From 4af77916e462afe123cd57d4ca24165c9c78e72c Mon Sep 17 00:00:00 2001
From: "nelsonb%netscape.com" <devnull@localhost>
Date: Fri, 9 Nov 2001 05:45:21 +0000
Subject: Added a new -o option, to override check on received client auth
 certs, forcing those certs to be OK.  -v will now test the
 SSL_LocalCertificate() function.  Bug 78959.

---
 security/nss/cmd/selfserv/selfserv.c | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

(limited to 'security/nss/cmd/selfserv')

diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index faed1768a..cfb978c1e 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -318,7 +318,9 @@ printSecurityInfo(PRFileDesc *fd)
     	}
     }
     if (requestCert)
-	cert = SSL_RevealCert(fd);
+	cert = SSL_PeerCertificate(fd);
+    else
+	cert = SSL_LocalCertificate(fd);
     if (cert) {
 	char * ip = CERT_NameToAscii(&cert->issuer);
 	char * sp = CERT_NameToAscii(&cert->subject);
@@ -336,6 +338,19 @@ printSecurityInfo(PRFileDesc *fd)
     FLUSH;
 }
 
+static int MakeCertOK;
+
+static SECStatus
+myBadCertHandler( void *arg, PRFileDesc *fd)
+{
+    int err = PR_GetError();
+    if (!MakeCertOK)
+	fprintf(stderr, 
+	    "selfserv: -- SSL: Client Certificate Invalid, err %d.\n%s\n", 
+            err, SECU_Strerror(err));
+    return (MakeCertOK ? SECSuccess : SECFailure);
+}
+
 /**************************************************************************
 ** Begin thread management routines and data.
 **************************************************************************/
@@ -1191,6 +1206,10 @@ server_main(
 	    }
 	}
     }
+
+    if (MakeCertOK)
+	SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
+
     /* end of ssl configuration. */
 
 
@@ -1353,7 +1372,10 @@ main(int argc, char **argv)
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
-    optstate = PL_CreateOptState(argc, argv, "2:3DM:RTc:d:p:mn:hi:f:rt:vw:xl");
+    /* please keep this list of options in ASCII collating sequence.
+    ** numbers, then capital letters, then lower case, alphabetical. 
+    */
+    optstate = PL_CreateOptState(argc, argv, "2:3DM:RTc:d:f:hi:lmn:op:rt:vw:x");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	++optionsFound;
 	switch(optstate->option) {
@@ -1363,8 +1385,6 @@ main(int argc, char **argv)
 
 	case 'D': noDelay = PR_TRUE; break;
 
-        case 'l': useLocalThreads = PR_TRUE; break;
-
 	case 'M': 
 	    maxProcs = PORT_Atoi(optstate->value); 
 	    if (maxProcs < 1)         maxProcs = 1;
@@ -1383,11 +1403,15 @@ main(int argc, char **argv)
 
 	case 'h': Usage(progName); exit(0); break;
 
+	case 'i': pidFile = optstate->value; break;
+
+        case 'l': useLocalThreads = PR_TRUE; break;
+
 	case 'm': useModelSocket = PR_TRUE; break;
 
 	case 'n': nickName = strdup(optstate->value); break;
 
-	case 'i': pidFile = optstate->value; break;
+	case 'o': MakeCertOK = 1; break;
 
 	case 'p': port = PORT_Atoi(optstate->value); break;
 
-- 
cgit v1.2.1