mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 03:30:17 +01:00
44b7f056d9
bug1001332, 56b691c003ad, bug1086145, bug1054069, bug1155922, bug991783, bug1125025, bug1162521, bug1162644, bug1132941, bug1164364, bug1166205, bug1166163, bug1166515, bug1138554, bug1167046, bug1167043, bug1169451, bug1172128, bug1170322, bug102794, bug1128184, bug557830, bug1174648, bug1180244, bug1177784, bug1173413, bug1169174, bug1084669, bug951455, bug1183395, bug1177430, bug1183827, bug1160139, bug1154106, bug1142209, bug1185033, bug1193467, bug1182667(with sha512 changes backed out, which breaks VC6 compilation), bug1158489, bug337796
1394 lines
37 KiB
C
1394 lines
37 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "secutil.h"
|
|
|
|
#if defined(XP_UNIX)
|
|
#include <unistd.h>
|
|
#endif
|
|
|
|
#if defined(_WINDOWS)
|
|
#include <process.h> /* for getpid() */
|
|
#endif
|
|
|
|
#include <signal.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <stdarg.h>
|
|
|
|
#include "nspr.h"
|
|
#include "prio.h"
|
|
#include "prerror.h"
|
|
#include "prnetdb.h"
|
|
#include "prclist.h"
|
|
#include "plgetopt.h"
|
|
#include "pk11func.h"
|
|
#include "nss.h"
|
|
#include "nssb64.h"
|
|
#include "sechash.h"
|
|
#include "cert.h"
|
|
#include "certdb.h"
|
|
#include "ocsp.h"
|
|
#include "ocspti.h"
|
|
#include "ocspi.h"
|
|
|
|
#ifndef PORT_Sprintf
|
|
#define PORT_Sprintf sprintf
|
|
#endif
|
|
|
|
#ifndef PORT_Strstr
|
|
#define PORT_Strstr strstr
|
|
#endif
|
|
|
|
#ifndef PORT_Malloc
|
|
#define PORT_Malloc PR_Malloc
|
|
#endif
|
|
|
|
static int handle_connection( PRFileDesc *, PRFileDesc *, int );
|
|
|
|
/* data and structures for shutdown */
|
|
static int stopping;
|
|
|
|
static PRBool noDelay;
|
|
static int verbose;
|
|
|
|
static PRThread * acceptorThread;
|
|
|
|
static PRLogModuleInfo *lm;
|
|
|
|
#define PRINTF if (verbose) printf
|
|
#define FPRINTF if (verbose) fprintf
|
|
#define FLUSH if (verbose) { fflush(stdout); fflush(stderr); }
|
|
#define VLOG(arg) PR_LOG(lm,PR_LOG_DEBUG,arg)
|
|
|
|
static void
|
|
Usage(const char *progName)
|
|
{
|
|
fprintf(stderr,
|
|
|
|
"Usage: %s -p port [-Dbv]\n"
|
|
" [-t threads] [-i pid_file]\n"
|
|
" [-A nickname -C crl-filename]... [-O method]\n"
|
|
" [-d dbdir] [-f password_file] [-w password] [-P dbprefix]\n"
|
|
"-D means disable Nagle delays in TCP\n"
|
|
"-b means try binding to the port and exit\n"
|
|
"-v means verbose output\n"
|
|
"-t threads -- specify the number of threads to use for connections.\n"
|
|
"-i pid_file file to write the process id of httpserv\n"
|
|
"Parameters -A, -C and -O are used to provide an OCSP server at /ocsp?\n"
|
|
"-A a nickname of a CA certificate\n"
|
|
"-C a CRL filename corresponding to the preceding CA nickname\n"
|
|
"-O allowed HTTP methods for OCSP requests: get, post, all, random, get-unknown\n"
|
|
" random means: randomly fail if request method is GET, POST always works\n"
|
|
" get-unknown means: status unknown for GET, correct status for POST\n"
|
|
"Multiple pairs of parameters -A and -C are allowed.\n"
|
|
"If status for a cert from an unknown CA is requested, the cert from the\n"
|
|
"first -A parameter will be used to sign the unknown status response.\n"
|
|
"NSS database parameters are used only if OCSP parameters are used.\n"
|
|
,progName);
|
|
}
|
|
|
|
static const char *
|
|
errWarn(char * funcString)
|
|
{
|
|
PRErrorCode perr = PR_GetError();
|
|
const char * errString = SECU_Strerror(perr);
|
|
|
|
fprintf(stderr, "httpserv: %s returned error %d:\n%s\n",
|
|
funcString, perr, errString);
|
|
return errString;
|
|
}
|
|
|
|
static void
|
|
errExit(char * funcString)
|
|
{
|
|
errWarn(funcString);
|
|
exit(3);
