void initNSS(const SslOptions& options, bool server) { SslOptions::global = options; if (options.certPasswordFile.empty()) { PK11_SetPasswordFunc(promptForPassword); } else { PK11_SetPasswordFunc(readPasswordFromFile); } NSS_CHECK(NSS_Init(options.certDbPath.c_str())); if (options.exportPolicy) { NSS_CHECK(NSS_SetExportPolicy()); } else { NSS_CHECK(NSS_SetDomesticPolicy()); } if (server) { //use defaults for all args, TODO: may want to make this configurable SSL_ConfigServerSessionIDCache(0, 0, 0, 0); } // disable SSLv2 and SSLv3 versions of the protocol - they are // no longer considered secure SSLVersionRange drange, srange; // default and supported ranges const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0 NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange)); NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange)); if (drange.min < tlsv1) { drange.min = tlsv1; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } if (srange.max > drange.max) { drange.max = srange.max; NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange)); } }
int crypto_init(cert_policy *policy) { SECStatus rv; DBG("Initializing NSS ..."); if (NSS_IsInitialized()) { app_has_NSS = 1; /* we should save the app's password function */ PK11_SetPasswordFunc(password_passthrough); DBG("... NSS is initialized"); return 0; } if (policy->nss_dir) { /* initialize with read only databases */ DBG1("Initializing NSS ... database=%s", policy->nss_dir); rv = NSS_Init(policy->nss_dir); } else { /* not database secified */ DBG("Initializing NSS ... with no db"); rv = NSS_NoDB_Init(NULL); } if (rv != SECSuccess) { DBG1("NSS_Initialize failed: %s", SECU_Strerror(PR_GetError())); return -1; } /* register a callback */ PK11_SetPasswordFunc(password_passthrough); if (policy->ocsp_policy == OCSP_ON) { CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); } DBG("... NSS Complete"); return 0; }
static bool pluto_init_nss(char *nssdb) { SECStatus rv; char dbuf[1024]; snprintf(dbuf, sizeof(dbuf), "sql:%s", nssdb); loglog(RC_LOG_SERIOUS, "NSS DB directory: %s", dbuf); rv = NSS_Initialize(dbuf, "", "", SECMOD_DB, NSS_INIT_READONLY); if (rv != SECSuccess) { loglog(RC_LOG_SERIOUS, "NSS readonly initialization (\"%s\") failed (err %d)\n", dbuf, PR_GetError()); return FALSE; } libreswan_log("NSS initialized"); PK11_SetPasswordFunc(getNSSPassword); /* * This exists purely to make the BSI happy. * We do not inflict this on other users */ if (pluto_nss_seedbits != 0) { int seedbytes = BYTES_FOR_BITS(pluto_nss_seedbits); unsigned char *buf = alloc_bytes(seedbytes,"TLA seedmix"); get_bsi_random(seedbytes, buf); /* much TLA, very blocking */ rv = PK11_RandomUpdate(buf, seedbytes); libreswan_log("seeded %d bytes into the NSS PRNG", seedbytes); passert(rv == SECSuccess); messupn(buf, seedbytes); pfree(buf); } return TRUE; }
static enum okay nss_init(void) { static int initialized; char *cp; verbose = value("verbose") != NULL; if (initialized == 0) { if ((cp = value("nss-config-dir")) == NULL) { fputs("Missing \"nss-config-dir\" variable.\n", stderr); return STOP; } cp = expand(cp); PR_Init(0, 0, 0); PK11_SetPasswordFunc(password_cb); if (NSS_Init(cp) == SECSuccess) { NSS_SetDomesticPolicy(); initialized = 1; return OKAY; } nss_gen_err("Error initializing NSS"); return STOP; } return OKAY; }
int main(int argc, char **argv) { SECStatus rv; /* Initialize NSS */ PK11_SetPasswordFunc(passwdcb); /* The NSS db must be initialized read-write since we'll be creating * keys in it. Once keys are generated, it can be opened without read-write * subsequently (NSS_Init). */ rv = NSS_InitReadWrite("."); if (rv != SECSuccess) { fprintf(stderr, "NSS initialization failed (err %d)\n", PR_GetError()); exit(1); } /* generate a key with id 1. should succeed on first run on a fresh db, * should fail on successive runs because key with that id already exists */ genkey(1); /* generate a key with id 2. should succeed on first run on a fresh db, * should fail on successive runs because key with that id already exists */ genkey(2); /* generate a key with id 1 - this will fail because key with that id * already exists */ genkey(1); }
int main(int argc, char **argv) { char * progName = NULL; SECStatus secStatus; PLOptState *optstate; PLOptStatus status; /* Call the NSPR initialization routines */ PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PL_strdup(argv[0]); hostName = NULL; optstate = PL_CreateOptState(argc, argv, "d:h:i:o:p:t:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 'd' : certDir = PL_strdup(optstate->value); break; case 'h' : hostName = PL_strdup(optstate->value); break; case 'i' : infileName = PL_strdup(optstate->value); break; case 'o' : outfileName = PL_strdup(optstate->value); break; case 'p' : port = PORT_Atoi(optstate->value); break; case 't' : trustNewServer_p = PL_strdup(optstate->value); break; case '?' : default : Usage(progName); } } if (port == 0 || hostName == NULL || infileName == NULL || outfileName == NULL || certDir == NULL) Usage(progName); #if 0 /* no client authentication */ /* Set our password function callback. */ PK11_SetPasswordFunc(myPasswd); #endif /* Initialize the NSS libraries. */ secStatus = NSS_InitReadWrite(certDir); if (secStatus != SECSuccess) { /* Try it again, readonly. */ secStatus = NSS_Init(certDir); if (secStatus != SECSuccess) exitErr("Error initializing NSS", GENERAL_ERROR); } /* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */ NSS_SetDomesticPolicy(); client_main(port); NSS_Shutdown(); PR_Cleanup(); return 0; }
/* * SVRCORE_RegisterPinObj */ void SVRCORE_RegisterPinObj(SVRCOREPinObj *obj) { /* Set PK11 callback function to call back here */ PK11_SetPasswordFunc(SVRCORE_Pk11PasswordFunc); /* Set object to use for getPin method */ pinObj = obj; }
/* * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding * * "cmsg" - message object * "pwfn", pwfn_arg" - callback function for getting token password * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData * "detached_digestalgs", "detached_digests" - digests from detached content */ void NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, PK11PasswordFunc pwfn, void *pwfn_arg, NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) { if (pwfn) PK11_SetPasswordFunc(pwfn); cmsg->pwfn_arg = pwfn_arg; cmsg->decrypt_key_cb = decrypt_key_cb; cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; cmsg->detached_digestalgs = detached_digestalgs; cmsg->detached_digests = detached_digests; }
/* * SecCmsMessageSetEncodingParams - set up a CMS message object for encoding or decoding * * "cmsg" - message object * "pwfn", pwfn_arg" - callback function for getting token password * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData * "detached_digestalgs", "detached_digests" - digests from detached content */ void SecCmsMessageSetEncodingParams(SecCmsMessageRef cmsg, PK11PasswordFunc pwfn, void *pwfn_arg, SecCmsGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg) { #if 0 // @@@ Deal with password stuff. if (pwfn) PK11_SetPasswordFunc(pwfn); #endif cmsg->pwfn_arg = pwfn_arg; cmsg->decrypt_key_cb = decrypt_key_cb; cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; }
static void pluto_init_nss(char *confddir) { char buf[100]; snprintf(buf, sizeof(buf), "%s",confddir); loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf); SECStatus nss_init_status= NSS_InitReadWrite(buf); if (nss_init_status != SECSuccess) { loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError()); exit_pluto(10); } else { libreswan_log("NSS Initialized"); PK11_SetPasswordFunc(getNSSPassword); } }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; pphrase_arg_t *parg = NULL; parg = (pphrase_arg_t *) malloc(sizeof(*parg)); parg->retryCount = 0; parg->data = conn->data; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized.\n"); } else { failf(conn->data, "The token %s has not been initialized.", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, parg); if(SECSuccess != ret) { if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } parg->retryCount = 0; /* reset counter to 0 for the next token */ PK11_FreeSlot(slot); } free(parg); return status; }
gboolean msd_smartcard_unlock (MsdSmartcard *card, const char *password) { SECStatus status; PK11_SetPasswordFunc ((PK11PasswordFunc) msd_smartcard_password_handler); /* we pass PR_TRUE to load certificates */ status = PK11_Authenticate (card->priv->slot, PR_TRUE, (gpointer) password); if (status != SECSuccess) { g_debug ("could not unlock card - %d", status); return FALSE; } return TRUE; }
void * tls_init(const struct tls_config *conf) { char *dir; tls_nss_ref_count++; if (tls_nss_ref_count > 1) return (void *) 1; PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); nss_layer_id = PR_GetUniqueIdentity("wpa_supplicant"); PK11_SetPasswordFunc(nss_password_cb); dir = getenv("SSL_DIR"); if (dir) { if (NSS_Init(dir) != SECSuccess) { wpa_printf(MSG_ERROR, "NSS: NSS_Init(cert_dir=%s) " "failed", dir); return NULL; } } else { if (NSS_NoDB_Init(NULL) != SECSuccess) { wpa_printf(MSG_ERROR, "NSS: NSS_NoDB_Init(NULL) " "failed"); return NULL; } } if (SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess || SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_FALSE) != SECSuccess || SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess || SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE) != SECSuccess) { wpa_printf(MSG_ERROR, "NSS: SSL_OptionSetDefault failed"); return NULL; } if (NSS_SetDomesticPolicy() != SECSuccess) { wpa_printf(MSG_ERROR, "NSS: NSS_SetDomesticPolicy() failed"); return NULL; } return (void *) 1; }
SECStatus InitPKCS11(void) { PK11SlotInfo *keySlot; PK11_SetPasswordFunc(SECU_GetModulePassword); keySlot = PK11_GetInternalKeySlot(); if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) { if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) { printf ("Initializing the PINs failed.\n"); return SECFailure; } } PK11_FreeSlot(keySlot); return SECSuccess; }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized"); } else { failf(conn->data, "The token %s has not been initialized", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, conn->data->set.str[STRING_KEY_PASSWD]); if(SECSuccess != ret) { if(PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } PK11_FreeSlot(slot); } return status; }
