Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1258)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/third_party/nss/ssl/sslsnce.c

Issue 1844813002: Uprev NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« net/socket/nss_ssl_util.cc ('K') | « net/third_party/nss/ssl/sslsecur.c ('k') | net/third_party/nss/ssl/sslsock.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* This file implements the SERVER Session ID cache. 1 /* This file implements the SERVER Session ID cache.
2 * NOTE: The contents of this file are NOT used by the client. 2 * NOTE: The contents of this file are NOT used by the client.
3 * 3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public 4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 7
8 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 8 /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server
9 * cache sids! 9 * cache sids!
10 * 10 *
11 * About record locking among different server processes: 11 * About record locking among different server processes:
12 * 12 *
13 * All processes that are part of the same conceptual server (serving on 13 * All processes that are part of the same conceptual server (serving on
14 * the same address and port) MUST share a common SSL session cache. 14 * the same address and port) MUST share a common SSL session cache.
15 * This code makes the content of the shared cache accessible to all 15 * This code makes the content of the shared cache accessible to all
16 * processes on the same "server". This code works on Unix and Win32 only. 16 * processes on the same "server". This code works on Unix and Win32 only.
17 * 17 *
18 * We use NSPR anonymous shared memory and move data to & from shared memory. 18 * We use NSPR anonymous shared memory and move data to & from shared memory.
19 * We must do explicit locking of the records for all reads and writes. 19 * We must do explicit locking of the records for all reads and writes.
20 * The set of Cache entries are divided up into "sets" of 128 entries. 20 * The set of Cache entries are divided up into "sets" of 128 entries.
21 * Each set is protected by a lock. There may be one or more sets protected 21 * Each set is protected by a lock. There may be one or more sets protected
22 * by each lock. That is, locks to sets are 1:N. 22 * by each lock. That is, locks to sets are 1:N.
23 * There is one lock for the entire cert cache. 23 * There is one lock for the entire cert cache.
24 * There is one lock for the set of wrapped sym wrap keys. 24 * There is one lock for the set of wrapped sym wrap keys.
25 * 25 *
26 * The anonymous shared memory is laid out as if it were declared like this: 26 * The anonymous shared memory is laid out as if it were declared like this:
27 * 27 *
28 * struct { 28 * struct {
29 * cacheDescriptor desc; 29 * cacheDescriptor desc;
30 * sidCacheLock sidCacheLocks[ numSIDCacheLocks]; 30 * sidCacheLock sidCacheLocks[ numSIDCacheLocks];
31 * sidCacheLock keyCacheLock; 31 * sidCacheLock keyCacheLock;
32 * sidCacheLock certCacheLock; 32 * sidCacheLock certCacheLock;
33 * sidCacheSet sidCacheSets[ numSIDCacheSets ]; 33 * sidCacheSet sidCacheSets[ numSIDCacheSets ];
34 * sidCacheEntry sidCacheData[ numSIDCacheEntries]; 34 * sidCacheEntry sidCacheData[ numSIDCacheEntries];
35 * certCacheEntry certCacheData[numCertCacheEntries]; 35 * certCacheEntry certCacheData[numCertCacheEntries];
36 * SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS]; 36 * SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS];
37 * PRUint8 keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN] 37 * PRUint8 keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN]
38 * encKeyCacheEntry ticketEncKey; // Wrapped in non-bypass mode 38 * encKeyCacheEntry ticketEncKey; // Wrapped in non-bypass mode
39 * encKeyCacheEntry ticketMacKey; // Wrapped in non-bypass mode 39 * encKeyCacheEntry ticketMacKey; // Wrapped in non-bypass mode
40 * PRBool ticketKeysValid; 40 * PRBool ticketKeysValid;
41 * sidCacheLock srvNameCacheLock; 41 * sidCacheLock srvNameCacheLock;
42 * srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ]; 42 * srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ];
43 * } cacheMemCacheData; 43 * } cacheMemCacheData;
44 */ 44 */
45 #include "seccomon.h" 45 #include "seccomon.h"
46 46
47 #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS ) 47 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_OS2) || defined(XP_BEOS)
48 48
49 #include "cert.h" 49 #include "cert.h"
50 #include "ssl.h" 50 #include "ssl.h"
51 #include "sslimpl.h" 51 #include "sslimpl.h"
52 #include "sslproto.h" 52 #include "sslproto.h"
53 #include "pk11func.h" 53 #include "pk11func.h"
54 #include "base64.h" 54 #include "base64.h"
55 #include "keyhi.h" 55 #include "keyhi.h"
56 #ifdef NO_PKCS11_BYPASS 56 #ifdef NO_PKCS11_BYPASS
57 #include "blapit.h" 57 #include "blapit.h"
(...skipping 13 matching lines...) Expand all
71 #include <signal.h> 71 #include <signal.h>
72 #include "unix_err.h" 72 #include "unix_err.h"
73 73
74 #else 74 #else
75 75
76 #ifdef XP_WIN32 76 #ifdef XP_WIN32
77 #include <wtypes.h> 77 #include <wtypes.h>
78 #include "win32err.h" 78 #include "win32err.h"
79 #endif 79 #endif
80 80
81 #endif 81 #endif
82 #include <sys/types.h> 82 #include <sys/types.h>
83 83
84 #define SET_ERROR_CODE /* reminder */ 84 #define SET_ERROR_CODE /* reminder */
85 85
86 #include "nspr.h" 86 #include "nspr.h"
87 #include "sslmutex.h" 87 #include "sslmutex.h"
88 88
89 /* 89 /*
90 ** Format of a cache entry in the shared memory. 90 ** Format of a cache entry in the shared memory.
