authornelsonb%netscape.com <devnull@localhost>2000-05-24 03:44:50 +0000
committernelsonb%netscape.com <devnull@localhost>2000-05-24 03:44:50 +0000
commit2d731d571f3bfa43272e5d52ef4c514b43a6c34e (patch)
treed29b917c8000c19c19bba7bfb505f6734e79ab51
parent065d4a55f094775d6542b63d76830a2a0770c64f (diff)
Correct the implementation of the options for disabling SSL2, SSL3 and TLS.
Add a new -R option to selfserv, which disables detection of rollback from TLS to SSL3.0. This is necessary for testing with broken TLS clients.
-rw-r--r--security/nss/cmd/selfserv/selfserv.c55
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c33
2 files changed, 44 insertions, 44 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 57d6554ad..37fdedf38 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -143,9 +143,11 @@ Usage(const char *progName)
{
fprintf(stderr,
-"Usage: %s -n rsa_nickname -p port [-3mrvx] [-w password]\n"
+"Usage: %s -n rsa_nickname -p port [-3RTmrvx] [-w password]\n"
" [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
"-3 means disable SSL v3\n"
+"-T means disable TLS\n"
+"-R means disable detection of rollback from TLS to SSL3\n"
"-m means test the model-socket feature of SSL_ImportFD.\n"
"-r flag is interepreted as follows:\n"
" 1 -r means request, not require, cert on initial handshake.\n"
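Review bot: The new `-R` help line at the top of this hunk says what the flag does but not that it weakens the server's protection against version-downgrade attacks, which is the one thing a user of a test server needs to know before passing it. Since the commit message limits it to "testing with broken TLS clients", the usage text should say so too, e.g. `"-R means disable detection of rollback from TLS to SSL3 (TEST ONLY: removes downgrade protection)\n"`. The rest of the Usage body runs past the end of the hunk.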
@@ -223,7 +225,7 @@ networkEnd(void)
#endif
}
-static void
+static const char *
errWarn(char * funcString)
{
PRErrorCode perr = PR_GetError();
@@ -231,6 +233,7 @@ errWarn(char * funcString)
fprintf(stderr, "exit after %s with error %d:\n%s\n",
funcString, perr, errString);
+ return errString;
}
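Review bot: errWarn now hands its error string back to callers, but nothing documents who owns that pointer or whether it can be NULL; the line that produces errString is outside this hunk, so neither property is visible here and a caller doing string operations on the result has nothing to go by. A header comment on errWarn should state the contract, e.g. `/* Prints the pending NSPR error for funcString and returns its message text. The returned string is not owned by the caller; confirm whether it can be NULL for unknown error codes. */`. The start of errWarn's body is in the preceding hunk.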
static void
@@ -529,7 +532,10 @@ destroy_thread_data(void)
** End thread management routines.
**************************************************************************/
-PRBool useModelSocket = PR_FALSE;
+PRBool useModelSocket = PR_FALSE;
+PRBool disableSSL3 = PR_FALSE;
+PRBool disableTLS = PR_FALSE;
+PRBool disableRollBack = PR_FALSE;
static const char stopCmd[] = { "GET /stop " };
static const char outHeader[] = {
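Review bot: The three new option flags at lines 52-54 are plain file-scope globals with external linkage, while the neighbouring `stopCmd` and `outHeader` are `static`; if nothing outside selfserv.c references them (nothing in the diff does), they should be `static PRBool disableSSL3 = PR_FALSE;`, `static PRBool disableTLS = PR_FALSE;`, `static PRBool disableRollBack = PR_FALSE;` to keep them out of the global namespace, and `useModelSocket` could get the same treatment while it is being touched. A one-line comment noting that they are set once by option parsing in main() and read by server_main() would also help, since the parameters they replace used to make that data flow explicit.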
@@ -823,7 +829,7 @@ handle_connection(
PR_TRANSMITFILE_KEEP_OPEN,
PR_INTERVAL_NO_TIMEOUT);
if (bytes < 0) {
- errWarn("PR_TransmitFile");
+ errString = errWarn("PR_TransmitFile");
i = PORT_Strlen(errString);
PORT_Memcpy(buf, errString, i);
goto send_answer;
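Review bot: The new copy at lines 63-64 moves `PORT_Strlen(errString)` bytes into `buf` with no bound on `buf`'s size, so an error text longer than the buffer overruns it; the buffer's declaration is outside the hunk, so I cannot tell how large it is, but the copy should be clamped against it, e.g. `if (i > sizeof buf) i = sizeof buf;` if `buf` is an array here, or against the tracked capacity otherwise. If errWarn can return NULL (its errString source is not shown), `PORT_Strlen(errString)` dereferences it first, so a `if (!errString) errString = "";` guard before the copy would be cheap insurance. handle_connection begins and ends outside this hunk.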
@@ -963,10 +969,7 @@ server_main(
unsigned short port,
int requestCert,
SECKEYPrivateKey ** privKey,
- CERTCertificate ** cert,
- PRBool useModelSocket,
- PRBool disableSSL3,
- PRBool disableTLS)
+ CERTCertificate ** cert)
{
PRFileDesc *listen_sock;
PRFileDesc *model_sock = NULL;
@@ -1026,18 +1029,19 @@ server_main(
}
#endif
- if (disableSSL3) {
- rv = SSL_Enable(model_sock, SSL_ENABLE_SSL3, 0);
- if (rv != SECSuccess) {
- errExit("error disabling SSLv3 ");
- }
+ rv = SSL_Enable(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
+ if (rv != SECSuccess) {
+ errExit("error enabling SSLv3 ");
}
- if (!disableTLS) {
- rv = SSL_Enable(model_sock, SSL_ENABLE_TLS, 1);
- if (rv != SECSuccess) {
- errExit("error enabling TLS ");
- }
+ rv = SSL_Enable(model_sock, SSL_ENABLE_TLS, !disableTLS);
+ if (rv != SECSuccess) {
+ errExit("error enabling TLS ");
+ }
+
+ rv = SSL_Enable(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
+ if (rv != SECSuccess) {
+ errExit("error enabling RollBack detection ");
}
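Review bot: The `SSL_ROLLBACK_DETECTION` call at line 100 is the only place the new -R switch takes effect, and nothing in the code says what turning it off costs; a reader should not have to know NSS internals to see that a server built this way accepts version-downgraded handshakes. I would add `/* -R: rollback detection off only for testing broken TLS clients; it removes the check that defends against version downgrade, so never run a real server this way. */` above that call. The three error strings also now say "error enabling" even when the option is being disabled, which will mislead whoever reads the log; `errExit("error setting SSLv3 enable state ")` (and likewise for TLS and rollback) would be accurate in both directions. server_main's body continues beyond the hunk.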
for (kea = kt_rsa; kea < kt_kea_size; kea++) {
@@ -1161,13 +1165,10 @@ main(int argc, char **argv)
char * tmp;
CERTCertificate * cert [kt_kea_size] = { NULL };
SECKEYPrivateKey * privKey[kt_kea_size] = { NULL };
- int o;
int requestCert = 0;
unsigned short port = 0;
SECStatus rv;
PRBool useExportPolicy = PR_FALSE;
- PRBool disableSSL3 = PR_FALSE;
- PRBool disableTLS = PR_FALSE;
PLOptState *optstate;
tmp = strrchr(argv[0], '/');
@@ -1175,7 +1176,7 @@ main(int argc, char **argv)
progName = strrchr(tmp, '\\');
progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "T2:3c:d:p:mn:f:rvw:x");
+ optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:f:rvw:x");
while (PL_GetNextOpt(optstate) == PL_OPT_OK) {
switch(optstate->option) {
default:
@@ -1185,6 +1186,8 @@ main(int argc, char **argv)
case '3': disableSSL3 = PR_TRUE; break;
+ case 'R': disableRollBack = PR_TRUE; break;
+
case 'T': disableTLS = PR_TRUE; break;
case 'c': cipherString = strdup(optstate->value); break;
@@ -1288,10 +1291,12 @@ main(int argc, char **argv)
privKey[kt_fortezza] = PK11_FindKeyByAnyCert(cert[kt_fortezza], NULL);
}
- SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
+ rv = SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
+ if (rv != SECSuccess) {
+ errExit("SSL_ConfigMPServerSIDCache");
+ }
- server_main(port, requestCert, privKey, cert, useModelSocket,
- disableSSL3, disableTLS);
+ server_main(port, requestCert, privKey, cert);
NSS_Shutdown();
PR_Cleanup();
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 18e1a15e7..badb813df 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -170,6 +170,7 @@ static void Usage(const char *progName)
printf("%-20s Nickname of key and cert for client auth\n", "-n nickname");
printf("%-20s Disable SSL v2.\n", "-2");
printf("%-20s Disable SSL v3.\n", "-3");
+ printf("%-20s Disable TLS (SSL v3.1).\n", "-T");
printf("%-20s Override bad server cert. Make it OK.\n", "-o");
printf("%-20s Use export policy.\n", "-x");
printf("%-20s Letter(s) chosen from the following list\n", "-c ciphers");
@@ -257,7 +258,6 @@ int main(int argc, char **argv)
PRInt32 filesReady;
PRInt32 ip;
int npds;
- int o;
int override = 0;
int disableSSL2 = 0;
int disableSSL3 = 0;
@@ -439,27 +439,22 @@ int main(int argc, char **argv)
}
}
- if (disableSSL2) {
- rv = SSL_Enable(s, SSL_ENABLE_SSL2, 0);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling SSLv2 ");
- return -1;
- }
+ rv = SSL_Enable(s, SSL_ENABLE_SSL2, !disableSSL2);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling SSLv2 ");
+ return -1;
}
- if (disableSSL3) {
- rv = SSL_Enable(s, SSL_ENABLE_SSL3, 0);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling SSLv3 ");
- return -1;
- }
+ rv = SSL_Enable(s, SSL_ENABLE_SSL3, !disableSSL3);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling SSLv3 ");
+ return -1;
}
- if (!disableTLS) {
- rv = SSL_Enable(s, SSL_ENABLE_TLS, 1);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error enabling TLS ");
- return -1;
- }
+
+ rv = SSL_Enable(s, SSL_ENABLE_TLS, !disableTLS);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling TLS ");
+ return -1;
}
#if 0