diff options
Diffstat (limited to 'security/nss/cmd/selfserv/selfserv.c')
| -rw-r--r-- | security/nss/cmd/selfserv/selfserv.c | 110 |
1 files changed, 53 insertions, 57 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index fac428e10..1784c9ee3 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -57,7 +57,7 @@ int NumSidCacheEntries = 1024; -static int handle_connection(PRFileDesc *, PRFileDesc *, int); +static int handle_connection(PRFileDesc *, PRFileDesc *); static const char envVarName[] = { SSL_ENV_VAR_NAME }; static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" }; @@ -165,9 +165,8 @@ PrintUsageHeader(const char *progName) " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n" " [-V [min-version]:[max-version]] [-a sni_name]\n" " [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n" - " [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]" - " [-e ec_nickname]" - "\n" + " [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n" + " [-I groups] [-J signatureschemes] [-e ec_nickname]\n" " -U [0|1] -H [0|1|2] -W [0|1]\n" "\n", progName); @@ -179,7 +178,7 @@ PrintParameterUsage() fputs( "-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n" " All versions are enabled by default.\n" - " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n" + " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n" " Example: \"-V ssl3:\" enables SSL 3 and newer.\n" "-D means disable Nagle delays in TCP\n" "-R means disable detection of rollback from TLS to SSL3\n" @@ -195,7 +194,6 @@ PrintParameterUsage() "-s means disable SSL socket locking for performance\n" "-u means enable Session Ticket extension for TLS.\n" "-v means verbose output\n" - "-z means enable compression.\n" "-L seconds means log statistics every 'seconds' seconds (default=30).\n" "-M maxProcs tells how many processes to run in a multi-process server\n" "-N means do NOT use the server session cache. Incompatible with -M.\n" @@ -228,6 +226,13 @@ PrintParameterUsage() "-I comma separated list of enabled groups for TLS key exchange.\n" " The following values are valid:\n" " P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n" + "-J comma separated list of enabled signature schemes in preference order.\n" + " The following values are valid:\n" + " rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n" + " ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n" + " ecdsa_secp521r1_sha512,\n" + " rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n" + " rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n" "-Z enable 0-RTT (for TLS 1.3; also use -u)\n", stderr); } @@ -509,7 +514,6 @@ typedef struct jobStr { PRCList link; PRFileDesc *tcp_sock; PRFileDesc *model_sock; - int requestCert; } JOB; static PZLock *qLock; /* this lock protects all data immediately below */ @@ -541,7 +545,7 @@ setupJobs(int maxJobs) return SECSuccess; } -typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c); +typedef int startFn(PRFileDesc *a, PRFileDesc *b); typedef enum { rs_idle = 0, rs_running = 1, @@ -550,7 +554,6 @@ typedef enum { rs_idle = 0, typedef struct perThreadStr { PRFileDesc *a; PRFileDesc *b; - int c; int rv; startFn *startFunc; PRThread *prThread; @@ -564,7 +567,7 @@ thread_wrapper(void *arg) { perThread *slot = (perThread *)arg; - slot->rv = (*slot->startFunc)(slot->a, slot->b, slot->c); + slot->rv = (*slot->startFunc)(slot->a, slot->b); /* notify the thread exit handler. */ PZ_Lock(qLock); @@ -575,7 +578,7 @@ thread_wrapper(void *arg) } int -jobLoop(PRFileDesc *a, PRFileDesc *b, int c) +jobLoop(PRFileDesc *a, PRFileDesc *b) { PRCList *myLink = 0; JOB *myJob; @@ -595,8 +598,7 @@ jobLoop(PRFileDesc *a, PRFileDesc *b, int c) /* myJob will be null when stopping is true and jobQ is empty */ if (!myJob) break; - handle_connection(myJob->tcp_sock, myJob->model_sock, - myJob->requestCert); + handle_connection(myJob->tcp_sock, myJob->model_sock); PZ_Lock(qLock); PR_APPEND_LINK(myLink, &freeJobs); PZ_NotifyCondVar(freeListNotEmptyCv); @@ -609,7 +611,6 @@ launch_threads( startFn *startFunc, PRFileDesc *a, PRFileDesc *b, - int c, PRBool local) { int i; @@ -645,7 +646,6 @@ launch_threads( slot->state = rs_running; slot->a = a; slot->b = b; - slot->c = c; slot->startFunc = startFunc; slot->prThread = PR_CreateThread(PR_USER_THREAD, thread_wrapper, slot, PR_PRIORITY_NORMAL, @@ -800,13 +800,14 @@ PRBool NoReuse = PR_FALSE; PRBool hasSidCache = PR_FALSE; PRBool disableLocking = PR_FALSE; PRBool enableSessionTickets = PR_FALSE; -PRBool enableCompression = PR_FALSE; PRBool failedToNegotiateName = PR_FALSE; PRBool enableExtendedMasterSecret = PR_FALSE; PRBool zeroRTT = PR_FALSE; PRBool enableALPN = PR_FALSE; SSLNamedGroup *enabledGroups = NULL; unsigned int enabledGroupsCount = 0; +const SSLSignatureScheme *enabledSigSchemes = NULL; +unsigned int enabledSigSchemeCount = 0; static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX]; static int virtServerNameIndex = 1; @@ -893,8 +894,7 @@ int /* returns count */ int do_writes( PRFileDesc *ssl_sock, - PRFileDesc *model_sock, - int requestCert) + PRFileDesc *model_sock) { int sent = 0; int count = 0; @@ -925,8 +925,7 @@ do_writes( static int handle_fdx_connection( PRFileDesc *tcp_sock, - PRFileDesc *model_sock, - int requestCert) + PRFileDesc *model_sock) { PRFileDesc *ssl_sock = NULL; SECStatus result; @@ -960,8 +959,7 @@ handle_fdx_connection( lockedVars_AddToCount(&lv, 1); /* Attempt to launch the writer thread. */ - result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv, - requestCert); + result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv); if (result == SECSuccess) do { @@ -1093,7 +1091,7 @@ makeCorruptedOCSPResponse(PLArenaPool *arena) } SECItemArray * -makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm, +makeSignedOCSPResponse(PLArenaPool *arena, CERTCertificate *cert, secuPWData *pwdata) { SECItemArray *result = NULL; @@ -1117,7 +1115,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm, nextUpdate = now + (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /* plus 1 day */ - switch (osm) { + switch (ocspStaplingMode) { case osm_good: case osm_badsig: sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now, @@ -1150,7 +1148,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm, singleResponses[1] = NULL; ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena, - (osm == osm_badsig) + (ocspStaplingMode == osm_badsig) ? NULL : ca, ocspResponderID_byName, now, singleResponses, @@ -1175,7 +1173,7 @@ makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm, } void -setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode, +setupCertStatus(PLArenaPool *arena, CERTCertificate *cert, int index, secuPWData *pwdata) { if (ocspStaplingMode == osm_random) { @@ -1213,7 +1211,7 @@ setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode, case osm_unknown: case osm_badsig: multiOcspResponses = - makeSignedOCSPResponse(arena, ocspStaplingMode, cert, + makeSignedOCSPResponse(arena, cert, pwdata); break; case osm_corrupted: @@ -1236,10 +1234,7 @@ setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode, } int -handle_connection( - PRFileDesc *tcp_sock, - PRFileDesc *model_sock, - int requestCert) +handle_connection(PRFileDesc *tcp_sock, PRFileDesc *model_sock) { PRFileDesc *ssl_sock = NULL; PRFileDesc *local_file_fd = NULL; @@ -1272,7 +1267,6 @@ handle_connection( VLOG(("selfserv: handle_connection: starting\n")); if (useModelSocket && model_sock) { - SECStatus rv; ssl_sock = SSL_ImportFD(model_sock, tcp_sock); if (!ssl_sock) { errWarn("SSL_ImportFD with model"); @@ -1588,8 +1582,7 @@ sigusr1_handler(int sig) SECStatus do_accepts( PRFileDesc *listen_sock, - PRFileDesc *model_sock, - int