|
|
}
|
|
|
|
#define MAX_VIRT_SERVER_NAME_ARRAY_INDEX 10
|
|
|
|
/**************************************************************************
|
|
** Begin thread management routines and data.
|
|
**************************************************************************/
|
|
#define MIN_THREADS 3
|
|
#define DEFAULT_THREADS 8
|
|
#define MAX_THREADS 4096
|
|
#define MAX_PROCS 25
|
|
static int maxThreads = DEFAULT_THREADS;
|
|
|
|
|
|
typedef struct jobStr {
|
|
PRCList link;
|
|
PRFileDesc *tcp_sock;
|
|
PRFileDesc *model_sock;
|
|
int requestCert;
|
|
} JOB;
|
|
|
|
static PZLock * qLock; /* this lock protects all data immediately below */
|
|
static PRLock * lastLoadedCrlLock; /* this lock protects lastLoadedCrl variable */
|
|
static PZCondVar * jobQNotEmptyCv;
|
|
static PZCondVar * freeListNotEmptyCv;
|
|
static PZCondVar * threadCountChangeCv;
|
|
static int threadCount;
|
|
static PRCList jobQ;
|
|
static PRCList freeJobs;
|
|
static JOB *jobTable;
|
|
|
|
SECStatus
|
|
setupJobs(int maxJobs)
|
|
{
|
|
int i;
|
|
|
|
jobTable = (JOB *)PR_Calloc(maxJobs, sizeof(JOB));
|
|
if (!jobTable)
|
|
return SECFailure;
|
|
|
|
PR_INIT_CLIST(&jobQ);
|
|
PR_INIT_CLIST(&freeJobs);
|
|
|
|
for (i = 0; i < maxJobs; ++i) {
|
|
JOB * pJob = jobTable + i;
|
|
PR_APPEND_LINK(&pJob->link, &freeJobs);
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c);
|
|
|
|
typedef enum { rs_idle = 0, rs_running = 1, rs_zombie = 2 } runState;
|
|
|
|
typedef struct perThreadStr {
|
|
PRFileDesc *a;
|
|
PRFileDesc *b;
|
|
int c;
|
|
int rv;
|
|
startFn * startFunc;
|
|
PRThread * prThread;
|
|
runState state;
|
|
} perThread;
|
|
|
|
static perThread *threads;
|
|
|
|
void
|
|
thread_wrapper(void * arg)
|
|
{
|
|
perThread * slot = (perThread *)arg;
|
|
|
|
slot->rv = (* slot->startFunc)(slot->a, slot->b, slot->c);
|
|
|
|
/* notify the thread exit handler. */
|
|
PZ_Lock(qLock);
|
|
slot->state = rs_zombie;
|
|
--threadCount;
|
|
PZ_NotifyAllCondVar(threadCountChangeCv);
|
|
PZ_Unlock(qLock);
|
|
}
|
|
|
|
int
|
|
jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
|
|
{
|
|
PRCList * myLink = 0;
|
|
JOB * myJob;
|
|
|
|
PZ_Lock(qLock);
|
|
do {
|
|
myLink = 0;
|
|
while (PR_CLIST_IS_EMPTY(&jobQ) && !stopping) {
|
|
PZ_WaitCondVar(jobQNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
|
|
}
|
|
if (!PR_CLIST_IS_EMPTY(&jobQ)) {
|
|
myLink = PR_LIST_HEAD(&jobQ);
|
|
PR_REMOVE_AND_INIT_LINK(myLink);
|
|
}
|
|
PZ_Unlock(qLock);
|
|
myJob = (JOB *)myLink;
|
|
/* myJob will be null when stopping is true and jobQ is empty */
|
|
if (!myJob)
|
|
break;
|
|
handle_connection( myJob->tcp_sock, myJob->model_sock,
|
|
myJob->requestCert);
|
|
PZ_Lock(qLock);
|
|
PR_APPEND_LINK(myLink, &freeJobs);
|
|
PZ_NotifyCondVar(freeListNotEmptyCv);
|
|
} while (PR_TRUE);
|
|
return 0;
|
|
}
|
|
|
|
|
|
SECStatus
|
|
launch_threads(
|
|
startFn *startFunc,
|
|
PRFileDesc *a,
|
|
PRFileDesc *b,
|
|
int c,
|
|
PRBool local)
|
|
{
|
|
int i;
|
|
SECStatus rv = SECSuccess;
|
|
|
|
/* create the thread management serialization structs */
|
|
qLock = PZ_NewLock(nssILockSelfServ);
|
|
jobQNotEmptyCv = PZ_NewCondVar(qLock);
|
|
freeListNotEmptyCv = PZ_NewCondVar(qLock);
|
|
threadCountChangeCv = PZ_NewCondVar(qLock);
|
|
|
|
/* create monitor for crl reload procedure */
|
|
lastLoadedCrlLock = PR_NewLock();
|
|
|
|
/* allocate the array of thread slots */
|
|
threads = PR_Calloc(maxThreads, sizeof(perThread));
|
|
if ( NULL == threads ) {
|
|
fprintf(stderr, "Oh Drat! Can't allocate the perThread array\n");
|
|
return SECFailure;
|
|
}
|
|
/* 5 is a little extra, intended to keep the jobQ from underflowing.
|
|
** That is, from going empty while not stopping and clients are still
|
|
** trying to contact us.
|
|
*/
|
|
rv = setupJobs(maxThreads + 5);
|
|
if (rv != SECSuccess)
|
|
return rv;
|
|
|
|
PZ_Lock(qLock);
|
|
for (i = 0; i < maxThreads; ++i) {
|
|
perThread * slot = threads + i;
|
|
|
|
slot->state = rs_running;
|
|
slot->a = a;
|
|
slot->b = b;
|
|
slot->c = c;
|
|
slot->startFunc = startFunc;
|
|
slot->prThread = PR_CreateThread(PR_USER_THREAD,
|
|
thread_wrapper, slot, PR_PRIORITY_NORMAL,
|
|
(PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD,
|
|
PR_UNJOINABLE_THREAD, 0);
|
|
if (slot->prThread == NULL) {
|
|
printf("httpserv: Failed to launch thread!\n");
|
|
slot->state = rs_idle;
|
|
rv = SECFailure;
|
|
break;
|
|
}
|
|
|
|
++threadCount;
|
|
}
|
|
PZ_Unlock(qLock);
|
|
|
|
return rv;
|
|
}
|
|
|
|
#define DESTROY_CONDVAR(name) if (name) { \
|
|
PZ_DestroyCondVar(name); name = NULL; }
|
|
#define DESTROY_LOCK(name) if (name) { \
|
|
PZ_DestroyLock(name); name = NULL; }
|
|
|
|
|
|
void
|
|
terminateWorkerThreads(void)
|
|
{
|
|
VLOG(("httpserv: server_thead: waiting on stopping"));
|
|
PZ_Lock(qLock);
|
|
PZ_NotifyAllCondVar(jobQNotEmptyCv);
|
|
while (threadCount > 0) {
|
|
PZ_WaitCondVar(threadCountChangeCv, PR_INTERVAL_NO_TIMEOUT);
|
|
}
|
|
/* The worker threads empty the jobQ before they terminate. */
|
|
PORT_Assert(PR_CLIST_IS_EMPTY(&jobQ));
|
|
PZ_Unlock(qLock);
|
|
|
|
DESTROY_CONDVAR(jobQNotEmptyCv);
|
|
DESTROY_CONDVAR(freeListNotEmptyCv);
|
|
DESTROY_CONDVAR(threadCountChangeCv);
|
|
|
|
PR_DestroyLock(lastLoadedCrlLock);
|
|
DESTROY_LOCK(qLock);
|
|
PR_Free(jobTable);
|
|
PR_Free(threads);