91 */ 91 */
92 struct sidCacheEntryStr { 92 struct sidCacheEntryStr {
93 /* 16 */ PRIPv6Addr addr;» /* client's IP address */ 93 /* 16 */ PRIPv6Addr addr; /* client's IP address */
94 /* 4 */ PRUint32 creationTime; 94 /* 4 */ PRUint32 creationTime;
95 /* 4 */ PRUint32 lastAccessTime;» 95 /* 4 */ PRUint32 lastAccessTime;
96 /* 4 */ PRUint32 expirationTime; 96 /* 4 */ PRUint32 expirationTime;
97 /* 2 */ PRUint16» version; 97 /* 2 */ PRUint16 version;
98 /* 1 */ PRUint8» valid; 98 /* 1 */ PRUint8 valid;
99 /* 1 */ PRUint8 sessionIDLength; 99 /* 1 */ PRUint8 sessionIDLength;
100 /* 32 */ PRUint8 sessionID[SSL3_SESSIONID_BYTES]; 100 /* 32 */ PRUint8 sessionID[SSL3_SESSIONID_BYTES];
101 /* 2 */ PRUint16 authAlgorithm; 101 /* 2 */ PRUint16 authAlgorithm;
102 /* 2 */ PRUint16 authKeyBits; 102 /* 2 */ PRUint16 authKeyBits;
103 /* 2 */ PRUint16 keaType; 103 /* 2 */ PRUint16 keaType;
104 /* 2 */ PRUint16 keaKeyBits; 104 /* 2 */ PRUint16 keaKeyBits;
105 /* 72 - common header total */ 105 /* 72 - common header total */
106 106
107 union { 107 union {
108 » struct { 108 struct {
109 /* 64 */ PRUint8» masterKey[SSL_MAX_MASTER_KEY_BYTES]; 109 /* 64 */ PRUint8 masterKey[SSL_MAX_MASTER_KEY_BYTES];
110 /* 32 */ PRUint8» cipherArg[SSL_MAX_CYPHER_ARG_BYTES]; 110 /* 32 */ PRUint8 cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
111 111
112 /* 1 */ PRUint8» cipherType; 112 /* 1 */ PRUint8 cipherType;
113 /* 1 */ PRUint8» masterKeyLen; 113 /* 1 */ PRUint8 masterKeyLen;
114 /* 1 */ PRUint8» keyBits; 114 /* 1 */ PRUint8 keyBits;
115 /* 1 */ PRUint8» secretKeyBits; 115 /* 1 */ PRUint8 secretKeyBits;
116 /* 1 */ PRUint8» cipherArgLen; 116 /* 1 */ PRUint8 cipherArgLen;
117 /*101 */} ssl2; 117 /*101 */} ssl2;
118 118
119 » struct { 119 struct {
120 /* 2 */ ssl3CipherSuite cipherSuite; 120 /* 2 */ ssl3CipherSuite cipherSuite;
121 /* 2 */ PRUint16 compression; » /* SSLCompressionMethod */ 121 /* 2 */ PRUint16 compression; /* SSLCompressionMethod */
122 122
123 /* 54 */ ssl3SidKeys keys;» /* keys, wrapped as needed. */ 123 /* 54 */ ssl3SidKeys keys; /* keys, wrapped as needed. */
124 124
125 /* 4 */ PRUint32 masterWrapMech; 125 /* 4 */ PRUint32 masterWrapMech;
126 /* 4 */ SSL3KEAType exchKeyType; 126 /* 4 */ SSL3KEAType exchKeyType;
127 /* 4 */ PRInt32 certIndex; 127 /* 4 */ PRInt32 certIndex;
128 /* 4 */ PRInt32 srvNameIndex; 128 /* 4 */ PRInt32 srvNameIndex;
129 /* 32 */ PRUint8 srvNameHash[SHA256_LENGTH]; /* SHA256 name hash */ 129 /* 32 */ PRUint8 srvNameHash[SHA256_LENGTH]; /* SHA256 name hash */
130 /*108 */} ssl3; 130 /*108 */} ssl3;
131
131 /* force sizeof(sidCacheEntry) to be a multiple of cache line size */ 132 /* force sizeof(sidCacheEntry) to be a multiple of cache line size */
132 struct { 133 struct {
133 /*120 */ PRUint8 filler[120]; /* 72+120==192, a multiple of 16 */ 134 /*120 */ PRUint8 filler[120]; /* 72+120==192, a multiple of 16 */
134 » } forceSize; 135 } forceSize;
135 } u; 136 } u;
136 }; 137 };
137 typedef struct sidCacheEntryStr sidCacheEntry; 138 typedef struct sidCacheEntryStr sidCacheEntry;
138 139
139 /* The length of this struct is supposed to be a power of 2, e.g. 4KB */ 140 /* The length of this struct is supposed to be a power of 2, e.g. 4KB */
140 struct certCacheEntryStr { 141 struct certCacheEntryStr {
141 PRUint16 certLength;» » » » /* 2 */ 142 PRUint16 certLength; /* 2 */
142 PRUint16 sessionIDLength;» » » /* 2 */ 143 PRUint16 sessionIDLength; /* 2 */
143 PRUint8 » sessionID[SSL3_SESSIONID_BYTES];» /* 32 */ 144 PRUint8 sessionID[SSL3_SESSIONID_BYTES]; /* 32 */
144 PRUint8 » cert[SSL_MAX_CACHED_CERT_LEN];» » /* 4060 */ 145 PRUint8 cert[SSL_MAX_CACHED_CERT_LEN]; /* 4060 */
145 };» » » » » » /* total 4096 */ 146 }; /* total 4096 */
146 typedef struct certCacheEntryStr certCacheEntry; 147 typedef struct certCacheEntryStr certCacheEntry;
147 148
148 struct sidCacheLockStr { 149 struct sidCacheLockStr {
149 PRUint32» timeStamp; 150 PRUint32 timeStamp;
150 sslMutex» mutex; 151 sslMutex mutex;
151 sslPID» pid; 152 sslPID pid;
152 }; 153 };
153 typedef struct sidCacheLockStr sidCacheLock; 154 typedef struct sidCacheLockStr sidCacheLock;
154 155
155 struct sidCacheSetStr { 156 struct sidCacheSetStr {
156 PRIntn» next; 157 PRIntn next;
157 }; 158 };
158 typedef struct sidCacheSetStr sidCacheSet; 159 typedef struct sidCacheSetStr sidCacheSet;
159 160
160 struct encKeyCacheEntryStr { 161 struct encKeyCacheEntryStr {
161 PRUint8» bytes[512]; 162 PRUint8 bytes[512];
162 PRInt32» length; 163 PRInt32 length;
163 }; 164 };