requestCert) + PRFileDesc *model_sock) { PRNetAddr addr; PRErrorCode perr; @@ -1659,7 +1652,6 @@ do_accepts( JOB *myJob = (JOB *)myLink; myJob->tcp_sock = tcp_sock; myJob->model_sock = model_sock; - myJob->requestCert = requestCert; } PR_APPEND_LINK(myLink, &jobQ); @@ -1818,7 +1810,6 @@ handshakeCallback(PRFileDesc *fd, void *client_data) void server_main( PRFileDesc *listen_sock, - int requestCert, SECKEYPrivateKey **privKey, CERTCertificate **cert, const char *expectedHostNameVal) @@ -1872,13 +1863,6 @@ server_main( } } - if (enableCompression) { - rv = SSL_OptionSet(model_sock, SSL_ENABLE_DEFLATE, PR_TRUE); - if (rv != SECSuccess) { - errExit("error enabling compression "); - } - } - if (virtServerNameIndex > 1) { rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig, (void *)&virtServerNameArray); @@ -1985,6 +1969,13 @@ server_main( } } + if (enabledSigSchemes) { + rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes, enabledSigSchemeCount); + if (rv < 0) { + errExit("SSL_SignatureSchemePrefSet failed"); + } + } + /* This cipher is not on by default. The Acceptance test * would like it to be. Turn this cipher on. */ @@ -2021,7 +2012,7 @@ server_main( /* end of ssl configuration. */ /* Now, do the accepting, here in the main thread. */ - rv = do_accepts(listen_sock, model_sock, requestCert); + rv = do_accepts(listen_sock, model_sock); terminateWorkerThreads(); @@ -2229,9 +2220,10 @@ main(int argc, char **argv) /* please keep this list of options in ASCII collating sequence. ** numbers, then capital letters, then lower case, alphabetical. ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed - ** in 3.28, please leave some time before resuing those. */ + ** in 3.28, please leave some time before resuing those. + ** 'z' was removed in 3.39. */ optstate = PL_CreateOptState(argc, argv, - "2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz"); + "2:A:C:DGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { ++optionsFound; switch (optstate->option) { @@ -2444,10 +2436,6 @@ main(int argc, char **argv) debugCache = PR_TRUE; break; - case 'z': - enableCompression = PR_TRUE; - break; - case 'Z': zeroRTT = PR_TRUE; break; @@ -2466,6 +2454,16 @@ main(int argc, char **argv) } break; + case 'J': + rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount); + if (rv != SECSuccess) { + PL_DestroyOptState(optstate); + fprintf(stderr, "Bad signature scheme specified.\n"); + fprintf(stderr, "Run '%s -h' for usage information.\n", progName); + exit(5); + } + break; + default: case '?': fprintf(stderr, "Unrecognized or bad option specified.\n"); @@ -2654,9 +2652,8 @@ main(int argc, char **argv) } } if (cipher > 0) { - SECStatus status; - status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); - if (status != SECSuccess) + rv = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); + if (rv != SECSuccess) SECU_PrintError(progName, "SSL_CipherPrefSet()"); } else { fprintf(stderr, @@ -2684,7 +2681,7 @@ main(int argc, char **argv) exit(11); } if (privKey[i]->keyType != ecKey) - setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata); + setupCertStatus(certStatusArena, cert[i], i, &pwdata); } if (configureWeakDHE > 0) { @@ -2697,7 +2694,7 @@ main(int argc, char **argv) } /* allocate the array of thread slots, and launch the worker threads. */ - rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads); + rv = launch_threads(&jobLoop, 0, 0, useLocalThreads); if (rv == SECSuccess && logStats) { loggerThread = PR_CreateThread(PR_SYSTEM_THREAD, @@ -2712,7 +2709,7 @@ main(int argc, char **argv) } if (rv == SECSuccess) { - server_main(listen_sock, requestCert, privKey, cert, + server_main(listen_sock, privKey, cert, expectedHostNameVal); } @@ -2731,7 +2728,6 @@ cleanup: } { - int i; for (i = 0; i < certNicknameIndex; i++) { if (cert[i]) { CERT_DestroyCertificate(cert[i]); |