|
|
}
|
|
|
|
/**************************************************************************
|
|
** End thread management routines.
|
|
**************************************************************************/
|
|
|
|
PRBool NoReuse = PR_FALSE;
|
|
PRBool disableLocking = PR_FALSE;
|
|
static secuPWData pwdata = { PW_NONE, 0 };
|
|
|
|
struct caRevoInfoStr
|
|
{
|
|
PRCList link;
|
|
char *nickname;
|
|
char *crlFilename;
|
|
CERTCertificate *cert;
|
|
CERTOCSPCertID *id;
|
|
CERTSignedCrl *crl;
|
|
};
|
|
typedef struct caRevoInfoStr caRevoInfo;
|
|
/* Created during app init. No locks necessary,
|
|
* because later on, only read access will occur. */
|
|
static caRevoInfo *caRevoInfos = NULL;
|
|
|
|
static enum {
|
|
ocspGetOnly, ocspPostOnly, ocspGetAndPost, ocspRandomGetFailure, ocspGetUnknown
|
|
} ocspMethodsAllowed = ocspGetAndPost;
|
|
|
|
static const char stopCmd[] = { "GET /stop " };
|
|
static const char getCmd[] = { "GET " };
|
|
static const char outHeader[] = {
|
|
"HTTP/1.0 200 OK\r\n"
|
|
"Server: Generic Web Server\r\n"
|
|
"Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
|
|
"Content-type: text/plain\r\n"
|
|
"\r\n"
|
|
};
|
|
static const char outOcspHeader[] = {
|
|
"HTTP/1.0 200 OK\r\n"
|
|
"Server: Generic OCSP Server\r\n"
|
|
"Content-type: application/ocsp-response\r\n"
|
|
"\r\n"
|
|
};
|
|
static const char outBadRequestHeader[] = {
|
|
"HTTP/1.0 400 Bad Request\r\n"
|
|
"Server: Generic OCSP Server\r\n"
|
|
"\r\n"
|
|
};
|
|
|
|
void stop_server()
|
|
{
|
|
stopping = 1;
|
|
PR_Interrupt(acceptorThread);
|
|
PZ_TraceFlush();
|
|
}
|
|
|
|
/* Will only work if the original input to url encoding was
|
|
* a base64 encoded buffer. Will only decode the sequences used
|
|
* for encoding the special base64 characters, and fail if any
|
|
* other encoded chars are found.
|
|
* Will return SECSuccess if input could be processed.
|
|
* Coversion is done in place.
|
|
*/
|
|
static SECStatus
|
|
urldecode_base64chars_inplace(char *buf)
|
|
{
|
|
char *walk;
|
|
size_t remaining_bytes;
|
|
|
|
if (!buf || !*buf)
|
|
return SECFailure;
|
|
|
|
walk = buf;
|
|
remaining_bytes = strlen(buf) + 1; /* include terminator */
|
|
|
|
while (*walk) {
|
|
if (*walk == '%') {
|
|
if (!PL_strncasecmp(walk, "%2B", 3)) {
|
|
*walk = '+';
|
|
} else if (!PL_strncasecmp(walk, "%2F", 3)) {
|
|
*walk = '/';
|
|
} else if (!PL_strncasecmp(walk, "%3D", 3)) {
|
|
*walk = '=';
|
|
} else {
|
|
return SECFailure;
|
|
}
|
|
remaining_bytes -= 3;
|
|
++walk;
|
|
memmove(walk, walk+2, remaining_bytes);
|
|
} else {
|
|
++walk;
|
|
--remaining_bytes;
|
|
}
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
int
|
|
handle_connection(
|
|
PRFileDesc *tcp_sock,
|
|
PRFileDesc *model_sock,
|
|
int requestCert
|
|
)
|
|
{
|
|
PRFileDesc * ssl_sock = NULL;
|
|
PRFileDesc * local_file_fd = NULL;
|
|
char * pBuf; /* unused space at end of buf */
|
|
const char * errString;
|
|
PRStatus status;
|
|
int bufRem; /* unused bytes at end of buf */
|
|
int bufDat; /* characters received in buf */
|
|
int newln = 0; /* # of consecutive newlns */
|
|
int firstTime = 1;
|
|
int reqLen;
|
|
int rv;
|
|
int numIOVs;
|
|
PRSocketOptionData opt;
|
|
PRIOVec iovs[16];
|
|
char msgBuf[160];
|
|
char buf[10240];
|
|
char fileName[513];
|
|
char *getData = NULL; /* inplace conversion */
|
|
SECItem postData;
|
|
PRBool isOcspRequest = PR_FALSE;
|
|
PRBool isPost;
|
|
|
|
postData.data = NULL;
|
|
postData.len = 0;
|
|
|
|
pBuf = buf;
|
|
bufRem = sizeof buf;
|
|
|
|
VLOG(("httpserv: handle_connection: starting"));
|
|
opt.option = PR_SockOpt_Nonblocking;
|
|
opt.value.non_blocking = PR_FALSE;
|
|
PR_SetSocketOption(tcp_sock, &opt);
|
|
|
|
VLOG(("httpserv: handle_connection: starting\n"));
|
|
ssl_sock = tcp_sock;
|
|
|
|
if (noDelay) {
|
|
opt.option = PR_SockOpt_NoDelay;
|
|
opt.value.no_delay = PR_TRUE;
|
|
status = PR_SetSocketOption(ssl_sock, &opt);
|
|
if (status != PR_SUCCESS) {
|
|
errWarn("PR_SetSocketOption(PR_SockOpt_NoDelay, PR_TRUE)");
|
|
if (ssl_sock) {
|
|
PR_Close(ssl_sock);
|
|
}
|
|
return SECFailure;
|
|
}
|
|
}
|
|
|
|
while (1) {
|
|
const char *post;
|
|
const char *foundStr = NULL;
|
|
const char *tmp = NULL;
|
|
|
|
newln = 0;
|
|
reqLen = 0;
|
|
|
|
rv = PR_Read(ssl_sock, pBuf, bufRem - 1);
|
|
if (rv == 0 ||
|
|
(rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
|
|
if (verbose)
|
|
errWarn("HDX PR_Read hit EOF");
|
|
break;
|
|
}
|
|
if (rv < 0) {
|
|
errWarn("HDX PR_Read");
|
|
goto cleanup;
|
|
}
|
|
/* NULL termination */
|
|
pBuf[rv] = 0;
|
|
if (firstTime) {
|
|
firstTime = 0;
|
|
}
|
|
|
|
pBuf += rv;
|
|
bufRem -= rv;
|
|
bufDat = pBuf - buf;
|
|
/* Parse the input, starting at the beginning of the buffer.
|
|
* Stop when we detect two consecutive \n's (or \r\n's)
|
|
* as this signifies the end of the GET or POST portion.
|
|
* The posted data follows.
|
|
*/
|
|
while (reqLen < bufDat && newln < 2) {
|
|
int octet = buf[reqLen++];
|
|
if (octet == '\n') {
|
|
newln++;
|
|
} else if (octet != '\r') {
|
|
newln = 0;
|
|
}
|
|
}
|
|
|
|
/* came to the end of the buffer, or second newln
|
|
* If we didn't get an empty line (CRLFCRLF) then keep on reading.
|
|
*/
|
|
if (newln < 2)
|
|
continue;
|
|
|
|
/* we're at the end of the HTTP request.
|
|
* If the request is a POST, then there will be one more
|
|
* line of data.
|
|
* This parsing is a hack, but ok for SSL test purposes.