int main(int argc, char *argv[], char *envp[]) { char * certDir = NULL; char * progName = NULL; char * oidStr = NULL; CERTCertificate * cert; CERTCertificate * firstCert = NULL; CERTCertificate * issuerCert = NULL; CERTCertDBHandle * defaultDB = NULL; PRBool isAscii = PR_FALSE; PRBool trusted = PR_FALSE; SECStatus secStatus; SECCertificateUsage certUsage = certificateUsageSSLServer; PLOptState * optstate; PRTime time = 0; PLOptStatus status; int usePkix = 0; int rv = 1; int usage; CERTVerifyLog log; CERTCertList *builtChain = NULL; PRBool certFetching = PR_FALSE; int revDataIndex = 0; PRBool ocsp_fetchingFailureIsAFailure = PR_TRUE; PRBool useDefaultRevFlags = PR_TRUE; int vfyCounts = 1; PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PL_strdup(argv[0]); optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 0 : /* positional parameter */ goto breakout; case 'a' : isAscii = PR_TRUE; break; case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); if (secStatus != SECSuccess) Usage(progName); break; case 'd' : certDir = PL_strdup(optstate->value); break; case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; case 'f' : certFetching = PR_TRUE; break; case 'g' : if (revMethodsData[revDataIndex].testTypeStr || revMethodsData[revDataIndex].methodTypeStr) { revDataIndex += 1; if (revDataIndex == REV_METHOD_INDEX_MAX) { fprintf(stderr, "Invalid revocation configuration" "specified.\n"); secStatus = SECFailure; break; } } useDefaultRevFlags = PR_FALSE; revMethodsData[revDataIndex]. testTypeStr = PL_strdup(optstate->value); break; case 'h' : revMethodsData[revDataIndex]. testFlagsStr = PL_strdup(optstate->value);break; case 'i' : vfyCounts = PORT_Atoi(optstate->value); break; break; case 'm' : if (revMethodsData[revDataIndex].methodTypeStr) { revDataIndex += 1; if (revDataIndex == REV_METHOD_INDEX_MAX) { fprintf(stderr, "Invalid revocation configuration" "specified.\n"); secStatus = SECFailure; break; } } useDefaultRevFlags = PR_FALSE; revMethodsData[revDataIndex]. methodTypeStr = PL_strdup(optstate->value); break; case 'o' : oidStr = PL_strdup(optstate->value); break; case 'p' : usePkix += 1; break; case 'r' : isAscii = PR_FALSE; break; case 's' : revMethodsData[revDataIndex]. methodFlagsStr = PL_strdup(optstate->value); break; case 't' : trusted = PR_TRUE; break; case 'u' : usage = PORT_Atoi(optstate->value); if (usage < 0 || usage > 62) Usage(progName); certUsage = ((SECCertificateUsage)1) << usage; if (certUsage > certificateUsageHighest) Usage(progName); break; case 'w': pwdata.source = PW_PLAINTEXT; pwdata.data = PORT_Strdup(optstate->value); break; case 'W': pwdata.source = PW_FROMFILE; pwdata.data = PORT_Strdup(optstate->value); break; case 'v' : verbose++; break; default : Usage(progName); break; } } breakout: if (status != PL_OPT_OK) Usage(progName); if (usePkix < 2) { if (oidStr) { fprintf(stderr, "Policy oid(-o) can be used only with" " CERT_PKIXVerifyChain(-pp) function.\n"); Usage(progName); } if (trusted) { fprintf(stderr, "Cert trust flag can be used only with" " CERT_PKIXVerifyChain(-pp) function.\n"); Usage(progName); } } if (!useDefaultRevFlags && parseRevMethodsAndFlags()) { fprintf(stderr, "Invalid revocation configuration specified.\n"); goto punt; } /* Set our password function callback. */ PK11_SetPasswordFunc(SECU_GetModulePassword); /* Initialize the NSS libraries. */ if (certDir) { secStatus = NSS_Init(certDir); } else { secStatus = NSS_NoDB_Init(NULL); /* load the builtins */ SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0); } if (secStatus != SECSuccess) { exitErr("NSS_Init"); } SECU_RegisterDynamicOids(); if (isOCSPEnabled()) { CERT_EnableOCSPChecking(CERT_GetDefaultCertDB()); CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB()); if (!ocsp_fetchingFailureIsAFailure) { CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure); } } while (status == PL_OPT_OK) { switch(optstate->option) { default : Usage(progName); break; case 'a' : isAscii = PR_TRUE; break; case 'r' : isAscii = PR_FALSE; break; case 't' : trusted = PR_TRUE; break; case 0 : /* positional parameter */ if (usePkix < 2 && trusted) { fprintf(stderr, "Cert trust flag can be used only with" " CERT_PKIXVerifyChain(-pp) function.\n"); Usage(progName); } cert = getCert(optstate->value, isAscii, progName); if (!cert) goto punt; rememberCert(cert, trusted); if (!firstCert) firstCert = cert; trusted = PR_FALSE; } status = PL_GetNextOpt(optstate); } PL_DestroyOptState(optstate); if (status == PL_OPT_BAD || !firstCert) Usage(progName); /* Initialize log structure */ log.arena = PORT_NewArena(512); log.head = log.tail = NULL; log.count = 0; do { if (usePkix < 2) { /* NOW, verify the cert chain. */ if (usePkix) { /* Use old API with libpkix validation lib */ CERT_SetUsePKIXForValidation(PR_TRUE); } if (!time) time = PR_Now(); defaultDB = CERT_GetDefaultCertDB(); secStatus = CERT_VerifyCertificate(defaultDB, firstCert, PR_TRUE /* check sig */, certUsage, time, &pwdata, /* wincx */ &log, /* error log */ NULL);/* returned usages */ } else do { static CERTValOutParam cvout[4]; static CERTValInParam cvin[6]; SECOidTag oidTag; int inParamIndex = 0; static PRUint64 revFlagsLeaf[2]; static PRUint64 revFlagsChain[2]; static CERTRevocationFlags rev; if (oidStr) { PRArenaPool *arena; SECOidData od; memset(&od, 0, sizeof od); od.offset = SEC_OID_UNKNOWN; od.desc = "User Defined Policy OID"; od.mechanism = CKM_INVALID_MECHANISM; od.supportedExtension = INVALID_CERT_EXTENSION; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if ( !arena ) { fprintf(stderr, "out of memory"); goto punt; } secStatus = SEC_StringToOID(arena, &od.oid, oidStr, 0); if (secStatus != SECSuccess) { PORT_FreeArena(arena, PR_FALSE); fprintf(stderr, "Can not encode oid: %s(%s)\n", oidStr, SECU_Strerror(PORT_GetError())); break; } oidTag = SECOID_AddEntry(&od); PORT_FreeArena(arena, PR_FALSE); if (oidTag == SEC_OID_UNKNOWN) { fprintf(stderr, "Can not add new oid to the dynamic " "table: %s\n", oidStr); secStatus = SECFailure; break; } cvin[inParamIndex].type = cert_pi_policyOID; cvin[inParamIndex].value.arraySize = 1; cvin[inParamIndex].value.array.oids = &oidTag; inParamIndex++; } if (trustedCertList) { cvin[inParamIndex].type = cert_pi_trustAnchors; cvin[inParamIndex].value.pointer.chain = trustedCertList; inParamIndex++; } cvin[inParamIndex].type = cert_pi_useAIACertFetch; cvin[inParamIndex].value.scalar.b = certFetching; inParamIndex++; rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf; rev.chainTests.cert_rev_flags_per_method = revFlagsChain; secStatus = configureRevocationParams(&rev); if (secStatus) { fprintf(stderr, "Can not config revocation parameters "); break; } cvin[inParamIndex].type = cert_pi_revocationFlags; cvin[inParamIndex].value.pointer.revocation = &rev; inParamIndex++; if (time) { cvin[inParamIndex].type = cert_pi_date; cvin[inParamIndex].value.scalar.time = time; inParamIndex++; } cvin[inParamIndex].type = cert_pi_end; cvout[0].type = cert_po_trustAnchor; cvout[0].value.pointer.cert = NULL; cvout[1].type = cert_po_certList; cvout[1].value.pointer.chain = NULL; /* setting pointer to CERTVerifyLog. Initialized structure * will be used CERT_PKIXVerifyCert */ cvout[2].type = cert_po_errorLog; cvout[2].value.pointer.log = &log; cvout[3].type = cert_po_end; secStatus = CERT_PKIXVerifyCert(firstCert, certUsage, cvin, cvout, &pwdata); if (secStatus != SECSuccess) { break; } issuerCert = cvout[0].value.pointer.cert; builtChain = cvout[1].value.pointer.chain; } while (0); /* Display validation results */ if (secStatus != SECSuccess || log.count > 0) { CERTVerifyLogNode *node = NULL; PRIntn err = PR_GetError(); fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err)); SECU_displayVerifyLog(stderr, &log, verbose); /* Have cert refs in the log only in case of failure. * Destroy them. */ for (node = log.head; node; node = node->next) { if (node->cert) CERT_DestroyCertificate(node->cert); } rv = 1; } else { fprintf(stderr, "Chain is good!\n"); if (issuerCert) { if (verbose > 1) { rv = SEC_PrintCertificateAndTrust(issuerCert, "Root Certificate", NULL); if (rv != SECSuccess) { SECU_PrintError(progName, "problem printing certificate"); } } else if (verbose > 0) { SECU_PrintName(stdout, &issuerCert->subject, "Root " "Certificate Subject:", 0); } CERT_DestroyCertificate(issuerCert); } if (builtChain) { CERTCertListNode *node; int count = 0; char buff[256]; if (verbose) { for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain); node = CERT_LIST_NEXT(node), count++ ) { sprintf(buff, "Certificate %d Subject", count + 1); SECU_PrintName(stdout, &node->cert->subject, buff, 0); } } CERT_DestroyCertList(builtChain); } rv = 0; } } while (--vfyCounts > 0); /* Need to destroy CERTVerifyLog arena at the end */ PORT_FreeArena(log.arena, PR_FALSE); punt: forgetCerts(); if (NSS_Shutdown() != SECSuccess) { SECU_PrintError(progName, "NSS_Shutdown"); rv = 1; } PORT_Free(progName); PORT_Free(certDir); PORT_Free(oidStr); freeRevocationMethodData(); if (pwdata.data) { PORT_Free(pwdata.data); } PR_Cleanup(); return rv; }
/** * Writes out a copy of the MAR at src but with embedded signatures. * The passed in MAR file must not already be signed or an error will * be returned. * * @param NSSConfigDir The NSS directory containing the private key for signing * @param certNames The nicknames of the certificate to use for signing * @param certCount The number of certificate names contained in certNames. * One signature will be produced for each certificate. * @param src The path of the source MAR file to sign * @param dest The path of the MAR file to write out that is signed * @return 0 on success * -1 on error */ int mar_repackage_and_sign(const char *NSSConfigDir, const char * const *certNames, uint32_t certCount, const char *src, const char *dest) { uint32_t offsetToIndex, dstOffsetToIndex, indexLength, numSignatures = 0, leftOver, signatureAlgorithmID, signatureSectionLength = 0; uint32_t signatureLengths[MAX_SIGNATURES]; int64_t oldPos, sizeOfEntireMAR = 0, realSizeOfSrcMAR, signaturePlaceholderOffset, numBytesToCopy, numChunks, i; FILE *fpSrc = NULL, *fpDest = NULL; int rv = -1, hasSignatureBlock; SGNContext *ctxs[MAX_SIGNATURES]; SECItem secItems[MAX_SIGNATURES]; char buf[BLOCKSIZE]; SECKEYPrivateKey *privKeys[MAX_SIGNATURES]; CERTCertificate *certs[MAX_SIGNATURES]; char *indexBuf = NULL; uint32_t k; memset(signatureLengths, 0, sizeof(signatureLengths)); memset(ctxs, 0, sizeof(ctxs)); memset(secItems, 0, sizeof(secItems)); memset(privKeys, 0, sizeof(privKeys)); memset(certs, 0, sizeof(certs)); if (!NSSConfigDir || !certNames || certCount == 0 || !src || !dest) { fprintf(stderr, "ERROR: Invalid parameter passed in.\n"); return -1; } if (NSSInitCryptoContext(NSSConfigDir)) { fprintf(stderr, "ERROR: Could not init config dir: %s\n", NSSConfigDir); goto failure; } PK11_SetPasswordFunc(SECU_GetModulePassword); fpSrc = fopen(src, "rb"); if (!fpSrc) { fprintf(stderr, "ERROR: could not open source file: %s\n", src); goto failure; } fpDest = fopen(dest, "wb"); if (!fpDest) { fprintf(stderr, "ERROR: could not create target file: %s\n", dest); goto failure; } /* Determine if the source MAR file has the new fields for signing or not */ if (get_mar_file_info(src, &hasSignatureBlock, NULL, NULL, NULL, NULL)) { fprintf(stderr, "ERROR: could not determine if MAR is old or new.\n"); goto failure; } for (k = 0; k < certCount; k++) { if (NSSSignBegin(certNames[k], &ctxs[k], &privKeys[k], &certs[k], &signatureLengths[k])) { fprintf(stderr, "ERROR: NSSSignBegin failed\n"); goto failure; } } /* MAR ID */ if (ReadWriteAndUpdateSignatures(fpSrc, fpDest, buf, MAR_ID_SIZE, ctxs, certCount, "MAR ID")) { goto failure; } /* Offset to index */ if (fread(&offsetToIndex, sizeof(offsetToIndex), 1, fpSrc) != 1) { fprintf(stderr, "ERROR: Could not read offset\n"); goto failure; } offsetToIndex = ntohl(offsetToIndex); /* Get the real size of the MAR */ oldPos = ftello(fpSrc); if (fseeko(fpSrc, 0, SEEK_END)) { fprintf(stderr, "ERROR: Could not seek to end of file.\n"); goto failure; } realSizeOfSrcMAR = ftello(fpSrc); if (fseeko(fpSrc, oldPos, SEEK_SET)) { fprintf(stderr, "ERROR: Could not seek back to current location.\n"); goto failure; } if (hasSignatureBlock) { /* Get the MAR length and adjust its size */ if (fread(&sizeOfEntireMAR, sizeof(sizeOfEntireMAR), 1, fpSrc) != 1) { fprintf(stderr, "ERROR: Could read mar size\n"); goto failure; } sizeOfEntireMAR = NETWORK_TO_HOST64(sizeOfEntireMAR); if (sizeOfEntireMAR != realSizeOfSrcMAR) { fprintf(stderr, "ERROR: Source MAR is not of the right size\n"); goto failure; } /* Get the num signatures in the source file */ if (fread(&numSignatures, sizeof(numSignatures), 1, fpSrc) != 1) { fprintf(stderr, "ERROR: Could read num signatures\n"); goto failure; } numSignatures = ntohl(numSignatures); /* We do not support resigning, if you have multiple signatures, you must add them all at the same time. */ if (numSignatures) { fprintf(stderr, "ERROR: MAR is already signed\n"); goto failure; } } else { sizeOfEntireMAR = realSizeOfSrcMAR; } if (((int64_t)offsetToIndex) > sizeOfEntireMAR) { fprintf(stderr, "ERROR: Offset to index is larger than the file size.