname(certNickname),
mCertPassword(certPassword),
mDbLocation(dbLocation),
mpMozillaSSLSocket(NULL),
mpCert(NULL),
mpPrivKey(NULL),
mTlsInitCode(TLS_INIT_SUCCESS)
{
PRSocketOptionData socketOption;
PRStatus prStatus;
SECStatus secStatus;
// import the newly created socket into NSS, and set the PRFileDesc.
if (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR)
{
/* Call the NSPR initialization routines. */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/* Set the cert database password callback. */
PK11_SetPasswordFunc(OsTLS::PasswordCallback);
secStatus = NSS_Init(dbLocation.data());
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_DATABASE_FAILURE;
return ;
}
/* Set the policy for this server (REQUIRED - no default). */
secStatus = NSS_SetExportPolicy();
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_DATABASE_FAILURE;
return ;
}
/* Get own certificate and private key. */
mpCert = PK11_FindCertFromNickname((char*) certNickname.data(), (void*)certPassword.data());
if (mpCert == NULL)
{
return ;
}
unsigned char* szPwd = (unsigned char*) PR_Malloc(certPassword.length()+ 1);
strncpy((char*)szPwd, certPassword.data(), certPassword.length()+1);
mpPrivKey = PK11_FindKeyByAnyCert(mpCert, (void*)szPwd);
if (mpPrivKey == NULL)
{
mTlsInitCode = TLS_INIT_BAD_PASSWORD;
// probably a wrong password
return ;
}
/* Configure the server's cache for a multi-process application
* using default timeout values (24 hrs) and directory location (/tmp).
*/
SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
mpMozillaSSLSocket = PR_ImportTCPSocket(socketDescriptor);
if (!mpMozillaSSLSocket)
{
mTlsInitCode = TLS_INIT_TCP_IMPORT_FAILURE;
}
else
{
/* Make the socket blocking. */
socketOption.option = PR_SockOpt_Nonblocking;
socketOption.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(mpMozillaSSLSocket, &socketOption);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
PRNetAddr addr;
/* Configure the network connection. */
addr.inet.family = PR_AF_INET;
addr.inet.ip = inet_addr(bindAddress.data());
addr.inet.port = PR_htons(serverPort);
/* Bind the address to the listener socket. */
prStatus = PR_Bind(mpMozillaSSLSocket, &addr);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
/* Listen for connection on the socket. The second argument is
* the maximum size of the queue for pending connections.
*/
prStatus = PR_Listen(mpMozillaSSLSocket, connectionQueueSize);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
}
}
}
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName)
{
#if 1
int isServer = 0;
SECStatus rv = SECSuccess;
char * buffer = malloc(1024 * 1024);
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * tcp_socket = PR_NewTCPSocket();
PRFileDesc * ssl_socket = SSL_ImportFD(NULL,tcp_socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(ssl_socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(tcp_socket,&netAddr);
rv = PR_Listen(tcp_socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL);
char * nickname = "nickname";/*nickname*/
rv = SSL_SetURL(ssl_socket, "192.168.18.22");
char * str = malloc(1024) ;
memset(str, 0, 1024);
strcpy(str ,"GET /test/test2.html HTTP/1.1\r\n");//注意\r\n为回车换行
// str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"];
// str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"];
//str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"];
strcat(str ,"Host: 192.168.18.22:8443\r\n");
// str = [str stringByAppendingString:@"Content-Length: 0\r\n"];
strcat(str ,"\r\n");
// str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"];
// str = [str stringByAppendingString:@"\r\n"];
PRNetAddr netAddr;
rv = PR_StringToNetAddr("192.168.18.22", &netAddr);
rv = PR_InitializeNetAddr(0, 8443, &netAddr);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(tcp_socket,&netAddr, 300000);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_GetClientAuthDataHook(ssl_socket,NSS_GetClientAuthData,strNickName);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = SSL_ForceHandshake(ssl_socket);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Write(tcp_socket, str, strlen(str));
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
FILE * file = fopen("/sdcard/ssl_read.txt", "wb");
//fwrite(buffer, 1, rv, file);
//rv = PR_Read(tcp_socket,buffer, 1024 * 1024);
fwrite(buffer, 1, rv, file);
fclose(file);
sleep(1);
rv = SSL_InvalidateSession(ssl_socket);
rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH);
rv = PR_Close(tcp_socket);
rv = ssl_FreeSessionCacheLocks();
rv = NSS_Shutdown();
}
#endif
return 0;
}
int FileSSL_main(int argc, char * argv[])
{
bool isServer = true;
SECStatus rv = SECSuccess;
char buffer[32] = {0};
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(GetModulePassword);
rv = NSS_Initialize(GetSystemDBDir(),
"", "",
"secmod.db", 0);
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
rv = NSS_SetDomesticPolicy();
rv = NSS_SetExportPolicy();
rv = NSS_SetFrancePolicy();
// rv = SSL_CipherPolicySet();
SSL_ClearSessionCache();
rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");
PRFileDesc * socket = PR_NewTCPSocket();
socket = SSL_ImportFD(NULL,socket);
if (isServer) {
CERTCertDBHandle *certHandle;
certHandle = CERT_GetDefaultCertDB();
char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/
CERTCertificate* cert = NULL;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
SECKEYPrivateKey *prvKey = NULL;
prvKey = PK11_FindKeyByAnyCert(cert, NULL);
rv = SSL_ConfigSecureServer(socket, cert,prvKey,ssl_kea_rsa);
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
rv = PR_Bind(socket,&netAddr);
rv = PR_Listen(socket, 100);
while (1) {
PRFileDesc * client = PR_Accept(socket, &netAddr, 6000000);
PRNetAddr addr;
rv = PR_GetSockName(client, &addr);
rv = SSL_ForceHandshake(client);
rv = PR_Write(client,"123", 4);
sleep(1);
}
}
else
{
rv = SSL_SetURL(socket, "127.0.0.1");
PRNetAddr netAddr;
PRNetAddr netAddrLocal;
rv = PR_InitializeNetAddr(0, 8888, &netAddr);
rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
// rv = PR_GetHostByName();
// PR_EnumerateHostEnt
rv = PR_Connect(socket,&netAddr, 300000);
rv = SSL_AuthCertificateHook(socket, OwnAuthCertHandler, NULL);
rv = SSL_ForceHandshake(socket);
while (1) {
rv = PR_Read(socket,buffer, 32);
sleep(1);
}
}
return 0;
}
