Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/ssl/sslsnce.c

 /* This file implements the SERVER Session ID cache. 
  * NOTE:  The contents of this file are NOT used by the client.
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
@@ skipping 18 matching lines @@
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsnce.c,v 1.54 2010/07/05 19:31:56 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: sslsnce.c,v 1.59 2011/10/22 16:45:40 emaldona%redhat.com Exp $ */
 
 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
  * cache sids!
  *
  * About record locking among different server processes:
  *
  * All processes that are part of the same conceptual server (serving on 
  * the same address and port) MUST share a common SSL session cache. 
  * This code makes the content of the shared cache accessible to all
  * processes on the same "server".  This code works on Unix and Win32 only.
@@ skipping 969 matching lines @@
     return ((long)ptib->tib_ordinal); /* thread id */
 }
 #endif
 
 static void
 CloseCache(cacheDesc *cache)
 {
     int locks_initialized = cache->numSIDCacheLocksInitialized;
 
     if (cache->cacheMem) {
-        /* If everInherited is true, this shared cache was (and may still
-        ** be) in use by multiple processes.  We do not wish to destroy
-        ** the mutexes while they are still in use.  
-        */
-        if (cache->sharedCache &&
-            PR_FALSE == cache->sharedCache->everInherited) {
+        if (cache->sharedCache) {
             sidCacheLock *pLock = cache->sidCacheLocks;
             for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
-                sslMutex_Destroy(&pLock->mutex);
+                /* If everInherited is true, this shared cache was (and may
+                ** still be) in use by multiple processes.  We do not wish to
+                ** destroy the mutexes while they are still in use, but we do
+                ** want to free mutex resources associated with this process.
+                */
+                sslMutex_Destroy(&pLock->mutex,
+                                 cache->sharedCache->everInherited);
             }
         }
         if (cache->shared) {
             PR_MemUnmap(cache->cacheMem, cache->cacheMemSize);
         } else {
             PORT_Free(cache->cacheMem);
         }
         cache->cacheMem = NULL;
     }
     if (cache->cacheMemMap) {
@@ skipping 276 matching lines @@
                                               int      maxCacheEntries, 
                                               int      maxCertCacheEntries,
                                               int      maxSrvNameCacheEntries)
 {
     SECStatus rv;
 
     PORT_Assert(sizeof(sidCacheEntry) == 224);
     PORT_Assert(sizeof(certCacheEntry) == 4096);
     PORT_Assert(sizeof(srvNameCacheEntry) == 1072);
 
+    rv = ssl_Init();
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
     myPid = SSL_GETPID();
     if (!directory) {
         directory = DEFAULT_CACHE_DIRECTORY;
     }
     rv = InitCache(cache, maxCacheEntries, maxCertCacheEntries,
                    maxSrvNameCacheEntries, ssl2_timeout, ssl3_timeout, 
                    directory, shared);
     if (rv) {
         SET_ERROR_CODE
         return SECFailure;
@@ skipping 160 matching lines @@
     char *          myEnvString = NULL;
     unsigned int    decoLen;
     ptrdiff_t       ptr;
     inheritance     inherit;
     cacheDesc       my;
 #ifdef WINNT
     sidCacheLock* newLocks;
     int           locks_initialized = 0;
     int           locks_to_initialize = 0;
 #endif
+    SECStatus     status = ssl_Init();
+
+    if (status != SECSuccess) {
+        return status;
+    }
 
     myPid = SSL_GETPID();
 