\n"); goto failure; } /* Calculate the total signature block length */ for (k = 0; k < certCount; k++) { signatureSectionLength += sizeof(signatureAlgorithmID) + sizeof(signatureLengths[k]) + signatureLengths[k]; } dstOffsetToIndex = offsetToIndex; if (!hasSignatureBlock) { dstOffsetToIndex += sizeof(sizeOfEntireMAR) + sizeof(numSignatures); } dstOffsetToIndex += signatureSectionLength; /* Write out the index offset */ dstOffsetToIndex = htonl(dstOffsetToIndex); if (WriteAndUpdateSignatures(fpDest, &dstOffsetToIndex, sizeof(dstOffsetToIndex), ctxs, certCount, "index offset")) { goto failure; } dstOffsetToIndex = ntohl(dstOffsetToIndex); /* Write out the new MAR file size */ sizeOfEntireMAR += signatureSectionLength; if (!hasSignatureBlock) { sizeOfEntireMAR += sizeof(sizeOfEntireMAR) + sizeof(numSignatures); } /* Write out the MAR size */ sizeOfEntireMAR = HOST_TO_NETWORK64(sizeOfEntireMAR); if (WriteAndUpdateSignatures(fpDest, &sizeOfEntireMAR, sizeof(sizeOfEntireMAR), ctxs, certCount, "size of MAR")) { goto failure; } sizeOfEntireMAR = NETWORK_TO_HOST64(sizeOfEntireMAR); /* Write out the number of signatures */ numSignatures = certCount; numSignatures = htonl(numSignatures); if (WriteAndUpdateSignatures(fpDest, &numSignatures, sizeof(numSignatures), ctxs, certCount, "num signatures")) { goto failure; } numSignatures = ntohl(numSignatures); signaturePlaceholderOffset = ftello(fpDest); for (k = 0; k < certCount; k++) { /* Write out the signature algorithm ID, Only an ID of 1 is supported */ signatureAlgorithmID = htonl(1); if (WriteAndUpdateSignatures(fpDest, &signatureAlgorithmID, sizeof(signatureAlgorithmID), ctxs, certCount, "num signatures")) { goto failure; } signatureAlgorithmID = ntohl(signatureAlgorithmID); /* Write out the signature length */ signatureLengths[k] = htonl(signatureLengths[k]); if (WriteAndUpdateSignatures(fpDest, &signatureLengths[k], sizeof(signatureLengths[k]), ctxs, certCount, "signature length")) { goto failure; } signatureLengths[k] = ntohl(signatureLengths[k]); /* Write out a placeholder for the signature, we'll come back to this later *** THIS IS NOT SIGNED because it is a placeholder that will be replaced below, plus it is going to be the signature itself. *** */ memset(buf, 0, sizeof(buf)); if (fwrite(buf, signatureLengths[k], 1, fpDest) != 1) { fprintf(stderr, "ERROR: Could not write signature length\n"); goto failure; } } /* Write out the rest of the MAR excluding the index header and index offsetToIndex unfortunately has to remain 32-bit because for backwards compatibility with the old MAR file format. */ if (ftello(fpSrc) > ((int64_t)offsetToIndex)) { fprintf(stderr, "ERROR: Index offset is too small.\n"); goto failure; } numBytesToCopy = ((int64_t)offsetToIndex) - ftello(fpSrc); numChunks = numBytesToCopy / BLOCKSIZE; leftOver = numBytesToCopy % BLOCKSIZE; /* Read each file and write it to the MAR file */ for (i = 0; i < numChunks; ++i) { if (ReadWriteAndUpdateSignatures(fpSrc, fpDest, buf, BLOCKSIZE, ctxs, certCount, "content block")) { goto failure; } } /* Write out the left over */ if (ReadWriteAndUpdateSignatures(fpSrc, fpDest, buf, leftOver, ctxs, certCount, "left over content block")) { goto failure; } /* Length of the index */ if (ReadWriteAndUpdateSignatures(fpSrc, fpDest, &indexLength, sizeof(indexLength), ctxs, certCount, "index length")) { goto failure; } indexLength = ntohl(indexLength); /* Consume the index and adjust each index by signatureSectionLength */ indexBuf = malloc(indexLength); if (fread(indexBuf, indexLength, 1, fpSrc) != 1) { fprintf(stderr, "ERROR: Could not read index\n"); goto failure; } /* Adjust each entry in the index */ if (hasSignatureBlock) { AdjustIndexContentOffsets(indexBuf, indexLength, signatureSectionLength); } else { AdjustIndexContentOffsets(indexBuf, indexLength, sizeof(sizeOfEntireMAR) + sizeof(numSignatures) + signatureSectionLength); } if (WriteAndUpdateSignatures(fpDest, indexBuf, indexLength, ctxs, certCount, "index")) { goto failure; } /* Ensure that we don't sign a file that is too large to be accepted by the verification function. */ if (ftello(fpDest) > MAX_SIZE_OF_MAR_FILE) { goto failure; } for (k = 0; k < certCount; k++) { /* Get the signature */ if (SGN_End(ctxs[k], &secItems[k]) != SECSuccess) { fprintf(stderr, "ERROR: Could not end signature context\n"); goto failure; } if (signatureLengths[k] != secItems[k].len) { fprintf(stderr, "ERROR: Signature is not the expected length\n"); goto failure; } } /* Get back to the location of the signature placeholder */ if (fseeko(fpDest, signaturePlaceholderOffset, SEEK_SET)) { fprintf(stderr, "ERROR: Could not seek to signature offset\n"); goto failure; } for (k = 0; k < certCount; k++) { /* Skip to the position of the next signature */ if (fseeko(fpDest, sizeof(signatureAlgorithmID) + sizeof(signatureLengths[k]), SEEK_CUR)) { fprintf(stderr, "ERROR: Could not seek to signature offset\n"); goto failure; } /* Write out the calculated signature. *** THIS IS NOT SIGNED because it is the signature itself. *** */ if (fwrite(secItems[k].data, secItems[k].len, 1, fpDest) != 1) { fprintf(stderr, "ERROR: Could not write signature\n"); goto failure; } } rv = 0; failure: if (fpSrc) { fclose(fpSrc); } if (fpDest) { fclose(fpDest); } if (rv) { remove(dest); } if (indexBuf) { free(indexBuf); } /* Cleanup */ for (k = 0; k < certCount; k++) { if (ctxs[k]) { SGN_DestroyContext(ctxs[k], PR_TRUE); } if (certs[k]) { CERT_DestroyCertificate(certs[k]); } if (privKeys[k]) { SECKEY_DestroyPrivateKey(privKeys[k]); } SECITEM_FreeItem(&secItems[k], PR_FALSE); } if (rv) { remove(dest); } return rv; }
int main(int argc, char **argv) { bool fork_desired = TRUE; int lockfd; char* ocspuri = NULL; int nhelpers = -1; char *coredir; const struct osw_conf_options *oco; #ifdef NAT_TRAVERSAL /** Overridden by nat_traversal= in ipsec.conf */ bool nat_traversal = FALSE; bool nat_t_spf = TRUE; /* support port floating */ unsigned int keep_alive = 0; bool force_keepalive = FALSE; #endif /** Overridden by virtual_private= in ipsec.conf */ char *virtual_private = NULL; #ifdef LEAK_DETECTIVE leak_detective=1; #else leak_detective=0; #endif #ifdef HAVE_LIBCAP_NG /* Drop capabilities */ capng_clear(CAPNG_SELECT_BOTH); capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW, CAP_IPC_LOCK, -1); /* our children must be able to CAP_NET_ADMIN to change routes. */ capng_updatev(CAPNG_ADD, CAPNG_BOUNDING_SET, CAP_NET_ADMIN, -1); capng_apply(CAPNG_SELECT_BOTH); #endif global_argv = argv; global_argc = argc; #ifdef DEBUG openswan_passert_fail = passert_fail; #endif /* see if there is an environment variable */ coredir = getenv("PLUTO_CORE_DIR"); if(getenv("PLUTO_WAIT_FOR_GDB")) { sleep(120); } /* handle arguments */ for (;;) { # define DBG_OFFSET 256 static const struct option long_opts[] = { /* name, has_arg, flag, val */ { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { "optionsfrom", required_argument, NULL, '+' }, { "nofork", no_argument, NULL, 'd' }, { "stderrlog", no_argument, NULL, 'e' }, { "noklips", no_argument, NULL, 'n' }, { "use-nostack", no_argument, NULL, 'n' }, { "use-none", no_argument, NULL, 'n' }, { "force_busy", no_argument, NULL, 'D' }, { "nocrsend", no_argument, NULL, 'c' }, { "strictcrlpolicy", no_argument, NULL, 'r' }, { "crlcheckinterval", required_argument, NULL, 'x'}, { "ocsprequestcert", required_argument, NULL, 'q'}, { "ocspuri", required_argument, NULL, 'o'}, { "uniqueids", no_argument, NULL, 'u' }, { "useklips", no_argument, NULL, 'k' }, { "use-klips", no_argument, NULL, 'k' }, { "use-auto", no_argument, NULL, 'G' }, { "usenetkey", no_argument, NULL, 'K' }, { "use-netkey", no_argument, NULL, 'K' }, { "use-mast", no_argument, NULL, 'M' }, { "use-mastklips", no_argument, NULL, 'M' }, { "use-bsdkame", no_argument, NULL, 'F' }, { "interface", required_argument, NULL, 'i' }, { "listen", required_argument, NULL, 'L' }, { "ikeport", required_argument, NULL, 'p' }, { "ctlbase", required_argument, NULL, 'b' }, { "secretsfile", required_argument, NULL, 's' }, { "foodgroupsdir", required_argument, NULL, 'f' }, { "perpeerlogbase", required_argument, NULL, 'P' }, { "perpeerlog", no_argument, NULL, 'l' }, { "noretransmits", no_argument, NULL, 'R' }, { "coredir", required_argument, NULL, 'C' }, { "ipsecdir", required_argument, NULL, 'f' }, { "ipsec_dir", required_argument, NULL, 'f' }, #ifdef USE_LWRES { "lwdnsq", required_argument, NULL, 'a' }, #else /* !USE_LWRES */ { "adns", required_argument, NULL, 'a' }, #endif /* !USE_LWRES */ #ifdef NAT_TRAVERSAL { "nat_traversal", no_argument, NULL, '1' }, { "keep_alive", required_argument, NULL, '2' }, { "force_keepalive", no_argument, NULL, '3' }, { "disable_port_floating", no_argument, NULL, '4' }, { "debug-nat_t", no_argument, NULL, '5' }, { "debug-nattraversal", no_argument, NULL, '5' }, { "debug-nat-t", no_argument, NULL, '5' }, #endif { "virtual_private", required_argument, NULL, '6' }, { "nhelpers", required_argument, NULL, 'j' }, #ifdef DEBUG { "debug-none", no_argument, NULL, 'N' }, { "debug-all", no_argument, NULL, 'A' }, { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET }, { "debug-crypto", no_argument, NULL, DBG_CRYPT + DBG_OFFSET }, { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, { "debug-emitting", no_argument, NULL, DBG_EMITTING + DBG_OFFSET }, { "debug-control", no_argument, NULL, DBG_CONTROL + DBG_OFFSET }, { "debug-lifecycle", no_argument, NULL, DBG_LIFECYCLE + DBG_OFFSET }, { "debug-klips", no_argument, NULL, DBG_KLIPS + DBG_OFFSET }, { "debug-netkey", no_argument, NULL, DBG_NETKEY + DBG_OFFSET }, { "debug-dns", no_argument, NULL, DBG_DNS + DBG_OFFSET }, { "debug-oppo", no_argument, NULL, DBG_OPPO + DBG_OFFSET }, { "debug-oppoinfo", no_argument, NULL, DBG_OPPOINFO + DBG_OFFSET }, { "debug-controlmore", no_argument, NULL, DBG_CONTROLMORE + DBG_OFFSET }, { "debug-dpd", no_argument, NULL, DBG_DPD + DBG_OFFSET }, { "debug-x509", no_argument, NULL, DBG_X509 + DBG_OFFSET }, { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, { "debug-pfkey", no_argument, NULL, DBG_PFKEY + DBG_OFFSET }, { "impair-delay-adns-key-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_KEY_ANSWER + DBG_OFFSET }, { "impair-delay-adns-txt-answer", no_argument, NULL, IMPAIR_DELAY_ADNS_TXT_ANSWER + DBG_OFFSET }, { "impair-bust-mi2", no_argument, NULL, IMPAIR_BUST_MI2 + DBG_OFFSET }, { "impair-bust-mr2", no_argument, NULL, IMPAIR_BUST_MR2 + DBG_OFFSET }, { "impair-sa-creation", no_argument, NULL, IMPAIR_SA_CREATION + DBG_OFFSET }, { "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO + DBG_OFFSET }, { "impair-jacob-two-two", no_argument, NULL, IMPAIR_JACOB_TWO_TWO + DBG_OFFSET }, #endif { 0,0,0,0 } }; /* Note: we don't like the way short options get parsed * by getopt_long, so we simply pass an empty string as * the list. It could be "hvdenp:l:s:" "NARXPECK". */ int c = getopt_long(argc, argv, "", long_opts, NULL); /** Note: "breaking" from case terminates loop */ switch (c) { case EOF: /* end of flags */ break; case 0: /* long option already handled */ continue; case ':': /* diagnostic already printed by getopt_long */ case '?': /* diagnostic already printed by getopt_long */ usage(""); break; /* not actually reached */ case 'h': /* --help */ usage(NULL); break; /* not actually reached */ case 'C': coredir = clone_str(optarg, "coredir"); break; case 'v': /* --version */ { const char **sp = ipsec_copyright_notice(); printf("%s%s\n", ipsec_version_string(), compile_time_interop_options); for (; *sp != NULL; sp++) puts(*sp); } exit(0); /* not exit_pluto because we are not initialized yet */ break; /* not actually reached */ case '+': /* --optionsfrom <filename> */ optionsfrom(optarg, &argc, &argv, optind, stderr); /* does not return on error */ continue; case 'j': /* --nhelpers */ if (optarg == NULL || !isdigit(optarg[0])) usage("missing number of pluto helpers"); { char *endptr; long count = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || count < -1) usage("<nhelpers> must be a positive number, 0 or -1"); nhelpers = count; } continue; case 'd': /* --nofork*/ fork_desired = FALSE; continue; case 'e': /* --stderrlog */ log_to_stderr_desired = TRUE; continue; case 'G': /* --use-auto */ kern_interface = AUTO_PICK; continue; case 'k': /* --use-klips */ kern_interface = USE_KLIPS; continue; case 'L': /* --listen ip_addr */ { ip_address lip; err_t e = ttoaddr(optarg,0,0,&lip); if(e) { openswan_log("invalid listen argument ignored: %s\n",e); } else { pluto_listen = clone_str(optarg, "pluto_listen"); openswan_log("bind() will be filtered for %s\n",pluto_listen); } } continue; case 'M': /* --use-mast */ kern_interface = USE_MASTKLIPS; continue; case 'F': /* --use-bsdkame */ kern_interface = USE_BSDKAME; continue; case 'K': /* --use-netkey */ kern_interface = USE_NETKEY; continue; case 'n': /* --use-nostack */ kern_interface = NO_KERNEL; continue; case 'D': /* --force_busy */ force_busy = TRUE; continue ; case 'c': /* --nocrsend */ no_cr_send = TRUE; continue ; case 'r': /* --strictcrlpolicy */ strict_crl_policy = TRUE; continue ; case 'R': no_retransmits = TRUE; continue; case 'x': /* --crlcheckinterval <time>*/ if (optarg == NULL || !isdigit(optarg[0])) usage("missing interval time"); { char *endptr; long interval = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || interval <= 0) usage("<interval-time> must be a positive number"); crl_check_interval = interval; } continue ; case 'o': /* --ocspuri */ ocspuri = optarg; continue; case 'u': /* --uniqueids */ uniqueIDs = TRUE; continue; case 'i': /* --interface <ifname|ifaddr> */ if (!use_interface(optarg)) usage("too many --interface specifications"); continue; /* * This option does not really work, as this is the "left" * site only, you also need --to --ikeport again later on * It will result in: yourport -> 500, still not bypassing filters */ case 'p': /* --ikeport <portnumber> */ if (optarg == NULL || !isdigit(optarg[0])) usage("missing port number"); { char *endptr; long port = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || port <= 0 || port > 0x10000) usage("<port-number> must be a number between 1 and 65535"); pluto_port = port; } continue; case 'b': /* --ctlbase <path> */ ctlbase = optarg; if (snprintf(ctl_addr.sun_path, sizeof(ctl_addr.sun_path) , "%s%s", ctlbase, CTL_SUFFIX) == -1) usage("<path>" CTL_SUFFIX " too long for sun_path"); if (snprintf(info_addr.sun_path, sizeof(info_addr.sun_path) , "%s%s", ctlbase, INFO_SUFFIX) == -1) usage("<path>" INFO_SUFFIX " too long for sun_path"); if (snprintf(pluto_lock, sizeof(pluto_lock) , "%s%s", ctlbase, LOCK_SUFFIX) == -1) usage("<path>" LOCK_SUFFIX " must fit"); continue; case 's': /* --secretsfile <secrets-file> */ pluto_shared_secrets_file = optarg; continue; case 'f': /* --ipsecdir <ipsec-dir> */ (void)osw_init_ipsecdir(optarg); continue; case 'a': /* --adns <pathname> */ pluto_adns_option = optarg; continue; #ifdef DEBUG case 'N': /* --debug-none */ base_debugging = DBG_NONE; continue; case 'A': /* --debug-all */ base_debugging = DBG_ALL; continue; #endif case 'P': /* --perpeerlogbase */ base_perpeer_logdir = optarg; continue; case 'l': log_to_perpeer = TRUE; continue; #ifdef NAT_TRAVERSAL case '1': /* --nat_traversal */ nat_traversal = TRUE; continue; case '2': /* --keep_alive */ keep_alive = atoi(optarg); continue; case '3': /* --force_keepalive */ force_keepalive = TRUE; continue; case '4': /* --disable_port_floating */ nat_t_spf = FALSE; continue; #ifdef DEBUG case '5': /* --debug-nat_t */ base_debugging |= DBG_NATT; continue; #endif #endif case '6': /* --virtual_private */ virtual_private = optarg; continue; default: #ifdef DEBUG if (c >= DBG_OFFSET) { base_debugging |= c - DBG_OFFSET; continue; } # undef DBG_OFFSET #endif bad_case(c); } break; } if (optind != argc) usage("unexpected argument"); reset_debugging(); #ifdef HAVE_NO_FORK fork_desired = FALSE; nhelpers = 0; #endif /* if a core dir was set, chdir there */ if(coredir) if(chdir(coredir) == -1) { int e = errno; openswan_log("pluto: chdir() do dumpdir failed (%d %s)\n", e, strerror(e)); } oco = osw_init_options(); lockfd = create_lock(); /* select between logging methods */ if (log_to_stderr_desired) log_to_syslog = FALSE; else log_to_stderr = FALSE; #ifdef DEBUG #if 0 if(kernel_ops->set_debug) { (*kernel_ops->set_debug)(cur_debugging, DBG_log, DBG_log); } #endif #endif /** create control socket. * We must create it before the parent process returns so that * there will be no race condition in using it. The easiest * place to do this is before the daemon fork. */ { err_t ugh = init_ctl_socket(); if (ugh != NULL) { fprintf(stderr, "pluto: %s", ugh); exit_pluto(1); } } #ifdef IPSECPOLICY /* create info socket. */ { err_t ugh = init_info_socket(); if (ugh != NULL) { fprintf(stderr, "pluto: %s", ugh); exit_pluto(1); } } #endif /* If not suppressed, do daemon fork */ if (fork_desired) { { pid_t pid = fork(); if (pid < 0) { int e = errno; fprintf(stderr, "pluto: fork failed (%d %s)\n", errno, strerror(e)); exit_pluto(1); } if (pid != 0) { /* parent: die, after filling PID into lock file. * must not use exit_pluto: lock would be removed! */ exit(fill_lock(lockfd, pid)? 0 : 1); } } if (setsid() < 0) { int e = errno; fprintf(stderr, "setsid() failed in main(). Errno %d: %s\n", errno, strerror(e)); exit_pluto(1); } } else { /* no daemon fork: we have to fill in lock file */ (void) fill_lock(lockfd, getpid()); fprintf(stdout, "Pluto initialized\n"); fflush(stdout); } /** Close everything but ctl_fd and (if needed) stderr. * There is some danger that a library that we don't know * about is using some fd that we don't know about. * I guess we'll soon find out. */ { int i; for (i = getdtablesize() - 1; i >= 0; i--) /* Bad hack */ if ((!log_to_stderr || i != 2) #ifdef IPSECPOLICY && i != info_fd #endif && i != ctl_fd) close(i); /* make sure that stdin, stdout, stderr are reserved */ if (open("/dev/null", O_RDONLY) != 0) osw_abort(); if (dup2(0, 1) != 1) osw_abort(); if (!log_to_stderr && dup2(0, 2) != 2) osw_abort(); } init_constants(); pluto_init_log(); #ifdef HAVE_LIBNSS char buf[100]; snprintf(buf, sizeof(buf), "%s",oco->confddir); loglog(RC_LOG_SERIOUS,"nss directory plutomain: %s",buf); SECStatus nss_init_status= NSS_InitReadWrite(buf); if (nss_init_status != SECSuccess) { loglog(RC_LOG_SERIOUS, "NSS initialization failed (err %d)\n", PR_GetError()); exit_pluto(10); } else { loglog(RC_LOG_SERIOUS, "NSS Initialized"); PK11_SetPasswordFunc(getNSSPassword); #ifdef FIPS_CHECK const char *package_files[]= { IPSECLIBDIR"/setup", IPSECLIBDIR"/addconn", IPSECLIBDIR"/auto", IPSECLIBDIR"/barf", IPSECLIBDIR"/_copyright", IPSECLIBDIR"/eroute", IPSECLIBDIR"/ikeping", IPSECLIBDIR"/_include", IPSECLIBDIR"/_keycensor", IPSECLIBDIR"/klipsdebug", IPSECLIBDIR"/look", IPSECLIBDIR"/newhostkey", IPSECLIBDIR"/pf_key", IPSECLIBDIR"/_pluto_adns", IPSECLIBDIR"/_plutoload", IPSECLIBDIR"/_plutorun", IPSECLIBDIR"/ranbits", IPSECLIBDIR"/_realsetup", IPSECLIBDIR"/rsasigkey", IPSECLIBDIR"/pluto", IPSECLIBDIR"/_secretcensor", IPSECLIBDIR"/secrets", IPSECLIBDIR"/showdefaults", IPSECLIBDIR"/showhostkey", IPSECLIBDIR"/showpolicy", IPSECLIBDIR"/spi", IPSECLIBDIR"/spigrp", IPSECLIBDIR"/_startklips", IPSECLIBDIR"/_startnetkey", IPSECLIBDIR"/tncfg", IPSECLIBDIR"/_updown", IPSECLIBDIR"/_updown.klips", IPSECLIBDIR"/_updown.mast", IPSECLIBDIR"/_updown.netkey", IPSECLIBDIR"/verify", IPSECLIBDIR"/whack", IPSECSBINDIR"/ipsec", NULL }; if (Pluto_IsFIPS() && !FIPSCHECK_verify_files(package_files)) { loglog(RC_LOG_SERIOUS, "FIPS integrity verification test failed"); exit_pluto(10); } #endif } #endif /* Note: some scripts may look for this exact message -- don't change * ipsec barf was one, but it no longer does. */ { const char *vc = ipsec_version_code(); #ifdef PLUTO_SENDS_VENDORID const char *v = init_pluto_vendorid(); openswan_log("Starting Pluto (Openswan Version %s%s; Vendor ID %s) pid:%u" , vc, compile_time_interop_options, v, getpid()); #else openswan_log("Starting Pluto (Openswan Version %s%s) pid:%u" , vc, compile_time_interop_options, getpid()); #endif #ifdef HAVE_LIBNSS if(Pluto_IsFIPS()) { openswan_log("Pluto is running in FIPS mode"); } #endif if((vc[0]=='c' && vc[1]=='v' && vc[2]=='s') || (vc[2]=='g' && vc[3]=='i' && vc[4]=='t')) { /* * when people build RPMs from CVS or GIT, make sure they * get blamed appropriately, and that we get some way to * identify who did it, and when they did it. Use string concat, * so that strings the binary can or classic SCCS "what", will find * stuff too. */ openswan_log("@(#) built on "__DATE__":" __TIME__ " by " BUILDER); } #if defined(USE_1DES) openswan_log("WARNING: 1DES is enabled"); #endif } if(coredir) { openswan_log("core dump dir: %s", coredir); } #ifdef LEAK_DETECTIVE openswan_log("LEAK_DETECTIVE support [enabled]"); #else openswan_log("LEAK_DETECTIVE support [disabled]"); #endif #ifdef HAVE_OCF { struct stat buf; errno=0; if( stat("/dev/crypto",&buf) != -1) openswan_log("OCF support for IKE via /dev/crypto [enabled]"); else openswan_log("OCF support for IKE via /dev/crypto [failed:%s]", strerror(errno)); } #else openswan_log("OCF support for IKE [disabled]"); #endif /* Check for SAREF support */ #ifdef KLIPS_MAST #include <ipsec_saref.h> { int e, sk, saref; saref = 1; errno=0; sk = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_REFINFO, &saref, sizeof(saref)); if (e == -1 ) { openswan_log("SAref support [disabled]: %s" , strerror(errno)); } else { openswan_log("SAref support [enabled]"); } errno=0; e = setsockopt(sk, IPPROTO_IP, IP_IPSEC_BINDREF, &saref, sizeof(saref)); if (e == -1 ) { openswan_log("SAbind support [disabled]: %s" , strerror(errno)); } else { openswan_log("SAbind support [enabled]"); } close(sk); } #endif #ifdef HAVE_LIBNSS openswan_log("NSS support [enabled]"); #else openswan_log("NSS support [disabled]"); #endif #ifdef HAVE_STATSD openswan_log("HAVE_STATSD notification via /bin/openswan-statsd enabled"); #else openswan_log("HAVE_STATSD notification support not compiled in"); #endif /** Log various impair-* functions if they were enabled */ if(DBGP(IMPAIR_BUST_MI2)) openswan_log("Warning: IMPAIR_BUST_MI2 enabled"); if(DBGP(IMPAIR_BUST_MR2)) openswan_log("Warning: IMPAIR_BUST_MR2 enabled"); if(DBGP(IMPAIR_SA_CREATION)) openswan_log("Warning: IMPAIR_SA_CREATION enabled"); if(DBGP(IMPAIR_JACOB_TWO_TWO)) openswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled"); if(DBGP(IMPAIR_DIE_ONINFO)) openswan_log("Warning: IMPAIR_DIE_ONINFO enabled"); if(DBGP(IMPAIR_DELAY_ADNS_KEY_ANSWER)) openswan_log("Warning: IMPAIR_DELAY_ADNS_KEY_ANSWER enabled"); if(DBGP(IMPAIR_DELAY_ADNS_TXT_ANSWER)) openswan_log("Warning: IMPAIR_DELAY_ADNS_TXT_ANSWER enabled"); /** Initialize all of the various features */ #ifdef NAT_TRAVERSAL init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); #endif init_virtual_ip(virtual_private); init_rnd_pool(); init_timer(); init_secret(); init_states(); init_connections(); init_crypto(); init_crypto_helpers(nhelpers); load_oswcrypto(); init_demux(); init_kernel(); init_adns(); init_id(); #ifdef TPM init_tpm(); #endif #ifdef HAVE_THREADS init_fetch(); #endif ocsp_set_default_uri(ocspuri); /* loading X.509 CA certificates */ load_authcerts("CA cert", oco->cacerts_dir, AUTH_CA); /* loading X.509 AA certificates */ load_authcerts("AA cert", oco->aacerts_dir, AUTH_AA); /* loading X.509 OCSP certificates */ load_authcerts("OCSP cert", oco->ocspcerts_dir, AUTH_OCSP); /* loading X.509 CRLs */ load_crls(); /* loading attribute certificates (experimental) */ load_acerts(); #ifdef HAVE_LIBNSS /*Loading CA certs from NSS DB*/ load_authcerts_from_nss("CA cert", AUTH_CA); #endif daily_log_event(); call_server(); return -1; /* Shouldn't ever reach this */ }