164 typedef struct encKeyCacheEntryStr encKeyCacheEntry; 165 typedef struct encKeyCacheEntryStr encKeyCacheEntry;
165 166
166 #define SSL_MAX_DNS_HOST_NAME 1024 167 #define SSL_MAX_DNS_HOST_NAME 1024
167 168
168 struct srvNameCacheEntryStr { 169 struct srvNameCacheEntryStr {
169 PRUint16 type; /* 2 */ 170 PRUint16 type; /* 2 */
170 PRUint16 nameLen; /* 2 */ 171 PRUint16 nameLen; /* 2 */
171 PRUint8» name[SSL_MAX_DNS_HOST_NAME + 12]; /* 1034 */ 172 PRUint8 name[SSL_MAX_DNS_HOST_NAME + 12]; /* 1034 */
172 PRUint8 » nameHash[SHA256_LENGTH]; /* 32 */ 173 PRUint8 nameHash[SHA256_LENGTH]; /* 32 */
173 /* 1072 */ 174 /* 1072 */
174 }; 175 };
175 typedef struct srvNameCacheEntryStr srvNameCacheEntry; 176 typedef struct srvNameCacheEntryStr srvNameCacheEntry;
176 177
177
178 struct cacheDescStr { 178 struct cacheDescStr {
179 179
180 PRUint32 cacheMemSize; 180 PRUint32 cacheMemSize;
181 181
182 PRUint32» » numSIDCacheLocks; 182 PRUint32 numSIDCacheLocks;
183 PRUint32» » numSIDCacheSets; 183 PRUint32 numSIDCacheSets;
184 PRUint32» » numSIDCacheSetsPerLock; 184 PRUint32 numSIDCacheSetsPerLock;
185 185
186 PRUint32 numSIDCacheEntries; 186 PRUint32 numSIDCacheEntries;
187 PRUint32 sidCacheSize; 187 PRUint32 sidCacheSize;
188 188
189 PRUint32 numCertCacheEntries; 189 PRUint32 numCertCacheEntries;
190 PRUint32 certCacheSize; 190 PRUint32 certCacheSize;
191 191
192 PRUint32 numKeyCacheEntries; 192 PRUint32 numKeyCacheEntries;
193 PRUint32 keyCacheSize; 193 PRUint32 keyCacheSize;
194 194
195 PRUint32 numSrvNameCacheEntries; 195 PRUint32 numSrvNameCacheEntries;
196 PRUint32 srvNameCacheSize; 196 PRUint32 srvNameCacheSize;
197 197
198 PRUint32» » ssl2Timeout; 198 PRUint32 ssl2Timeout;
199 PRUint32» » ssl3Timeout; 199 PRUint32 ssl3Timeout;
200 200
201 PRUint32 numSIDCacheLocksInitialized; 201 PRUint32 numSIDCacheLocksInitialized;
202 202
203 /* These values are volatile, and are accessed through sharedCache-> */ 203 /* These values are volatile, and are accessed through sharedCache-> */
204 PRUint32» » nextCertCacheEntry;» /* certCacheLock protects */ 204 PRUint32 nextCertCacheEntry; /* certCacheLock protects */
205 PRBool » stopPolling; 205 PRBool stopPolling;
206 PRBool» » everInherited; 206 PRBool everInherited;
207 207
208 /* The private copies of these values are pointers into shared mem */ 208 /* The private copies of these values are pointers into shared mem */
209 /* The copies of these values in shared memory are merely offsets */ 209 /* The copies of these values in shared memory are merely offsets */
210 sidCacheLock * sidCacheLocks; 210 sidCacheLock *sidCacheLocks;
211 sidCacheLock * keyCacheLock; 211 sidCacheLock *keyCacheLock;
212 sidCacheLock * certCacheLock; 212 sidCacheLock *certCacheLock;
213 sidCacheLock * srvNameCacheLock; 213 sidCacheLock *srvNameCacheLock;
214 sidCacheSet * sidCacheSets; 214 sidCacheSet *sidCacheSets;
215 sidCacheEntry * sidCacheData; 215 sidCacheEntry *sidCacheData;
216 certCacheEntry * certCacheData; 216 certCacheEntry *certCacheData;
217 SSLWrappedSymWrappingKey * keyCacheData; 217 SSLWrappedSymWrappingKey *keyCacheData;
218 PRUint8 * ticketKeyNameSuffix; 218 PRUint8 *ticketKeyNameSuffix;
219 encKeyCacheEntry * ticketEncKey; 219 encKeyCacheEntry *ticketEncKey;
220 encKeyCacheEntry * ticketMacKey; 220 encKeyCacheEntry *ticketMacKey;
221 PRUint32 * ticketKeysValid; 221 PRUint32 *ticketKeysValid;
222 srvNameCacheEntry * srvNameCacheData; 222 srvNameCacheEntry *srvNameCacheData;
223 223
224 /* Only the private copies of these pointers are valid */ 224 /* Only the private copies of these pointers are valid */
225 char * cacheMem; 225 char *cacheMem;
226 struct cacheDescStr * sharedCache; /* shared copy of this struct */ 226 struct cacheDescStr *sharedCache; /* shared copy of this struct */
227 PRFileMap * cacheMemMap; 227 PRFileMap *cacheMemMap;
228 PRThread * poller; 228 PRThread *poller;
229 PRUint32 mutexTimeout; 229 PRUint32 mutexTimeout;
230 PRBool shared; 230 PRBool shared;
231 }; 231 };
232 typedef struct cacheDescStr cacheDesc; 232 typedef struct cacheDescStr cacheDesc;
233 233
234 static cacheDesc globalCache; 234 static cacheDesc globalCache;
235 235
236 static const char envVarName[] = { SSL_ENV_VAR_NAME }; 236 static const char envVarName[] = { SSL_ENV_VAR_NAME };
237 237
238 static PRBool isMultiProcess = PR_FALSE; 238 static PRBool isMultiProcess = PR_FALSE;
239 239
240 240 #define DEF_SID_CACHE_ENTRIES 10000
241 #define DEF_SID_CACHE_ENTRIES 10000
242 #define DEF_CERT_CACHE_ENTRIES 250 241 #define DEF_CERT_CACHE_ENTRIES 250