     /* If this child was created by fork(), and not by exec() on unix,
     ** then isMultiProcess will already be set.
     ** If not, we'll set it below.
     */
     if (isMultiProcess) {
         if (cache && cache->sharedCache) {
             cache->sharedCache->everInherited = PR_TRUE;
@@ skipping 332 matching lines @@
             != SECSuccess) {
         SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.",
                     SSL_GETPID(), "unknown", keyName));
         return PR_FALSE;
     }
     cacheEntry->length = wrappedKey.len;
     return PR_TRUE;
 }
 
 static PRBool
-GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
-                          unsigned char *keyName, PK11SymKey **aesKey,
-                          PK11SymKey **macKey)
+GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
+                   PK11SymKey **macKey)
 {
     PK11SlotInfo *slot;
     CK_MECHANISM_TYPE mechanismArray[2];
     PK11SymKey *aesKeyTmp = NULL;
     PK11SymKey *macKeyTmp = NULL;
     cacheDesc *cache = &globalCache;
+    uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
+    uint8 *ticketKeyNameSuffix;
 
-    if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
+    if (!cache->cacheMem) {
+        /* cache is not initalized. Use stack buffer */
+        ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
+    } else {
+        ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
+    }
+
+    if (PK11_GenerateRandom(ticketKeyNameSuffix,
             SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) {
         SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
                     SSL_GETPID(), "unknown"));
         goto loser;
     }
 
     mechanismArray[0] = CKM_AES_CBC;
     mechanismArray[1] = CKM_SHA256_HMAC;
 
     slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg);
     if (slot) {
-        aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL, 32, pwArg);
-        macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL, SHA256_LENGTH,
-                                pwArg);
+        aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL,
+                                AES_256_KEY_LENGTH, pwArg);
+        macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL,
+                                SHA256_LENGTH, pwArg);
         PK11_FreeSlot(slot);
     }
 
     if (aesKeyTmp == NULL || macKeyTmp == NULL) {
         SSL_DBG(("%d: SSL[%s]: Unable to generate session ticket keys.",
                     SSL_GETPID(), "unknown"));
         goto loser;
     }
-
-    /* Export the keys to the shared cache in wrapped form. */
-    if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
-        goto loser;
-    if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
-        goto loser;
-
-    PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
-        SESS_TICKET_KEY_VAR_NAME_LEN);
+    PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN);
     *aesKey = aesKeyTmp;
     *macKey = macKeyTmp;
     return PR_TRUE;
+
+loser:
+    if (aesKeyTmp)
+        PK11_FreeSymKey(aesKeyTmp);
+    if (macKeyTmp)
+        PK11_FreeSymKey(macKeyTmp);
+    return PR_FALSE;
+}
+
+static PRBool
+GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
+                          unsigned char *keyName, PK11SymKey **aesKey,
+                          PK11SymKey **macKey)
+{
+    PK11SymKey *aesKeyTmp = NULL;
+    PK11SymKey *macKeyTmp = NULL;
+    cacheDesc *cache = &globalCache;
+
+    if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) {
+        goto loser;
+    }
+
+    if (cache->cacheMem) {
+        /* Export the keys to the shared cache in wrapped form. */
+        if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey))
+            goto loser;
+        if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey))
+            goto loser;
+    }
+    *aesKey = aesKeyTmp;
+    *macKey = macKeyTmp;
+    return PR_TRUE;
 
 loser:
     if (aesKeyTmp)
         PK11_FreeSymKey(aesKeyTmp);
     if (macKeyTmp)
         PK11_FreeSymKey(macKeyTmp);
     return PR_FALSE;
 }
 
 static PRBool
@@ skipping 43 matching lines @@
 ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
                                SECKEYPublicKey *svrPubKey, void *pwArg,
                                unsigned char *keyName, PK11SymKey **aesKey,
                                PK11SymKey **macKey)
 {
     PRUint32 now = 0;
     PRBool rv = PR_FALSE;
     PRBool keysGenerated = PR_FALSE;
     cacheDesc *cache = &globalCache;
 
+    if (!cache->cacheMem) {
+        /* cache is uninitialized. Generate keys and return them
+         * without caching. */
+        return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
+    }
+
     now = LockSidCacheLock(cache->keyCacheLock, now);
     if (!now)
         return rv;
 
     if (!*(cache->ticketKeysValid)) {
         /* Keys do not exist, create them. */
         if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName,
                 aesKey, macKey))
             goto loser;
         keysGenerated = PR_TRUE;
         *(cache->ticketKeysValid) = 1;
     }
 
     rv = PR_TRUE;
 
  loser:
     UnlockSidCacheLock(cache->keyCacheLock);
     if (rv && !keysGenerated)
         rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey);
     return rv;
 }
 