VCardEmulError vcard_emul_init(const VCardEmulOptions *options) { SECStatus rv; PRBool ret, has_readers = PR_FALSE, need_coolkey_module; VReader *vreader; VReaderEmul *vreader_emul; SECMODListLock *module_lock; SECMODModuleList *module_list; SECMODModuleList *mlp; int i; if (vcard_emul_init_called) { return VCARD_EMUL_INIT_ALREADY_INITED; } vcard_emul_init_called = 1; vreader_init(); vevent_queue_init(); if (options == NULL) { options = &default_options; } /* first initialize NSS */ if (options->nss_db) { rv = NSS_Init(options->nss_db); } else { rv = NSS_Init("sql:/etc/pki/nssdb"); } if (rv != SECSuccess) { return VCARD_EMUL_FAIL; } /* Set password callback function */ PK11_SetPasswordFunc(vcard_emul_get_password); /* set up soft cards emulated by software certs rather than physical cards * */ for (i = 0; i < options->vreader_count; i++) { int j; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; slot = PK11_FindSlotByName(options->vreader[i].name); if (slot == NULL) { continue; } vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, options->vreader[i].type_params); vreader = vreader_new(options->vreader[i].vname, vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); cert_count = options->vreader[i].cert_count; ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, options->vreader[i].cert_count); if (ret == PR_FALSE) { continue; } cert_count = 0; for (j = 0; j < options->vreader[i].cert_count; j++) { /* we should have a better way of identifying certs than by * nickname here */ CERTCertificate *cert = PK11_FindCertFromNickname( options->vreader[i].cert_name[j], NULL); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); /* this is safe because the key is still holding a cert reference */ CERT_DestroyCertificate(cert); cert_count++; } if (cert_count) { VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); /* allow insertion and removal of soft cards */ vreader_emul->saved_vcard = vcard_reference(vcard); vcard_free(vcard); vreader_free(vreader); has_readers = PR_TRUE; } g_free(certs); g_free(cert_len); g_free(keys); } /* if we aren't suppose to use hw, skip looking up hardware tokens */ if (!options->use_hw) { nss_emul_init = has_readers; return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; } /* make sure we have some PKCS #11 module loaded */ module_lock = SECMOD_GetDefaultModuleListLock(); module_list = SECMOD_GetDefaultModuleList(); need_coolkey_module = !has_readers; SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; if (module_has_removable_hw_slots(module)) { need_coolkey_module = PR_FALSE; break; } } SECMOD_ReleaseReadLock(module_lock); if (need_coolkey_module) { SECMODModule *module; module = SECMOD_LoadUserModule( (char *)"library=libcoolkeypk11.so name=Coolkey", NULL, PR_FALSE); if (module == NULL) { return VCARD_EMUL_FAIL; } SECMOD_DestroyModule(module); /* free our reference, Module will still * be on the list. * until we destroy it */ } /* now examine all the slots, finding which should be readers */ /* We should control this with options. For now we mirror out any * removable hardware slot */ default_card_type = options->hw_card_type; default_type_params = strdup(options->hw_type_params); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; PRBool has_emul_slots = PR_FALSE; if (module == NULL) { continue; } for (i = 0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; /* only map removable HW slots */ if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { continue; } vreader_emul = vreader_emul_new(slot, options->hw_card_type, options->hw_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); has_readers = PR_TRUE; has_emul_slots = PR_TRUE; if (PK11_IsPresent(slot)) { VCard *vcard; vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); vcard_free(vcard); } } if (has_emul_slots) { vcard_emul_new_event_thread(module); } } SECMOD_ReleaseReadLock(module_lock); nss_emul_init = has_readers; return VCARD_EMUL_OK; }
int main(int argc, char **argv) { char * certDir = NULL; char * progName = NULL; int connections = 1; char * cipherString = NULL; char * respUrl = NULL; char * respCertName = NULL; SECStatus secStatus; PLOptState * optstate; PLOptStatus status; PRBool doOcspCheck = PR_FALSE; /* Call the NSPR initialization routines */ PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); progName = PORT_Strdup(argv[0]); hostName = NULL; optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch(optstate->option) { case 'C' : cipherString = PL_strdup(optstate->value); break; case 'c' : dumpChain = PR_TRUE; break; case 'd' : certDir = PL_strdup(optstate->value); break; case 'l' : respUrl = PL_strdup(optstate->value); break; case 'p' : port = PORT_Atoi(optstate->value); break; case 'o' : doOcspCheck = PR_TRUE; break; case 't' : respCertName = PL_strdup(optstate->value); break; case 'w': pwdata.source = PW_PLAINTEXT; pwdata.data = PORT_Strdup(optstate->value); break; case 'f': pwdata.source = PW_FROMFILE; pwdata.data = PORT_Strdup(optstate->value); break; case '\0': hostName = PL_strdup(optstate->value); break; default : Usage(progName); } } if (port == 0) { port = 443; } if (port == 0 || hostName == NULL) Usage(progName); if (doOcspCheck && ((respCertName != NULL && respUrl == NULL) || (respUrl != NULL && respCertName == NULL))) { SECU_PrintError (progName, "options -l <url> and -t " "<responder> must be used together"); Usage(progName); } PK11_SetPasswordFunc(SECU_GetModulePassword); /* Initialize the NSS libraries. */ if (certDir) { secStatus = NSS_Init(certDir); } else { secStatus = NSS_NoDB_Init(NULL); /* load the builtins */ SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0); } if (secStatus != SECSuccess) { exitErr("NSS_Init"); } SECU_RegisterDynamicOids(); if (doOcspCheck == PR_TRUE) { SECStatus rv; CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); if (handle == NULL) { SECU_PrintError (progName, "problem getting certdb handle"); goto cleanup; } rv = CERT_EnableOCSPChecking (handle); if (rv != SECSuccess) { SECU_PrintError (progName, "error enabling OCSP checking"); goto cleanup; } if (respUrl != NULL) { rv = CERT_SetOCSPDefaultResponder (handle, respUrl, respCertName); if (rv != SECSuccess) { SECU_PrintError (progName, "error setting default responder"); goto cleanup; } rv = CERT_EnableOCSPDefaultResponder (handle); if (rv != SECSuccess) { SECU_PrintError (progName, "error enabling default responder"); goto cleanup; } } } /* All cipher suites except RSA_NULL_MD5 are enabled by * Domestic Policy. */ NSS_SetDomesticPolicy(); SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ if (cipherString) { int ndx; /* disable all the ciphers, then enable the ones we want. */ disableAllSSLCiphers(); while (0 != (ndx = *cipherString++)) { int cipher; if (ndx == ':') { int ctmp; cipher = 0; HEXCHAR_TO_INT(*cipherString, ctmp) cipher |= (ctmp << 12); cipherString++; HEXCHAR_TO_INT(*cipherString, ctmp) cipher |= (ctmp << 8); cipherString++; HEXCHAR_TO_INT(*cipherString, ctmp) cipher |= (ctmp << 4); cipherString++; HEXCHAR_TO_INT(*cipherString, ctmp) cipher |= ctmp; cipherString++; } else { const int *cptr; if (! isalpha(ndx)) Usage(progName); cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; } if (cipher > 0) { SSL_CipherPrefSetDefault(cipher, PR_TRUE); } else { Usage(progName); } } } client_main(port, connections, hostName); cleanup: if (doOcspCheck) { CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); CERT_DisableOCSPDefaultResponder(handle); CERT_DisableOCSPChecking (handle); } if (NSS_Shutdown() != SECSuccess) { exit(1); } PR_Cleanup(); PORT_Free(progName); return 0; }
int SetServerSecParms(struct ThreadData *td) { int rv; SECKEYPrivateKey *privKey; PRFileDesc *s; s = td->r; rv = SSL_Enable(s, SSL_SECURITY, 1); /* Enable security on this socket */ if (rv < 0) return Error(10); if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) { rv = SSL_Enable(s, SSL_REQUEST_CERTIFICATE, 1); if (rv < 0) return Error(11); } ClearCiphers(td); EnableCiphers(td); PK11_SetPasswordFunc(MyPWFunc); SSL_SetPKCS11PinArg(s,(void*) MyPWFunc); /* Find the certificates we are going to use from the database */ /* Test for dummy certificate, which shouldn't exist */ td->cert = PK11_FindCertFromNickname("XXXXXX_CERT_HARDCOREII_1024",NULL); if (td->cert != NULL) return Error(16); td->cert = NULL; if (NO_CERT != REP_ServerCert) { td->cert = PK11_FindCertFromNickname(nicknames[REP_ServerCert],NULL); } /* Note: if we're set to use NO_CERT as the server cert, then we'll * just essentially skip the rest of this (except for session ID cache setup) */ if ( (NULL == td->cert) && ( NO_CERT != REP_ServerCert )) { PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]); PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n", SECU_ErrorString ((int16) PR_GetError())); return Error(12); } if ((NO_CERT != REP_ServerCert)) { privKey = PK11_FindKeyByAnyCert(td->cert, NULL); if (privKey == NULL) { dbmsg((PR_STDERR, "Can't find key for this certificate\n")); return Error(13); } rv = SSL_ConfigSecureServer(s,td->cert,privKey, kt_rsa); if (rv != PR_SUCCESS) { dbmsg((PR_STDERR, "Can't config server error(%d) \n",rv)); return Error(14); } } rv = SSL_ConfigServerSessionIDCache(10, 0, 0, "."); if (rv != 0) { dbmsg((PR_STDERR, "Can't config server session ID cache (%d) \n",rv)); return Error(15); } return 0; }