243 #define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */ 242 #define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
244 #define DEF_KEY_CACHE_ENTRIES 250 243 #define DEF_KEY_CACHE_ENTRIES 250
245 #define DEF_NAME_CACHE_ENTRIES 1000 244 #define DEF_NAME_CACHE_ENTRIES 1000
246 245
247 #define SID_CACHE_ENTRIES_PER_SET 128 246 #define SID_CACHE_ENTRIES_PER_SET 128
248 #define SID_ALIGNMENT 16 247 #define SID_ALIGNMENT 16
249 248
250 #define DEF_SSL2_TIMEOUT» 100 /* seconds */ 249 #define DEF_SSL2_TIMEOUT 100 /* seconds */
251 #define MAX_SSL2_TIMEOUT» 100 /* seconds */ 250 #define MAX_SSL2_TIMEOUT 100 /* seconds */
252 #define MIN_SSL2_TIMEOUT» 5 /* seconds */ 251 #define MIN_SSL2_TIMEOUT 5 /* seconds */
253 252
254 #define DEF_SSL3_TIMEOUT 86400L /* 24 hours */ 253 #define DEF_SSL3_TIMEOUT 86400L /* 24 hours */
255 #define MAX_SSL3_TIMEOUT 86400L /* 24 hours */ 254 #define MAX_SSL3_TIMEOUT 86400L /* 24 hours */
256 #define MIN_SSL3_TIMEOUT 5 /* seconds */ 255 #define MIN_SSL3_TIMEOUT 5 /* seconds */
257 256
258 #if defined(AIX) || defined(LINUX) || defined(NETBSD) || defined(OPENBSD) 257 #if defined(AIX) || defined(LINUX) || defined(NETBSD) || defined(OPENBSD)
259 #define MAX_SID_CACHE_LOCKS 8» /* two FDs per lock */ 258 #define MAX_SID_CACHE_LOCKS 8 /* two FDs per lock */
260 #elif defined(OSF1) 259 #elif defined(OSF1)
261 #define MAX_SID_CACHE_LOCKS 16» /* one FD per lock */ 260 #define MAX_SID_CACHE_LOCKS 16 /* one FD per lock */
262 #else 261 #else
263 #define MAX_SID_CACHE_LOCKS 256 262 #define MAX_SID_CACHE_LOCKS 256
264 #endif 263 #endif
265 264
266 #define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size)) 265 #define SID_HOWMANY(val, size) (((val) + ((size)-1)) / (size))
267 #define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size))) 266 #define SID_ROUNDUP(val, size) ((size)*SID_HOWMANY((val), (size)))
268
269 267
270 static sslPID myPid; 268 static sslPID myPid;
271 static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS; 269 static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
272 270
273 /* forward static function declarations */ 271 /* forward static function declarations */
274 static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, 272 static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s,
275 unsigned nl); 273 unsigned nl);
276 static SECStatus LaunchLockPoller(cacheDesc *cache); 274 static SECStatus LaunchLockPoller(cacheDesc *cache);
277 static SECStatus StopLockPoller(cacheDesc *cache); 275 static SECStatus StopLockPoller(cacheDesc *cache);
278 276
279
280 struct inheritanceStr { 277 struct inheritanceStr {
281 PRUint32 cacheMemSize; 278 PRUint32 cacheMemSize;
282 PRUint32 fmStrLen; 279 PRUint32 fmStrLen;
283 }; 280 };
284 281
285 typedef struct inheritanceStr inheritance; 282 typedef struct inheritanceStr inheritance;
286 283
287 #if defined(_WIN32) || defined(XP_OS2) 284 #if defined(_WIN32) || defined(XP_OS2)
288 285
289 #define DEFAULT_CACHE_DIRECTORY "\\temp" 286 #define DEFAULT_CACHE_DIRECTORY "\\temp"
290 287
291 #endif /* _win32 */ 288 #endif /* _win32 */
292 289
293 #if defined(XP_UNIX) || defined(XP_BEOS) 290 #if defined(XP_UNIX) || defined(XP_BEOS)
294 291
295 #define DEFAULT_CACHE_DIRECTORY "/tmp" 292 #define DEFAULT_CACHE_DIRECTORY "/tmp"
296 293
297 #endif /* XP_UNIX || XP_BEOS */ 294 #endif /* XP_UNIX || XP_BEOS */
298 295
299
300 /************************************************************************/ 296 /************************************************************************/
301 297
302 static PRUint32 298 static PRUint32
303 LockSidCacheLock(sidCacheLock *lock, PRUint32 now) 299 LockSidCacheLock(sidCacheLock *lock, PRUint32 now)
304 { 300 {
305 SECStatus rv = sslMutex_Lock(&lock->mutex); 301 SECStatus rv = sslMutex_Lock(&lock->mutex);
306 if (rv != SECSuccess) 302 if (rv != SECSuccess)
307 » return 0; 303 return 0;
308 if (!now) 304 if (!now)
309 » now = ssl_Time(); 305 now = ssl_Time();
310 lock->timeStamp = now; 306 lock->timeStamp = now;
311 lock->pid = myPid; 307 lock->pid = myPid;
312 return now; 308 return now;
313 } 309 }
314 310
315 static SECStatus 311 static SECStatus
316 UnlockSidCacheLock(sidCacheLock *lock) 312 UnlockSidCacheLock(sidCacheLock *lock)
317 { 313 {
318 SECStatus rv; 314 SECStatus rv;
319 315
320 lock->pid = 0; 316 lock->pid = 0;
321 rv = sslMutex_Unlock(&lock->mutex); 317 rv = sslMutex_Unlock(&lock->mutex);
322 return rv; 318 return rv;
323 } 319 }
324 320
325 /* returns the value of ssl_Time on success, zero on failure. */ 321 /* returns the value of ssl_Time on success, zero on failure. */