|
|
*/
|
|
post = PORT_Strstr(buf, "POST ");
|
|
if (!post || *post != 'P')
|
|
break;
|
|
|
|
postData.data = (void*)(buf + reqLen);
|
|
|
|
tmp = "content-length: ";
|
|
foundStr = PL_strcasestr(buf, tmp);
|
|
if (foundStr) {
|
|
int expectedPostLen;
|
|
int havePostLen;
|
|
|
|
expectedPostLen = atoi(foundStr+strlen(tmp));
|
|
havePostLen = bufDat - reqLen;
|
|
if (havePostLen >= expectedPostLen) {
|
|
postData.len = expectedPostLen;
|
|
break;
|
|
}
|
|
} else {
|
|
/* use legacy hack */
|
|
/* It's a post, so look for the next and final CR/LF. */
|
|
while (reqLen < bufDat && newln < 3) {
|
|
int octet = buf[reqLen++];
|
|
if (octet == '\n') {
|
|
newln++;
|
|
}
|
|
}
|
|
if (newln == 3)
|
|
break;
|
|
}
|
|
} /* read loop */
|
|
|
|
bufDat = pBuf - buf;
|
|
if (bufDat) do { /* just close if no data */
|
|
/* Have either (a) a complete get, (b) a complete post, (c) EOF */
|
|
if (reqLen > 0) {
|
|
PRBool isGetOrPost = PR_FALSE;
|
|
unsigned skipChars = 0;
|
|
isPost = PR_FALSE;
|
|
|
|
if (!strncmp(buf, getCmd, sizeof getCmd - 1)) {
|
|
isGetOrPost = PR_TRUE;
|
|
skipChars = 4;
|
|
}
|
|
else if (!strncmp(buf, "POST ", 5)) {
|
|
isGetOrPost = PR_TRUE;
|
|
isPost = PR_TRUE;
|
|
skipChars = 5;
|
|
}
|
|
|
|
if (isGetOrPost) {
|
|
char * fnBegin = buf;
|
|
char * fnEnd;
|
|
char * fnstart = NULL;
|
|
PRFileInfo info;
|
|
|
|
fnBegin += skipChars;
|
|
|
|
fnEnd = strpbrk(fnBegin, " \r\n");
|
|
if (fnEnd) {
|
|
int fnLen = fnEnd - fnBegin;
|
|
if (fnLen < sizeof fileName) {
|
|
strncpy(fileName, fnBegin, fnLen);
|
|
fileName[fnLen] = 0; /* null terminate */
|
|
fnstart = fileName;
|
|
/* strip initial / because our root is the current directory*/
|
|
while (*fnstart && *fnstart=='/')
|
|
++fnstart;
|
|
}
|
|
}
|
|
if (fnstart) {
|
|
if (!strncmp(fnstart, "ocsp", 4)) {
|
|
if (isPost) {
|
|
if (postData.data) {
|
|
isOcspRequest = PR_TRUE;
|
|
}
|
|
} else {
|
|
if (!strncmp(fnstart, "ocsp/", 5)) {
|
|
isOcspRequest = PR_TRUE;
|
|
getData = fnstart + 5;
|
|
}
|
|
}
|
|
} else {
|
|
/* try to open the file named.
|
|
* If successful, then write it to the client.
|
|
*/
|
|
status = PR_GetFileInfo(fnstart, &info);
|
|
if (status == PR_SUCCESS &&
|
|
info.type == PR_FILE_FILE &&
|
|
info.size >= 0 ) {
|
|
local_file_fd = PR_Open(fnstart, PR_RDONLY, 0);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
numIOVs = 0;
|
|
|
|
iovs[numIOVs].iov_base = (char *)outHeader;
|
|
iovs[numIOVs].iov_len = (sizeof(outHeader)) - 1;
|
|
numIOVs++;
|
|
|
|
if (isOcspRequest && caRevoInfos) {
|
|
CERTOCSPRequest *request = NULL;
|
|
PRBool failThisRequest = PR_FALSE;
|
|
|
|
if (ocspMethodsAllowed == ocspGetOnly && postData.len) {
|
|
failThisRequest = PR_TRUE;
|
|
} else if (ocspMethodsAllowed == ocspPostOnly && getData) {
|
|
failThisRequest = PR_TRUE;
|
|
} else if (ocspMethodsAllowed == ocspRandomGetFailure && getData) {
|
|
if (!(rand() % 2)) {
|
|
failThisRequest = PR_TRUE;
|
|
}
|
|
}
|
|
|
|
if (failThisRequest) {
|
|
PR_Write(ssl_sock, outBadRequestHeader, strlen(outBadRequestHeader));
|
|
break;
|
|
}
|
|
/* get is base64, post is binary.
|
|
* If we have base64, convert into the (empty) postData array.
|
|
*/
|
|
if (getData) {
|
|
if (urldecode_base64chars_inplace(getData) == SECSuccess) {
|
|
NSSBase64_DecodeBuffer(NULL, &postData, getData, strlen(getData));
|
|
}
|
|
}
|
|
if (postData.len) {
|
|
request = CERT_DecodeOCSPRequest(&postData);
|
|
}
|
|
if (!request || !request->tbsRequest ||
|
|
!request->tbsRequest->requestList ||
|
|
!request->tbsRequest->requestList[0]) {
|
|
PORT_Sprintf(msgBuf, "Cannot decode OCSP request.\r\n");
|
|
|
|
iovs[numIOVs].iov_base = msgBuf;
|
|
iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
|
|
numIOVs++;
|
|
} else {
|
|
/* TODO: support more than one request entry */
|
|
CERTOCSPCertID *reqid = request->tbsRequest->requestList[0]->reqCert;
|
|
const caRevoInfo *revoInfo = NULL;
|
|
PRBool unknown = PR_FALSE;
|
|
PRBool revoked = PR_FALSE;
|
|
PRTime nextUpdate = 0;
|
|
PRTime revoDate = 0;
|
|
PRCList *caRevoIter;
|
|
|
|
caRevoIter = &caRevoInfos->link;
|
|
do {
|
|
CERTOCSPCertID *caid;
|
|
|
|
revoInfo = (caRevoInfo*)caRevoIter;
|
|
caid = revoInfo->id;
|
|
|
|
if (SECOID_CompareAlgorithmID(&reqid->hashAlgorithm,
|
|
&caid->hashAlgorithm) == SECEqual
|
|
&&
|
|
SECITEM_CompareItem(&reqid->issuerNameHash,
|
|
&caid->issuerNameHash) == SECEqual
|
|
&&
|
|
SECITEM_CompareItem(&reqid->issuerKeyHash,
|
|
&caid->issuerKeyHash) == SECEqual) {
|
|
break;
|
|
}
|
|
revoInfo = NULL;
|
|
caRevoIter = PR_NEXT_LINK(caRevoIter);
|
|
} while (caRevoIter != &caRevoInfos->link);
|
|
|
|
if (!revoInfo) {
|
|
unknown = PR_TRUE;
|
|
revoInfo = caRevoInfos;
|
|
} else {
|
|
CERTCrl *crl = &revoInfo->crl->crl;
|
|
CERTCrlEntry *entry = NULL;
|
|
DER_DecodeTimeChoice(&nextUpdate, &crl->nextUpdate);
|
|
if (crl->entries) {
|
|
int iv = 0;
|
|
/* assign, not compare */
|
|
while ((entry = crl->entries[iv++])) {
|
|
if (SECITEM_CompareItem(&reqid->serialNumber,
|
|
&entry->serialNumber) == SECEqual) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (entry) {
|
|
/* revoked status response */
|
|
revoked = PR_TRUE;
|
|
DER_DecodeTimeChoice(&revoDate, &entry->revocationDate);
|
|
} else {
|
|
/* else good status response */
|
|
if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
|
|
unknown = PR_TRUE;