VCardEmulError vcard_emul_init(const VCardEmulOptions *options) { SECStatus rv; PRBool ret, has_readers = PR_FALSE; VReader *vreader; VReaderEmul *vreader_emul; SECMODListLock *module_lock; SECMODModuleList *module_list; SECMODModuleList *mlp; int i; if (vcard_emul_init_called) { return VCARD_EMUL_INIT_ALREADY_INITED; } vcard_emul_init_called = 1; vreader_init(); vevent_queue_init(); if (options == NULL) { options = &default_options; } /* first initialize NSS */ if (options->nss_db) { rv = NSS_Init(options->nss_db); } else { gchar *path; #ifndef _WIN32 path = g_strdup("/etc/pki/nssdb"); #else if (g_get_system_config_dirs() == NULL || g_get_system_config_dirs()[0] == NULL) { return VCARD_EMUL_FAIL; } path = g_build_filename( g_get_system_config_dirs()[0], "pki", "nssdb", NULL); #endif rv = NSS_Init(path); g_free(path); } if (rv != SECSuccess) { return VCARD_EMUL_FAIL; } /* Set password callback function */ PK11_SetPasswordFunc(vcard_emul_get_password); /* set up soft cards emulated by software certs rather than physical cards * */ for (i = 0; i < options->vreader_count; i++) { int j; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; slot = PK11_FindSlotByName(options->vreader[i].name); if (slot == NULL) { continue; } vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, options->vreader[i].type_params); vreader = vreader_new(options->vreader[i].vname, vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); cert_count = options->vreader[i].cert_count; ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, options->vreader[i].cert_count); if (ret == PR_FALSE) { continue; } cert_count = 0; for (j = 0; j < options->vreader[i].cert_count; j++) { /* we should have a better way of identifying certs than by * nickname here */ CERTCertificate *cert = PK11_FindCertFromNickname( options->vreader[i].cert_name[j], NULL); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); /* this is safe because the key is still holding a cert reference */ CERT_DestroyCertificate(cert); cert_count++; } if (cert_count) { VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); /* allow insertion and removal of soft cards */ vreader_emul->saved_vcard = vcard_reference(vcard); vcard_free(vcard); vreader_free(vreader); has_readers = PR_TRUE; } g_free(certs); g_free(cert_len); g_free(keys); } /* if we aren't suppose to use hw, skip looking up hardware tokens */ if (!options->use_hw) { nss_emul_init = has_readers; return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; } /* make sure we have some PKCS #11 module loaded */ module_lock = SECMOD_GetDefaultModuleListLock(); module_list = SECMOD_GetDefaultModuleList(); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; if (module_has_removable_hw_slots(module)) { break; } } SECMOD_ReleaseReadLock(module_lock); /* now examine all the slots, finding which should be readers */ /* We should control this with options. For now we mirror out any * removable hardware slot */ default_card_type = options->hw_card_type; default_type_params = g_strdup(options->hw_type_params); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; /* Ignore the internal module */ if (module == NULL || module == SECMOD_GetInternalModule()) { continue; } for (i = 0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; /* only map removable HW slots */ if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { continue; } if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) { /* * coolkey <= 1.1.0-20 emulates this reader if it can't find * any hardware readers. This causes problems, warn user of * problems. */ fprintf(stderr, "known bad coolkey version - see " "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n"); continue; } vreader_emul = vreader_emul_new(slot, options->hw_card_type, options->hw_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); if (PK11_IsPresent(slot)) { VCard *vcard; vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); vcard_free(vcard); } } vcard_emul_new_event_thread(module); } SECMOD_ReleaseReadLock(module_lock); nss_emul_init = PR_TRUE; return VCARD_EMUL_OK; }
int main(int argc, char **argv) { char *progName; FILE *outFile; PRFileDesc *inFile; char *keyName = NULL; CERTCertDBHandle *certHandle; CERTCertificate *cert; PLOptState *optstate; PLOptStatus status; SECStatus rv; progName = strrchr(argv[0], '/'); progName = progName ? progName+1 : argv[0]; inFile = NULL; outFile = NULL; keyName = NULL; /* * Parse command line arguments */ optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': Usage(progName); break; case 'd': SECU_ConfigDirectory(optstate->value); break; case 'i': inFile = PR_Open(optstate->value, PR_RDONLY, 0); if (!inFile) { fprintf(stderr, "%s: unable to open \"%s\" for reading\n", progName, optstate->value); return -1; } break; case 'k': keyName = strdup(optstate->value); break; case 'o': outFile = fopen(optstate->value, "wb"); if (!outFile) { fprintf(stderr, "%s: unable to open \"%s\" for writing\n", progName, optstate->value); return -1; } break; case 'p': pwdata.source = PW_PLAINTEXT; pwdata.data = strdup (optstate->value); break; case 'f': pwdata.source = PW_FROMFILE; pwdata.data = PORT_Strdup (optstate->value); break; } } if (!keyName) Usage(progName); if (!inFile) inFile = PR_STDIN; if (!outFile) outFile = stdout; /* Call the initialization routines */ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); rv = NSS_Init(SECU_ConfigDirectory(NULL)); if (rv != SECSuccess) { SECU_PrintPRandOSError(progName); goto loser; } PK11_SetPasswordFunc(SECU_GetModulePassword); /* open cert database */ certHandle = CERT_GetDefaultCertDB(); if (certHandle == NULL) { rv = SECFailure; goto loser; } /* find cert */ cert = CERT_FindCertByNickname(certHandle, keyName); if (cert == NULL) { SECU_PrintError(progName, "the corresponding cert for key \"%s\" does not exist", keyName); rv = SECFailure; goto loser; } if (SignFile(outFile, inFile, cert)) { SECU_PrintError(progName, "problem signing data"); rv = SECFailure; goto loser; } loser: if (pwdata.data) { PORT_Free(pwdata.data); } if (keyName) { PORT_Free(keyName); } if (cert) { CERT_DestroyCertificate(cert); } if (inFile && inFile != PR_STDIN) { PR_Close(inFile); } if (outFile && outFile != stdout) { fclose(outFile); } if (NSS_Shutdown() != SECSuccess) { SECU_PrintError(progName, "NSS shutdown:"); exit(1); } return (rv != SECSuccess); }
// Constructor OsTLSServerSocket::OsTLSServerSocket(int connectionQueueSize, int serverPort, UtlString certNickname, UtlString certPassword, UtlString dbLocation, const UtlString bindAddress) : OsServerSocket(connectionQueueSize,serverPort, bindAddress.data(), false), mCertNickname(certNickname), mCertPassword(certPassword), mDbLocation(dbLocation), mpMozillaSSLSocket(NULL), mpCert(NULL), mpPrivKey(NULL), mTlsInitCode(TLS_INIT_SUCCESS) { PRSocketOptionData socketOption; PRStatus prStatus; SECStatus secStatus; // import the newly created socket into NSS, and set the PRFileDesc. if (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR) { /* Call the NSPR initialization routines. */ PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); /* Set the cert database password callback. */ PK11_SetPasswordFunc(OsTLS::PasswordCallback); secStatus = NSS_Init(dbLocation.data()); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_DATABASE_FAILURE; return ; } /* Set the policy for this server (REQUIRED - no default). */ secStatus = NSS_SetExportPolicy(); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_DATABASE_FAILURE; return ; } /* Get own certificate and private key. */ mpCert = PK11_FindCertFromNickname((char*) certNickname.data(), (void*)certPassword.data()); if (mpCert == NULL) { return ; } unsigned char* szPwd = (unsigned char*) PR_Malloc(certPassword.length()+ 1); strncpy((char*)szPwd, certPassword.data(), certPassword.length()+1); mpPrivKey = PK11_FindKeyByAnyCert(mpCert, (void*)szPwd); if (mpPrivKey == NULL) { mTlsInitCode = TLS_INIT_BAD_PASSWORD; // probably a wrong password return ; } /* Configure the server's cache for a multi-process application * using default timeout values (24 hrs) and directory location (/tmp). */ SSL_ConfigMPServerSIDCache(256, 0, 0, NULL); mpMozillaSSLSocket = PR_ImportTCPSocket(socketDescriptor); if (!mpMozillaSSLSocket) { mTlsInitCode = TLS_INIT_TCP_IMPORT_FAILURE; } else { /* Make the socket blocking. */ socketOption.option = PR_SockOpt_Nonblocking; socketOption.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(mpMozillaSSLSocket, &socketOption); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE); if (secStatus != SECSuccess) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } PRNetAddr addr; /* Configure the network connection. */ addr.inet.family = PR_AF_INET; addr.inet.ip = inet_addr(bindAddress.data()); addr.inet.port = PR_htons(serverPort); /* Bind the address to the listener socket. */ prStatus = PR_Bind(mpMozillaSSLSocket, &addr); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } /* Listen for connection on the socket. The second argument is * the maximum size of the queue for pending connections. */ prStatus = PR_Listen(mpMozillaSSLSocket, connectionQueueSize); if (prStatus != PR_SUCCESS) { mTlsInitCode = TLS_INIT_NSS_FAILURE; return; } } } }
int main(int argc, char **argv) { CERTCertDBHandle *certHandle; PRFileDesc *inFile; PRFileDesc *inCrlInitFile = NULL; int generateCRL; int modifyCRL; int listCRL; int importCRL; int showFileCRL; int deleteCRL; int rv; char *nickName; char *url; char *dbPrefix = ""; char *alg = NULL; char *outFile = NULL; char *slotName = NULL; int ascii = 0; int crlType; PLOptState *optstate; PLOptStatus status; SECStatus secstatus; PRInt32 decodeOptions = CRL_DECODE_DEFAULT_OPTIONS; PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS; PRBool quiet = PR_FALSE; PRBool test = PR_FALSE; PRBool erase = PR_FALSE; PRInt32 i = 0; PRInt32 iterations = 1; PRBool readonly = PR_FALSE; secuPWData pwdata = { PW_NONE, 0 }; progName = strrchr(argv[0], '/'); progName = progName ? progName+1 : argv[0]; rv = 0; deleteCRL = importCRL = listCRL = generateCRL = modifyCRL = showFileCRL = 0; inFile = NULL; nickName = url = NULL; certHandle = NULL; crlType = SEC_CRL_TYPE; /* * Parse command line arguments */ optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': Usage(progName); break; case 'T': test = PR_TRUE; break; case 'E': erase = PR_TRUE; break; case 'B': importOptions |= CRL_IMPORT_BYPASS_CHECKS; break; case 'G': generateCRL = 1; break; case 'M': modifyCRL = 1; break; case 'D': deleteCRL = 1; break; case 'I': importCRL = 1; break; case 'S': showFileCRL = 1; break; case 'C': case 'L': listCRL = 1; break; case 'P': dbPrefix = strdup(optstate->value); break; case 'Z': alg = strdup(optstate->value); break; case 'a': ascii = 1; break; case 'c': inCrlInitFile = PR_Open(optstate->value, PR_RDONLY, 0); if (!inCrlInitFile) { PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n", progName, optstate->value); PL_DestroyOptState(optstate); return -1; } break; case 'd': SECU_ConfigDirectory(optstate->value); break; case 'f': pwdata.source = PW_FROMFILE; pwdata.data = strdup(optstate->value); break; case 'h': slotName = strdup(optstate->value); break; case 'i': inFile = PR_Open(optstate->value, PR_RDONLY, 0); if (!inFile) { PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading\n", progName, optstate->value); PL_DestroyOptState(optstate); return -1; } break; case 'n': nickName = strdup(optstate->value); break; case 'o': outFile = strdup(optstate->value); break; case 'p': decodeOptions |= CRL_DECODE_SKIP_ENTRIES; break; case 'r': { const char* str = optstate->value; if (str && atoi(str)>0) iterations = atoi(str); } break; case 't': { crlType = atoi(optstate->value); if (crlType != SEC_CRL_TYPE && crlType != SEC_KRL_TYPE) { PR_fprintf(PR_STDERR, "%s: invalid crl type\n", progName); PL_DestroyOptState(optstate); return -1; } break; case 'q': quiet = PR_TRUE; break; case 'w': pwdata.source = PW_PLAINTEXT; pwdata.data = strdup(optstate->value); break; case 'u': url = strdup(optstate->value); break; } } } PL_DestroyOptState(optstate); if (deleteCRL && !nickName) Usage (progName); if (importCRL && !inFile) Usage (progName); if (showFileCRL && !inFile) Usage (progName); if ((generateCRL && !nickName) || (modifyCRL && !inFile && !nickName)) Usage (progName); if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL || modifyCRL || test || erase)) Usage (progName); if (listCRL || showFileCRL) { readonly = PR_TRUE; } PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); PK11_SetPasswordFunc(SECU_GetModulePassword); if (showFileCRL) { NSS_NoDB_Init(NULL); } else { secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix, "secmod.db", readonly ? NSS_INIT_READONLY : 0); if (secstatus != SECSuccess) { SECU_PrintPRandOSError(progName); return -1; } } SECU_RegisterDynamicOids(); certHandle = CERT_GetDefaultCertDB(); if (certHandle == NULL) { SECU_PrintError(progName, "unable to open the cert db"); /*ignoring return value of NSS_Shutdown() as code returns -1*/ (void) NSS_Shutdown(); return (-1); } CRLGEN_InitCrlGenParserLock(); for (i=0; i<iterations; i++) { /* Read in the private key info */ if (deleteCRL) DeleteCRL (certHandle, nickName, crlType); else if (listCRL) { rv = ListCRL (certHandle, nickName, crlType); } else if (importCRL) { rv = ImportCRL (certHandle, url, crlType, inFile, importOptions, decodeOptions, &pwdata); } else if (showFileCRL) { rv = DumpCRL (inFile); } else if (generateCRL || modifyCRL) { if (!inCrlInitFile) inCrlInitFile = PR_STDIN; rv = GenerateCRL (certHandle, nickName, inCrlInitFile, inFile, outFile, ascii, slotName, importOptions, alg, quiet, decodeOptions, url, &pwdata, modifyCRL); } else if (erase) { /* list and delete all CRLs */ ListCRLNames (certHandle, crlType, PR_TRUE); } #ifdef DEBUG else if (test) { /* list and delete all CRLs */ ListCRLNames (certHandle, crlType, PR_TRUE); /* list CRLs */ ListCRLNames (certHandle, crlType, PR_FALSE); /* import CRL as a blob */ rv = ImportCRL (certHandle, url, crlType, inFile, importOptions, decodeOptions, &pwdata); /* list CRLs */ ListCRLNames (certHandle, crlType, PR_FALSE); } #endif } CRLGEN_DestroyCrlGenParserLock(); if (NSS_Shutdown() != SECSuccess) { rv = SECFailure; } return (rv != SECSuccess); }
