|
|
|
|
| 186 |
"-3 means disable SSL v3\n" |
186 |
"-3 means disable SSL v3\n" |
| 187 |
"-T means disable TLS\n" |
187 |
"-T means disable TLS\n" |
| 188 |
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n" |
188 |
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n" |
| 189 |
"-q checks for bypassability\n" |
189 |
"-q checks for bypassability\n" |
| 190 |
"-D means disable Nagle delays in TCP\n" |
190 |
"-D means disable Nagle delays in TCP\n" |
| 191 |
"-E means disable export ciphersuites and SSL step down key gen\n" |
191 |
"-E means disable export ciphersuites and SSL step down key gen\n" |
| 192 |
"-R means disable detection of rollback from TLS to SSL3\n" |
192 |
"-R means disable detection of rollback from TLS to SSL3\n" |
| 193 |
"-a configure server for SNI.\n" |
193 |
"-a configure server for SNI.\n" |
| 194 |
"-k expected name negotiated on server sockets" |
194 |
"-k expected name negotiated on server sockets" |
| 195 |
"-b means try binding to the port and exit\n" |
195 |
"-b means try binding to the port and exit\n" |
|
|
196 |
"-I local hostname, used to decide between ipv4 and ipv6 interface\n" |
| 196 |
"-m means test the model-socket feature of SSL_ImportFD.\n" |
197 |
"-m means test the model-socket feature of SSL_ImportFD.\n" |
| 197 |
"-r flag is interepreted as follows:\n" |
198 |
"-r flag is interepreted as follows:\n" |
| 198 |
" 1 -r means request, not require, cert on initial handshake.\n" |
199 |
" 1 -r means request, not require, cert on initial handshake.\n" |
| 199 |
" 2 -r's mean request and require, cert on initial handshake.\n" |
200 |
" 2 -r's mean request and require, cert on initial handshake.\n" |
| 200 |
" 3 -r's mean request, not require, cert on second handshake.\n" |
201 |
" 3 -r's mean request, not require, cert on second handshake.\n" |
| 201 |
" 4 -r's mean request and require, cert on second handshake.\n" |
202 |
" 4 -r's mean request and require, cert on second handshake.\n" |
| 202 |
"-s means disable SSL socket locking for performance\n" |
203 |
"-s means disable SSL socket locking for performance\n" |
| 203 |
"-u means enable Session Ticket extension for TLS.\n" |
204 |
"-u means enable Session Ticket extension for TLS.\n" |
| 204 |
"-v means verbose output\n" |
205 |
"-v means verbose output\n" |
| 205 |
"-x means use export policy.\n" |
206 |
"-x means use export policy.\n" |
|
|
| 1477 |
|
1478 |
|
| 1478 |
FPRINTF(stderr, "selfserv: Closing listen socket.\n"); |
1479 |
FPRINTF(stderr, "selfserv: Closing listen socket.\n"); |
| 1479 |
VLOG(("selfserv: do_accepts: exiting")); |
1480 |
VLOG(("selfserv: do_accepts: exiting")); |
| 1480 |
if (listen_sock) { |
1481 |
if (listen_sock) { |
| 1481 |
PR_Close(listen_sock); |
1482 |
PR_Close(listen_sock); |
| 1482 |
} |
1483 |
} |
| 1483 |
return SECSuccess; |
1484 |
return SECSuccess; |
| 1484 |
} |
1485 |
} |
| 1485 |
|
1486 |
|
| 1486 |
PRFileDesc * |
1487 |
PRFileDesc * |
| 1487 |
getBoundListenSocket(unsigned short port) |
1488 |
getBoundListenSocket(unsigned short port, PRBool ipv6) |
| 1488 |
{ |
1489 |
{ |
| 1489 |
PRFileDesc * listen_sock; |
1490 |
PRFileDesc * listen_sock; |
| 1490 |
int listenQueueDepth = 5 + (2 * maxThreads); |
1491 |
int listenQueueDepth = 5 + (2 * maxThreads); |
| 1491 |
PRStatus prStatus; |
1492 |
PRStatus prStatus; |
| 1492 |
PRNetAddr addr; |
1493 |
PRNetAddr addr; |
| 1493 |
PRSocketOptionData opt; |
1494 |
PRSocketOptionData opt; |
| 1494 |
|
1495 |
|
| 1495 |
addr.inet.family = PR_AF_INET; |
1496 |
if (ipv6) { |
| 1496 |
addr.inet.ip = PR_INADDR_ANY; |
1497 |
const PRIPv6Addr _pr_in6addr_any = {{{ 0, 0, 0, 0, |
| 1497 |
addr.inet.port = PR_htons(port); |
1498 |
0, 0, 0, 0, |
|
|
1499 |
0, 0, 0, 0, |
| 1500 |
0, 0, 0, 0 }}}; |
| 1501 |
|
| 1502 |
addr.inet.family = PR_AF_INET6; |
| 1503 |
addr.ipv6.ip = _pr_in6addr_any; |
| 1504 |
addr.ipv6.port = PR_htons(port); |
| 1505 |
addr.ipv6.flowinfo = 0; |
| 1506 |
addr.ipv6.scope_id = 0; |
| 1507 |
listen_sock = PR_OpenTCPSocket(PR_AF_INET6); |
| 1508 |
} |
| 1509 |
else { |
| 1510 |
addr.inet.family = PR_AF_INET; |
| 1511 |
addr.inet.ip = PR_INADDR_ANY; |
| 1512 |
addr.inet.port = PR_htons(port); |
| 1513 |
listen_sock = PR_NewTCPSocket(); |
| 1514 |
} |
| 1498 |
|
1515 |
|
| 1499 |
listen_sock = PR_NewTCPSocket(); |
|
|
| 1500 |
if (listen_sock == NULL) { |
1516 |
if (listen_sock == NULL) { |
| 1501 |
errExit("PR_NewTCPSocket"); |
1517 |
errExit("PR_NewTCPSocket"); |
| 1502 |
} |
1518 |
} |
| 1503 |
|
1519 |
|
| 1504 |
opt.option = PR_SockOpt_Nonblocking; |
1520 |
opt.option = PR_SockOpt_Nonblocking; |
| 1505 |
opt.value.non_blocking = PR_FALSE; |
1521 |
opt.value.non_blocking = PR_FALSE; |
| 1506 |
prStatus = PR_SetSocketOption(listen_sock, &opt); |
1522 |
prStatus = PR_SetSocketOption(listen_sock, &opt); |
| 1507 |
if (prStatus < 0) { |
1523 |
if (prStatus < 0) { |
| 1508 |
PR_Close(listen_sock); |
1524 |
PR_Close(listen_sock); |
| 1509 |
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); |
1525 |
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); |
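Review bot: The IPv6 branch of getBoundListenSocket now creates its socket with `PR_OpenTCPSocket(PR_AF_INET6)`, but the failure path a few lines later still reports `errExit("PR_NewTCPSocket")`, so an IPv6 socket failure is attributed to a function that was never called; `errExit(ipv6 ? "PR_OpenTCPSocket" : "PR_NewTCPSocket");` keeps the diagnostic accurate. The address setup in the same branch writes the family through `addr.inet` and everything else through `addr.ipv6`, which is legal for the union but reads as a mismatch — `addr.ipv6.family = PR_AF_INET6;` is clearer, and the sixteen-zero `_pr_in6addr_any` literal plus the explicit flowinfo/scope_id zeroing could be replaced by a single `PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr)` call, which NSPR provides for this purpose. Both branches still bind to the unspecified address, so the new parameter deserves a comment making that explicit: `/* ipv6: listen on in6addr_any rather than INADDR_ANY; the -I hostname only selects the address family */`. getBoundListenSocket's body continues past the end of the hunk, and the file section is cut at both edges of this view.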
|
|
| 1930 |
PRThread *loggerThread = NULL; |
1946 |
PRThread *loggerThread = NULL; |
| 1931 |
PRBool debugCache = PR_FALSE; /* bug 90518 */ |
1947 |
PRBool debugCache = PR_FALSE; /* bug 90518 */ |
| 1932 |
char emptyString[] = { "" }; |
1948 |
char emptyString[] = { "" }; |
| 1933 |
char* certPrefix = emptyString; |
1949 |
char* certPrefix = emptyString; |
| 1934 |
PRUint32 protos = 0; |
1950 |
PRUint32 protos = 0; |
| 1935 |
SSL3Statistics *ssl3stats; |
1951 |
SSL3Statistics *ssl3stats; |
| 1936 |
PRUint32 i; |
1952 |
PRUint32 i; |
| 1937 |
secuPWData pwdata = { PW_NONE, 0 }; |
1953 |
secuPWData pwdata = { PW_NONE, 0 }; |
| 1938 |
int virtServerNameIndex = 1; |
1954 |
int virtServerNameIndex = 1; |
| 1939 |
char *expectedHostNameVal = NULL; |
1955 |
char *expectedHostNameVal = NULL; |
|
|
1956 |
char *bindName = NULL; |
| 1957 |
PRBool ipv6 = PR_FALSE; |
| 1940 |
|
1958 |
|
| 1941 |
tmp = strrchr(argv[0], '/'); |
1959 |
tmp = strrchr(argv[0], '/'); |
| 1942 |
tmp = tmp ? tmp + 1 : argv[0]; |
1960 |
tmp = tmp ? tmp + 1 : argv[0]; |
| 1943 |
progName = strrchr(tmp, '\\'); |
1961 |
progName = strrchr(tmp, '\\'); |
| 1944 |
progName = progName ? progName + 1 : tmp; |
1962 |
progName = progName ? progName + 1 : tmp; |
| 1945 |
|
1963 |
|
| 1946 |
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); |
1964 |
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); |
| 1947 |
|
1965 |
|
| 1948 |
/* please keep this list of options in ASCII collating sequence. |
1966 |
/* please keep this list of options in ASCII collating sequence. |
| 1949 |
** numbers, then capital letters, then lower case, alphabetical. |
1967 |
** numbers, then capital letters, then lower case, alphabetical. |
| 1950 |
*/ |
1968 |
*/ |
| 1951 |
optstate = PL_CreateOptState(argc, argv, |
1969 |
optstate = PL_CreateOptState(argc, argv, |
| 1952 |
"2:3BC:DEL:M:NP:RSTa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); |
1970 |
"2:3BC:DEI:L:M:NP:RSTa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz"); |
| 1953 |
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { |
1971 |
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { |
| 1954 |
++optionsFound; |
1972 |
++optionsFound; |
| 1955 |
switch(optstate->option) { |
1973 |
switch(optstate->option) { |
| 1956 |
case '2': fileName = optstate->value; break; |
1974 |
case '2': fileName = optstate->value; break; |
| 1957 |
|
1975 |
|
| 1958 |
case '3': disableSSL3 = PR_TRUE; break; |
1976 |
case '3': disableSSL3 = PR_TRUE; break; |
| 1959 |
|
1977 |
|
| 1960 |
case 'B': bypassPKCS11 = PR_TRUE; break; |
1978 |
case 'B': bypassPKCS11 = PR_TRUE; break; |
| 1961 |
|
1979 |
|
| 1962 |
case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break; |
1980 |
case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break; |
| 1963 |
|
1981 |
|
| 1964 |
case 'D': noDelay = PR_TRUE; break; |
1982 |
case 'D': noDelay = PR_TRUE; break; |
| 1965 |
case 'E': disableStepDown = PR_TRUE; break; |
1983 |
case 'E': disableStepDown = PR_TRUE; break; |
| 1966 |
|
1984 |
|
|
|
1985 |
case 'I': bindName = PORT_Strdup(optstate->value); break; |
| 1986 |
|
| 1967 |
case 'L': |
1987 |
case 'L': |
| 1968 |
logStats = PR_TRUE; |
1988 |
logStats = PR_TRUE; |
| 1969 |
if (optstate->value == NULL) { |
1989 |
if (optstate->value == NULL) { |
| 1970 |
logPeriod = 30; |
1990 |
logPeriod = 30; |
| 1971 |
} else { |
1991 |
} else { |
| 1972 |
logPeriod = PORT_Atoi(optstate->value); |
1992 |
logPeriod = PORT_Atoi(optstate->value); |
| 1973 |
if (logPeriod <= 0) logPeriod = 30; |
1993 |
if (logPeriod <= 0) logPeriod = 30; |
| 1974 |
} |
1994 |
} |
| 1975 |
break; |
1995 |
break; |
| 1976 |
|
1996 |
|
|
|
| 2079 |
if (status == PL_OPT_BAD) { |
2099 |
if (status == PL_OPT_BAD) { |
| 2080 |
fprintf(stderr, "Unrecognized or bad option specified.\n"); |
2100 |
fprintf(stderr, "Unrecognized or bad option specified.\n"); |
| 2081 |
fprintf(stderr, "Run '%s -h' for usage information.\n", progName); |
2101 |
fprintf(stderr, "Run '%s -h' for usage information.\n", progName); |
| 2082 |
exit(5); |
2102 |
exit(5); |
| 2083 |
} |
2103 |
} |
| 2084 |
if (!optionsFound) { |
2104 |
if (!optionsFound) { |
| 2085 |
Usage(progName); |
2105 |
Usage(progName); |
| 2086 |
exit(51); |
2106 |
exit(51); |
| 2087 |
} |
2107 |
} |
| 2088 |
|
2108 |
|
|
|
2109 |
if (bindName) { |
| 2110 |
PRNetAddr addr; |
| 2111 |
PRAddrInfo *addrInfo; |
| 2112 |
void *enumPtr = NULL; |
| 2113 |
|
| 2114 |
addrInfo = PR_GetAddrInfoByName(bindName, PR_AF_UNSPEC, |
| 2115 |
PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME); |
| 2116 |
if (!addrInfo) { |
| 2117 |
SECU_PrintError(progName, "error looking up hostname from parameter -I"); |
| 2118 |
exit(4); |
| 2119 |
} |
| 2120 |
do { |
| 2121 |
enumPtr = PR_EnumerateAddrInfo(enumPtr, addrInfo, port, &addr); |
| 2122 |
} while (enumPtr != NULL && |
| 2123 |
addr.raw.family != PR_AF_INET && |
| 2124 |
addr.raw.family != PR_AF_INET6); |
| 2125 |
PR_FreeAddrInfo(addrInfo); |
| 2126 |
if (enumPtr == NULL) { |
| 2127 |
SECU_PrintError(progName, "error looking up hostname from parameter -I"); |
| 2128 |
exit(4); |
| 2129 |
} |
| 2130 |
if (addr.raw.family == PR_AF_INET6) { |
| 2131 |
ipv6 = PR_TRUE; |
| 2132 |
} |
| 2133 |
} |
| 2134 |
|
| 2089 |
/* The -b (bindOnly) option is only used by the ssl.sh test |
2135 |
/* The -b (bindOnly) option is only used by the ssl.sh test |
| 2090 |
* script on Linux to determine whether a previous selfserv |
2136 |
* script on Linux to determine whether a previous selfserv |
| 2091 |
* process has fully died and freed the port. (Bug 129701) |
2137 |
* process has fully died and freed the port. (Bug 129701) |
| 2092 |
*/ |
2138 |
*/ |
| 2093 |
if (bindOnly) { |
2139 |
if (bindOnly) { |
| 2094 |
listen_sock = getBoundListenSocket(port); |
2140 |
listen_sock = getBoundListenSocket(port, ipv6); |
| 2095 |
if (!listen_sock) { |
2141 |
if (!listen_sock) { |
| 2096 |
exit(1); |
2142 |
exit(1); |
| 2097 |
} |
2143 |
} |
| 2098 |
if (listen_sock) { |
2144 |
if (listen_sock) { |
| 2099 |
PR_Close(listen_sock); |
2145 |
PR_Close(listen_sock); |
| 2100 |
} |
2146 |
} |
| 2101 |
exit(0); |
2147 |
exit(0); |
| 2102 |
} |
2148 |
} |
| 2103 |
|
2149 |
|
| 2104 |
if ((nickName == NULL) |
2150 |
if ((nickName == NULL) |
|
|
| 2163 |
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE); |
2209 |
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE); |
| 2164 |
if (prStatus != PR_SUCCESS) |
2210 |
if (prStatus != PR_SUCCESS) |
| 2165 |
errExit("PR_SetFDInheritable"); |
2211 |
errExit("PR_SetFDInheritable"); |
| 2166 |
#endif |
2212 |
#endif |
| 2167 |
rv = SSL_InheritMPServerSIDCache(envString); |
2213 |
rv = SSL_InheritMPServerSIDCache(envString); |
| 2168 |
if (rv != SECSuccess) |
2214 |
if (rv != SECSuccess) |
| 2169 |
errExit("SSL_InheritMPServerSIDCache"); |
2215 |
errExit("SSL_InheritMPServerSIDCache"); |
| 2170 |
hasSidCache = PR_TRUE; |
2216 |
hasSidCache = PR_TRUE; |
| 2171 |
} else if (maxProcs > 1) { |
2217 |
} else if (maxProcs > 1) { |
| 2172 |
/* we're going to be the parent in a multi-process server. */ |
2218 |
/* we're going to be the parent in a multi-process server. */ |
| 2173 |
listen_sock = getBoundListenSocket(port); |
2219 |
listen_sock = getBoundListenSocket(port, ipv6); |
| 2174 |
rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp); |
2220 |
rv = SSL_ConfigMPServerSIDCache(NumSidCacheEntries, 0, 0, tmp); |
| 2175 |
if (rv != SECSuccess) |
2221 |
if (rv != SECSuccess) |
| 2176 |
errExit("SSL_ConfigMPServerSIDCache"); |
2222 |
errExit("SSL_ConfigMPServerSIDCache"); |
| 2177 |
hasSidCache = PR_TRUE; |
2223 |
hasSidCache = PR_TRUE; |
| 2178 |
beAGoodParent(argc, argv, maxProcs, listen_sock); |
2224 |
beAGoodParent(argc, argv, maxProcs, listen_sock); |
| 2179 |
exit(99); /* should never get here */ |
2225 |
exit(99); /* should never get here */ |
| 2180 |
} else { |
2226 |
} else { |
| 2181 |
/* we're an ordinary single process server. */ |
2227 |
/* we're an ordinary single process server. */ |
| 2182 |
listen_sock = getBoundListenSocket(port); |
2228 |
listen_sock = getBoundListenSocket(port, ipv6); |
| 2183 |
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE); |
2229 |
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE); |
| 2184 |
if (prStatus != PR_SUCCESS) |
2230 |
if (prStatus != PR_SUCCESS) |
| 2185 |
errExit("PR_SetFDInheritable"); |
2231 |
errExit("PR_SetFDInheritable"); |
| 2186 |
if (!NoReuse) { |
2232 |
if (!NoReuse) { |
| 2187 |
rv = SSL_ConfigServerSessionIDCache(NumSidCacheEntries, |
2233 |
rv = SSL_ConfigServerSessionIDCache(NumSidCacheEntries, |
| 2188 |
0, 0, tmp); |
2234 |
0, 0, tmp); |
| 2189 |
if (rv != SECSuccess) |
2235 |
if (rv != SECSuccess) |
| 2190 |
errExit("SSL_ConfigServerSessionIDCache"); |
2236 |
errExit("SSL_ConfigServerSessionIDCache"); |
| 2191 |
hasSidCache = PR_TRUE; |
2237 |
hasSidCache = PR_TRUE; |
| 2192 |
} |
2238 |
} |
|
|
| 2395 |
|
2441 |
|
| 2396 |
if (debugCache) { |
2442 |
if (debugCache) { |
| 2397 |
nss_DumpCertificateCacheInfo(); |
2443 |
nss_DumpCertificateCacheInfo(); |
| 2398 |
} |
2444 |
} |
| 2399 |
if (nickName) { |
2445 |
if (nickName) { |
| 2400 |
PORT_Free(nickName); |
2446 |
PORT_Free(nickName); |
| 2401 |
} |
2447 |
} |
| 2402 |
if (expectedHostNameVal) { |
2448 |
if (expectedHostNameVal) { |
| 2403 |
PORT_Free(expectedHostNameVal); |
2449 |
PORT_Free(expectedHostNameVal); |
| 2404 |
} |
2450 |
} |
|
|
2451 |
if (bindName) { |
| 2452 |
PORT_Free(bindName); |
| 2453 |
} |
| 2405 |
if (passwd) { |
2454 |
if (passwd) { |
| 2406 |
PORT_Free(passwd); |
2455 |
PORT_Free(passwd); |
| 2407 |
} |
2456 |
} |
| 2408 |
if (pwfile) { |
2457 |
if (pwfile) { |
| 2409 |
PORT_Free(pwfile); |
2458 |
PORT_Free(pwfile); |
| 2410 |
} |
2459 |
} |
| 2411 |
if (certPrefix && certPrefix != emptyString) { |
2460 |
if (certPrefix && certPrefix != emptyString) { |
| 2412 |
PORT_Free(certPrefix); |
2461 |
PORT_Free(certPrefix); |
| 2413 |
} |
2462 |
} |
| 2414 |
#ifdef NSS_ENABLE_ECC |
2463 |
#ifdef NSS_ENABLE_ECC |