326 static PRUint32 322 static PRUint32
327 LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now) 323 LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now)
328 { 324 {
329 PRUint32 lockNum = set % cache->numSIDCacheLocks; 325 PRUint32 lockNum = set % cache->numSIDCacheLocks;
330 sidCacheLock * lock = cache->sidCacheLocks + lockNum; 326 sidCacheLock *lock = cache->sidCacheLocks + lockNum;
331 327
332 return LockSidCacheLock(lock, now); 328 return LockSidCacheLock(lock, now);
333 } 329 }
334 330
335 static SECStatus 331 static SECStatus
336 UnlockSet(cacheDesc *cache, PRUint32 set) 332 UnlockSet(cacheDesc *cache, PRUint32 set)
337 { 333 {
338 PRUint32 lockNum = set % cache->numSIDCacheLocks; 334 PRUint32 lockNum = set % cache->numSIDCacheLocks;
339 sidCacheLock * lock = cache->sidCacheLocks + lockNum; 335 sidCacheLock *lock = cache->sidCacheLocks + lockNum;
340 336
341 return UnlockSidCacheLock(lock); 337 return UnlockSidCacheLock(lock);
342 } 338 }
343 339
344 /************************************************************************/ 340 /************************************************************************/
345 341
346
347 /* Put a certificate in the cache. Update the cert index in the sce. 342 /* Put a certificate in the cache. Update the cert index in the sce.
348 */ 343 */
349 static PRUint32 344 static PRUint32
350 CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce) 345 CacheCert(cacheDesc *cache, CERTCertificate *cert, sidCacheEntry *sce)
351 { 346 {
352 PRUint32 now; 347 PRUint32 now;
353 certCacheEntry cce; 348 certCacheEntry cce;
354 349
355 if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) || 350 if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) ||
356 (cert->derCert.len <= 0) || 351 (cert->derCert.len <= 0) ||
357 » (cert->derCert.data == NULL)) { 352 (cert->derCert.data == NULL)) {
358 » PORT_SetError(SEC_ERROR_INVALID_ARGS); 353 PORT_SetError(SEC_ERROR_INVALID_ARGS);
359 » return 0; 354 return 0;
360 } 355 }
361 356
362 cce.sessionIDLength = sce->sessionIDLength; 357 cce.sessionIDLength = sce->sessionIDLength;
363 PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength); 358 PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength);
364 359
365 cce.certLength = cert->derCert.len; 360 cce.certLength = cert->derCert.len;
366 PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength); 361 PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
367 362
368 /* get lock on cert cache */ 363 /* get lock on cert cache */
369 now = LockSidCacheLock(cache->certCacheLock, 0); 364 now = LockSidCacheLock(cache->certCacheLock, 0);
370 if (now) { 365 if (now) {
371 366
372 » /* Find where to place the next cert cache entry. */ 367 /* Find where to place the next cert cache entry. */
373 » cacheDesc * sharedCache = cache->sharedCache; 368 cacheDesc *sharedCache = cache->sharedCache;
374 » PRUint32 ndx = sharedCache->nextCertCacheEntry; 369 PRUint32 ndx = sharedCache->nextCertCacheEntry;
375 370
376 » /* write the entry */ 371 /* write the entry */
377 » cache->certCacheData[ndx] = cce; 372 cache->certCacheData[ndx] = cce;
378 373
379 » /* remember where we put it. */ 374 /* remember where we put it. */
380 » sce->u.ssl3.certIndex = ndx; 375 sce->u.ssl3.certIndex = ndx;
381 376
382 » /* update the "next" cache entry index */ 377 /* update the "next" cache entry index */
383 » sharedCache->nextCertCacheEntry = 378 sharedCache->nextCertCacheEntry =
384 » » » » » (ndx + 1) % cache->numCertCacheEntries; 379 (ndx + 1) % cache->numCertCacheEntries;
385 380
386 » UnlockSidCacheLock(cache->certCacheLock); 381 UnlockSidCacheLock(cache->certCacheLock);
387 } 382 }
388 return now; 383 return now;
389
390 } 384 }
391 385
392 /* Server configuration hash tables need to account the SECITEM.type 386 /* Server configuration hash tables need to account the SECITEM.type
393 * field as well. These functions accomplish that. */ 387 * field as well. These functions accomplish that. */
394 static PLHashNumber 388 static PLHashNumber
395 Get32BitNameHash(const SECItem *name) 389 Get32BitNameHash(const SECItem *name)
396 { 390 {
397 PLHashNumber rv = SECITEM_Hash(name); 391 PLHashNumber rv = SECITEM_Hash(name);
398 392
399 PRUint8 *rvc = (PRUint8 *)&rv; 393 PRUint8 *rvc = (PRUint8 *)&rv;
400 rvc[ name->len % sizeof(rv) ] ^= name->type; 394 rvc[name->len % sizeof(rv)] ^= name->type;
401 395
402 return rv; 396 return rv;
403 } 397 }
404 398
405 /* Put a name in the cache. Update the cert index in the sce. 399 /* Put a name in the cache. Update the cert index in the sce.