bool lsw_nss_setup(const char *configdir, unsigned setup_flags, PK11PasswordFunc get_password, lsw_nss_buf_t err) { /* * save for cleanup */ flags = setup_flags; /* * According to the manual, not needed, and all parameters are * ignored. Does no harm? */ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1); libreswan_log("Initializing NSS"); if (configdir) { const char sql[] = "sql:"; char *nssdb; if (strncmp(sql, configdir, strlen(sql)) == 0) { nssdb = strdup(configdir); } else { nssdb = alloc_bytes(strlen(configdir) + strlen(sql) + 1, "nssdb"); strcpy(nssdb, sql); strcat(nssdb, configdir); } libreswan_log("Opening NSS database \"%s\" %s", nssdb, (flags & LSW_NSS_READONLY) ? "read-only" : "read-write"); SECStatus rv = NSS_Initialize(nssdb, "", "", SECMOD_DB, (flags & LSW_NSS_READONLY) ? NSS_INIT_READONLY : 0); if (rv != SECSuccess) { snprintf(err, sizeof(lsw_nss_buf_t), "Initialization of NSS with %s database \"%s\" failed (%d)", (flags & LSW_NSS_READONLY) ? "read-only" : "read-write", nssdb, PR_GetError()); pfree(nssdb); return FALSE; } } else { NSS_NoDB_Init("."); } if (PK11_IsFIPS() && get_password == NULL) { snprintf(err, sizeof(lsw_nss_buf_t), "on FIPS mode a password is required"); return FALSE; } if (get_password) { PK11_SetPasswordFunc(get_password); } if (!(flags & LSW_NSS_SKIP_AUTH)) { PK11SlotInfo *slot = lsw_nss_get_authenticated_slot(err); if (slot == NULL) { return FALSE; } PK11_FreeSlot(slot); } return TRUE; }
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) { PRErrorCode err = 0; PRFileDesc *model = NULL; PRBool ssl2 = PR_FALSE; PRBool ssl3 = PR_FALSE; PRBool tlsv1 = PR_FALSE; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; struct SessionHandle *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode curlerr; const int *cipher_to_enable; PRSocketOptionData sock_opt; long time_left; PRUint32 timeout; if(connssl->state == ssl_connection_complete) return CURLE_OK; connssl->data = data; /* list of all NSS objects we need to destroy in Curl_nss_close() */ connssl->obj_list = Curl_llist_alloc(nss_destroy_object); if(!connssl->obj_list) return CURLE_OUT_OF_MEMORY; /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); curlerr = nss_init(conn->data); if(CURLE_OK != curlerr) { PR_Unlock(nss_initlock); goto error; } curlerr = CURLE_SSL_CONNECT_ERROR; if(!mod) { char *configstring = aprintf("library=%s name=PEM", pem_library); if(!configstring) { PR_Unlock(nss_initlock); goto error; } mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); free(configstring); if(!mod || !mod->loaded) { if(mod) { SECMOD_DestroyModule(mod); mod = NULL; } infof(data, "WARNING: failed to load NSS PEM library %s. Using " "OpenSSL PEM certificates will not work.\n", pem_library); } } PK11_SetPasswordFunc(nss_get_password); PR_Unlock(nss_initlock); model = PR_NewTCPSocket(); if(!model) goto error; model = SSL_ImportFD(NULL, model); /* make the socket nonblocking */ sock_opt.option = PR_SockOpt_Nonblocking; sock_opt.value.non_blocking = PR_TRUE; if(PR_SetSocketOption(model, &sock_opt) != PR_SUCCESS) goto error; if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess) goto error; /* do not use SSL cache if we are not going to verify peer */ ssl_no_cache = (data->set.ssl.verifypeer) ? PR_FALSE : PR_TRUE; if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) goto error; switch (data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: ssl3 = PR_TRUE; if(data->state.ssl_connect_retry) infof(data, "TLS disabled due to previous handshake failure\n"); else tlsv1 = PR_TRUE; break; case CURL_SSLVERSION_TLSv1: tlsv1 = PR_TRUE; break; case CURL_SSLVERSION_SSLv2: ssl2 = PR_TRUE; break; case CURL_SSLVERSION_SSLv3: ssl3 = PR_TRUE; break; } if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) goto error; ssl_cbc_random_iv = !data->set.ssl_enable_beast; #ifdef SSL_CBC_RANDOM_IV /* unless the user explicitly asks to allow the protocol vulnerability, we use the work-around */ if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess) infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n", ssl_cbc_random_iv); #else if(ssl_cbc_random_iv) infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n"); #endif /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; /* enable all ciphers from enable_ciphers_by_default */ cipher_to_enable = enable_ciphers_by_default; while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; goto error; } cipher_to_enable++; } if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; goto error; } } if(!data->set.ssl.verifypeer && data->set.ssl.verifyhost) infof(data, "warning: ignoring value of ssl.verifyhost\n"); /* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */ if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, conn) != SECSuccess) goto error; data->set.ssl.certverifyresult=0; /* not checked yet */ if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) goto error; if(SSL_HandshakeCallback(model, HandshakeCallback, NULL) != SECSuccess) goto error; if(data->set.ssl.verifypeer) { const CURLcode rv = nss_load_ca_certificates(conn, sockindex); if(CURLE_OK != rv) { curlerr = rv; goto error; } } if(data->set.ssl.CRLfile) { if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) { curlerr = CURLE_SSL_CRL_BADFILE; goto error; } infof(data, " CRLfile: %s\n", data->set.ssl.CRLfile ? data->set.ssl.CRLfile : "none"); } if(data->set.str[STRING_CERT]) { char *nickname = dup_nickname(data, STRING_CERT); if(nickname) { /* we are not going to use libnsspem.so to read the client cert */ connssl->obj_clicert = NULL; } else { CURLcode rv = cert_stuff(conn, sockindex, data->set.str[STRING_CERT], data->set.str[STRING_KEY]); if(CURLE_OK != rv) { /* failf() is already done in cert_stuff() */ curlerr = rv; goto error; } } /* store the nickname for SelectClientCert() called during handshake */ connssl->client_nickname = nickname; } else connssl->client_nickname = NULL; if(SSL_GetClientAuthDataHook(model, SelectClientCert, (void *)connssl) != SECSuccess) { curlerr = CURLE_SSL_CERTPROBLEM; goto error; } /* Import our model socket onto the existing file descriptor */ connssl->handle = PR_ImportTCPSocket(sockfd); connssl->handle = SSL_ImportFD(model, connssl->handle); if(!connssl->handle) goto error; PR_Close(model); /* We don't need this any more */ model = NULL; /* This is the password associated with the cert that we're using */ if(data->set.str[STRING_KEY_PASSWD]) { SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]); } /* Force handshake on next I/O */ SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE); SSL_SetURL(connssl->handle, conn->host.name); /* check timeout situation */ time_left = Curl_timeleft(data, NULL, TRUE); if(time_left < 0L) { failf(data, "timed out before SSL handshake"); curlerr = CURLE_OPERATION_TIMEDOUT; goto error; } timeout = PR_MillisecondsToInterval((PRUint32) time_left); /* Force the handshake now */ if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) { if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) curlerr = CURLE_PEER_FAILED_VERIFICATION; else if(conn->data->set.ssl.certverifyresult!=0) curlerr = CURLE_SSL_CACERT; goto error; } connssl->state = ssl_connection_complete; conn->recv[sockindex] = nss_recv; conn->send[sockindex] = nss_send; display_conn_info(conn, connssl->handle); if(data->set.str[STRING_SSL_ISSUERCERT]) { SECStatus ret = SECFailure; char *nickname = dup_nickname(data, STRING_SSL_ISSUERCERT); if(nickname) { /* we support only nicknames in case of STRING_SSL_ISSUERCERT for now */ ret = check_issuer_cert(connssl->handle, nickname); free(nickname); } if(SECFailure == ret) { infof(data,"SSL certificate issuer check failed\n"); curlerr = CURLE_SSL_ISSUER_ERROR; goto error; } else { infof(data, "SSL certificate issuer check ok\n"); } } return CURLE_OK; error: /* reset the flag to avoid an infinite loop */ data->state.ssl_connect_retry = FALSE; if(is_nss_error(curlerr)) { /* read NSPR error code */ err = PR_GetError(); if(is_cc_error(err)) curlerr = CURLE_SSL_CERTPROBLEM; /* print the error number and error string */ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err)); /* print a human-readable message describing the error if available */ nss_print_error_message(data, err); } if(model) PR_Close(model); /* cleanup on connection failure */ Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { /* schedule reconnect through Curl_retry_request() */ data->state.ssl_connect_retry = TRUE; infof(data, "Error in TLS handshake, trying SSLv3...\n"); return CURLE_OK; } return curlerr; }
CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) { PRInt32 err; PRFileDesc *model = NULL; PRBool ssl2, ssl3, tlsv1; struct SessionHandle *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECStatus rv; char *certDir = NULL; int curlerr; const int *cipher_to_enable; curlerr = CURLE_SSL_CONNECT_ERROR; if (connssl->state == ssl_connection_complete) return CURLE_OK; connssl->data = data; #ifdef HAVE_PK11_CREATEGENERICOBJECT connssl->cacert[0] = NULL; connssl->cacert[1] = NULL; connssl->key = NULL; #endif /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); if(!initialized) { struct_stat st; /* First we check if $SSL_DIR points to a valid dir */ certDir = getenv("SSL_DIR"); if(certDir) { if((stat(certDir, &st) != 0) || (!S_ISDIR(st.st_mode))) { certDir = NULL; } } /* Now we check if the default location is a valid dir */ if(!certDir) { if((stat(SSL_DIR, &st) == 0) && (S_ISDIR(st.st_mode))) { certDir = (char *)SSL_DIR; } } if (!NSS_IsInitialized()) { initialized = 1; infof(conn->data, "Initializing NSS with certpath: %s\n", certDir ? certDir : "none"); if(!certDir) { rv = NSS_NoDB_Init(NULL); } else { char *certpath = PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "", certDir); rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); PR_smprintf_free(certpath); } if(rv != SECSuccess) { infof(conn->data, "Unable to initialize NSS database\n"); curlerr = CURLE_SSL_CACERT_BADFILE; initialized = 0; PR_Unlock(nss_initlock); goto error; } } if(num_enabled_ciphers() == 0) NSS_SetDomesticPolicy(); #ifdef HAVE_PK11_CREATEGENERICOBJECT if(!mod) { char *configstring = aprintf("library=%s name=PEM", pem_library); if(!configstring) { PR_Unlock(nss_initlock); goto error; } mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); free(configstring); if(!mod || !mod->loaded) { if(mod) { SECMOD_DestroyModule(mod); mod = NULL; } infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL " "PEM certificates will not work.