Diffstat (limited to 'nss/cmd/vfyserv')
-rw-r--r-- | nss/cmd/vfyserv/vfyserv.c | 911 | ||||
-rw-r--r-- | nss/cmd/vfyserv/vfyserv.gyp | 32 | ||||
-rw-r--r-- | nss/cmd/vfyserv/vfyserv.h | 68 | ||||
-rw-r--r-- | nss/cmd/vfyserv/vfyutil.c | 507 |
4 files changed, 769 insertions, 749 deletions
diff --git a/nss/cmd/vfyserv/vfyserv.c b/nss/cmd/vfyserv/vfyserv.c
index 6ee2248..aa648ad 100644
--- a/nss/cmd/vfyserv/vfyserv.c
+++ b/nss/cmd/vfyserv/vfyserv.c
@@ -8,7 +8,7 @@
  *                                                                          *
  *  This code was modified from the SSLSample code also kept in the NSS     *
  *  directory.                                                              *
- ****************************************************************************/
+ ****************************************************************************/
 
 #include <stdio.h>
 #include <string.h>
@@ -23,7 +23,6 @@
 #include "secmod.h"
 #include "secitem.h"
-
 
 #include <stdlib.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -41,13 +40,13 @@
 #define RD_BUF_SIZE (60 * 1024)
 
 
-extern int ssl2CipherSuites[];
 extern int ssl3CipherSuites[];
+extern int numSSL3CipherSuites;
 
 GlobalThreadMgr threadMGR;
 char *certNickname = NULL;
 char *hostName = NULL;
-secuPWData pwdata = { PW_NONE, 0 };
+secuPWData pwdata = { PW_NONE, 0 };
 unsigned short port = 0;
 PRBool dumpChain;
 
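Review bot: `extern int numSSL3CipherSuites;` is declared privately in vfyserv.c while the array it describes, `ssl3CipherSuites`, keeps its declaration in vfyserv.h (see the vfyserv.h hunk at -38); the count belongs next to the array in the header so every consumer sees one declaration, `extern int numSSL3CipherSuites;` directly under `extern int ssl3CipherSuites[];` in vfyserv.h. The removed `extern int ssl2CipherSuites[];` here is matched by the vfyserv.h and vfyutil.c hunks and by the rewritten cipher loop in main, so no dangling reference to the SSL2 table remains in the visible files.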
@@ -59,183 +58,180 @@ Usage(const char *progName) pr_stderr = PR_STDERR; PR_fprintf(pr_stderr, "Usage:\n" - " %s [-c ] [-o] [-p port] [-d dbdir] [-w password] [-f pwfile]\n" - " \t\t[-C cipher(s)] [-l <url> -t <nickname> ] hostname", + " %s [-c ] [-o] [-p port] [-d dbdir] [-w password] [-f pwfile]\n" + " \t\t[-C cipher(s)] [-l <url> -t <nickname> ] hostname", progName); - PR_fprintf (pr_stderr, "\nWhere:\n"); - PR_fprintf (pr_stderr, - " %-13s dump server cert chain into files\n", - "-c"); - PR_fprintf (pr_stderr, - " %-13s perform server cert OCSP check\n", - "-o"); - PR_fprintf (pr_stderr, - " %-13s server port to be used\n", - "-p"); - PR_fprintf (pr_stderr, - " %-13s use security databases in \"dbdir\"\n", - "-d dbdir"); - PR_fprintf (pr_stderr, - " %-13s key database password\n", - "-w password"); - PR_fprintf (pr_stderr, - " %-13s token password file\n", - "-f pwfile"); - PR_fprintf (pr_stderr, - " %-13s communication cipher list\n", - "-C cipher(s)"); - PR_fprintf (pr_stderr, - " %-13s OCSP responder location. This location is used to\n" - " %-13s check status of a server certificate. 
If not \n" - " %-13s specified, location will be taken from the AIA\n" - " %-13s server certificate extension.\n", - "-l url", "", "", ""); - PR_fprintf (pr_stderr, - " %-13s OCSP Trusted Responder Cert nickname\n\n", - "-t nickname"); - - exit(1); + PR_fprintf(pr_stderr, "\nWhere:\n"); + PR_fprintf(pr_stderr, + " %-13s dump server cert chain into files\n", + "-c"); + PR_fprintf(pr_stderr, + " %-13s perform server cert OCSP check\n", + "-o"); + PR_fprintf(pr_stderr, + " %-13s server port to be used\n", + "-p"); + PR_fprintf(pr_stderr, + " %-13s use security databases in \"dbdir\"\n", + "-d dbdir"); + PR_fprintf(pr_stderr, + " %-13s key database password\n", + "-w password"); + PR_fprintf(pr_stderr, + " %-13s token password file\n", + "-f pwfile"); + PR_fprintf(pr_stderr, + " %-13s communication cipher list\n", + "-C cipher(s)"); + PR_fprintf(pr_stderr, + " %-13s OCSP responder location. This location is used to\n" + " %-13s check status of a server certificate. If not \n" + " %-13s specified, location will be taken from the AIA\n" + " %-13s server certificate extension.\n", + "-l url", "", "", ""); + PR_fprintf(pr_stderr, + " %-13s OCSP Trusted Responder Cert nickname\n\n", + "-t nickname"); + + exit(1); } PRFileDesc * setupSSLSocket(PRNetAddr *addr) { - PRFileDesc *tcpSocket; - PRFileDesc *sslSocket; - PRSocketOptionData socketOption; - PRStatus prStatus; - SECStatus secStatus; - - - tcpSocket = PR_NewTCPSocket(); - if (tcpSocket == NULL) { - errWarn("PR_NewTCPSocket"); - } - - /* Make the socket blocking. */ - socketOption.option = PR_SockOpt_Nonblocking; - socketOption.value.non_blocking = PR_FALSE; - - prStatus = PR_SetSocketOption(tcpSocket, &socketOption); - if (prStatus != PR_SUCCESS) { - errWarn("PR_SetSocketOption"); - goto loser; - } - - - /* Import the socket into the SSL layer. */ - sslSocket = SSL_ImportFD(NULL, tcpSocket); - if (!sslSocket) { - errWarn("SSL_ImportFD"); - goto loser; - } - - /* Set configuration options. 
*/ - secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE); - if (secStatus != SECSuccess) { - errWarn("SSL_OptionSet:SSL_SECURITY"); - goto loser; - } - - secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); - if (secStatus != SECSuccess) { - errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT"); - goto loser; - } - - /* Set SSL callback routines. */ - secStatus = SSL_GetClientAuthDataHook(sslSocket, - (SSLGetClientAuthData)myGetClientAuthData, - (void *)certNickname); - if (secStatus != SECSuccess) { - errWarn("SSL_GetClientAuthDataHook"); - goto loser; - } - - secStatus = SSL_AuthCertificateHook(sslSocket, - (SSLAuthCertificate)myAuthCertificate, - (void *)CERT_GetDefaultCertDB()); - if (secStatus != SECSuccess) { - errWarn("SSL_AuthCertificateHook"); - goto loser; - } - - secStatus = SSL_BadCertHook(sslSocket, - (SSLBadCertHandler)myBadCertHandler, NULL); - if (secStatus != SECSuccess) { - errWarn("SSL_BadCertHook"); - goto loser; - } - - secStatus = SSL_HandshakeCallback(sslSocket, - myHandshakeCallback, - NULL); - if (secStatus != SECSuccess) { - errWarn("SSL_HandshakeCallback"); - goto loser; - } - - return sslSocket; + PRFileDesc *tcpSocket; + PRFileDesc *sslSocket; + PRSocketOptionData socketOption; + PRStatus prStatus; + SECStatus secStatus; + + tcpSocket = PR_NewTCPSocket(); + if (tcpSocket == NULL) { + errWarn("PR_NewTCPSocket"); + } + + /* Make the socket blocking. */ + socketOption.option = PR_SockOpt_Nonblocking; + socketOption.value.non_blocking = PR_FALSE; + + prStatus = PR_SetSocketOption(tcpSocket, &socketOption); + if (prStatus != PR_SUCCESS) { + errWarn("PR_SetSocketOption"); + goto loser; + } + + /* Import the socket into the SSL layer. */ + sslSocket = SSL_ImportFD(NULL, tcpSocket); + if (!sslSocket) { + errWarn("SSL_ImportFD"); + goto loser; + } + + /* Set configuration options. 
*/ + secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE); + if (secStatus != SECSuccess) { + errWarn("SSL_OptionSet:SSL_SECURITY"); + goto loser; + } + + secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); + if (secStatus != SECSuccess) { + errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT"); + goto loser; + } + + /* Set SSL callback routines. */ + secStatus = SSL_GetClientAuthDataHook(sslSocket, + (SSLGetClientAuthData)myGetClientAuthData, + (void *)certNickname); + if (secStatus != SECSuccess) { + errWarn("SSL_GetClientAuthDataHook"); + goto loser; + } + + secStatus = SSL_AuthCertificateHook(sslSocket, + (SSLAuthCertificate)myAuthCertificate, + (void *)CERT_GetDefaultCertDB()); + if (secStatus != SECSuccess) { + errWarn("SSL_AuthCertificateHook"); + goto loser; + } + + secStatus = SSL_BadCertHook(sslSocket, + (SSLBadCertHandler)myBadCertHandler, NULL); + if (secStatus != SECSuccess) { + errWarn("SSL_BadCertHook"); + goto loser; + } + + secStatus = SSL_HandshakeCallback(sslSocket, + myHandshakeCallback, + NULL); + if (secStatus != SECSuccess) { + errWarn("SSL_HandshakeCallback"); + goto loser; + } + + return sslSocket; loser: - PR_Close(tcpSocket); - return NULL; + PR_Close(tcpSocket); + return NULL; } - -const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" }; +const char requestString[] = { "GET /testfile HTTP/1.0\r\n\r\n" }; SECStatus handle_connection(PRFileDesc *sslSocket, int connection) { - int countRead = 0; - PRInt32 numBytes; - char *readBuffer; - - readBuffer = PORT_Alloc(RD_BUF_SIZE); - if (!readBuffer) { - exitErr("PORT_Alloc"); - } - - /* compose the http request here. 
*/ - - numBytes = PR_Write(sslSocket, requestString, strlen(requestString)); - if (numBytes <= 0) { - errWarn("PR_Write"); - PR_Free(readBuffer); - readBuffer = NULL; - return SECFailure; - } - - /* read until EOF */ - while (PR_TRUE) { - numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE); - if (numBytes == 0) { - break; /* EOF */ - } - if (numBytes < 0) { - errWarn("PR_Read"); - break; - } - countRead += numBytes; - } - - printSecurityInfo(stderr, sslSocket); - - PR_Free(readBuffer); - readBuffer = NULL; - - /* Caller closes the socket. */ - - fprintf(stderr, - "***** Connection %d read %d bytes total.\n", - connection, countRead); - - return SECSuccess; /* success */ + int countRead = 0; + PRInt32 numBytes; + char *readBuffer; + + readBuffer = PORT_Alloc(RD_BUF_SIZE); + if (!readBuffer) { + exitErr("PORT_Alloc"); + } + + /* compose the http request here. */ + + numBytes = PR_Write(sslSocket, requestString, strlen(requestString)); + if (numBytes <= 0) { + errWarn("PR_Write"); + PR_Free(readBuffer); + readBuffer = NULL; + return SECFailure; + } + + /* read until EOF */ + while (PR_TRUE) { + numBytes = PR_Read(sslSocket, readBuffer, RD_BUF_SIZE); + if (numBytes == 0) { + break; /* EOF */ + } + if (numBytes < 0) { + errWarn("PR_Read"); + break; + } + countRead += numBytes; + } + + printSecurityInfo(stderr, sslSocket); + + PR_Free(readBuffer); + readBuffer = NULL; + + /* Caller closes the socket. */ + + fprintf(stderr, + "***** Connection %d read %d bytes total.\n", + connection, countRead); + + return SECSuccess; /* success */ } -#define BYTE(n,i) (((i)>>((n)*8))&0xff) +#define BYTE(n, i) (((i) >> ((n)*8)) & 0xff) /* one copy of this function is launched in a separate thread for each ** connection to be made. 
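Review bot: In setupSSLSocket, the reformatted `if (tcpSocket == NULL) { errWarn("PR_NewTCPSocket"); }` still falls through to PR_SetSocketOption and SSL_ImportFD with a NULL descriptor; since every other error branch in this function follows errWarn with an explicit `goto loser`, errWarn evidently does not terminate the program, so this branch needs its own exit, `if (tcpSocket == NULL) { errWarn("PR_NewTCPSocket"); return NULL; }`. Returning directly rather than via `loser` avoids handing the NULL to PR_Close there. The defect predates this commit but is carried unchanged into the new code; setupSSLSocket is complete within this hunk.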
@@ -243,319 +239,334 @@ handle_connection(PRFileDesc *sslSocket, int connection) SECStatus do_connects(void *a, int connection) { - PRNetAddr *addr = (PRNetAddr *)a; - PRFileDesc *sslSocket; - PRHostEnt hostEntry; - char buffer[PR_NETDB_BUF_SIZE]; - PRStatus prStatus; - PRIntn hostenum; - PRInt32 ip; - SECStatus secStatus; - - /* Set up SSL secure socket. */ - sslSocket = setupSSLSocket(addr); - if (sslSocket == NULL) { - errWarn("setupSSLSocket"); - return SECFailure; - } - - secStatus = SSL_SetPKCS11PinArg(sslSocket, &pwdata); - if (secStatus != SECSuccess) { - errWarn("SSL_SetPKCS11PinArg"); - return secStatus; - } - - secStatus = SSL_SetURL(sslSocket, hostName); - if (secStatus != SECSuccess) { - errWarn("SSL_SetURL"); - return secStatus; - } - - /* Prepare and setup network connection. */ - prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry); - if (prStatus != PR_SUCCESS) { - errWarn("PR_GetHostByName"); - return SECFailure; - } - - hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr); - if (hostenum == -1) { - errWarn("PR_EnumerateHostEnt"); - return SECFailure; - } - - ip = PR_ntohl(addr->inet.ip); - fprintf(stderr, - "Connecting to host %s (addr %d.%d.%d.%d) on port %d\n", - hostName, BYTE(3,ip), BYTE(2,ip), BYTE(1,ip), - BYTE(0,ip), PR_ntohs(addr->inet.port)); - - prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); - return SECFailure; - } - - /* Established SSL connection, ready to send data. */ + PRNetAddr *addr = (PRNetAddr *)a; + PRFileDesc *sslSocket; + PRHostEnt hostEntry; + char buffer[PR_NETDB_BUF_SIZE]; + PRStatus prStatus; + PRIntn hostenum; + PRInt32 ip; + SECStatus secStatus; + + /* Set up SSL secure socket. 
*/ + sslSocket = setupSSLSocket(addr); + if (sslSocket == NULL) { + errWarn("setupSSLSocket"); + return SECFailure; + } + + secStatus = SSL_SetPKCS11PinArg(sslSocket, &pwdata); + if (secStatus != SECSuccess) { + errWarn("SSL_SetPKCS11PinArg"); + return secStatus; + } + + secStatus = SSL_SetURL(sslSocket, hostName); + if (secStatus != SECSuccess) { + errWarn("SSL_SetURL"); + return secStatus; + } + + /* Prepare and setup network connection. */ + prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry); + if (prStatus != PR_SUCCESS) { + errWarn("PR_GetHostByName"); + return SECFailure; + } + + hostenum = PR_EnumerateHostEnt(0, &hostEntry, port, addr); + if (hostenum == -1) { + errWarn("PR_EnumerateHostEnt"); + return SECFailure; + } + + ip = PR_ntohl(addr->inet.ip); + fprintf(stderr, + "Connecting to host %s (addr %d.%d.%d.%d) on port %d\n", + hostName, BYTE(3, ip), BYTE(2, ip), BYTE(1, ip), + BYTE(0, ip), PR_ntohs(addr->inet.port)); + + prStatus = PR_Connect(sslSocket, addr, PR_INTERVAL_NO_TIMEOUT); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Connect"); + return SECFailure; + } + +/* Established SSL connection, ready to send data. 
*/ #if 0 - secStatus = SSL_ForceHandshake(sslSocket); - if (secStatus != SECSuccess) { - errWarn("SSL_ForceHandshake"); - return secStatus; - } + secStatus = SSL_ForceHandshake(sslSocket); + if (secStatus != SECSuccess) { + errWarn("SSL_ForceHandshake"); + return secStatus; + } #endif - secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE); - if (secStatus != SECSuccess) { - errWarn("SSL_ResetHandshake"); - prStatus = PR_Close(sslSocket); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Close"); - } - return secStatus; - } - - secStatus = handle_connection(sslSocket, connection); - if (secStatus != SECSuccess) { - /* error already printed out in handle_connection */ - /* errWarn("handle_connection"); */ - prStatus = PR_Close(sslSocket); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Close"); - } - return secStatus; - } - - PR_Close(sslSocket); - return SECSuccess; + secStatus = SSL_ResetHandshake(sslSocket, /* asServer */ PR_FALSE); + if (secStatus != SECSuccess) { + errWarn("SSL_ResetHandshake"); + prStatus = PR_Close(sslSocket); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Close"); + } + return secStatus; + } + + secStatus = handle_connection(sslSocket, connection); + if (secStatus != SECSuccess) { + /* error already printed out in handle_connection */ + /* errWarn("handle_connection"); */ + prStatus = PR_Close(sslSocket); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Close"); + } + return secStatus; + } + + PR_Close(sslSocket); + return SECSuccess; } void -client_main(unsigned short port, - int connections, - const char * hostName) +client_main(unsigned short port, + int connections, + const char *hostName) { - int i; - SECStatus secStatus; - PRStatus prStatus; - PRInt32 rv; - PRNetAddr addr; - PRHostEnt hostEntry; - char buffer[PR_NETDB_BUF_SIZE]; - - /* Setup network connection. 
*/ - prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry); - if (prStatus != PR_SUCCESS) { - exitErr("PR_GetHostByName"); - } - - rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr); - if (rv < 0) { - exitErr("PR_EnumerateHostEnt"); - } - - secStatus = launch_thread(&threadMGR, do_connects, &addr, 1); - if (secStatus != SECSuccess) { - exitErr("launch_thread"); - } - - if (connections > 1) { - /* wait for the first connection to terminate, then launch the rest. */ - reap_threads(&threadMGR); - /* Start up the connections */ - for (i = 2; i <= connections; ++i) { - secStatus = launch_thread(&threadMGR, do_connects, &addr, i); - if (secStatus != SECSuccess) { - errWarn("launch_thread"); - } - } - } - - reap_threads(&threadMGR); - destroy_thread_data(&threadMGR); + int i; + SECStatus secStatus; + PRStatus prStatus; + PRInt32 rv; + PRNetAddr addr; + PRHostEnt hostEntry; + char buffer[PR_NETDB_BUF_SIZE]; + + /* Setup network connection. */ + prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry); + if (prStatus != PR_SUCCESS) { + exitErr("PR_GetHostByName"); + } + + rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr); + if (rv < 0) { + exitErr("PR_EnumerateHostEnt"); + } + + secStatus = launch_thread(&threadMGR, do_connects, &addr, 1); + if (secStatus != SECSuccess) { + exitErr("launch_thread"); + } + + if (connections > 1) { + /* wait for the first connection to terminate, then launch the rest. 
*/ + reap_threads(&threadMGR); + /* Start up the connections */ + for (i = 2; i <= connections; ++i) { + secStatus = launch_thread(&threadMGR, do_connects, &addr, i); + if (secStatus != SECSuccess) { + errWarn("launch_thread"); + } + } + } + + reap_threads(&threadMGR); + destroy_thread_data(&threadMGR); } -#define HEXCHAR_TO_INT(c, i) \ - if (((c) >= '0') && ((c) <= '9')) { \ - i = (c) - '0'; \ +#define HEXCHAR_TO_INT(c, i) \ + if (((c) >= '0') && ((c) <= '9')) { \ + i = (c) - '0'; \ } else if (((c) >= 'a') && ((c) <= 'f')) { \ - i = (c) - 'a' + 10; \ + i = (c) - 'a' + 10; \ } else if (((c) >= 'A') && ((c) <= 'F')) { \ - i = (c) - 'A' + 10; \ - } else { \ - Usage(progName); \ + i = (c) - 'A' + 10; \ + } else { \ + Usage(progName); \ } int main(int argc, char **argv) { - char * certDir = NULL; - char * progName = NULL; - int connections = 1; - char * cipherString = NULL; - char * respUrl = NULL; - char * respCertName = NULL; - SECStatus secStatus; - PLOptState * optstate; - PLOptStatus status; - PRBool doOcspCheck = PR_FALSE; - - /* Call the NSPR initialization routines */ - PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - - progName = PORT_Strdup(argv[0]); - - hostName = NULL; - optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:"); - while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { - switch(optstate->option) { - case 'C' : cipherString = PL_strdup(optstate->value); break; - case 'c' : dumpChain = PR_TRUE; break; - case 'd' : certDir = PL_strdup(optstate->value); break; - case 'l' : respUrl = PL_strdup(optstate->value); break; - case 'p' : port = PORT_Atoi(optstate->value); break; - case 'o' : doOcspCheck = PR_TRUE; break; - case 't' : respCertName = PL_strdup(optstate->value); break; - case 'w': - pwdata.source = PW_PLAINTEXT; - pwdata.data = PORT_Strdup(optstate->value); - break; - - case 'f': - pwdata.source = PW_FROMFILE; - pwdata.data = PORT_Strdup(optstate->value); - break; - case '\0': hostName = PL_strdup(optstate->value); break; - 
default : Usage(progName); - } - } - - if (port == 0) { - port = 443; - } - - if (port == 0 || hostName == NULL) - Usage(progName); - - if (doOcspCheck && - ((respCertName != NULL && respUrl == NULL) || - (respUrl != NULL && respCertName == NULL))) { - SECU_PrintError (progName, "options -l <url> and -t " - "<responder> must be used together"); - Usage(progName); + char *certDir = NULL; + char *progName = NULL; + int connections = 1; + char *cipherString = NULL; + char *respUrl = NULL; + char *respCertName = NULL; + SECStatus secStatus; + PLOptState *optstate; + PLOptStatus status; + PRBool doOcspCheck = PR_FALSE; + + /* Call the NSPR initialization routines */ + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + progName = PORT_Strdup(argv[0]); + + hostName = NULL; + optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'C': + cipherString = PL_strdup(optstate->value); + break; + case 'c': + dumpChain = PR_TRUE; + break; + case 'd': + certDir = PL_strdup(optstate->value); + break; + case 'l': + respUrl = PL_strdup(optstate->value); + break; + case 'p': + port = PORT_Atoi(optstate->value); + break; + case 'o': + doOcspCheck = PR_TRUE; + break; + case 't': + respCertName = PL_strdup(optstate->value); + break; + case 'w': + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; + + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = PORT_Strdup(optstate->value); + break; + case '\0': + hostName = PL_strdup(optstate->value); + break; + default: + Usage(progName); } - - PK11_SetPasswordFunc(SECU_GetModulePassword); - - /* Initialize the NSS libraries. 
*/ - if (certDir) { - secStatus = NSS_Init(certDir); - } else { - secStatus = NSS_NoDB_Init(NULL); - - /* load the builtins */ - SECMOD_AddNewModule("Builtins", - DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0); - } - if (secStatus != SECSuccess) { - exitErr("NSS_Init"); - } - SECU_RegisterDynamicOids(); - - if (doOcspCheck == PR_TRUE) { - SECStatus rv; - CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); - if (handle == NULL) { - SECU_PrintError (progName, "problem getting certdb handle"); + } + + if (port == 0) { + port = 443; + } + + if (port == 0 || hostName == NULL) + Usage(progName); + + if (doOcspCheck && + ((respCertName != NULL && respUrl == NULL) || + (respUrl != NULL && respCertName == NULL))) { + SECU_PrintError(progName, "options -l <url> and -t " + "<responder> must be used together"); + Usage(progName); + } + + PK11_SetPasswordFunc(SECU_GetModulePassword); + + /* Initialize the NSS libraries. */ + if (certDir) { + secStatus = NSS_Init(certDir); + } else { + secStatus = NSS_NoDB_Init(NULL); + + /* load the builtins */ + SECMOD_AddNewModule("Builtins", + DLL_PREFIX "nssckbi." 
DLL_SUFFIX, 0, 0); + } + if (secStatus != SECSuccess) { + exitErr("NSS_Init"); + } + SECU_RegisterDynamicOids(); + + if (doOcspCheck == PR_TRUE) { + SECStatus rv; + CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); + if (handle == NULL) { + SECU_PrintError(progName, "problem getting certdb handle"); + goto cleanup; + } + + rv = CERT_EnableOCSPChecking(handle); + if (rv != SECSuccess) { + SECU_PrintError(progName, "error enabling OCSP checking"); + goto cleanup; + } + + if (respUrl != NULL) { + rv = CERT_SetOCSPDefaultResponder(handle, respUrl, + respCertName); + if (rv != SECSuccess) { + SECU_PrintError(progName, + "error setting default responder"); goto cleanup; } - - rv = CERT_EnableOCSPChecking (handle); + + rv = CERT_EnableOCSPDefaultResponder(handle); if (rv != SECSuccess) { - SECU_PrintError (progName, "error enabling OCSP checking"); + SECU_PrintError(progName, + "error enabling default responder"); goto cleanup; } + } + } - if (respUrl != NULL) { - rv = CERT_SetOCSPDefaultResponder (handle, respUrl, - respCertName); - if (rv != SECSuccess) { - SECU_PrintError (progName, - "error setting default responder"); - goto cleanup; - } - - rv = CERT_EnableOCSPDefaultResponder (handle); - if (rv != SECSuccess) { - SECU_PrintError (progName, - "error enabling default responder"); - goto cleanup; + /* All cipher suites except RSA_NULL_MD5 are enabled by + * Domestic Policy. */ + NSS_SetDomesticPolicy(); + SSL_CipherPrefSetDefault(TLS_RSA_WITH_NULL_MD5, PR_TRUE); + + /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + if (cipherString) { + int ndx; + + /* disable all the ciphers, then enable the ones we want. 
*/ + disableAllSSLCiphers(); + + while (0 != (ndx = *cipherString++)) { + int cipher = 0; + + if (ndx == ':') { + int ctmp = 0; + + HEXCHAR_TO_INT(*cipherString, ctmp) + cipher |= (ctmp << 12); + cipherString++; + HEXCHAR_TO_INT(*cipherString, ctmp) + cipher |= (ctmp << 8); + cipherString++; + HEXCHAR_TO_INT(*cipherString, ctmp) + cipher |= (ctmp << 4); + cipherString++; + HEXCHAR_TO_INT(*cipherString, ctmp) + cipher |= ctmp; + cipherString++; + } else { + if (!isalpha(ndx)) + Usage(progName); + ndx = tolower(ndx) - 'a'; + if (ndx < numSSL3CipherSuites) { + cipher = ssl3CipherSuites[ndx]; } } - } - - /* All cipher suites except RSA_NULL_MD5 are enabled by - * Domestic Policy. */ - NSS_SetDomesticPolicy(); - SSL_CipherPrefSetDefault(TLS_RSA_WITH_NULL_MD5, PR_TRUE); - - /* all the SSL2 and SSL3 cipher suites are enabled by default. */ - if (cipherString) { - int ndx; - - /* disable all the ciphers, then enable the ones we want. */ - disableAllSSLCiphers(); - - while (0 != (ndx = *cipherString++)) { - int cipher; - - if (ndx == ':') { - int ctmp = 0; - - cipher = 0; - HEXCHAR_TO_INT(*cipherString, ctmp) - cipher |= (ctmp << 12); - cipherString++; - HEXCHAR_TO_INT(*cipherString, ctmp) - cipher |= (ctmp << 8); - cipherString++; - HEXCHAR_TO_INT(*cipherString, ctmp) - cipher |= (ctmp << 4); - cipherString++; - HEXCHAR_TO_INT(*cipherString, ctmp) - cipher |= ctmp; - cipherString++; - } else { - const int *cptr; - if (! isalpha(ndx)) - Usage(progName); - cptr = islower(ndx) ? 
ssl3CipherSuites : ssl2CipherSuites;
-                for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
-                    /* do nothing */;
-            }
-            if (cipher > 0) {
-                SSL_CipherPrefSetDefault(cipher, PR_TRUE);
-            } else {
-                Usage(progName);
-            }
-        }
-    }
-
-    client_main(port, connections, hostName);
+            if (cipher > 0) {
+                SSL_CipherPrefSetDefault(cipher, PR_TRUE);
+            } else {
+                Usage(progName);
+            }
+        }
+    }
+
+    client_main(port, connections, hostName);
 
 cleanup:
-    if (doOcspCheck) {
-        CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
-        CERT_DisableOCSPDefaultResponder(handle);
-        CERT_DisableOCSPChecking (handle);
-    }
+    if (doOcspCheck) {
+        CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
+        CERT_DisableOCSPDefaultResponder(handle);
+        CERT_DisableOCSPChecking(handle);
+    }
 
-    if (NSS_Shutdown() != SECSuccess) {
-        exit(1);
-    }
+    if (NSS_Shutdown() != SECSuccess) {
+        exit(1);
+    }
 
-    PR_Cleanup();
-    PORT_Free(progName);
-    return 0;
+    PR_Cleanup();
+    PORT_Free(progName);
+    return 0;
 }
-
diff --git a/nss/cmd/vfyserv/vfyserv.gyp b/nss/cmd/vfyserv/vfyserv.gyp
new file mode 100644
index 0000000..85001a1
--- /dev/null
+++ b/nss/cmd/vfyserv/vfyserv.gyp
@@ -0,0 +1,32 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../../cmd/platlibs.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'vfyserv',
+      'type': 'executable',
+      'sources': [
+        'vfyserv.c',
+        'vfyutil.c'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:dbm_exports',
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ]
+    }
+  ],
+  'target_defaults': {
+    'defines': [
+      'DLL_PREFIX=\"<(dll_prefix)\"',
+      'DLL_SUFFIX=\"<(dll_suffix)\"'
+    ]
+  },
+  'variables': {
+    'module': 'nss'
+  }
+}
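Review bot: In main's cipher-string loop, `ndx` is loaded from `*cipherString++` through a plain `char`, so `isalpha(ndx)` and `tolower(ndx)` receive a negative value for any byte above 0x7F, which is undefined behavior for the <ctype.h> functions; convert first, `if (!isalpha((unsigned char)ndx)) Usage(progName);` and `ndx = tolower((unsigned char)ndx) - 'a';`. The comment `/* all the SSL2 and SSL3 cipher suites are enabled by default. */` is now stale, since this commit drops the SSL2 table and the uppercase-letter path that selected it; `/* all SSL3/TLS cipher suites are enabled by default; suite letters are case-insensitive */` would describe the new code. In do_connects, the early returns after SSL_SetPKCS11PinArg, SSL_SetURL, PR_GetHostByName, PR_EnumerateHostEnt and PR_Connect failures leave `sslSocket` open, unlike the later SSL_ResetHandshake and handle_connection failure paths which PR_Close it; routing all of them through one close-and-return tail would make the cleanup consistent.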
\ No newline at end of file diff --git a/nss/cmd/vfyserv/vfyserv.h b/nss/cmd/vfyserv/vfyserv.h index 56045bd..00afc80 100644 --- a/nss/cmd/vfyserv/vfyserv.h +++ b/nss/cmd/vfyserv/vfyserv.h @@ -38,21 +38,20 @@ /* Declare SSL cipher suites. */ extern int cipherSuites[]; -extern int ssl2CipherSuites[]; extern int ssl3CipherSuites[]; /* Data buffer read from a socket. */ typedef struct DataBufferStr { - char data[BUFFER_SIZE]; - int index; - int remaining; - int dataStart; - int dataEnd; + char data[BUFFER_SIZE]; + int index; + int remaining; + int dataStart; + int dataEnd; } DataBuffer; /* SSL callback routines. */ -char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg); +char *myPasswd(PK11SlotInfo *info, PRBool retry, void *arg); SECStatus myAuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer); @@ -70,7 +69,6 @@ SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket, void disableAllSSLCiphers(void); - /* Error and information utilities. */ void errWarn(char *function); 
@@ -85,31 +83,33 @@ void printSecurityInfo(FILE *outfile, PRFileDesc *fd); typedef SECStatus startFn(void *a, int b); -typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState; +typedef enum { rs_idle = 0, + rs_running = 1, + rs_zombie = 2 } runState; typedef struct perThreadStr { - PRFileDesc *a; - int b; - int rv; - startFn *startFunc; - PRThread *prThread; - PRBool inUse; - runState running; + PRFileDesc *a; + int b; + int rv; + startFn *startFunc; + PRThread *prThread; + PRBool inUse; + runState running; } perThread; typedef struct GlobalThreadMgrStr { - PRLock *threadLock; - PRCondVar *threadStartQ; - PRCondVar *threadEndQ; - perThread threads[MAX_THREADS]; - int index; - int numUsed; - int numRunning; + PRLock *threadLock; + PRCondVar *threadStartQ; + PRCondVar *threadEndQ; + perThread threads[MAX_THREADS]; + int index; + int numUsed; + int numRunning; } GlobalThreadMgr; -void thread_wrapper(void * arg); +void thread_wrapper(void *arg); -SECStatus launch_thread(GlobalThreadMgr *threadMGR, +SECStatus launch_thread(GlobalThreadMgr *threadMGR, startFn *startFunc, void *a, int b); SECStatus reap_threads(GlobalThreadMgr *threadMGR); @@ -119,10 +119,10 @@ void destroy_thread_data(GlobalThreadMgr *threadMGR); /* Management of locked variables. */ struct lockedVarsStr { - PRLock * lock; - int count; - int waiters; - PRCondVar * condVar; + PRLock *lock; + int count; + int waiters; + PRCondVar *condVar; }; typedef struct lockedVarsStr lockedVars; @@ -135,14 +135,4 @@ void lockedVars_WaitForDone(lockedVars *lv); int lockedVars_AddToCount(lockedVars *lv, int addend); -/* Buffer stuff. */ - -static const char stopCmd[] = { "GET /stop " }; -static const char defaultHeader[] = { - "HTTP/1.0 200 OK\r\n" - "Server: SSL sample server\r\n" - "Content-type: text/plain\r\n" - "\r\n" -}; - #endif diff --git a/nss/cmd/vfyserv/vfyutil.c b/nss/cmd/vfyserv/vfyutil.c index 686c7b1..2f1b532 100644 --- a/nss/cmd/vfyserv/vfyutil.c +++ b/nss/cmd/vfyserv/vfyutil.c 
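Review bot: The reformatted `typedef enum { rs_idle = 0,` / `rs_running = 1,` / `rs_zombie = 2 } runState;` leaves the second and third enumerators hanging under the first, presumably because the formatter was given a one-line enum with the opening brace on the typedef line. Putting the enumerators inside a normal brace block, `typedef enum {` / `    rs_idle = 0, rs_running = 1, rs_zombie = 2` / `} runState;`, gives a layout that stays stable under future reformatting and matches how the structs in this same hunk are laid out.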
@@ -8,60 +8,50 @@ #include "nspr.h" #include "secutil.h" - extern PRBool dumpChain; extern void dumpCertChain(CERTCertificate *, SECCertUsage); /* Declare SSL cipher suites. */ -int ssl2CipherSuites[] = { - SSL_EN_RC4_128_WITH_MD5, /* A */ - SSL_EN_RC4_128_EXPORT40_WITH_MD5, /* B */ - SSL_EN_RC2_128_CBC_WITH_MD5, /* C */ - SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, /* D */ - SSL_EN_DES_64_CBC_WITH_MD5, /* E */ - SSL_EN_DES_192_EDE3_CBC_WITH_MD5, /* F */ - 0 -}; - int ssl3CipherSuites[] = { - -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ - -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ - TLS_RSA_WITH_RC4_128_MD5, /* c */ - TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ - TLS_RSA_WITH_DES_CBC_SHA, /* e */ - TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ - TLS_RSA_WITH_NULL_MD5, /* i */ - SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ - SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ - TLS_RSA_WITH_RC4_128_SHA, /* n */ - TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ - TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ - TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ - TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ - TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ - TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ - TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ - TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ - TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ - TLS_RSA_WITH_NULL_SHA, /* z */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ + TLS_RSA_WITH_RC4_128_MD5, /* c */ + TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ + TLS_RSA_WITH_DES_CBC_SHA, /* e */ + -1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 * f */ + -1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 * g */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA * h */ + TLS_RSA_WITH_NULL_MD5, /* i */ + -1, /* 
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA * j */ + -1, /* SSL_RSA_FIPS_WITH_DES_CBC_SHA * k */ + -1, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA * l */ + -1, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA * m */ + TLS_RSA_WITH_RC4_128_SHA, /* n */ + TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + TLS_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + TLS_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ + TLS_RSA_WITH_NULL_SHA, /* z */ 0 }; +int numSSL3CipherSuites = PR_ARRAY_SIZE(ssl3CipherSuites); /************************************************************************** -** +** ** SSL callback routines. ** **************************************************************************/ /* Function: char * myPasswd() - * + * * Purpose: This function is our custom password handler that is called by * SSL when retreiving private certs and keys from the database. Returns a * pointer to a string that with a password for the database. Password pointer @@ -70,10 +60,10 @@ int ssl3CipherSuites[] = { char * myPasswd(PK11SlotInfo *info, PRBool retry, void *arg) { - char * passwd = NULL; + char *passwd = NULL; - if ( (!retry) && arg ) { - passwd = PORT_Strdup((char *)arg); + if ((!retry) && arg) { + passwd = PORT_Strdup((char *)arg); } return passwd; } 
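Review bot: `int numSSL3CipherSuites = PR_ARRAY_SIZE(ssl3CipherSuites);` counts the trailing `0` terminator as a suite, so the value is one larger than the number of letter slots (a..z); the consumer in vfyserv.c checks `if (ndx < numSSL3CipherSuites)`, which admits index 26 and would select the terminator, yielding cipher 0 — only the `isalpha` test upstream keeps that from happening. Either exclude the sentinel, `int numSSL3CipherSuites = PR_ARRAY_SIZE(ssl3CipherSuites) - 1;`, or document the inclusion, `/* includes the trailing 0 terminator */`. The entries newly turned into `-1` (the export and FIPS suites, alongside the already-disabled Fortezza ones) reach the consumer as a negative cipher and fall into its `Usage(progName)` branch, which is consistent, but a one-line comment at the top of the table stating that `-1` marks a letter that is no longer selectable would spare the next reader the cross-file trace.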
@@ -81,24 +71,24 @@ myPasswd(PK11SlotInfo *info, PRBool retry, void *arg) /* Function: SECStatus myAuthCertificate() * * Purpose: This function is our custom certificate authentication handler. - * - * Note: This implementation is essentially the same as the default + * + * Note: This implementation is essentially the same as the default * SSL_AuthCertificate(). */ -SECStatus -myAuthCertificate(void *arg, PRFileDesc *socket, - PRBool checksig, PRBool isServer) +SECStatus +myAuthCertificate(void *arg, PRFileDesc *socket, + PRBool checksig, PRBool isServer) { SECCertificateUsage certUsage; - CERTCertificate * cert; - void * pinArg; - char * hostName; - SECStatus secStatus; + CERTCertificate *cert; + void *pinArg; + char *hostName; + SECStatus secStatus; if (!arg || !socket) { - errWarn("myAuthCertificate"); - return SECFailure; + errWarn("myAuthCertificate"); + return SECFailure; } /* Define how the cert is being used based upon the isServer flag. */ @@ -106,26 +96,26 @@ myAuthCertificate(void *arg, PRFileDesc *socket, certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer; cert = SSL_PeerCertificate(socket); - + pinArg = SSL_RevealPinArg(socket); - + if (dumpChain == PR_TRUE) { dumpCertChain(cert, certUsage); } secStatus = CERT_VerifyCertificateNow((CERTCertDBHandle *)arg, - cert, - checksig, - certUsage, - pinArg, - NULL); + cert, + checksig, + certUsage, + pinArg, + NULL); /* If this is a server, we're finished. */ if (isServer || secStatus != SECSuccess) { - SECU_printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, - checksig, certUsage, pinArg, PR_FALSE); - CERT_DestroyCertificate(cert); - return secStatus; + SECU_printCertProblems(stderr, (CERTCertDBHandle *)arg, cert, + checksig, certUsage, pinArg, PR_FALSE); + CERT_DestroyCertificate(cert); + return secStatus; } /* Certificate is OK. Since this is the client side of an SSL 
@@ -138,14 +128,14 @@ myAuthCertificate(void *arg, PRFileDesc *socket, hostName = SSL_RevealURL(socket); if (hostName && hostName[0]) { - secStatus = CERT_VerifyCertName(cert, hostName); + secStatus = CERT_VerifyCertName(cert, hostName); } else { - PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0); - secStatus = SECFailure; + PR_SetError(SSL_ERROR_BAD_CERT_DOMAIN, 0); + secStatus = SECFailure; } if (hostName) - PR_Free(hostName); + PR_Free(hostName); CERT_DestroyCertificate(cert); return secStatus; 
@@ -157,48 +147,48 @@ myAuthCertificate(void *arg, PRFileDesc *socket, * valid. We define a certain set of parameters that still cause the * certificate to be "valid" for this session, and return SECSuccess to cause * the server to continue processing the request when any of these conditions - * are met. Otherwise, SECFailure is return and the server rejects the + * are met. Otherwise, SECFailure is return and the server rejects the * request. */ -SECStatus -myBadCertHandler(void *arg, PRFileDesc *socket) +SECStatus +myBadCertHandler(void *arg, PRFileDesc *socket) { - SECStatus secStatus = SECFailure; - PRErrorCode err; + SECStatus secStatus = SECFailure; + PRErrorCode err; /* log invalid cert here */ if (!arg) { - return secStatus; + return secStatus; } *(PRErrorCode *)arg = err = PORT_GetError(); /* If any of the cases in the switch are met, then we will proceed */ - /* with the processing of the request anyway. Otherwise, the default */ + /* with the processing of the request anyway. Otherwise, the default */ /* case will be reached and we will reject the request. 
*/ switch (err) { - case SEC_ERROR_INVALID_AVA: - case SEC_ERROR_INVALID_TIME: - case SEC_ERROR_BAD_SIGNATURE: - case SEC_ERROR_EXPIRED_CERTIFICATE: - case SEC_ERROR_UNKNOWN_ISSUER: - case SEC_ERROR_UNTRUSTED_CERT: - case SEC_ERROR_CERT_VALID: - case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - case SEC_ERROR_CRL_EXPIRED: - case SEC_ERROR_CRL_BAD_SIGNATURE: - case SEC_ERROR_EXTENSION_VALUE_INVALID: - case SEC_ERROR_CA_CERT_INVALID: - case SEC_ERROR_CERT_USAGES_INVALID: - case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: - secStatus = SECSuccess; - break; - default: - secStatus = SECFailure; - break; + case SEC_ERROR_INVALID_AVA: + case SEC_ERROR_INVALID_TIME: + case SEC_ERROR_BAD_SIGNATURE: + case SEC_ERROR_EXPIRED_CERTIFICATE: + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_CERT: + case SEC_ERROR_CERT_VALID: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + case SEC_ERROR_CRL_EXPIRED: + case SEC_ERROR_CRL_BAD_SIGNATURE: + case SEC_ERROR_EXTENSION_VALUE_INVALID: + case SEC_ERROR_CA_CERT_INVALID: + case SEC_ERROR_CERT_USAGES_INVALID: + case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION: + secStatus = SECSuccess; + break; + default: + secStatus = SECFailure; + break; } fprintf(stderr, "Bad certificate: %d, %s\n", err, SECU_Strerror(err)); 
@@ -208,75 +198,75 @@ myBadCertHandler(void *arg, PRFileDesc *socket) /* Function: SECStatus ownGetClientAuthData() * - * Purpose: This callback is used by SSL to pull client certificate + * Purpose: This callback is used by SSL to pull client certificate * information upon server request. */ -SECStatus +SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket, struct CERTDistNamesStr *caNames, struct CERTCertificateStr **pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) + struct SECKEYPrivateKeyStr **pRetKey) { - CERTCertificate * cert; - SECKEYPrivateKey * privKey; - char * chosenNickName = (char *)arg; - void * proto_win = NULL; - SECStatus secStatus = SECFailure; + CERTCertificate *cert; + SECKEYPrivateKey *privKey; + char *chosenNickName = (char *)arg; + void *proto_win = NULL; + SECStatus secStatus = SECFailure; proto_win = SSL_RevealPinArg(socket); if (chosenNickName) { - cert = PK11_FindCertFromNickname(chosenNickName, proto_win); - if (cert) { - privKey = PK11_FindKeyByAnyCert(cert, proto_win); - if (privKey) { - secStatus = SECSuccess; - } else { - CERT_DestroyCertificate(cert); - } - } + cert = PK11_FindCertFromNickname(chosenNickName, proto_win); + if (cert) { + privKey = PK11_FindKeyByAnyCert(cert, proto_win); + if (privKey) { + secStatus = SECSuccess; + } else { + CERT_DestroyCertificate(cert); + } + } } else { /* no nickname given, automatically find the right cert */ - CERTCertNicknames *names; - int i; - - names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), - SEC_CERT_NICKNAMES_USER, proto_win); - - if (names != NULL) { - for(i = 0; i < names->numnicknames; i++ ) { - - cert = PK11_FindCertFromNickname(names->nicknames[i], - proto_win); - if (!cert) { - continue; - } - - /* Only check unexpired certs */ - if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE) - != secCertTimeValid ) { - CERT_DestroyCertificate(cert); - continue; - } - - secStatus = NSS_CmpCertChainWCANames(cert, caNames); - if (secStatus == SECSuccess) { - privKey = 
PK11_FindKeyByAnyCert(cert, proto_win); - if (privKey) { - break; - } - secStatus = SECFailure; - } - CERT_DestroyCertificate(cert); - } /* for loop */ - CERT_FreeNicknames(names); - } + CERTCertNicknames *names; + int i; + + names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), + SEC_CERT_NICKNAMES_USER, proto_win); + + if (names != NULL) { + for (i = 0; i < names->numnicknames; i++) { + + cert = PK11_FindCertFromNickname(names->nicknames[i], + proto_win); + if (!cert) { + continue; + } + + /* Only check unexpired certs */ + if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE) != + secCertTimeValid) { + CERT_DestroyCertificate(cert); + continue; + } + + secStatus = NSS_CmpCertChainWCANames(cert, caNames); + if (secStatus == SECSuccess) { + privKey = PK11_FindKeyByAnyCert(cert, proto_win); + if (privKey) { + break; + } + secStatus = SECFailure; + } + CERT_DestroyCertificate(cert); + } /* for loop */ + CERT_FreeNicknames(names); + } } if (secStatus == SECSuccess) { - *pRetCert = cert; - *pRetKey = privKey; + *pRetCert = cert; + *pRetKey = privKey; } return secStatus; @@ -287,7 +277,7 @@ myGetClientAuthData(void *arg, * Purpose: Called by SSL to inform application that the handshake is * complete. This function is mostly used on the server side of an SSL * connection, although it is provided for a client as well. - * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake + * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake * is used to initiate a handshake. * * A typical scenario would be: 
@@ -306,14 +296,13 @@ myGetClientAuthData(void *arg, * blocking sockets. */ void -myHandshakeCallback(PRFileDesc *socket, void *arg) +myHandshakeCallback(PRFileDesc *socket, void *arg) { - fprintf(stderr,"Handshake Complete: SERVER CONFIGURED CORRECTLY\n"); + fprintf(stderr, "Handshake Complete: SERVER CONFIGURED CORRECTLY\n"); } - /************************************************************************** -** +** ** Routines for disabling SSL ciphers. ** **************************************************************************/ @@ -322,25 +311,25 @@ void disableAllSSLCiphers(void) { const PRUint16 *cipherSuites = SSL_ImplementedCiphers; - int i = SSL_NumImplementedCiphers; - SECStatus rv; + int i = SSL_NumImplementedCiphers; + SECStatus rv; /* disable all the SSL3 cipher suites */ while (--i >= 0) { - PRUint16 suite = cipherSuites[i]; + PRUint16 suite = cipherSuites[i]; rv = SSL_CipherPrefSetDefault(suite, PR_FALSE); - if (rv != SECSuccess) { - fprintf(stderr, - "SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n", - suite, i); - errWarn("SSL_CipherPrefSetDefault"); - exit(2); - } + if (rv != SECSuccess) { + fprintf(stderr, + "SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n", + suite, i); + errWarn("SSL_CipherPrefSetDefault"); + exit(2); + } } } /************************************************************************** -** +** ** Error and information routines. ** **************************************************************************/ @@ -348,11 +337,11 @@ disableAllSSLCiphers(void) void errWarn(char *function) { - PRErrorCode errorNumber = PR_GetError(); - const char * errorString = SECU_Strerror(errorNumber); + PRErrorCode errorNumber = PR_GetError(); + const char *errorString = SECU_Strerror(errorNumber); fprintf(stderr, "Error in function %s: %d\n - %s\n", - function, errorNumber, errorString); + function, errorNumber, errorString); } void 
@@ -361,52 +350,51 @@ exitErr(char *function) errWarn(function); /* Exit gracefully. */ /* ignoring return value of NSS_Shutdown as code exits with 1 anyway*/ - (void) NSS_Shutdown(); + (void)NSS_Shutdown(); PR_Cleanup(); exit(1); } -void +void printSecurityInfo(FILE *outfile, PRFileDesc *fd) { - char * cp; /* bulk cipher name */ - char * ip; /* cert issuer DN */ - char * sp; /* cert subject DN */ - int op; /* High, Low, Off */ - int kp0; /* total key bits */ - int kp1; /* secret key bits */ - int result; - SSL3Statistics * ssl3stats = SSL_GetStatistics(); + char *cp; /* bulk cipher name */ + char *ip; /* cert issuer DN */ + char *sp; /* cert subject DN */ + int op; /* High, Low, Off */ + int kp0; /* total key bits */ + int kp1; /* secret key bits */ + int result; + SSL3Statistics *ssl3stats = SSL_GetStatistics(); if (!outfile) { - outfile = stdout; + outfile = stdout; } result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); if (result != SECSuccess) - return; + return; fprintf(outfile, - " bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" - " subject DN:\n %s\n" - " issuer DN:\n %s\n", cp, kp1, kp0, op, sp, ip); + " bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" + " subject DN:\n %s\n" + " issuer DN:\n %s\n", + cp, kp1, kp0, op, sp, ip); PR_Free(cp); PR_Free(ip); PR_Free(sp); fprintf(outfile, - " %ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, - ssl3stats->hch_sid_cache_not_ok); - + " %ld cache hits; %ld cache misses, %ld cache not reusable\n", + ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, + ssl3stats->hch_sid_cache_not_ok); } - /************************************************************************** ** Begin thread management routines and data. 
**************************************************************************/ void -thread_wrapper(void * arg) +thread_wrapper(void *arg) { GlobalThreadMgr *threadMGR = (GlobalThreadMgr *)arg; perThread *slot = &threadMGR->threads[threadMGR->index]; @@ -415,7 +403,7 @@ thread_wrapper(void * arg) PR_Lock(threadMGR->threadLock); PR_Unlock(threadMGR->threadLock); - slot->rv = (* slot->startFunc)(slot->a, slot->b); + slot->rv = (*slot->startFunc)(slot->a, slot->b); PR_Lock(threadMGR->threadLock); slot->running = rs_zombie; 
@@ -428,37 +416,37 @@ thread_wrapper(void * arg) SECStatus launch_thread(GlobalThreadMgr *threadMGR, - startFn *startFunc, - void *a, - int b) + startFn *startFunc, + void *a, + int b) { perThread *slot; - int i; + int i; if (!threadMGR->threadStartQ) { - threadMGR->threadLock = PR_NewLock(); - threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock); - threadMGR->threadEndQ = PR_NewCondVar(threadMGR->threadLock); + threadMGR->threadLock = PR_NewLock(); + threadMGR->threadStartQ = PR_NewCondVar(threadMGR->threadLock); + threadMGR->threadEndQ = PR_NewCondVar(threadMGR->threadLock); } PR_Lock(threadMGR->threadLock); while (threadMGR->numRunning >= MAX_THREADS) { - PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT); + PR_WaitCondVar(threadMGR->threadStartQ, PR_INTERVAL_NO_TIMEOUT); } for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running == rs_idle) - break; + slot = &threadMGR->threads[i]; + if (slot->running == rs_idle) + break; } if (i >= threadMGR->numUsed) { - if (i >= MAX_THREADS) { - /* something's really wrong here. */ - PORT_Assert(i < MAX_THREADS); - PR_Unlock(threadMGR->threadLock); - return SECFailure; - } - ++(threadMGR->numUsed); - PORT_Assert(threadMGR->numUsed == i + 1); - slot = &threadMGR->threads[i]; + if (i >= MAX_THREADS) { + /* something's really wrong here. */ + PORT_Assert(i < MAX_THREADS); + PR_Unlock(threadMGR->threadLock); + return SECFailure; + } + ++(threadMGR->numUsed); + PORT_Assert(threadMGR->numUsed == i + 1); + slot = &threadMGR->threads[i]; } slot->a = a; 
@@ -468,17 +456,17 @@ launch_thread(GlobalThreadMgr *threadMGR, threadMGR->index = i; slot->prThread = PR_CreateThread(PR_USER_THREAD, - thread_wrapper, threadMGR, - PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_JOINABLE_THREAD, 0); + thread_wrapper, threadMGR, + PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, + PR_JOINABLE_THREAD, 0); if (slot->prThread == NULL) { - PR_Unlock(threadMGR->threadLock); - printf("Failed to launch thread!\n"); - return SECFailure; - } + PR_Unlock(threadMGR->threadLock); + printf("Failed to launch thread!\n"); + return SECFailure; + } - slot->inUse = 1; + slot->inUse = 1; slot->running = 1; ++(threadMGR->numRunning); PR_Unlock(threadMGR->threadLock); 
@@ -486,40 +474,40 @@ launch_thread(GlobalThreadMgr *threadMGR, return SECSuccess; } -SECStatus +SECStatus reap_threads(GlobalThreadMgr *threadMGR) { - perThread * slot; - int i; + perThread *slot; + int i; if (!threadMGR->threadLock) - return SECSuccess; + return SECSuccess; PR_Lock(threadMGR->threadLock); while (threadMGR->numRunning > 0) { - PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT); - for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running == rs_zombie) { - /* Handle cleanup of thread here. */ - - /* Now make sure the thread has ended OK. */ - PR_JoinThread(slot->prThread); - slot->running = rs_idle; - --threadMGR->numRunning; - - /* notify the thread launcher. */ - PR_NotifyCondVar(threadMGR->threadStartQ); - } - } + PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT); + for (i = 0; i < threadMGR->numUsed; ++i) { + slot = &threadMGR->threads[i]; + if (slot->running == rs_zombie) { + /* Handle cleanup of thread here. */ + + /* Now make sure the thread has ended OK. */ + PR_JoinThread(slot->prThread); + slot->running = rs_idle; + --threadMGR->numRunning; + + /* notify the thread launcher. */ + PR_NotifyCondVar(threadMGR->threadStartQ); + } + } } /* Safety Sam sez: make sure count is right. */ for (i = 0; i < threadMGR->numUsed; ++i) { - slot = &threadMGR->threads[i]; - if (slot->running != rs_idle) { - fprintf(stderr, "Thread in slot %d is in state %d!\n", - i, slot->running); - } + slot = &threadMGR->threads[i]; + if (slot->running != rs_idle) { + fprintf(stderr, "Thread in slot %d is in state %d!\n", + i, slot->running); + } } PR_Unlock(threadMGR->threadLock); return SECSuccess; 
@@ -531,16 +519,16 @@ destroy_thread_data(GlobalThreadMgr *threadMGR) PORT_Memset(threadMGR->threads, 0, sizeof(threadMGR->threads)); if (threadMGR->threadEndQ) { - PR_DestroyCondVar(threadMGR->threadEndQ); - threadMGR->threadEndQ = NULL; + PR_DestroyCondVar(threadMGR->threadEndQ); + threadMGR->threadEndQ = NULL; } if (threadMGR->threadStartQ) { - PR_DestroyCondVar(threadMGR->threadStartQ); - threadMGR->threadStartQ = NULL; + PR_DestroyCondVar(threadMGR->threadStartQ); + threadMGR->threadStartQ = NULL; } if (threadMGR->threadLock) { - PR_DestroyLock(threadMGR->threadLock); - threadMGR->threadLock = NULL; + PR_DestroyLock(threadMGR->threadLock); + threadMGR->threadLock = NULL; } } @@ -548,17 +536,17 @@ destroy_thread_data(GlobalThreadMgr *threadMGR) ** End thread management routines. **************************************************************************/ -void -lockedVars_Init( lockedVars * lv) +void +lockedVars_Init(lockedVars *lv) { - lv->count = 0; + lv->count = 0; lv->waiters = 0; - lv->lock = PR_NewLock(); + lv->lock = PR_NewLock(); lv->condVar = PR_NewCondVar(lv->lock); } void -lockedVars_Destroy( lockedVars * lv) +lockedVars_Destroy(lockedVars *lv) { PR_DestroyCondVar(lv->condVar); lv->condVar = NULL; 
@@ -568,30 +556,29 @@ lockedVars_Destroy( lockedVars * lv) } void -lockedVars_WaitForDone(lockedVars * lv) +lockedVars_WaitForDone(lockedVars *lv) { PR_Lock(lv->lock); while (lv->count > 0) { - PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT); + PR_WaitCondVar(lv->condVar, PR_INTERVAL_NO_TIMEOUT); } PR_Unlock(lv->lock); } -int /* returns count */ -lockedVars_AddToCount(lockedVars * lv, int addend) +int /* returns count */ + lockedVars_AddToCount(lockedVars *lv, int addend) { int rv; PR_Lock(lv->lock); rv = lv->count += addend; if (rv <= 0) { - PR_NotifyCondVar(lv->condVar); + PR_NotifyCondVar(lv->condVar); } PR_Unlock(lv->lock); return rv; } - /* * Dump cert chain in to cert.* files. This function is will * create collisions while dumping cert chains if called from @@ -611,20 +598,20 @@ dumpCertChain(CERTCertificate *cert, SECCertUsage usage) return; } - for(count = 0; count < (unsigned int)certList->len; count++) { + for (count = 0; count < (unsigned int)certList->len; count++) { char certFileName[16]; PRFileDesc *cfd; PR_snprintf(certFileName, sizeof certFileName, "cert.%03d", count); - cfd = PR_Open(certFileName, PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE, + cfd = PR_Open(certFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0664); if (!cfd) { PR_fprintf(PR_STDOUT, "Error: couldn't save cert der in file '%s'\n", certFileName); } else { - PR_Write(cfd, certList->certs[count].data, certList->certs[count].len); + PR_Write(cfd, certList->certs[count].data, certList->certs[count].len); PR_Close(cfd); PR_fprintf(PR_STDOUT, "Cert file %s was created.\n", certFileName); } |
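Review bot: The reformatted declaration on the new side, `+int /* returns count */` followed by `+ lockedVars_AddToCount(lockedVars *lv, int addend)`, leaves the function name indented by one space, which looks like a formatter artifact caused by the trailing comment on the return-type line; every other definition in this file has the name at column 0. Moving the comment above the return type avoids it: `/* returns count */`, `int`, `lockedVars_AddToCount(lockedVars *lv, int addend)`. The hunk otherwise only changes whitespace.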