406 */ 400 */
407 static PRUint32 401 static PRUint32
408 CacheSrvName(cacheDesc * cache, SECItem *name, sidCacheEntry *sce) 402 CacheSrvName(cacheDesc *cache, SECItem *name, sidCacheEntry *sce)
409 { 403 {
410 PRUint32 now; 404 PRUint32 now;
411 PRUint32 ndx; 405 PRUint32 ndx;
412 srvNameCacheEntry snce; 406 srvNameCacheEntry snce;
413 407
414 if (!name || name->len <= 0 || 408 if (!name || name->len <= 0 ||
415 name->len > SSL_MAX_DNS_HOST_NAME) { 409 name->len > SSL_MAX_DNS_HOST_NAME) {
416 » PORT_SetError(SEC_ERROR_INVALID_ARGS); 410 PORT_SetError(SEC_ERROR_INVALID_ARGS);
417 » return 0; 411 return 0;
418 } 412 }
419 413
420 snce.type = name->type; 414 snce.type = name->type;
421 snce.nameLen = name->len; 415 snce.nameLen = name->len;
422 PORT_Memcpy(snce.name, name->data, snce.nameLen); 416 PORT_Memcpy(snce.name, name->data, snce.nameLen);
423 #ifdef NO_PKCS11_BYPASS 417 #ifdef NO_PKCS11_BYPASS
424 HASH_HashBuf(HASH_AlgSHA256, snce.nameHash, name->data, name->len); 418 HASH_HashBuf(HASH_AlgSHA256, snce.nameHash, name->data, name->len);
425 #else 419 #else
426 SHA256_HashBuf(snce.nameHash, (unsigned char*)name->data, 420 SHA256_HashBuf(snce.nameHash, (unsigned char *)name->data,
427 name->len); 421 name->len);
428 #endif 422 #endif
429 /* get index of the next name */ 423 /* get index of the next name */
430 ndx = Get32BitNameHash(name); 424 ndx = Get32BitNameHash(name);
431 /* get lock on cert cache */ 425 /* get lock on cert cache */
432 now = LockSidCacheLock(cache->srvNameCacheLock, 0); 426 now = LockSidCacheLock(cache->srvNameCacheLock, 0);
433 if (now) { 427 if (now) {
434 if (cache->numSrvNameCacheEntries > 0) { 428 if (cache->numSrvNameCacheEntries > 0) {
435 /* Fit the index into array */ 429 /* Fit the index into array */
436 ndx %= cache->numSrvNameCacheEntries; 430 ndx %= cache->numSrvNameCacheEntries;
437 /* write the entry */ 431 /* write the entry */
438 cache->srvNameCacheData[ndx] = snce; 432 cache->srvNameCacheData[ndx] = snce;
439 /* remember where we put it. */ 433 /* remember where we put it. */
440 sce->u.ssl3.srvNameIndex = ndx; 434 sce->u.ssl3.srvNameIndex = ndx;
441 /* Copy hash into sid hash */ 435 /* Copy hash into sid hash */
442 PORT_Memcpy(sce->u.ssl3.srvNameHash, snce.nameHash, SHA256_LENGTH); 436 PORT_Memcpy(sce->u.ssl3.srvNameHash, snce.nameHash, SHA256_LENGTH);
443 } 437 }
444 » UnlockSidCacheLock(cache->srvNameCacheLock); 438 UnlockSidCacheLock(cache->srvNameCacheLock);
445 } 439 }
446 return now; 440 return now;
447 } 441 }
448 442
449 /* 443 /*
450 ** Convert local SID to shared memory one 444 ** Convert local SID to shared memory one
451 */ 445 */
452 static void 446 static void
453 ConvertFromSID(sidCacheEntry *to, sslSessionID *from) 447 ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
454 { 448 {
455 to->valid = 1; 449 to->valid = 1;
456 to->version = from->version; 450 to->version = from->version;
457 to->addr = from->addr; 451 to->addr = from->addr;
458 to->creationTime = from->creationTime; 452 to->creationTime = from->creationTime;
459 to->lastAccessTime = from->lastAccessTime; 453 to->lastAccessTime = from->lastAccessTime;
460 to->expirationTime = from->expirationTime; 454 to->expirationTime = from->expirationTime;
461 to->authAlgorithm» = from->authAlgorithm; 455 to->authAlgorithm = from->authAlgorithm;
462 to->authKeyBits» = from->authKeyBits; 456 to->authKeyBits = from->authKeyBits;
463 to->keaType»» = from->keaType; 457 to->keaType = from->keaType;
464 to->keaKeyBits» = from->keaKeyBits; 458 to->keaKeyBits = from->keaKeyBits;
465 459
466 if (from->version < SSL_LIBRARY_VERSION_3_0) { 460 if (from->version < SSL_LIBRARY_VERSION_3_0) {
467 » if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) || 461 if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
468 » (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) { 462 (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) {
469 » SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d", 463 SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
470 » » myPid, from->u.ssl2.masterKey.len, 464 myPid, from->u.ssl2.masterKey.len,
471 » » from->u.ssl2.cipherArg.len)); 465 from->u.ssl2.cipherArg.len));
472 » to->valid = 0; 466 to->valid = 0;
473 » return; 467 return;
474 » } 468 }
475 469
476 » to->u.ssl2.cipherType = from->u.ssl2.cipherType; 470 to->u.ssl2.cipherType = from->u.ssl2.cipherType;
477 » to->u.ssl2.masterKeyLen = from->u.ssl2.masterKey.len; 471 to->u.ssl2.masterKeyLen = from->u.ssl2.masterKey.len;
478 » to->u.ssl2.cipherArgLen = from->u.ssl2.cipherArg.len; 472 to->u.ssl2.cipherArgLen = from->u.ssl2.cipherArg.len;
479 » to->u.ssl2.keyBits = from->u.ssl2.keyBits; 473 to->u.ssl2.keyBits = from->u.ssl2.keyBits;
480 » to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits; 474 to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
481 » to->sessionIDLength = SSL2_SESSIONID_BYTES; 475 to->sessionIDLength = SSL2_SESSIONID_BYTES;
482 » PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES) ; 476 PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES) ;
483 » PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data, 477 PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
484 » » from->u.ssl2.masterKey.len); 478 from->u.ssl2.masterKey.len);
485 » PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data, 479 PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
486 » » from->u.ssl2.cipherArg.len); 480 from->u.ssl2.cipherArg.len);
487 #ifdef DEBUG 481 #ifdef DEBUG
488 » PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0, 482 PORT_Memset(to->u.ssl2.masterKey + from->u.ssl2.masterKey.len, 0,
489 » » sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len); 483 sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len);
490 » PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0, 484 PORT_Memset(to->u.ssl2.cipherArg + from->u.ssl2.cipherArg.len, 0,
491 » » sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len); 485 sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
492 #endif 486 #endif
493 » SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d " 487 SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
494 » » "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid, 488 "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
495 » » to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen, 489 myPid,
496 » » to->creationTime, to->addr.pr_s6_addr32[0], 490 to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
497 » » to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2], 491 to->creationTime, to->addr.pr_s6_addr32[0],
498 » » to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType)); 492 to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
493 to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
499 } else { 494 } else {
500 » /* This is an SSL v3 session */ 495 /* This is an SSL v3 session */
501 496
502 » to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; 497 to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
