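/* Global cleanup
 *
 * Tears down the NSS state set up at init time: clears the SSL session
 * cache, unloads/destroys the user security module, shuts NSS down and
 * finally destroys both module-level locks. Both lock pointers are reset
 * to NULL afterwards so a destroyed lock is never reachable through a
 * dangling pointer (the original only reset nss_initlock).
 *
 * Not thread-safe by contract; the lock is taken only as a safety feature.
 */
void Curl_nss_cleanup(void)
{
  /* This function isn't required to be threadsafe and this is only done
   * as a safety feature. */
  PR_Lock(nss_initlock);
  if(initialized) {
    /* Free references to client certificates held in the SSL session cache.
     * Omitting this hampers destruction of the security module owning
     * the certificates. */
    SSL_ClearSessionCache();

    if(mod && SECSuccess == SECMOD_UnloadUserModule(mod)) {
      SECMOD_DestroyModule(mod);
      mod = NULL;
    }
#ifdef HAVE_NSS_INITCONTEXT
    NSS_ShutdownContext(nss_context);
    nss_context = NULL;
#else /* HAVE_NSS_INITCONTEXT */
    NSS_Shutdown();
#endif
  }
  PR_Unlock(nss_initlock);

  PR_DestroyLock(nss_initlock);
  PR_DestroyLock(nss_crllock);
  nss_initlock = NULL;
  /* mirror the nss_initlock reset: a later PR_Lock(nss_crllock) (e.g. from
   * a CRL load after cleanup) must fail loudly on NULL rather than touch
   * freed memory */
  nss_crllock = NULL;

  initialized = 0;
}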
/*
 * Tear down the "net" model: its algorithm state, the net instance itself,
 * and then the NSS/NSPR libraries. Library shutdown failures are logged as
 * warnings and do not change the result.
 *
 * instance - qdevice instance whose model_data holds the net instance
 *
 * Always returns 0.
 */
int
qdevice_model_net_destroy(struct qdevice_instance *instance)
{
	struct qdevice_net_instance *net = instance->model_data;

	qdevice_log(LOG_DEBUG, "Destroying algorithm");
	qdevice_net_algorithm_destroy(net);

	qdevice_log(LOG_DEBUG, "Destroying qdevice_net_instance");
	qdevice_net_instance_destroy(net);

	qdevice_log(LOG_DEBUG, "Shutting down NSS");
	/* cached SSL sessions are dropped before the library itself goes away */
	SSL_ClearSessionCache();

	if (NSS_Shutdown() != SECSuccess) {
		qdevice_log_nss(LOG_WARNING, "Can't shutdown NSS");
	}

	if (PR_Cleanup() != PR_SUCCESS) {
		qdevice_log_nss(LOG_WARNING, "Can't shutdown NSPR");
	}

	/* the net instance memory is owned here and released last */
	free(net);

	return (0);
}
/* add given CRL to cache if it is not already there
 *
 * crlDER - DER-encoded CRL; SECITEM_FreeItem(crlDER, PR_FALSE) is called on
 *          every path except the one where CERT_CacheCRL() accepted it
 *
 * returns SECSuccess when the CRL is (or already was) cached,
 *         SECFailure when CERT_CacheCRL() refused it */
static SECStatus nss_cache_crl(SECItem *crlDER)
{
  CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
  CERTSignedCrl *existing = SEC_FindCrlByDERCert(certdb, crlDER, 0);
  SECStatus result = SECSuccess;

  if(existing) {
    /* CRL already cached */
    SEC_DestroyCrl(existing);
    SECITEM_FreeItem(crlDER, PR_FALSE);
    return SECSuccess;
  }

  /* acquire lock before call of CERT_CacheCRL() */
  PR_Lock(nss_crllock);
  if(CERT_CacheCRL(certdb, crlDER) == SECSuccess) {
    /* we need to clear session cache, so that the CRL could take effect */
    SSL_ClearSessionCache();
  }
  else {
    /* unable to cache CRL */
    result = SECFailure;
  }
  PR_Unlock(nss_crllock);

  if(result != SECSuccess)
    SECITEM_FreeItem(crlDER, PR_FALSE);

  return result;
}
// Log out of all PK11 tokens and drop the SSL session cache (under the NSS
// shutdown-prevention lock), then tear down the authenticated-token state in
// the NSS component and ask the network layer to prune dead connections.
// Returns the result of LogoutAuthenticatedPK11(), or the service lookup
// error when the NSS component is unavailable.
NS_IMETHODIMP
nsSecretDecoderRing::LogoutAndTeardown()
{
  nsresult rv;
  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
  if (NS_FAILED(rv)) {
    return rv;
  }

  {
    // Scoped: the teardown call below runs without the prevention lock.
    nsNSSShutDownPreventionLock locker;
    PK11_LogoutAll();
    SSL_ClearSessionCache();
  }

  rv = nssComponent->LogoutAuthenticatedPK11();

  // After we just logged out, we need to prune dead connections to make
  // sure that all connections that should be stopped, are stopped. See
  // bug 517584.
  nsCOMPtr<nsIObserverService> observers = mozilla::services::GetObserverService();
  if (observers) {
    observers->NotifyObservers(nsnull, "net:prune-dead-connections", nsnull);
  }

  return rv;
}
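/**
 * deleteCrl
 *
 * Delete a Crl entry from the cert db.
 *
 * @param aCrlIndex position of the CRL in the order SEC_LookupCrls() lists it
 * @return NS_ERROR_FAILURE when the CRL list cannot be read; NS_OK otherwise,
 *         including when aCrlIndex names no entry or the lookup by name fails.
 */
NS_IMETHODIMP
nsCRLManager::DeleteCrl(uint32_t aCrlIndex)
{
  nsNSSShutDownPreventionLock locker;
  CERTCrlHeadNode *head = nullptr;

  // Get the list of certs
  if (SEC_LookupCrls(CERT_GetDefaultCertDB(), &head, -1) != SECSuccess) {
    return NS_ERROR_FAILURE;
  }
  if (!head) {
    return NS_OK;
  }

  uint32_t i = 0;
  for (CERTCrlNode *node = head->first; node; node = node->next, ++i) {
    if (i != aCrlIndex) {
      continue;
    }
    // Re-fetch by name so the copy handed to SEC_DeletePermCRL() is the
    // db-owned one rather than the list node's.
    CERTSignedCrl *realCrl = SEC_FindCrlByName(CERT_GetDefaultCertDB(),
                                               &(node->crl->crl.derName),
                                               node->type);
    // The lookup can fail even though the entry was listed; the original
    // passed a null CRL straight into the delete/destroy calls.
    if (realCrl) {
      SEC_DeletePermCRL(realCrl);
      SEC_DestroyCrl(realCrl);
      // Presumably cached sessions were validated against this CRL; drop them.
      SSL_ClearSessionCache();
    }
    break;  // indices are unique, nothing further can match
  }
  PORT_FreeArena(head->arena, false);

  return NS_OK;
}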
/**
  Initialize NSS.

  NSS is initialized without DB and with domestic policy; the SSL session
  cache is cleared afterwards. On failure the NSPR error is printed.

  @return 1 on success, otherwise 0.
*/
static int init_nss(void)
{
	if (NSS_NoDB_Init(NULL) != SECSuccess) {
		print_nspr_error();
		return 0;
	}
	if (NSS_SetDomesticPolicy() != SECSuccess) {
		print_nspr_error();
		return 0;
	}

	SSL_ClearSessionCache();
	return 1;
}
// Remove the stored override for host:port, persist the table, and drop the
// SSL session cache so no cached session keeps using the removed override.
// The session cache is cleared outside the monitor. Always returns NS_OK.
NS_IMETHODIMP
nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName,
                                             PRInt32 aPort)
{
  nsCAutoString key;
  GetHostWithPort(aHostName, aPort, key);

  {
    nsAutoMonitor lock(monitor);
    mSettingsTable.RemoveEntry(key.get());
    Write();
  }

  SSL_ClearSessionCache();
  return NS_OK;
}
// Log out of all PK11 tokens and drop the SSL session cache, holding the NSS
// shutdown-prevention lock for both calls. Returns the service lookup error
// when the NSS component is unavailable, NS_OK otherwise.
NS_IMETHODIMP
nsSecretDecoderRing::Logout()
{
  nsresult rv;
  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
  if (NS_FAILED(rv)) {
    return rv;
  }

  nsNSSShutDownPreventionLock locker;
  PK11_LogoutAll();
  SSL_ClearSessionCache();

  return NS_OK;
}
NS_IMETHODIMP nsCRLManager::ImportCrl (PRUint8 *aData, PRUint32 aLength, nsIURI * aURI, PRUint32 aType, PRBool doSilentDonwload, const PRUnichar* crlKey) { nsNSSShutDownPreventionLock locker; nsresult rv; PRArenaPool *arena = NULL; CERTCertificate *caCert; SECItem derName = { siBuffer, NULL, 0 }; SECItem derCrl; CERTSignedData sd; SECStatus sec_rv; CERTSignedCrl *crl; nsCAutoString url; nsCOMPtr<nsICRLInfo> crlData; PRBool importSuccessful; PRInt32 errorCode; nsString errorMessage; nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv)); if (NS_FAILED(rv)) return rv; aURI->GetSpec(url); arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { goto loser; } memset(&sd, 0, sizeof(sd)); derCrl.data = (unsigned char*)aData; derCrl.len = aLength; sec_rv = CERT_KeyFromDERCrl(arena, &derCrl, &derName); if (sec_rv != SECSuccess) { goto loser; } caCert = CERT_FindCertByName(CERT_GetDefaultCertDB(), &derName); if (!caCert) { if (aType == SEC_KRL_TYPE){ goto loser; } } else { sec_rv = SEC_ASN1DecodeItem(arena, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate), &derCrl); if (sec_rv != SECSuccess) { goto loser; } sec_rv = CERT_VerifySignedData(&sd, caCert, PR_Now(), nsnull); if (sec_rv != SECSuccess) { goto loser; } } crl = SEC_NewCrl(CERT_GetDefaultCertDB(), const_cast<char*>(url.get()), &derCrl, aType); if (!crl) { goto loser; } crlData = new nsCRLInfo(crl); SSL_ClearSessionCache(); SEC_DestroyCrl(crl); importSuccessful = PR_TRUE; goto done; loser: importSuccessful = PR_FALSE; errorCode = PR_GetError(); switch (errorCode) { case SEC_ERROR_CRL_EXPIRED: nssComponent->GetPIPNSSBundleString("CrlImportFailureExpired", errorMessage); break; case SEC_ERROR_CRL_BAD_SIGNATURE: nssComponent->GetPIPNSSBundleString("CrlImportFailureBadSignature", errorMessage); break; case SEC_ERROR_CRL_INVALID: nssComponent->GetPIPNSSBundleString("CrlImportFailureInvalid", errorMessage); break; case SEC_ERROR_OLD_CRL: nssComponent->GetPIPNSSBundleString("CrlImportFailureOld", 
errorMessage); break; case SEC_ERROR_CRL_NOT_YET_VALID: nssComponent->GetPIPNSSBundleString("CrlImportFailureNotYetValid", errorMessage); break; default: nssComponent->GetPIPNSSBundleString("CrlImportFailureReasonUnknown", errorMessage); errorMessage.AppendInt(errorCode,16); break; } done: if(!doSilentDonwload){ if (!importSuccessful){ nsString message; nsString temp; nsCOMPtr<nsIWindowWatcher> wwatch(do_GetService(NS_WINDOWWATCHER_CONTRACTID)); nsCOMPtr<nsIPrompt> prompter; if (wwatch){ wwatch->GetNewPrompter(0, getter_AddRefs(prompter)); nssComponent->GetPIPNSSBundleString("CrlImportFailure1x", message); message.Append(NS_LITERAL_STRING("\n").get()); message.Append(errorMessage); nssComponent->GetPIPNSSBundleString("CrlImportFailure2", temp); message.Append(NS_LITERAL_STRING("\n").get()); message.Append(temp); if(prompter) { nsPSMUITracker tracker; if (!tracker.isUIForbidden()) { prompter->Alert(0, message.get()); } } } } else { nsCOMPtr<nsICertificateDialogs> certDialogs; // Not being able to display the success dialog should not // be a fatal error, so don't return a failure code. 
{ nsPSMUITracker tracker; if (tracker.isUIForbidden()) { rv = NS_ERROR_NOT_AVAILABLE; } else { rv = ::getNSSDialogs(getter_AddRefs(certDialogs), NS_GET_IID(nsICertificateDialogs), NS_CERTIFICATEDIALOGS_CONTRACTID); } } if (NS_SUCCEEDED(rv)) { nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext(); certDialogs->CrlImportStatusDialog(cxt, crlData); } } } else { if(crlKey == nsnull){ return NS_ERROR_FAILURE; } nsCOMPtr<nsIPrefService> prefSvc = do_GetService(NS_PREFSERVICE_CONTRACTID,&rv); nsCOMPtr<nsIPrefBranch> pref = do_GetService(NS_PREFSERVICE_CONTRACTID,&rv); if (NS_FAILED(rv)){ return rv; } nsCAutoString updateErrCntPrefStr(CRL_AUTOUPDATE_ERRCNT_PREF); updateErrCntPrefStr.AppendWithConversion(crlKey); if(importSuccessful){ PRUnichar *updateTime; nsCAutoString updateTimeStr; nsCString updateURL; PRInt32 timingTypePref; double dayCnt; char *dayCntStr; nsCAutoString updateTypePrefStr(CRL_AUTOUPDATE_TIMIINGTYPE_PREF); nsCAutoString updateTimePrefStr(CRL_AUTOUPDATE_TIME_PREF); nsCAutoString updateUrlPrefStr(CRL_AUTOUPDATE_URL_PREF); nsCAutoString updateDayCntPrefStr(CRL_AUTOUPDATE_DAYCNT_PREF); nsCAutoString updateFreqCntPrefStr(CRL_AUTOUPDATE_FREQCNT_PREF); updateTypePrefStr.AppendWithConversion(crlKey); updateTimePrefStr.AppendWithConversion(crlKey); updateUrlPrefStr.AppendWithConversion(crlKey); updateDayCntPrefStr.AppendWithConversion(crlKey); updateFreqCntPrefStr.AppendWithConversion(crlKey); pref->GetIntPref(updateTypePrefStr.get(),&timingTypePref); //Compute and update the next download instant if(timingTypePref == TYPE_AUTOUPDATE_TIME_BASED){ pref->GetCharPref(updateDayCntPrefStr.get(),&dayCntStr); }else{ pref->GetCharPref(updateFreqCntPrefStr.get(),&dayCntStr); } dayCnt = atof(dayCntStr); nsMemory::Free(dayCntStr); PRBool toBeRescheduled = PR_FALSE; if(NS_SUCCEEDED(ComputeNextAutoUpdateTime(crlData, timingTypePref, dayCnt, &updateTime))){ updateTimeStr.AssignWithConversion(updateTime); nsMemory::Free(updateTime); 
pref->SetCharPref(updateTimePrefStr.get(),updateTimeStr.get()); //Now, check if this update time is already in the past. This would //imply we have downloaded the same crl, or there is something wrong //with the next update date. We will not reschedule this crl in this //session anymore - or else, we land into a loop. It would anyway be //imported once the browser is restarted. PRTime nextTime; PR_ParseTimeString(updateTimeStr.get(),PR_TRUE, &nextTime); if(LL_CMP(nextTime, > , PR_Now())){ toBeRescheduled = PR_TRUE; } } //Update the url to download from, next time crlData->GetLastFetchURL(updateURL); pref->SetCharPref(updateUrlPrefStr.get(),updateURL.get()); pref->SetIntPref(updateErrCntPrefStr.get(),0); if (toBeRescheduled) { nsAutoString hashKey(crlKey); nssComponent->RemoveCrlFromList(hashKey); nssComponent->DefineNextTimer(); } } else{
/*
 * qnetd entry point: parse the command line, daemonize unless -f was given,
 * take the instance lock, bring up NSS and the listening socket, serve until
 * qnetd_poll() stops returning 0, then tear everything down in reverse order.
 *
 * Fatal setup errors leave via errx()/exit(1)/qnetd_err_nss() before the
 * main loop. The lock file descriptor is never closed explicitly; it is
 * held for the lifetime of the process.
 */
int
main(int argc, char * const argv[])
{
	struct qnetd_instance instance;
	struct qnetd_advanced_settings advanced_settings;
	char *host_addr;
	uint16_t host_port;
	int foreground;
	int debug_log;
	int bump_log_priority;
	enum tlv_tls_supported tls_supported;
	int client_cert_required;
	size_t max_clients;
	PRIntn address_family;
	int lock_file;
	int another_instance_running;

	if (qnetd_advanced_settings_init(&advanced_settings) != 0) {
		errx(1, "Can't alloc memory for advanced settings");
	}

	cli_parse(argc, argv, &host_addr, &host_port, &foreground, &debug_log, &bump_log_priority,
	    &tls_supported, &client_cert_required, &max_clients, &address_family, &advanced_settings);

	if (foreground) {
		qnetd_log_init(QNETD_LOG_TARGET_STDERR);
	} else {
		qnetd_log_init(QNETD_LOG_TARGET_SYSLOG);
	}

	qnetd_log_set_debug(debug_log);
	qnetd_log_set_priority_bump(bump_log_priority);

	/*
	 * Daemonize
	 */
	if (!foreground) {
		utils_tty_detach();
	}

	/* single-instance guard; the lock tells us whether another daemon holds it */
	if ((lock_file = utils_flock(advanced_settings.lock_file, getpid(),
	    &another_instance_running)) == -1) {
		if (another_instance_running) {
			qnetd_log(LOG_ERR, "Another instance is running");
		} else {
			qnetd_log_err(LOG_ERR, "Can't acquire lock");
		}

		exit(1);
	}

	qnetd_log(LOG_DEBUG, "Initializing nss");
	/* With TLS disabled no cert DB directory is handed to NSS (NULL);
	 * presumably nss_sock_init_nss() then runs NSS without a database. */
	if (nss_sock_init_nss((tls_supported != TLV_TLS_UNSUPPORTED ?
	    advanced_settings.nss_db_dir : NULL)) != 0) {
		qnetd_err_nss();
	}

	/* zero sizes/timeouts and a NULL directory select the NSS defaults */
	if (SSL_ConfigServerSessionIDCache(0, 0, 0, NULL) != SECSuccess) {
		qnetd_err_nss();
	}

	if (qnetd_instance_init(&instance, tls_supported, client_cert_required,
	    max_clients, &advanced_settings) == -1) {
		qnetd_log(LOG_ERR, "Can't initialize qnetd");
		exit(1);
	}
	instance.host_addr = host_addr;
	instance.host_port = host_port;

	/* server cert/key are only loaded when TLS can be negotiated at all */
	if (tls_supported != TLV_TLS_UNSUPPORTED && qnetd_instance_init_certs(&instance) == -1) {
		qnetd_err_nss();
	}

	qnetd_log(LOG_DEBUG, "Initializing local socket");
	/* NOTE(review): unlike the other setup failures, this path returns
	 * without NSS shutdown or qnetd_instance_destroy(); process exit
	 * releases the lock file and sockets anyway. */
	if (qnetd_ipc_init(&instance) != 0) {
		return (1);
	}

	qnetd_log(LOG_DEBUG, "Creating listening socket");
	instance.server.socket = nss_sock_create_listen_socket(instance.host_addr,
	    instance.host_port, address_family);
	if (instance.server.socket == NULL) {
		qnetd_err_nss();
	}

	if (nss_sock_set_non_blocking(instance.server.socket) != 0) {
		qnetd_err_nss();
	}

	if (PR_Listen(instance.server.socket, instance.advanced_settings->listen_backlog) != PR_SUCCESS) {
		qnetd_err_nss();
	}

	/* publish the instance for the signal handlers before installing them */
	global_instance = &instance;
	signal_handlers_register();

	qnetd_log(LOG_DEBUG, "Registering algorithms");
	if (qnetd_algorithm_register_all() != 0) {
		exit(1);
	}

	qnetd_log(LOG_DEBUG, "QNetd ready to provide service");

	/*
	 * MAIN LOOP
	 */
	while (qnetd_poll(&instance) == 0) {
	}

	/*
	 * Cleanup
	 */
	qnetd_ipc_destroy(&instance);

	if (PR_Close(instance.server.socket) != PR_SUCCESS) {
		qnetd_warn_nss();
	}

	/* server credentials, then cached sessions, then the session ID cache
	 * itself; all of it before NSS is shut down */
	CERT_DestroyCertificate(instance.server.cert);
	SECKEY_DestroyPrivateKey(instance.server.private_key);

	SSL_ClearSessionCache();
	SSL_ShutdownServerSessionIDCache();

	qnetd_instance_destroy(&instance);

	qnetd_advanced_settings_destroy(&advanced_settings);

	if (NSS_Shutdown() != SECSuccess) {
		qnetd_warn_nss();
	}

	if (PR_Cleanup() != PR_SUCCESS) {
		qnetd_warn_nss();
	}

	qnetd_log_close();

	return (0);
}
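/*
 * Demo TLS round trip over NSS/NSPR (Android build: status values and the
 * response body are written under /sdcard). The role is fixed by the
 * isServer local; with the value below only the client branch runs.
 *
 * strUserPin  - not read here; the PIN callback is GetModulePassword
 * strNickName - handed to NSS_GetClientAuthData() as the client-cert nickname
 *
 * Returns 0 normally, -1 when a buffer cannot be allocated. Library status
 * codes are stored in rv and logged where the original logged them but are
 * otherwise not acted upon: this is test scaffolding, not production code.
 *
 * Fixes over the original: PR_Read()'s byte count is kept in a PRInt32
 * instead of being narrowed into a SECStatus, and a negative count (read
 * failure) is no longer passed to fwrite() as a size_t; fopen() and malloc()
 * results are checked; buffers and accepted client sockets are released.
 */
int FileSSLDoublePoint_main(char * strUserPin, char * strNickName)
{
    int isServer = 0;
    SECStatus rv = SECSuccess;
    PRInt32 nbytes = 0;                 /* PR_Read/PR_Write result, -1 on failure */
    char * buffer = malloc(1024 * 1024);

    (void)strUserPin;

    if (buffer == NULL) {
        return -1;
    }

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    PK11_SetPasswordFunc(GetModulePassword);
    rv = NSS_Initialize(GetSystemDBDir(), "", "", "secmod.db", 0);

    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
    /* SSL2 and SSL3 are obsolete protocols; they remain enabled here only
     * because that is the demo's original configuration. */
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
    rv = NSS_SetDomesticPolicy();
    rv = NSS_SetExportPolicy();
    rv = NSS_SetFrancePolicy();
    // rv = SSL_CipherPolicySet();
    SSL_ClearSessionCache();
    rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");

    PRFileDesc * tcp_socket = PR_NewTCPSocket();
    PRFileDesc * ssl_socket = SSL_ImportFD(NULL, tcp_socket);

    if (isServer) {
        CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
        const char * nickname = "4914afeedee988071490b98f1120ddac_e73f20c7-176d-4342-ac89-ea7c00bb570a";/*nickname*/
        CERTCertificate* cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
        SECKEYPrivateKey *prvKey = NULL;
        /* the key lookup is not safe with a NULL certificate */
        if (cert != NULL) {
            prvKey = PK11_FindKeyByAnyCert(cert, NULL);
        }
        rv = SSL_ConfigSecureServer(ssl_socket, cert, prvKey, ssl_kea_rsa);

        PRNetAddr netAddr;
        PRNetAddr netAddrLocal;
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        rv = PR_Bind(tcp_socket, &netAddr);
        rv = PR_Listen(tcp_socket, 100);

        while (1) {
            PRFileDesc * client = PR_Accept(tcp_socket, &netAddr, 6000000);
            PRNetAddr addr;
            if (client == NULL) {
                continue;               /* accept timed out or failed; keep serving */
            }
            rv = PR_GetSockName(client, &addr);
            rv = SSL_ForceHandshake(client);
            nbytes = PR_Write(client, "123", 4);
            sleep(1);
            PR_Close(client);           /* the original leaked one descriptor per connection */
        }
    } else {
        /* NOTE(review): OwnAuthCertHandler replaces NSS's certificate check;
         * what it verifies is not visible here. */
        rv = SSL_AuthCertificateHook(ssl_socket, OwnAuthCertHandler, NULL);
        rv = SSL_SetURL(ssl_socket, "192.168.18.22");

        char * str = malloc(1024);
        if (str == NULL) {
            free(buffer);
            return -1;
        }
        memset(str, 0, 1024);
        strcpy(str, "GET /test/test2.html HTTP/1.1\r\n"); /* note: \r\n is CR LF */
        // str = [str stringByAppendingString:@"Accept-Language: zh-cn\r\n"];
        // str = [str stringByAppendingString:@"Connection: Keep-Alive\r\n"];
        //str = [str stringByAppendingString:@"Host: 192.168.0.106\r\n"];
        strcat(str, "Host: 192.168.18.22:8443\r\n");
        // str = [str stringByAppendingString:@"Content-Length: 0\r\n"];
        strcat(str, "\r\n");
        // str = [str stringByAppendingString:@"userName=liqiangqiang&password=new_andy\r\n"];
        // str = [str stringByAppendingString:@"\r\n"];

        PRNetAddr netAddr;
        rv = PR_StringToNetAddr("192.168.18.22", &netAddr);
        rv = PR_InitializeNetAddr(0, 8443, &netAddr);
        // rv = PR_GetHostByName();
        // PR_EnumerateHostEnt
        rv = PR_Connect(tcp_socket, &netAddr, 300000);
        FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
        rv = SSL_GetClientAuthDataHook(ssl_socket, NSS_GetClientAuthData, strNickName);
        FILE_LOG_NUMBER("/sdcard/ssl.log", rv);
        rv = SSL_ForceHandshake(ssl_socket);
        FILE_LOG_NUMBER("/sdcard/ssl.log", rv);

        nbytes = PR_Write(tcp_socket, str, strlen(str));
        FILE_LOG_NUMBER("/sdcard/ssl.log", nbytes);
        nbytes = PR_Read(tcp_socket, buffer, 1024 * 1024);
        FILE_LOG_NUMBER("/sdcard/ssl.log", nbytes);

        FILE * file = fopen("/sdcard/ssl_read.txt", "wb");
        if (file != NULL) {
            /* a failed read yields -1; the original converted that to a
             * huge size_t and read far past the end of buffer */
            if (nbytes > 0) {
                fwrite(buffer, 1, (size_t)nbytes, file);
            }
            fclose(file);
        }
        sleep(1);

        rv = SSL_InvalidateSession(ssl_socket);
        rv = PR_Shutdown(tcp_socket, PR_SHUTDOWN_BOTH);
        rv = PR_Close(tcp_socket);
        rv = ssl_FreeSessionCacheLocks();
        rv = NSS_Shutdown();

        free(str);
    }

    free(buffer);
    return 0;
}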
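/*
 * Loopback TLS smoke test. As the server (isServer == true) it accepts
 * connections on port 8888 and writes "123" to each client; as the client it
 * connects to 127.0.0.1:8888 and reads forever. Neither loop terminates.
 *
 * argc/argv give the function a main()-style signature but are not read.
 *
 * Returns 0 on the normal path, -1 when the server certificate is not found
 * in the DB. NSS/NSPR status codes are stored in rv but, as in the original
 * scaffolding, not acted upon.
 *
 * Fixes over the original: a missing server certificate no longer reaches
 * PK11_FindKeyByAnyCert() with a NULL pointer, accepted client sockets are
 * closed, PR_Read()'s byte count is no longer narrowed into a SECStatus, and
 * the local is named 'sock' so it does not shadow the POSIX socket() symbol.
 */
int FileSSL_main(int argc, char * argv[])
{
    (void)argc;
    (void)argv;

    bool isServer = true;
    SECStatus rv = SECSuccess;
    char buffer[32] = {0};      // raw bytes; not NUL-terminated after a full read
    PRInt32 nbytes = 0;         // PR_Read/PR_Write result, -1 on failure

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    PK11_SetPasswordFunc(GetModulePassword);
    rv = NSS_Initialize(GetSystemDBDir(), "", "", "secmod.db", 0);

    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_SOCKS, PR_TRUE);
    // SSL2 and SSL3 are obsolete protocols; they remain enabled here only
    // because that is the demo's original configuration.
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_FDX, PR_TRUE);
    rv = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
    rv = NSS_SetDomesticPolicy();
    rv = NSS_SetExportPolicy();
    rv = NSS_SetFrancePolicy();
    // rv = SSL_CipherPolicySet();
    SSL_ClearSessionCache();
    rv = SSL_ConfigServerSessionIDCache(10, 30 , 30, ".");

    PRFileDesc * sock = PR_NewTCPSocket();
    sock = SSL_ImportFD(NULL, sock);

    if (isServer) {
        CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
        const char * nickname = "itrus Certificate DB:2013-11-15 12:44:10";/*nickname*/
        CERTCertificate* cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, nickname);
        if (cert == NULL) {
            // The key lookup below is not safe with a NULL certificate;
            // the original crashed here when the nickname was absent.
            PR_Close(sock);
            return -1;
        }
        SECKEYPrivateKey *prvKey = PK11_FindKeyByAnyCert(cert, NULL);
        rv = SSL_ConfigSecureServer(sock, cert, prvKey, ssl_kea_rsa);

        PRNetAddr netAddr;
        PRNetAddr netAddrLocal;
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        rv = PR_Bind(sock, &netAddr);
        rv = PR_Listen(sock, 100);

        while (1) {
            PRFileDesc * client = PR_Accept(sock, &netAddr, 6000000);
            if (client == NULL) {
                continue;           // accept timed out or failed; keep serving
            }
            PRNetAddr addr;
            rv = PR_GetSockName(client, &addr);
            rv = SSL_ForceHandshake(client);
            nbytes = PR_Write(client, "123", 4);
            sleep(1);
            PR_Close(client);       // the original leaked one descriptor per connection
        }
    } else {
        rv = SSL_SetURL(sock, "127.0.0.1");
        PRNetAddr netAddr;
        PRNetAddr netAddrLocal;
        rv = PR_InitializeNetAddr(0, 8888, &netAddr);
        rv = PR_StringToNetAddr("127.0.0.1", &netAddrLocal);
        // rv = PR_GetHostByName();
        // PR_EnumerateHostEnt
        rv = PR_Connect(sock, &netAddr, 300000);
        // NOTE(review): OwnAuthCertHandler replaces NSS's certificate check
        // and is installed after connect, before the handshake; what it
        // verifies is not visible here.
        rv = SSL_AuthCertificateHook(sock, OwnAuthCertHandler, NULL);
        rv = SSL_ForceHandshake(sock);
        while (1) {
            nbytes = PR_Read(sock, buffer, 32);
            sleep(1);
        }
    }

    return 0;
}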