\n", pem_library); } } #endif PK11_SetPasswordFunc(nss_get_password); } PR_Unlock(nss_initlock); model = PR_NewTCPSocket(); if(!model) goto error; model = SSL_ImportFD(NULL, model); if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE) != SECSuccess) goto error; ssl2 = ssl3 = tlsv1 = PR_FALSE; switch (data->set.ssl.version) { default: case CURL_SSLVERSION_DEFAULT: ssl3 = tlsv1 = PR_TRUE; break; case CURL_SSLVERSION_TLSv1: tlsv1 = PR_TRUE; break; case CURL_SSLVERSION_SSLv2: ssl2 = PR_TRUE; break; case CURL_SSLVERSION_SSLv3: ssl3 = PR_TRUE; break; } if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) goto error; /* enable all ciphers from enable_ciphers_by_default */ cipher_to_enable = enable_ciphers_by_default; while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; goto error; } cipher_to_enable++; } if(data->set.ssl.cipher_list) { if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { curlerr = CURLE_SSL_CIPHER; goto error; } } if(data->set.ssl.verifyhost == 1) infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n"); data->set.ssl.certverifyresult=0; /* not checked yet */ if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn) != SECSuccess) { goto error; } if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback, NULL) != SECSuccess) goto error; if(!data->set.ssl.verifypeer) /* skip the verifying of the peer */ ; else if(data->set.ssl.CAfile) { int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile, PR_TRUE); if(!rc) { curlerr = CURLE_SSL_CACERT_BADFILE; goto error; } } else if(data->set.ssl.CApath) { struct_stat st; PRDir *dir; PRDirEntry *entry; if(stat(data->set.ssl.CApath, &st) == -1) { curlerr = CURLE_SSL_CACERT_BADFILE; goto error; } if(S_ISDIR(st.st_mode)) { int rc; dir = PR_OpenDir(data->set.ssl.CApath); do { entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN); if(entry) { char fullpath[PATH_MAX]; snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath, entry->name); rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE); /* FIXME: check this return value! */ } /* This is purposefully tolerant of errors so non-PEM files * can be in the same directory */ } while(entry != NULL); PR_CloseDir(dir); } } infof(data, " CAfile: %s\n" " CApath: %s\n", data->set.ssl.CAfile ? data->set.ssl.CAfile : "none", data->set.ssl.CApath ? data->set.ssl.CApath : "none"); if (data->set.ssl.CRLfile) { int rc = nss_load_crl(data->set.ssl.CRLfile, PR_FALSE); if (!rc) { curlerr = CURLE_SSL_CRL_BADFILE; goto error; } infof(data, " CRLfile: %s\n", data->set.ssl.CRLfile ? data->set.ssl.CRLfile : "none"); } if(data->set.str[STRING_CERT]) { bool nickname_alloc = FALSE; char *nickname = fmt_nickname(data->set.str[STRING_CERT], &nickname_alloc); if(!nickname) return CURLE_OUT_OF_MEMORY; if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT], data->set.str[STRING_KEY])) { /* failf() is already done in cert_stuff() */ if(nickname_alloc) free(nickname); return CURLE_SSL_CERTPROBLEM; } /* this "takes over" the pointer to the allocated name or makes a dup of it */ connssl->client_nickname = nickname_alloc?nickname:strdup(nickname); if(!connssl->client_nickname) return CURLE_OUT_OF_MEMORY; } else connssl->client_nickname = NULL; if(SSL_GetClientAuthDataHook(model, SelectClientCert, (void *)connssl) != SECSuccess) { curlerr = CURLE_SSL_CERTPROBLEM; goto error; } /* Import our model socket onto the existing file descriptor */ connssl->handle = PR_ImportTCPSocket(sockfd); connssl->handle = SSL_ImportFD(model, connssl->handle); if(!connssl->handle) goto error; PR_Close(model); /* We don't need this any more */ /* This is the password associated with the cert that we're using */ if (data->set.str[STRING_KEY_PASSWD]) { SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]); } /* Force handshake on next I/O */ SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE); SSL_SetURL(connssl->handle, conn->host.name); /* Force the handshake now */ if(SSL_ForceHandshakeWithTimeout(connssl->handle, PR_SecondsToInterval(HANDSHAKE_TIMEOUT)) != SECSuccess) { if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) curlerr = CURLE_PEER_FAILED_VERIFICATION; else if(conn->data->set.ssl.certverifyresult!=0) curlerr = CURLE_SSL_CACERT; goto error; } connssl->state = ssl_connection_complete; display_conn_info(conn, connssl->handle); if (data->set.str[STRING_SSL_ISSUERCERT]) { SECStatus ret; bool nickname_alloc = FALSE; char *nickname = fmt_nickname(data->set.str[STRING_SSL_ISSUERCERT], &nickname_alloc); if(!nickname) return CURLE_OUT_OF_MEMORY; ret = check_issuer_cert(connssl->handle, nickname); if(nickname_alloc) free(nickname); if(SECFailure == ret) { infof(data,"SSL certificate issuer check failed\n"); curlerr = CURLE_SSL_ISSUER_ERROR; goto error; } else { infof(data, "SSL certificate issuer check ok\n"); } } return CURLE_OK; error: err = PR_GetError(); infof(data, "NSS error %d\n", err); if(model) PR_Close(model); return curlerr; }
int __pmSecureServerInit(void) { const PRUint16 *cipher; SECStatus secsts; int pathSpecified; int sts = 0; PM_INIT_LOCKS(); PM_LOCK(secureserver_lock); /* Only attempt this once. */ if (secure_server.initialized) goto done; secure_server.initialized = 1; if (PR_Initialized() != PR_TRUE) PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); /* Configure optional (cmdline) password file in case DB locked */ PK11_SetPasswordFunc(certificate_database_password); /* * Configure location of the NSS database with a sane default. * For servers, we default to the shared (sql) system-wide database. * If command line db specified, pass it directly through - allowing * any old database format, at the users discretion. */ if (!secure_server.database_path[0]) { const char *path; pathSpecified = 0; path = serverdb(secure_server.database_path, MAXPATHLEN, "sql:"); /* this is the default case on some platforms, so no log spam */ if (access(path, R_OK|X_OK) < 0) { if (pmDebugOptions.context) pmNotifyErr(LOG_INFO, "Cannot access system security database: %s", secure_server.database_path); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } else pathSpecified = 1; /* * pmproxy acts as both a client and server. Since the * server init path happens first, the db previously * got opened readonly. Instead try to open RW. * Fallback if there is an error. */ secsts = NSS_InitReadWrite(secure_server.database_path); if( secsts != SECSuccess ) secsts = NSS_Init(secure_server.database_path); if (secsts != SECSuccess && !pathSpecified) { /* fallback, older versions of NSS do not support sql: */ serverdb(secure_server.database_path, MAXPATHLEN, ""); secsts = NSS_Init(secure_server.database_path); } if (secsts != SECSuccess) { pmNotifyErr(LOG_ERR, "Cannot setup certificate DB (%s): %s", secure_server.database_path, pmErrStr(__pmSecureSocketsError(PR_GetError()))); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } /* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */ for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher) SSL_CipherPolicySet(*cipher, SSL_ALLOWED); /* Configure SSL session cache for multi-process server, using defaults */ secsts = SSL_ConfigMPServerSIDCache(1, 0, 0, NULL); if (secsts != SECSuccess) { pmNotifyErr(LOG_ERR, "Unable to configure SSL session ID cache: %s", pmErrStr(__pmSecureSocketsError(PR_GetError()))); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } else { secure_server.ssl_session_cache_setup = 1; } /* * Iterate over any/all PCP Collector nickname certificates, * seeking one valid certificate. No-such-nickname is not an * error (not configured by admin at all) but anything else is. */ CERTCertList *certlist; CERTCertDBHandle *nssdb = CERT_GetDefaultCertDB(); CERTCertificate *dbcert = PK11_FindCertFromNickname(secure_server.cert_nickname, NULL); if (dbcert) { PRTime now = PR_Now(); SECItem *name = &dbcert->derSubject; CERTCertListNode *node; certlist = CERT_CreateSubjectCertList(NULL, nssdb, name, now, PR_FALSE); if (certlist) { for (node = CERT_LIST_HEAD(certlist); !CERT_LIST_END(node, certlist); node = CERT_LIST_NEXT (node)) { if (pmDebugOptions.context) __pmDumpCertificate(stderr, secure_server.cert_nickname, node->cert); if (!__pmValidCertificate(nssdb, node->cert, now)) continue; secure_server.certificate_verified = 1; break; } CERT_DestroyCertList(certlist); } if (secure_server.certificate_verified) { secure_server.certificate_KEA = NSS_FindCertKEAType(dbcert); secure_server.private_key = PK11_FindKeyByAnyCert(dbcert, NULL); if (!secure_server.private_key) { pmNotifyErr(LOG_ERR, "Unable to extract %s private key", secure_server.cert_nickname); CERT_DestroyCertificate(dbcert); secure_server.certificate_verified = 0; sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } else { pmNotifyErr(LOG_ERR, "Unable to find a valid %s", secure_server.cert_nickname); CERT_DestroyCertificate(dbcert); sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } } if (! secure_server.certificate_verified) { if (pmDebugOptions.context) { pmNotifyErr(LOG_INFO, "No valid %s in security database: %s", secure_server.cert_nickname, secure_server.database_path); } sts = -EOPNOTSUPP; /* not fatal - just no secure connections */ secure_server.init_failed = 1; goto done; } secure_server.certificate = dbcert; secure_server.init_failed = 0; sts = 0; done: PM_UNLOCK(secureserver_lock); return sts; }
am_status_t Connection::initialize(const Properties& properties) { am_status_t status = AM_SUCCESS; SECStatus secStatus; if (! initialized) { const char *nssMethodName = "NSS_Initialize"; std::string certDir = properties.get(AM_COMMON_SSL_CERT_DIR_PROPERTY, ""); std::string dbPrefix = properties.get(AM_COMMON_CERT_DB_PREFIX_PROPERTY, ""); unsigned long timeout = properties.getUnsigned(AM_COMMON_RECEIVE_TIMEOUT_PROPERTY, 0); if (timeout > 0) { receive_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(timeout)); } else { receive_timeout = PR_INTERVAL_NO_TIMEOUT; } unsigned long socket_timeout = properties.getUnsigned(AM_COMMON_CONNECT_TIMEOUT_PROPERTY, 0); if (socket_timeout > 0) { connect_timeout = PR_MillisecondsToInterval(static_cast<PRInt32>(socket_timeout)); } else { connect_timeout = PR_INTERVAL_NO_TIMEOUT; } tcp_nodelay_is_enabled = properties.getBool(AM_COMMON_TCP_NODELAY_ENABLE_PROPERTY, false); // // Initialize the NSS libraries and enable use of all of the // cipher suites. According to the NSS 3.3 API documentation // NSS_SetDomesticPolicy enables all of the cipher suites except // two: SSL_RSA_WITH_NULL_MD5 and SSL_FORTEZZA_DMS_WITH_NULL_SHA. // (It does not explain why those two are not enabled.) The SSL // code in Agent Pack 1.0 explicitly enabled the first of the // disabled cipher suites. // We do not enable them here since null or no encryption is a // potential security risk. // Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() " "calling NSS_Initialize() with directory = \"%s\" and " "prefix = \"%s\"", certDir.c_str(), dbPrefix.c_str()); Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() " "Connection timeout when receiving data = %i milliseconds",timeout); if (tcp_nodelay_is_enabled) { Log::log(Log::ALL_MODULES, Log::LOG_DEBUG, "Connection::initialize() " "Socket option TCP_NODELAY is enabled"); } secStatus = NSS_Initialize(certDir.c_str(), dbPrefix.c_str(), dbPrefix.c_str(), "secmod.db", NSS_INIT_READONLY|NSS_INIT_FORCEOPEN); if (SECSuccess == secStatus) { nssMethodName = "NSS_SetDomesticPolicy"; secStatus = NSS_SetDomesticPolicy(); } if (SECSuccess == secStatus) { nssMethodName = "PK11_SetPasswordFunc"; PK11_SetPasswordFunc(getPasswordFromArg); initialized = true; } if(secStatus != SECSuccess) { secStatus = NSS_NoDB_Init(NULL); if (secStatus != SECSuccess) { Log::log(Log::ALL_MODULES, Log::LOG_ERROR, "Connection::initialize() unable to initialize SSL " "libraries: %s returned %d", nssMethodName, PR_GetError()); status = AM_NSPR_ERROR; } } } return status; }