503 » to->u.ssl3.compression = (PRUint16)from->u.ssl3.compression; 498 to->u.ssl3.compression = (PRUint16)from->u.ssl3.compression;
504 » to->u.ssl3.keys = from->u.ssl3.keys; 499 to->u.ssl3.keys = from->u.ssl3.keys;
505 » to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; 500 to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
506 » to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; 501 to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
507 » to->sessionIDLength = from->u.ssl3.sessionIDLength; 502 to->sessionIDLength = from->u.ssl3.sessionIDLength;
508 » to->u.ssl3.certIndex = -1; 503 to->u.ssl3.certIndex = -1;
509 » to->u.ssl3.srvNameIndex = -1; 504 to->u.ssl3.srvNameIndex = -1;
510 » PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID, 505 PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID,
511 » » to->sessionIDLength); 506 to->sessionIDLength);
512 507
513 » SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x " 508 SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
514 » "cipherSuite=%d", 509 "cipherSuite=%d",
515 » » myPid, to->creationTime, to->addr.pr_s6_addr32[0], 510 myPid, to->creationTime, to->addr.pr_s6_addr32[0],
516 » » to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2], 511 to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
517 » » to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite)); 512 to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
518 } 513 }
519 } 514 }
520 515
521 /* 516 /*
522 ** Convert shared memory cache-entry to local memory based one 517 ** Convert shared memory cache-entry to local memory based one
523 ** This is only called from ServerSessionIDLookup(). 518 ** This is only called from ServerSessionIDLookup().
524 */ 519 */
525 static sslSessionID * 520 static sslSessionID *
526 ConvertToSID(sidCacheEntry * from, 521 ConvertToSID(sidCacheEntry *from,
527 certCacheEntry * pcce, 522 certCacheEntry *pcce,
528 srvNameCacheEntry *psnce, 523 srvNameCacheEntry *psnce,
529 CERTCertDBHandle * dbHandle) 524 CERTCertDBHandle *dbHandle)
530 { 525 {
531 sslSessionID *to; 526 sslSessionID *to;
532 PRUint16 version = from->version; 527 PRUint16 version = from->version;
533 528
534 to = PORT_ZNew(sslSessionID); 529 to = PORT_ZNew(sslSessionID);
535 if (!to) { 530 if (!to) {
536 » return 0; 531 return 0;
537 } 532 }
538 533
539 if (version < SSL_LIBRARY_VERSION_3_0) { 534 if (version < SSL_LIBRARY_VERSION_3_0) {
540 » /* This is an SSL v2 session */ 535 /* This is an SSL v2 session */
541 » to->u.ssl2.masterKey.data = 536 to->u.ssl2.masterKey.data =
542 » (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen); 537 (unsigned char *)PORT_Alloc(from->u.ssl2.masterKeyLen);
543 » if (!to->u.ssl2.masterKey.data) { 538 if (!to->u.ssl2.masterKey.data) {
544 » goto loser; 539 goto loser;
545 » } 540 }
546 » if (from->u.ssl2.cipherArgLen) { 541 if (from->u.ssl2.cipherArgLen) {
547 » to->u.ssl2.cipherArg.data = 542 to->u.ssl2.cipherArg.data =
548 » » (unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen); 543 (unsigned char *)PORT_Alloc(from->u.ssl2.cipherArgLen);
549 » if (!to->u.ssl2.cipherArg.data) { 544 if (!to->u.ssl2.cipherArg.data) {
550 » » goto loser; 545 goto loser;
551 » } 546 }
552 » PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg, 547 PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
553 » » from->u.ssl2.cipherArgLen); 548 from->u.ssl2.cipherArgLen);
554 » } 549 }
555 550
556 » to->u.ssl2.cipherType = from->u.ssl2.cipherType; 551 to->u.ssl2.cipherType = from->u.ssl2.cipherType;
557 » to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen; 552 to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen;
558 » to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen; 553 to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
559 » to->u.ssl2.keyBits = from->u.ssl2.keyBits; 554 to->u.ssl2.keyBits = from->u.ssl2.keyBits;
560 » to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits; 555 to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
561 /*» to->sessionIDLength = SSL2_SESSIONID_BYTES; */ 556 /* to->sessionIDLength = SSL2_SESSIONID_BYTES; */
562 » PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES) ; 557 PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES) ;
563 » PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey, 558 PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
564 » » from->u.ssl2.masterKeyLen); 559 from->u.ssl2.masterKeyLen);
565 560
566 » SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d " 561 SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
567 » » "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", 562 "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
568 » » myPid, to->u.ssl2.masterKey.len, 563 myPid, to->u.ssl2.masterKey.len,
569 » » to->u.ssl2.cipherArg.len, to->creationTime, 564 to->u.ssl2.cipherArg.len, to->creationTime,
570 » » to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1], 565 to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
571 » » to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3], 566 to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
572 » » to->u.ssl2.cipherType)); 567 to->u.ssl2.cipherType));
573 } else { 568 } else {
574 » /* This is an SSL v3 session */ 569 /* This is an SSL v3 session */
575 570
576 » to->u.ssl3.sessionIDLength = from->sessionIDLength; 571 to->u.ssl3.sessionIDLength = from->sessionIDLength;
577 » to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; 572 to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite;
578 » to->u.ssl3.compression = (SSLCompressionMethod)from->u.ssl3.compres sion; 573 to->u.ssl3.compression = (SSLCompressionMethod)from->u.ssl3.compression;
579 » to->u.ssl3.keys = from->u.ssl3.keys; 574 to->u.ssl3.keys = from->u.ssl3.keys;
580 » to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; 575 to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech;
581 » to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; 576 to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType;
582 » if (from->u.ssl3.srvNameIndex != -1 && psnce) { 577 if (from->u.ssl3.srvNameIndex != -1 && psnce) {
583 SECItem name; 578 SECItem name;
584 SECStatus rv; 579 SECStatus rv;
585 name.type = psnce->type; 580 name.type = psnce->type;
586 name.len = psnce->nameLen; 581 name.len = psnce->nameLen;
587 name.data = psnce->name; 582 name.data = psnce->name;
588 rv = SECITEM_CopyItem(NULL, &to->u.ssl3.srvName, &name); 583 rv = SECITEM_CopyItem(NULL, &to->u.ssl3.srvName, &name);
589 if (rv != SECSuccess) { 584 if (rv != SECSuccess) {
590 goto loser; 585 goto loser;
591 } 586 }
592 } 587 }
593 588
594 » PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength ); 589 PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength );
595 590
596 » /* the portions of the SID that are only restored on the client 591 /* the portions of the SID that are only restored on the client
597 » * are set to invalid values on the server. 592 * are set to invalid values on the server.
