Attachment #499383 for bug #617723

Attachment #499383: combined patch v3 for bug #617723

View | Details | Raw Unified | Return to bug 617723
Collapse All | Expand All





"-3 means disable SSL v3\n"
"-T means disable TLS\n"
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
"-q checks for bypassability\n"
"-D means disable Nagle delays in TCP\n"
"-E means disable export ciphersuites and SSL step down key gen\n"
"-R means disable detection of rollback from TLS to SSL3\n"
"-a configure server for SNI.\n"
"-k expected name negotiated on server sockets"
"-b means try binding to the port and exit\n"
"-I local hostname, used to decide between ipv4 and ipv6 interface\n"
"-m means test the model-socket feature of SSL_ImportFD.\n"
"-r flag is interepreted as follows:\n"
"    1 -r  means request, not require, cert on initial handshake.\n"
"    2 -r's mean request  and require, cert on initial handshake.\n"
"    3 -r's mean request, not require, cert on second handshake.\n"
"    4 -r's mean request  and require, cert on second handshake.\n"
"-s means disable SSL socket locking for performance\n"
"-u means enable Session Ticket extension for TLS.\n"
"-v means verbose output\n"
"-x means use export policy.\n"


    FPRINTF(stderr, "selfserv: Closing listen socket.\n");
    VLOG(("selfserv: do_accepts: exiting"));
    if (listen_sock) {
        PR_Close(listen_sock);
    }
    return SECSuccess;
}

PRFileDesc *
getBoundListenSocket(unsigned short port, PRBool ipv6)
{
    PRFileDesc *       listen_sock;
    int                listenQueueDepth = 5 + (2 * maxThreads);
    PRStatus	       prStatus;
    PRNetAddr          addr;
    PRSocketOptionData opt;

    if (ipv6) {
        const PRIPv6Addr _pr_in6addr_any =      {{{ 0, 0, 0, 0,
                                                    0, 0, 0, 0,
                                                    0, 0, 0, 0,
                                                    0, 0, 0, 0 }}};

        addr.inet.family = PR_AF_INET6;
        addr.ipv6.ip     = _pr_in6addr_any;
        addr.ipv6.port   = PR_htons(port);
        addr.ipv6.flowinfo = 0;
        addr.ipv6.scope_id = 0;
        listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
    }
    else {
        addr.inet.family = PR_AF_INET;
        addr.inet.ip     = PR_INADDR_ANY;
        addr.inet.port   = PR_htons(port);
        listen_sock = PR_NewTCPSocket();
    }

    listen_sock = PR_NewTCPSocket();
    if (listen_sock == NULL) {
	errExit("PR_NewTCPSocket");
    }

    opt.option = PR_SockOpt_Nonblocking;
    opt.value.non_blocking = PR_FALSE;
    prStatus = PR_SetSocketOption(listen_sock, &opt);
    if (prStatus < 0) {
        PR_Close(listen_sock);
	errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

    PRThread             *loggerThread = NULL;
    PRBool               debugCache = PR_FALSE; /* bug 90518 */
    char                 emptyString[] = { "" };
    char*                certPrefix = emptyString;
    PRUint32             protos = 0;
    SSL3Statistics      *ssl3stats;
    PRUint32             i;
    secuPWData  pwdata = { PW_NONE, 0 };
    int                  virtServerNameIndex = 1;
    char                *expectedHostNameVal = NULL;
    char                *bindName = NULL;
    PRBool              ipv6 = PR_FALSE;

    tmp = strrchr(argv[0], '/');
    tmp = tmp ? tmp + 1 : argv[0];
    progName = strrchr(tmp, '\\');
    progName = progName ? progName + 1 : tmp;

    PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

    /* please keep this list of options in ASCII collating sequence.
    ** numbers, then capital letters, then lower case, alphabetical. 
    */
    optstate = PL_CreateOptState(argc, argv, 
        "2:3BC:DEI:L:M:NP:RSTa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
	++optionsFound;
	switch(optstate->option) {
	case '2': fileName = optstate->value; break;

	case '3': disableSSL3 = PR_TRUE; break;

	case 'B': bypassPKCS11 = PR_TRUE; break;

        case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break;

	case 'D': noDelay = PR_TRUE; break;
	case 'E': disableStepDown = PR_TRUE; break;

	case 'I': bindName = PORT_Strdup(optstate->value); break;

        case 'L':
            logStats = PR_TRUE;
	    if (optstate->value == NULL) {
	    	logPeriod = 30;
	    } else {
                logPeriod  = PORT_Atoi(optstate->value);
                if (logPeriod <= 0) logPeriod = 30;
	    }
            break;


    if (status == PL_OPT_BAD) {
	fprintf(stderr, "Unrecognized or bad option specified.\n");
	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
	exit(5);
    }
    if (!optionsFound) {
	Usage(progName);
	exit(51);
    } 