|
|
nextUpdate = PR_Now() + (PRTime)60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
|
|
revoDate = PR_Now() - (PRTime)60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
|
|
}
|
|
}
|
|
}
|
|
|
|
{
|
|
PRTime now = PR_Now();
|
|
PLArenaPool *arena = NULL;
|
|
CERTOCSPSingleResponse *sr;
|
|
CERTOCSPSingleResponse **singleResponses;
|
|
SECItem *ocspResponse;
|
|
|
|
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
|
|
if (unknown) {
|
|
sr = CERT_CreateOCSPSingleResponseUnknown(arena, reqid, now,
|
|
&nextUpdate);
|
|
} else if (revoked) {
|
|
sr = CERT_CreateOCSPSingleResponseRevoked(arena, reqid, now,
|
|
&nextUpdate, revoDate, NULL);
|
|
} else {
|
|
sr = CERT_CreateOCSPSingleResponseGood(arena, reqid, now,
|
|
&nextUpdate);
|
|
}
|
|
|
|
/* meaning of value 2: one entry + one end marker */
|
|
singleResponses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse*, 2);
|
|
singleResponses[0] = sr;
|
|
singleResponses[1] = NULL;
|
|
ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena,
|
|
revoInfo->cert, ocspResponderID_byName, now,
|
|
singleResponses, &pwdata);
|
|
|
|
if (!ocspResponse) {
|
|
PORT_Sprintf(msgBuf, "Failed to encode response\r\n");
|
|
iovs[numIOVs].iov_base = msgBuf;
|
|
iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
|
|
numIOVs++;
|
|
} else {
|
|
PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader));
|
|
PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len);
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
} else if (local_file_fd) {
|
|
PRInt32 bytes;
|
|
int errLen;
|
|
bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
|
|
sizeof outHeader - 1,
|
|
PR_TRANSMITFILE_KEEP_OPEN,
|
|
PR_INTERVAL_NO_TIMEOUT);
|
|
if (bytes >= 0) {
|
|
bytes -= sizeof outHeader - 1;
|
|
FPRINTF(stderr,
|
|
"httpserv: PR_TransmitFile wrote %d bytes from %s\n",
|
|
bytes, fileName);
|
|
break;
|
|
}
|
|
errString = errWarn("PR_TransmitFile");
|
|
errLen = PORT_Strlen(errString);
|
|
errLen = PR_MIN(errLen, sizeof msgBuf - 1);
|
|
PORT_Memcpy(msgBuf, errString, errLen);
|
|
msgBuf[errLen] = 0;
|
|
|
|
iovs[numIOVs].iov_base = msgBuf;
|
|
iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
|
|
numIOVs++;
|
|
} else if (reqLen <= 0) { /* hit eof */
|
|
PORT_Sprintf(msgBuf, "Get or Post incomplete after %d bytes.\r\n",
|
|
bufDat);
|
|
|
|
iovs[numIOVs].iov_base = msgBuf;
|
|
iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
|
|
numIOVs++;
|
|
} else if (reqLen < bufDat) {
|
|
PORT_Sprintf(msgBuf, "Discarded %d characters.\r\n",
|
|
bufDat - reqLen);
|
|
|
|
iovs[numIOVs].iov_base = msgBuf;
|
|
iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
|
|
numIOVs++;
|
|
}
|
|
|
|
if (reqLen > 0) {
|
|
if (verbose > 1)
|
|
fwrite(buf, 1, reqLen, stdout); /* display it */
|
|
|
|
iovs[numIOVs].iov_base = buf;
|
|
iovs[numIOVs].iov_len = reqLen;
|
|
numIOVs++;
|
|
}
|
|
|
|
rv = PR_Writev(ssl_sock, iovs, numIOVs, PR_INTERVAL_NO_TIMEOUT);
|
|
if (rv < 0) {
|
|
errWarn("PR_Writev");
|
|
break;
|
|
}
|
|
|
|
} while (0);
|
|
|
|
cleanup:
|
|
if (ssl_sock) {
|
|
PR_Close(ssl_sock);
|
|
} else if (tcp_sock) {
|
|
PR_Close(tcp_sock);
|
|
}
|
|
if (local_file_fd)
|
|
PR_Close(local_file_fd);
|
|
VLOG(("httpserv: handle_connection: exiting\n"));
|
|
|
|
/* do a nice shutdown if asked. */
|
|
if (!strncmp(buf, stopCmd, sizeof stopCmd - 1)) {
|
|
VLOG(("httpserv: handle_connection: stop command"));
|
|
stop_server();
|
|
}
|
|
VLOG(("httpserv: handle_connection: exiting"));
|
|
return SECSuccess; /* success */
|
|
}
|
|
|
|
#ifdef XP_UNIX
|
|
|
|
void sigusr1_handler(int sig)
|
|
{
|
|
VLOG(("httpserv: sigusr1_handler: stop server"));
|
|
stop_server();
|
|
}
|
|
|
|
#endif
|
|
|
|
SECStatus
|
|
do_accepts(
|
|
PRFileDesc *listen_sock,
|
|
PRFileDesc *model_sock,
|
|
int requestCert
|
|
)
|
|
{
|
|
PRNetAddr addr;
|
|
PRErrorCode perr;
|
|
#ifdef XP_UNIX
|
|
struct sigaction act;
|
|
#endif
|
|
|
|
VLOG(("httpserv: do_accepts: starting"));
|
|
PR_SetThreadPriority( PR_GetCurrentThread(), PR_PRIORITY_HIGH);
|
|
|
|
acceptorThread = PR_GetCurrentThread();
|
|
#ifdef XP_UNIX
|
|
/* set up the signal handler */
|
|
act.sa_handler = sigusr1_handler;
|
|
sigemptyset(&act.sa_mask);
|
|
act.sa_flags = 0;
|
|
if (sigaction(SIGUSR1, &act, NULL)) {
|
|
fprintf(stderr, "Error installing signal handler.\n");
|
|
exit(1);
|
|
}
|
|
#endif
|
|
while (!stopping) {
|
|
PRFileDesc *tcp_sock;
|
|
PRCList *myLink;
|
|
|
|
FPRINTF(stderr, "\n\n\nhttpserv: About to call accept.\n");
|
|
tcp_sock = PR_Accept(listen_sock, &addr, PR_INTERVAL_NO_TIMEOUT);
|
|
if (tcp_sock == NULL) {
|
|
perr = PR_GetError();
|
|
if ((perr != PR_CONNECT_RESET_ERROR &&
|
|
perr != PR_PENDING_INTERRUPT_ERROR) || verbose) {
|
|
errWarn("PR_Accept");
|
|
}
|
|
if (perr == PR_CONNECT_RESET_ERROR) {
|
|
FPRINTF(stderr,
|
|
"Ignoring PR_CONNECT_RESET_ERROR error - continue\n");
|
|
continue;
|
|
}
|
|
stopping = 1;
|
|
break;
|
|
}
|
|
|
|
VLOG(("httpserv: do_accept: Got connection\n"));
|
|
|
|
PZ_Lock(qLock);
|
|
while (PR_CLIST_IS_EMPTY(&freeJobs) && !stopping) {
|
|
PZ_WaitCondVar(freeListNotEmptyCv, PR_INTERVAL_NO_TIMEOUT);
|
|
}
|
|
if (stopping) {
|
|
PZ_Unlock(qLock);
|
|
if (tcp_sock) {
|
|
PR_Close(tcp_sock);
|
|
}
|
|
break;
|
|
}
|
|
myLink = PR_LIST_HEAD(&freeJobs);
|
|
PR_REMOVE_AND_INIT_LINK(myLink);