 PRBool
 ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
                          unsigned char *macKey)
 {
     PRBool rv = PR_FALSE;
     PRUint32 now = 0;
     cacheDesc *cache = &globalCache;
+    uint8 ticketMacKey[AES_256_KEY_LENGTH], ticketEncKey[SHA256_LENGTH];
+    uint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
+    uint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
+    PRBool cacheIsEnabled = PR_TRUE;
 
-    /* Grab lock. */
-    now = LockSidCacheLock(cache->keyCacheLock, now);
-    if (!now)
-        return rv;
+    if (!cache->cacheMem) { /* cache is uninitialized */
+        cacheIsEnabled = PR_FALSE;
+        ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
+        ticketEncKeyPtr = ticketEncKey;
+        ticketMacKeyPtr = ticketMacKey;
+    } else {
+        /* these values have constant memory locations in the cache.
+         * Ok to reference them without holding the lock. */
+        ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
+        ticketEncKeyPtr = cache->ticketEncKey->bytes;
+        ticketMacKeyPtr = cache->ticketMacKey->bytes;
+    }
 
-    if (!*(cache->ticketKeysValid)) {
-        if (PK11_GenerateRandom(cache->ticketKeyNameSuffix,
+    if (cacheIsEnabled) {
+        /* Grab lock if initialized. */
+        now = LockSidCacheLock(cache->keyCacheLock, now);
+        if (!now)
+            return rv;
+    }
+    /* Going to regenerate keys on every call if cache was not
+     * initialized. */
+    if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
+        if (PK11_GenerateRandom(ticketKeyNameSuffix,
                 SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess)
             goto loser;
-        if (PK11_GenerateRandom(cache->ticketEncKey->bytes, 32) != SECSuccess)
+        if (PK11_GenerateRandom(ticketEncKeyPtr,
+                                AES_256_KEY_LENGTH) != SECSuccess)
             goto loser;
-        if (PK11_GenerateRandom(cache->ticketMacKey->bytes,
-                SHA256_LENGTH) != SECSuccess)
+        if (PK11_GenerateRandom(ticketMacKeyPtr,
+                                SHA256_LENGTH) != SECSuccess)
             goto loser;
-        *(cache->ticketKeysValid) = 1;
+        if (cacheIsEnabled) {
+            *(cache->ticketKeysValid) = 1;
+        }
     }
 
     rv = PR_TRUE;
 
  loser:
-    UnlockSidCacheLock(cache->keyCacheLock);
+    if (cacheIsEnabled) {
+        UnlockSidCacheLock(cache->keyCacheLock);
+    }
     if (rv) {
-        PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
-            SESS_TICKET_KEY_VAR_NAME_LEN);
-        PORT_Memcpy(encKey, cache->ticketEncKey->bytes, 32);
-        PORT_Memcpy(macKey, cache->ticketMacKey->bytes, SHA256_LENGTH);
+        PORT_Memcpy(keyName, ticketKeyNameSuffix,
+                    SESS_TICKET_KEY_VAR_NAME_LEN);
+        PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH);
+        PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH);
     }
     return rv;
 }
 
 /* The caller passes in the new value it wants
  * to set.  This code tests the wrapped sym key entry in the shared memory.
  * If it is uninitialized, this function writes the caller's value into 
  * the disk entry, and returns false.  
  * Otherwise, it overwrites the caller's wswk with the value obtained from 
  * the disk, and returns PR_TRUE.  
@@ skipping 113 matching lines @@
 }
 
 SECStatus 
 SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
 {
     PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServerCacheLocks)");
     return SECFailure;
 }
 
 #endif /* XP_UNIX || XP_WIN32 */