
sqs committed e6c2c3b

revert vfyserv.c to pre-TLS-SRP-patch state


Files changed (1)

security/nss/cmd/vfyserv/vfyserv.c

 #include "secmod.h"
 #include "secitem.h"
 
-#include "plbase64.h"
 
 #include <stdlib.h>
 #include <errno.h>
 #include "secutil.h"
 #include "ocsp.h"
 
-#include "srp_groups.h"
-
 #include "vfyserv.h"
 
-#include "t_pwd.h"
-#define SRP_SALT_LENGTH MAXSALTLEN
-#define SRP_BUFLEN MAXPARAMLEN
-
 #define RD_BUF_SIZE (60 * 1024)
 
 extern int ssl2CipherSuites[];
 char *certNickname = NULL;
 char *hostName = NULL;
 secuPWData  pwdata          = { PW_NONE, 0 };
-PRFileDesc *srpvfile = NULL;
 unsigned short port = 0;
 PRBool dumpChain;
-int disableSSL2 = 0;
-int disableSSL3 = 0;
-int disableTLS = 0;
-
 
 static void
 Usage(const char *progName)
     PRFileDesc *pr_stderr;
 
     pr_stderr = PR_STDERR;
-    /* TODO(sqs): add docs for -2 -3 -T */
+
     PR_fprintf(pr_stderr, "Usage:\n"
                "   %s  [-c ] [-o] [-p port] [-d dbdir] [-w password] [-f pwfile]\n"
-               "   \t\t[-C cipher(s)]  [-l <url> -t <nickname> ] [-K srpvfile]\n"
-               "   \t\thostname",
+               "   \t\t[-C cipher(s)]  [-l <url> -t <nickname> ] hostname",
                progName);
     PR_fprintf (pr_stderr, "\nWhere:\n");
     PR_fprintf (pr_stderr,
     PR_fprintf (pr_stderr,
                 "  %-13s OCSP Trusted Responder Cert nickname\n\n",
                 "-t nickname");
-    PR_fprintf (pr_stderr,
-                "  %-13s srpvfile\n",
-                "-K srpvfile");
 
 	exit(1);
 }
 		goto loser;
 	}
 
-        secStatus = SSL_OptionSet(sslSocket, SSL_ENABLE_SSL2, !disableSSL2);
-        if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_ENABLE_SSL2");
-		goto loser;
-        }
-
-        /* disable ssl2 and ssl2-compatible client hellos. */
-        secStatus = SSL_OptionSet(sslSocket, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
-        if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_V2_COMPATIBLE_HELLO");
-		goto loser;
-        }
-
-        secStatus = SSL_OptionSet(sslSocket, SSL_ENABLE_SSL3, !disableSSL3);
-        if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_ENABLE_SSL3");
-		goto loser;
-        }
-
-        secStatus = SSL_OptionSet(sslSocket, SSL_ENABLE_TLS, !disableTLS);
-        if (secStatus != SECSuccess) {
-		errWarn("SSL_OptionSet:SSL_ENABLE_TLS");
-		goto loser;
-        }
-
 	/* Set SSL callback routines. */
 	secStatus = SSL_GetClientAuthDataHook(sslSocket,
 	                          (SSLGetClientAuthData)myGetClientAuthData,
 }
 
 
-/* 
- * Callback function that supplies SSL with SRP parameters for specified user.
- * It fills *srp with info extracted from srpvfile
- * 
- * file format: $user\tgroup\tsalt\tverifier\n
- */
-
-SECStatus
-mySRPParamLookup(PRFileDesc *s, SECKEYSRPParams *srp, PRFileDesc * srpvfile)
-{
-    char *uname    = NULL;
-    char *tmp      = NULL;
-    char *pos      = NULL;
-    char *verifier = NULL;
-    char *salt     = NULL;
-    char *b64verifier = NULL;
-    char *b64salt     = NULL;
-    char buffer[SRP_BUFLEN];
-    unsigned int i, bytes, group;
-    unsigned int ulen;
-    
-    PR_Seek(srpvfile, 0, SEEK_SET);
-
-    ulen = srp->u.len;
-    
-    /* prepare search string */
-    uname = PORT_Alloc(2+ulen);
-    PORT_Memcpy(uname, srp->u.data, ulen);
-    uname[ulen] = '\t';
-    uname[ulen+1] = '\0';
-
-    /* search file for username */
-    while (ulen < (bytes = PR_Read(srpvfile, buffer, SRP_BUFLEN-1)) ) { /* XXX -1 ?*/
-        buffer[ulen+1] = '\0';
-        if ((0 == PL_strcmp(buffer, uname))) {
-            /* seek to end of '$user\t' */
-            /* read at least one full line to buffer */
-            PR_Seek(srpvfile, ulen+1-bytes, SEEK_CUR);
-            bytes = PR_Read(srpvfile, buffer, SRP_BUFLEN-1);
-            break;
-        } else {
-            /* seek to end of first line in buffer and continue loop */
-            pos = PL_strstr(buffer+ulen+2,"\n");
-            PR_Seek(srpvfile, (pos-buffer+1)-bytes, SEEK_CUR);
-        }
-
-    }
-    PORT_Free(uname);
-
-    /* if the username was not found. */
-    if (bytes < 1) {
-        /* A server may want to hide (non)existant accounts by
-         * generating some dummy parameters here. Note that for
-         * simulation of a specific user, the same salt and group
-         * parameters must be sent on every login. */
-        return SECFailure;
-    }
-
-    /* user found, line buffered, extract associated parameters */
-    buffer[bytes] = '\0';
-            
-    tmp = buffer; i=0;
-    while (tmp[i] != '\t' && tmp[i] != '\0') i++;
-    if (tmp[i] == '\0')
-        goto parse_fail;
-    tmp[i] = '\0';
-    group = PORT_Atoi(tmp);
-
-    tmp+=i+1; i = 0;
-    while (tmp[i] != '\t' && tmp[i] != '\0') i++;
-    if (tmp[i] == '\0')
-        goto parse_fail;
-    tmp[i] = '\0';
-    b64verifier = tmp;
-
-    tmp+=i+1; i = 0;
-    while (tmp[i] != '\n' && tmp[i] != '\0') i++;
-    if (tmp[i] == '\0')
-        goto parse_fail;
-    tmp[i] = '\0';
-    b64salt = tmp;
-
-    SECITEM_AllocItem(NULL, &srp->secret, group/8);
-    SECITEM_AllocItem(NULL, &srp->s, SRP_SALT_LENGTH);
-    SECITEM_AllocItem(NULL, &srp->N, group/8);
-    SECITEM_AllocItem(NULL, &srp->g, 1);
-    
-    verifier = PL_Base64Decode(b64verifier, 0, NULL);
-    salt     = PL_Base64Decode(b64salt,     0, NULL);
-    
-    PORT_Memcpy(srp->secret.data, verifier, group/8);
-    PORT_Memcpy(srp->s.data, salt, SRP_SALT_LENGTH);
-
-    /* get corresponding group parameters */
-    switch (group) {
-        case 1024:
-            PL_Base64Decode((char *)&known_srp_groups[0], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x02;
-            break;
-        case 1536:
-            PL_Base64Decode((char *)&known_srp_groups[1], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x02;
-            break;
-        case 2048:
-            PL_Base64Decode((char *)&known_srp_groups[2], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x02;
-            break;
-        case 3072:
-            PL_Base64Decode((char *)&known_srp_groups[3], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x05;
-            break;
-        case 4096:
-            PL_Base64Decode((char *)&known_srp_groups[4], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x05;
-            break;
-        case 6144:
-            PL_Base64Decode((char *)&known_srp_groups[5], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x05;
-            break;
-        case 8192:
-            PL_Base64Decode((char *)&known_srp_groups[6], 0, (char *)srp->N.data);
-            srp->g.data[0] = 0x13;
-            break;
-        default:
-            printf("Invalid group size %d\n",group);
-            return SECFailure;
-    }
-    
-    return SECSuccess;
-
-parse_fail:
-    printf("Error parsing srpvfile for user '%s'\n", uname+1);
-    return SECFailure;
-}
-
 const char requestString[] = {"GET /testfile HTTP/1.0\r\n\r\n" };
 
 SECStatus
 		return SECFailure;
 	}
 
-        if (srpvfile) {
-            secStatus = SSL_GetSRPParamsHook(sslSocket,
-                            (SSLGetSRPParamsCB)mySRPParamLookup, srpvfile);
-	    if (secStatus != SECSuccess) {
-		    errWarn("SSL_SRPParamLookupCallback");
-		    return secStatus;
-	    }
-        }
-
 	secStatus = SSL_SetPKCS11PinArg(sslSocket, &pwdata);
 	if (secStatus != SECSuccess) {
 		errWarn("SSL_SetPKCS11PinArg");
 		errWarn("PR_EnumerateHostEnt");
 		return SECFailure;
 	}
-        
-        /* TODO(sqs): to make this work with TLS-SRP, probably need to have something like the following:
-    if (useCommandLineLogin) {
-        if (userlogin && userpasswd) {
-            SSL_UserPasswdHook(s, userPasswdCallback, NULL);
-            SSL_SetUserLogin(s, userlogin, userpasswd);
-        } else {
-            fprintf(stderr, "Login *and* password must be specified.\n");
-        }
-    }
-
-then run it like:
-LD_LIBRARY_PATH=../../../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/lib/ ../../../../dist/Linux2.6_x86_64_glibc_PTH_64_DBG.OBJ/bin/vfyserv 173.255.214.119 -d ../tstclnt/certs/ -C :C01D -K /var/www/tls-srp.test.trustedhttp.org/srp/tpasswd -2 -3
-         */
 
  	ip = PR_ntohl(addr->inet.ip);
 	fprintf(stderr,
 	char *               cipherString = NULL;
 	char *               respUrl = NULL;
 	char *               respCertName = NULL;
-        char *               srpvfilename = NULL;
 	SECStatus            secStatus;
 	PLOptState *         optstate;
 	PLOptStatus          status;
 	progName = PORT_Strdup(argv[0]);
 
 	hostName = NULL;
-	optstate = PL_CreateOptState(argc, argv, "23TC:cd:f:K:l:n:p:ot:w:");
+	optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
 	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 		switch(optstate->option) {
-                case '2': disableSSL2 = 1;                            break;
-                case '3': disableSSL3 = 1;                            break;
-                case 'T': disableTLS = 1;                             break;
 		case 'C' : cipherString = PL_strdup(optstate->value); break;
  		case 'c' : dumpChain = PR_TRUE;                       break;
 		case 'd' : certDir = PL_strdup(optstate->value);      break;
-                case 'K' : srpvfilename = PL_strdup(optstate->value); break;
 		case 'l' : respUrl = PL_strdup(optstate->value);      break;
 		case 'p' : port = PORT_Atoi(optstate->value);         break;
 		case 'o' : doOcspCheck = PR_TRUE;                     break;
 	    }
 	}
 
-        if (srpvfilename) {
-            srpvfile = PR_Open(srpvfilename, PR_RDONLY, 0);
-            if (srpvfile == NULL) {
-                SECU_PrintError (progName, "error opening srpvfile");
-                goto cleanup;
-            }
-        }
-
 	client_main(port, connections, hostName);
 
 cleanup:
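Review bot: After the revert, the socket setup hunk that ends at `/* Set SSL callback routines. */` no longer makes any explicit `SSL_OptionSet` call for SSL_ENABLE_SSL2 / SSL_V2_COMPATIBLE_HELLO / SSL_ENABLE_SSL3 / SSL_ENABLE_TLS, so the protocol versions this client will negotiate now depend entirely on NSS defaults or on `SSL_OptionSetDefault` calls made elsewhere in the file, which I cannot see from this section. That is the pre-patch behaviour the commit intends, but it is worth stating so the next reader does not assume the reverted `-2 -3 -T` handling was merely moved; a comment such as `/* Protocol versions are left at the library defaults (no SSL_OptionSet calls here). */` above the callback-hook block would capture it. The enclosing function for that hunk starts and ends outside the shown lines. The `-K` removal is consistent across the Usage text, the `PL_CreateOptState` string and the option switch, so nothing else appears left dangling.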