|
|
/* could release qLock here and reaquire it 7 lines below, but
|
|
** why bother for 4 assignment statements?
|
|
*/
|
|
{
|
|
JOB * myJob = (JOB *)myLink;
|
|
myJob->tcp_sock = tcp_sock;
|
|
myJob->model_sock = model_sock;
|
|
myJob->requestCert = requestCert;
|
|
}
|
|
|
|
PR_APPEND_LINK(myLink, &jobQ);
|
|
PZ_NotifyCondVar(jobQNotEmptyCv);
|
|
PZ_Unlock(qLock);
|
|
}
|
|
|
|
FPRINTF(stderr, "httpserv: Closing listen socket.\n");
|
|
VLOG(("httpserv: do_accepts: exiting"));
|
|
if (listen_sock) {
|
|
PR_Close(listen_sock);
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
PRFileDesc *
|
|
getBoundListenSocket(unsigned short port)
|
|
{
|
|
PRFileDesc * listen_sock;
|
|
int listenQueueDepth = 5 + (2 * maxThreads);
|
|
PRStatus prStatus;
|
|
PRNetAddr addr;
|
|
PRSocketOptionData opt;
|
|
|
|
addr.inet.family = PR_AF_INET;
|
|
addr.inet.ip = PR_INADDR_ANY;
|
|
addr.inet.port = PR_htons(port);
|
|
|
|
listen_sock = PR_NewTCPSocket();
|
|
if (listen_sock == NULL) {
|
|
errExit("PR_NewTCPSocket");
|
|
}
|
|
|
|
opt.option = PR_SockOpt_Nonblocking;
|
|
opt.value.non_blocking = PR_FALSE;
|
|
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
|
if (prStatus < 0) {
|
|
PR_Close(listen_sock);
|
|
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
|
}
|
|
|
|
opt.option=PR_SockOpt_Reuseaddr;
|
|
opt.value.reuse_addr = PR_TRUE;
|
|
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
|
if (prStatus < 0) {
|
|
PR_Close(listen_sock);
|
|
errExit("PR_SetSocketOption(PR_SockOpt_Reuseaddr)");
|
|
}
|
|
|
|
#ifndef WIN95
|
|
/* Set PR_SockOpt_Linger because it helps prevent a server bind issue
|
|
* after clean shutdown . See bug 331413 .
|
|
* Don't do it in the WIN95 build configuration because clean shutdown is
|
|
* not implemented, and PR_SockOpt_Linger causes a hang in ssl.sh .
|
|
* See bug 332348 */
|
|
opt.option=PR_SockOpt_Linger;
|
|
opt.value.linger.polarity = PR_TRUE;
|
|
opt.value.linger.linger = PR_SecondsToInterval(1);
|
|
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
|
if (prStatus < 0) {
|
|
PR_Close(listen_sock);
|
|
errExit("PR_SetSocketOption(PR_SockOpt_Linger)");
|
|
}
|
|
#endif
|
|
|
|
prStatus = PR_Bind(listen_sock, &addr);
|
|
if (prStatus < 0) {
|
|
PR_Close(listen_sock);
|
|
errExit("PR_Bind");
|
|
}
|
|
|
|
prStatus = PR_Listen(listen_sock, listenQueueDepth);
|
|
if (prStatus < 0) {
|
|
PR_Close(listen_sock);
|
|
errExit("PR_Listen");
|
|
}
|
|
return listen_sock;
|
|
}
|
|
|
|
void
|
|
server_main(
|
|
PRFileDesc * listen_sock,
|
|
int requestCert,
|
|
SECKEYPrivateKey ** privKey,
|
|
CERTCertificate ** cert,
|
|
const char *expectedHostNameVal)
|
|
{
|
|
PRFileDesc *model_sock = NULL;
|
|
|
|
/* Now, do the accepting, here in the main thread. */
|
|
do_accepts(listen_sock, model_sock, requestCert);
|
|
|
|
terminateWorkerThreads();
|
|
|
|
if (model_sock) {
|
|
PR_Close(model_sock);
|
|
}
|
|
|
|
}
|
|
|
|
int numChildren;
|
|
PRProcess * child[MAX_PROCS];
|
|
|
|
PRProcess *
|
|
haveAChild(int argc, char **argv, PRProcessAttr * attr)
|
|
{
|
|
PRProcess * newProcess;
|
|
|
|
newProcess = PR_CreateProcess(argv[0], argv, NULL, attr);
|
|
if (!newProcess) {
|
|
errWarn("Can't create new process.");
|
|
} else {
|
|
child[numChildren++] = newProcess;
|
|
}
|
|
return newProcess;
|
|
}
|
|
|
|
/* slightly adjusted version of ocsp_CreateCertID (not using issuer) */
|
|
static CERTOCSPCertID *
|
|
ocsp_CreateSelfCAID(PLArenaPool *arena, CERTCertificate *cert, PRTime time)
|
|
{
|
|
CERTOCSPCertID *certID;
|
|
void *mark = PORT_ArenaMark(arena);
|
|
SECStatus rv;
|
|
|
|
PORT_Assert(arena != NULL);
|
|
|
|
certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
|
|
if (certID == NULL) {
|
|
goto loser;
|
|
}
|
|
|
|
rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
|
|
NULL);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
|
|
if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_SHA1,
|
|
&(certID->issuerNameHash)) == NULL) {
|
|
goto loser;
|
|
}
|
|
certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
|
|
certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
|
|
|
|
if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD5,
|
|
&(certID->issuerMD5NameHash)) == NULL) {
|
|
goto loser;
|
|
}
|
|
|
|
if (CERT_GetSubjectNameDigest(arena, cert, SEC_OID_MD2,
|
|
&(certID->issuerMD2NameHash)) == NULL) {
|
|
goto loser;
|
|
}
|
|
|
|
if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_SHA1,