    if (bindName) {
        PRNetAddr   addr;
        PRAddrInfo *addrInfo;
        void       *enumPtr   = NULL;

        addrInfo = PR_GetAddrInfoByName(bindName, PR_AF_UNSPEC,
                                        PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
        if (!addrInfo) {
            SECU_PrintError(progName, "error looking up hostname from parameter -I");
            exit(4);
        }
        do {
            enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, port, &addr);
        } while (enumPtr != NULL &&
                 addr.raw.family != PR_AF_INET &&
                 addr.raw.family != PR_AF_INET6);
        PR_FreeAddrInfo(addrInfo);
        if (enumPtr == NULL) {
            SECU_PrintError(progName, "error looking up hostname from parameter -I");
            exit(4);
        }
        if (addr.raw.family == PR_AF_INET6) {
            ipv6 = PR_TRUE;
        }
    }

    /* The -b (bindOnly) option is only used by the ssl.sh test
     * script on Linux to determine whether a previous selfserv
     * process has fully died and freed the port.  (Bug 129701)
     */
    if (bindOnly) {
	listen_sock = getBoundListenSocket(port, ipv6);
	if (!listen_sock) {
	    exit(1);
	}
        if (listen_sock) {
            PR_Close(listen_sock);
        }
	exit(0);
    }

    if ((nickName == NULL)

	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
	if (prStatus != PR_SUCCESS)
	    errExit("PR_SetFDInheritable");
#endif
	rv = SSL_InheritMPServerSIDCache(envString);
	if (rv != SECSuccess)
	    errExit("SSL_InheritMPServerSIDCache");
    	hasSidCache = PR_TRUE;
    } else if (maxProcs > 1) {
	/* we're going to be the parent in a multi-process server.  */
	listen_sock = getBoundListenSocket(port, ipv6);
	rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp);
	if (rv != SECSuccess)
	    errExit("SSL_ConfigMPServerSIDCache");
    	hasSidCache = PR_TRUE;
	beAGoodParent(argc, argv, maxProcs, listen_sock);
	exit(99); /* should never get here */
    } else {
	/* we're an ordinary single process server. */
	listen_sock = getBoundListenSocket(port, ipv6);
	prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
	if (prStatus != PR_SUCCESS)
	    errExit("PR_SetFDInheritable");
	if (!NoReuse) {
	    rv = SSL_ConfigServerSessionIDCache(NumSidCacheEntries, 
	                                        0, 0, tmp);
	    if (rv != SECSuccess)
		errExit("SSL_ConfigServerSessionIDCache");
	    hasSidCache = PR_TRUE;
	}


    if (debugCache) {
	nss_DumpCertificateCacheInfo();
    }
    if (nickName) {
        PORT_Free(nickName);
    }
    if (expectedHostNameVal) {
        PORT_Free(expectedHostNameVal);
    }
    if (bindName) {
        PORT_Free(bindName);
    }
    if (passwd) {
        PORT_Free(passwd);
    }
    if (pwfile) {
        PORT_Free(pwfile);
    }
    if (certPrefix && certPrefix != emptyString) {                            
        PORT_Free(certPrefix);
    }
 #ifdef NSS_ENABLE_ECC





##############################################################
ssl_simple_client_auth()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
  PORT=8443; export PORT
  START_AT=1; export START_AT
  STOP_AT=106160; export STOP_AT
  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/selfserv -I ${HOSTNAME} -p $PORT -d $SERVER -n server_crt -rr -t 5 -w test > \
$NISCC_HOME/nisccLog01 2>&1 &
  sleep 10

  NISCC_TEST=$TEST/simple_client; export NISCC_TEST
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  ${HACKBIN}/strsclnt -d $CLIENT -n client_crt -p $PORT -t 4 -c 106160 -o -N \
-w test $HOSTNAME > $NISCC_HOME/nisccLog02 2>&1

  unset NISCC_TEST; export NISCC_TEST
  echo "starting tstclnt to shutdown simple client selfserv process"

##############################################################
ssl_simple_server_auth()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
  PORT=8444; export PORT
  START_AT=1; export START_AT
  STOP_AT=106167; export STOP_AT
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  NISCC_TEST=$TEST/simple_server; export NISCC_TEST
  ${HACKBIN}/selfserv -I ${HOSTNAME} -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
$NISCC_HOME/nisccLog03 2>&1 &

  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 106167 -o -N $HOSTNAME > \
$NISCC_HOME/nisccLog04 2>&1 

  echo "starting tstclnt to shutdown simple server selfserv process"
  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
-w test < $CLIENT/stop.txt >> nisccLog04 2>&1