|
|
&certID->issuerKeyHash) == NULL) {
|
|
goto loser;
|
|
}
|
|
certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
|
|
certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
|
|
/* cache the other two hash algorithms as well */
|
|
if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD5,
|
|
&certID->issuerMD5KeyHash) == NULL) {
|
|
goto loser;
|
|
}
|
|
if (CERT_GetSubjectPublicKeyDigest(arena, cert, SEC_OID_MD2,
|
|
&certID->issuerMD2KeyHash) == NULL) {
|
|
goto loser;
|
|
}
|
|
|
|
PORT_ArenaUnmark(arena, mark);
|
|
return certID;
|
|
|
|
loser:
|
|
PORT_ArenaRelease(arena, mark);
|
|
return NULL;
|
|
}
|
|
|
|
/* slightly adjusted version of CERT_CreateOCSPCertID */
|
|
CERTOCSPCertID*
|
|
cert_CreateSelfCAID(CERTCertificate *cert, PRTime time)
|
|
{
|
|
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
CERTOCSPCertID *certID;
|
|
PORT_Assert(arena != NULL);
|
|
if (!arena)
|
|
return NULL;
|
|
|
|
certID = ocsp_CreateSelfCAID(arena, cert, time);
|
|
if (!certID) {
|
|
PORT_FreeArena(arena, PR_FALSE);
|
|
return NULL;
|
|
}
|
|
certID->poolp = arena;
|
|
return certID;
|
|
}
|
|
|
|
int
|
|
main(int argc, char **argv)
|
|
{
|
|
char * progName = NULL;
|
|
const char * dir = ".";
|
|
char * passwd = NULL;
|
|
char * pwfile = NULL;
|
|
const char * pidFile = NULL;
|
|
char * tmp;
|
|
PRFileDesc * listen_sock;
|
|
int optionsFound = 0;
|
|
unsigned short port = 0;
|
|
SECStatus rv;
|
|
PRStatus prStatus;
|
|
PRBool bindOnly = PR_FALSE;
|
|
PRBool useLocalThreads = PR_FALSE;
|
|
PLOptState *optstate;
|
|
PLOptStatus status;
|
|
char emptyString[] = { "" };
|
|
char* certPrefix = emptyString;
|
|
caRevoInfo *revoInfo = NULL;
|
|
PRCList *caRevoIter = NULL;
|
|
PRBool provideOcsp = PR_FALSE;
|
|
|
|
tmp = strrchr(argv[0], '/');
|
|
tmp = tmp ? tmp + 1 : argv[0];
|
|
progName = strrchr(tmp, '\\');
|
|
progName = progName ? progName + 1 : tmp;
|
|
|
|
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
|
|
|
|
/* please keep this list of options in ASCII collating sequence.
|
|
** numbers, then capital letters, then lower case, alphabetical.
|
|
*/
|
|
optstate = PL_CreateOptState(argc, argv,
|
|
"A:C:DO:P:bd:f:hi:p:t:vw:");
|
|
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
|
|
++optionsFound;
|
|
switch(optstate->option) {
|
|
/* A first, must be followed by C. Any other order is an error.
|
|
* A creates the object. C completes and moves into list.
|
|
*/
|
|
case 'A':
|
|
provideOcsp = PR_TRUE;
|
|
if (revoInfo) { Usage(progName); exit(0); }
|
|
revoInfo = PORT_New(caRevoInfo);
|
|
revoInfo->nickname = PORT_Strdup(optstate->value);
|
|
break;
|
|
case 'C':
|
|
if (!revoInfo) { Usage(progName); exit(0); }
|
|
revoInfo->crlFilename = PORT_Strdup(optstate->value);
|
|
if (!caRevoInfos) {
|
|
PR_INIT_CLIST(&revoInfo->link);
|
|
caRevoInfos = revoInfo;
|
|
} else {
|
|
PR_APPEND_LINK(&revoInfo->link, &caRevoInfos->link);
|
|
}
|
|
revoInfo = NULL;
|
|
break;
|
|
|
|
case 'O':
|
|
if (!PL_strcasecmp(optstate->value, "all")) {
|
|
ocspMethodsAllowed = ocspGetAndPost;
|
|
} else if (!PL_strcasecmp(optstate->value, "get")) {
|
|
ocspMethodsAllowed = ocspGetOnly;
|
|
} else if (!PL_strcasecmp(optstate->value, "post")) {
|
|
ocspMethodsAllowed = ocspPostOnly;
|
|
} else if (!PL_strcasecmp(optstate->value, "random")) {
|
|
ocspMethodsAllowed = ocspRandomGetFailure;
|
|
} else if (!PL_strcasecmp(optstate->value, "get-unknown")) {
|
|
ocspMethodsAllowed = ocspGetUnknown;
|
|
} else {
|
|
Usage(progName); exit(0);
|
|
}
|
|
break;
|
|
|
|
case 'D': noDelay = PR_TRUE; break;
|
|
|
|
case 'P': certPrefix = PORT_Strdup(optstate->value); break;
|
|
|
|
case 'b': bindOnly = PR_TRUE; break;
|
|
|
|
case 'd': dir = optstate->value; break;
|
|
|
|
case 'f':
|
|
pwdata.source = PW_FROMFILE;
|
|
pwdata.data = pwfile = PORT_Strdup(optstate->value);
|
|
break;
|
|
|
|
case 'h': Usage(progName); exit(0); break;
|
|
|
|
case 'i': pidFile = optstate->value; break;
|
|
|
|
case 'p': port = PORT_Atoi(optstate->value); break;
|
|
|
|
case 't':
|
|
maxThreads = PORT_Atoi(optstate->value);
|
|
if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
|
|
if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
|
|
break;
|
|
|
|
case 'v': verbose++; break;
|
|
|
|
case 'w':
|
|
pwdata.source = PW_PLAINTEXT;
|
|
pwdata.data = passwd = PORT_Strdup(optstate->value);
|
|
break;
|
|
|
|
default:
|
|
case '?':
|
|
fprintf(stderr, "Unrecognized or bad option specified.\n");
|
|
fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
|
|
exit(4);
|
|
break;
|
|
}
|
|
}
|
|
PL_DestroyOptState(optstate);
|
|
if (status == PL_OPT_BAD) {
|
|
fprintf(stderr, "Unrecognized or bad option specified.\n");
|
|
fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
|
|
exit(5);
|
|
}
|
|
if (!optionsFound) {
|
|
Usage(progName);
|
|
exit(51);
|
|
}
|
|
|
|
/* The -b (bindOnly) option is only used by the ssl.sh test
|
|
* script on Linux to determine whether a previous httpserv
|
|
* process has fully died and freed the port. (Bug 129701)
|
|
*/
|
|
if (bindOnly) {
|
|
listen_sock = getBoundListenSocket(port);
|
|
if (!listen_sock) {
|
|
exit(1);
|
|
}
|
|
if (listen_sock) {
|
|
PR_Close(listen_sock);
|
|
}
|
|
exit(0);
|
|
}
|
|
|
|
if (port == 0) {
|
|
fprintf(stderr, "Required argument 'port' must be non-zero value\n");
|
|
exit(7);
|
|
}
|
|
|
|
if (pidFile) {
|
|
FILE *tmpfile=fopen(pidFile,"w+");
|
|
|
|
if (tmpfile) {
|
|
fprintf(tmpfile,"%d",getpid());
|
|
fclose(tmpfile);
|
|
}
|
|
}
|
|
|
|
tmp = getenv("TMP");
|
|
if (!tmp)
|
|
tmp = getenv("TMPDIR");
|
|
if (!tmp)
|
|
tmp = getenv("TEMP");
|
|
/* we're an ordinary single process server. */
|
|
listen_sock = getBoundListenSocket(port);
|
|
prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
|
|
if (prStatus != PR_SUCCESS)
|
|
errExit("PR_SetFDInheritable");
|
|
|
|
lm = PR_NewLogModule("TestCase");
|
|
|
|
/* set our password function */
|
|
PK11_SetPasswordFunc(SECU_GetModulePassword);
|
|
|
|
if (provideOcsp) {
|
|
/* Call the NSS initialization routines */
|
|
rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
|
|
if (rv != SECSuccess) {
|
|
fputs("NSS_Init failed.\n", stderr);
|
|
exit(8);
|
|
}
|
|
|
|
if (caRevoInfos) {
|
|
caRevoIter = &caRevoInfos->link;
|
|
do {
|
|
PRFileDesc *inFile;
|
|
int rv = SECFailure;
|
|
SECItem crlDER;
|
|
crlDER.data = NULL;
|
|
|
|
revoInfo = (caRevoInfo*)caRevoIter;
|
|
revoInfo->cert = CERT_FindCertByNickname(
|
|
CERT_GetDefaultCertDB(), revoInfo->nickname);
|
|
if (!revoInfo->cert) {
|
|
fprintf(stderr, "cannot find cert with nickname %s\n",
|
|
revoInfo->nickname);
|
|
exit(1);
|
|
}
|
|
inFile = PR_Open(revoInfo->crlFilename, PR_RDONLY, 0);
|
|
if (inFile) {
|
|
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
|
|
PR_Close(inFile);
|
|
inFile = NULL;
|
|
}
|
|
if (rv != SECSuccess) {
|
|
fprintf(stderr, "unable to read crl file %s\n",
|
|
revoInfo->crlFilename);
|
|
exit(1);
|
|
}
|
|
revoInfo->crl =
|
|
CERT_DecodeDERCrlWithFlags(NULL, &crlDER, SEC_CRL_TYPE,
|
|
CRL_DECODE_DEFAULT_OPTIONS);
|
|
if (!revoInfo->crl) {
|
|
fprintf(stderr, "unable to decode crl file %s\n",
|
|
revoInfo->crlFilename);
|
|
exit(1);
|
|
}
|
|
if (CERT_CompareName(&revoInfo->crl->crl.name,
|
|
&revoInfo->cert->subject) != SECEqual) {
|
|
fprintf(stderr, "CRL %s doesn't match cert identified by preceding nickname %s\n",
|
|
revoInfo->crlFilename, revoInfo->nickname);
|
|
exit(1);
|
|
}
|
|
revoInfo->id = cert_CreateSelfCAID(revoInfo->cert, PR_Now());
|
|
caRevoIter = PR_NEXT_LINK(caRevoIter);
|
|
} while (caRevoIter != &caRevoInfos->link);
|
|
}
|
|
}
|
|
|
|
/* allocate the array of thread slots, and launch the worker threads. */
|
|
rv = launch_threads(&jobLoop, 0, 0, 0, useLocalThreads);
|
|
|
|
if (rv == SECSuccess) {
|
|
server_main(listen_sock, 0, 0, 0,
|
|
0);
|
|
}
|
|
|
|
VLOG(("httpserv: server_thread: exiting"));
|
|
|
|
if (provideOcsp) {
|
|
if (caRevoInfos) {
|
|
PRCList *caRevoIter;
|
|
|
|
caRevoIter = &caRevoInfos->link;
|
|
do {
|
|
caRevoInfo *revoInfo = (caRevoInfo*)caRevoIter;
|
|
if (revoInfo->nickname)
|
|
PORT_Free(revoInfo->nickname);
|
|
if (revoInfo->crlFilename)
|
|
PORT_Free(revoInfo->crlFilename);
|
|
if (revoInfo->cert)
|
|
CERT_DestroyCertificate(revoInfo->cert);
|
|
if (revoInfo->id)
|
|
CERT_DestroyOCSPCertID(revoInfo->id);
|
|
if (revoInfo->crl)
|
|
SEC_DestroyCrl(revoInfo->crl);
|
|
|
|
caRevoIter = PR_NEXT_LINK(caRevoIter);
|
|
} while (caRevoIter != &caRevoInfos->link);
|
|
|
|
}
|
|
if (NSS_Shutdown() != SECSuccess) {
|
|
SECU_PrintError(progName, "NSS_Shutdown");
|
|
PR_Cleanup();
|
|
exit(1);
|
|
}
|
|
}
|
|
if (passwd) {
|
|
PORT_Free(passwd);
|
|
}
|
|
if (pwfile) {
|
|
PORT_Free(pwfile);
|
|
}
|
|
if (certPrefix && certPrefix != emptyString) {
|
|
PORT_Free(certPrefix);
|
|
}
|
|
PR_Cleanup();
|
|
printf("httpserv: normal termination\n");
|
|
return 0;
|
|
}
|
|
|