##############################################################
ssl_simple_rootca()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/simple_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/simple_server; export SERVER
  PORT=8445; export PORT
  START_AT=1; export START_AT
  STOP_AT=106190; export STOP_AT
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  NISCC_TEST=$TEST/simple_rootca; export NISCC_TEST
  ${HACKBIN}/selfserv -I ${HOSTNAME} -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
$NISCC_HOME/nisccLog05 2>&1 &

  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 106190 -o -N $HOSTNAME > \
$NISCC_HOME/nisccLog06 2>&1

  echo "starting tstclnt to shutdown simple rootca selfserv process"
  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
-w test < $CLIENT/stop.txt >> nisccLog06 2>&1

##############################################################
ssl_resigned_client_auth()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
  PORT=8446; export PORT
  START_AT=0; export START_AT
  STOP_AT=99981; export STOP_AT
  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/selfserv -I ${HOSTNAME} -p $PORT-d $SERVER -n server_crt -rr -t 5 -w test > \
$NISCC_HOME/nisccLog07 2>&1 &

  NISCC_TEST=$TEST/resigned_client; export NISCC_TEST
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  ${HACKBIN}/strsclnt -d $CLIENT -n client_crt -p $PORT -t 4 -c 99982 -o -N \
-w test $HOSTNAME > $NISCC_HOME/nisccLog08 2>&1 

  unset NISCC_TEST; export NISCC_TEST
  echo "starting tstclnt to shutdown resigned client selfserv process"
  ${HACKBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \

##############################################################
ssl_resigned_server_auth()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
  PORT=8447; export PORT
  START_AT=0; export START_AT
  STOP_AT=100068; export STOP_AT
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  NISCC_TEST=$TEST/resigned_server; export NISCC_TEST
  ${HACKBIN}/selfserv  -I ${HOSTNAME} -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
$NISCC_HOME/nisccLog09 2>&1 &

  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 100069 -o -N $HOSTNAME > \
$NISCC_HOME/nisccLog10 2>&1 

  echo "starting tstclnt to shutdown resigned server selfserv process"
  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
-w test < $CLIENT/stop.txt >> nisccLog10 2>&1

##############################################################
ssl_resigned_rootca()
{
  CLIENT=${NISCC_HOME}/niscc_ssl/resigned_client; export CLIENT
  SERVER=${NISCC_HOME}/niscc_ssl/resigned_server; export SERVER
  PORT=8448; export PORT
  START_AT=0; export START_AT
  STOP_AT=99959; export STOP_AT
  LD_LIBRARY_PATH=${HACKLIB}; export LD_LIBRARY_PATH
  NISCC_TEST=$TEST/resigned_rootca; export NISCC_TEST
  ${HACKBIN}/selfserv -I ${HOSTNAME} -p $PORT -d $SERVER -n server_crt -t 5 -w test > \
$NISCC_HOME/nisccLog11 2>&1 &

  unset NISCC_TEST; export NISCC_TEST
  LD_LIBRARY_PATH=${TESTLIB}; export LD_LIBRARY_PATH
  ${TESTBIN}/strsclnt -d $CLIENT -p $PORT -t 4 -c 99960 -o -N $HOSTNAME > \
$NISCC_HOME/nisccLog12 2>&1 

  echo "starting tstclnt to shutdown resigned rootca selfserv process"
  ${TESTBIN}/tstclnt -h $HOSTNAME -p $PORT -d $CLIENT -n client_crt -o -f \
-w test < $CLIENT/stop.txt >> nisccLog12 2>&1





  if [ -n "$NSS_ENABLE_ECC" ] && \
     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
      ECC_OPTIONS="-e ${HOSTADDR}-ec"
  else
      ECC_OPTIONS=""
  fi
  if [ "$1" = "mixed" ]; then
      ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
  fi
  echo "selfserv starting at `date`"
  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} -I ${HOSTNAME} ${SERVER_OPTIONS} \\"
  echo "         ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &"
  if [ ${fileout} -eq 1 ]; then
      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} -I ${HOSTNAME} ${SERVER_OPTIONS} \
               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose \
               > ${SERVEROUTFILE} 2>&1 &
      RET=$?
  else
      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} -I ${HOSTNAME} ${SERVER_OPTIONS} \
               ${ECC_OPTIONS} -w nss ${sparam} -i ${R_SERVERPID} $verbose &
      RET=$?
  fi

  # The PID $! returned by the MKS or Cygwin shell is not the PID of
  # the real background process, but rather the PID of a helper
  # process (sh.exe).  MKS's kill command has a bug: invoking kill
  # on the helper process does not terminate the real background
  # process.  Our workaround has been to have selfserv save its PID
  # in the ${SERVERPID} file and "kill" that PID instead.  But this

Return to bug 617723

Bugzilla

Quick Search

Attachment #499383: combined patch v3 for bug #617723