598 » */ 593 */
599 » to->u.ssl3.clientWriteKey = NULL; 594 to->u.ssl3.clientWriteKey = NULL;
600 » to->u.ssl3.serverWriteKey = NULL; 595 to->u.ssl3.serverWriteKey = NULL;
601 596
602 » to->urlSvrName = NULL; 597 to->urlSvrName = NULL;
603 598
604 » to->u.ssl3.masterModuleID = (SECMODModuleID)-1; /* invalid value */ 599 to->u.ssl3.masterModuleID = (SECMODModuleID)-1; /* invalid value */
605 » to->u.ssl3.masterSlotID = (CK_SLOT_ID)-1; /* invalid value */ 600 to->u.ssl3.masterSlotID = (CK_SLOT_ID)-1; /* invalid value */
606 » to->u.ssl3.masterWrapIndex = 0; 601 to->u.ssl3.masterWrapIndex = 0;
607 » to->u.ssl3.masterWrapSeries = 0; 602 to->u.ssl3.masterWrapSeries = 0;
608 » to->u.ssl3.masterValid = PR_FALSE; 603 to->u.ssl3.masterValid = PR_FALSE;
609 604
610 » to->u.ssl3.clAuthModuleID = (SECMODModuleID)-1; /* invalid value */ 605 to->u.ssl3.clAuthModuleID = (SECMODModuleID)-1; /* invalid value */
611 » to->u.ssl3.clAuthSlotID = (CK_SLOT_ID)-1; /* invalid value */ 606 to->u.ssl3.clAuthSlotID = (CK_SLOT_ID)-1; /* invalid value */
612 » to->u.ssl3.clAuthSeries = 0; 607 to->u.ssl3.clAuthSeries = 0;
613 » to->u.ssl3.clAuthValid = PR_FALSE; 608 to->u.ssl3.clAuthValid = PR_FALSE;
614 609
615 » if (from->u.ssl3.certIndex != -1 && pcce) { 610 if (from->u.ssl3.certIndex != -1 && pcce) {
616 » SECItem derCert; 611 SECItem derCert;
617 612
618 » derCert.len = pcce->certLength; 613 derCert.len = pcce->certLength;
619 » derCert.data = pcce->cert; 614 derCert.data = pcce->cert;
620 615
621 » to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL, 616 to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
622 » » » » » PR_FALSE, PR_TRUE); 617 PR_FALSE, PR_TRUE);
623 » if (to->peerCert == NULL) 618 if (to->peerCert == NULL)
624 » » goto loser; 619 goto loser;
625 » } 620 }
626 } 621 }
627 622
628 to->version = from->version; 623 to->version = from->version;
629 to->creationTime = from->creationTime; 624 to->creationTime = from->creationTime;
630 to->lastAccessTime = from->lastAccessTime; 625 to->lastAccessTime = from->lastAccessTime;
631 to->expirationTime = from->expirationTime; 626 to->expirationTime = from->expirationTime;
632 to->cached = in_server_cache; 627 to->cached = in_server_cache;
633 to->addr = from->addr; 628 to->addr = from->addr;
634 to->references = 1; 629 to->references = 1;
635 to->authAlgorithm» = from->authAlgorithm; 630 to->authAlgorithm = from->authAlgorithm;
636 to->authKeyBits» = from->authKeyBits; 631 to->authKeyBits = from->authKeyBits;
637 to->keaType»» = from->keaType; 632 to->keaType = from->keaType;
638 to->keaKeyBits» = from->keaKeyBits; 633 to->keaKeyBits = from->keaKeyBits;
639 634
640 return to; 635 return to;
641 636
642 loser: 637 loser:
643 if (to) { 638 if (to) {
644 » if (version < SSL_LIBRARY_VERSION_3_0) { 639 if (version < SSL_LIBRARY_VERSION_3_0) {
645 » if (to->u.ssl2.masterKey.data) 640 if (to->u.ssl2.masterKey.data)
646 » » PORT_Free(to->u.ssl2.masterKey.data); 641 PORT_Free(to->u.ssl2.masterKey.data);
647 » if (to->u.ssl2.cipherArg.data) 642 if (to->u.ssl2.cipherArg.data)
648 » » PORT_Free(to->u.ssl2.cipherArg.data); 643 PORT_Free(to->u.ssl2.cipherArg.data);
649 » } else { 644 } else {
650 SECITEM_FreeItem(&to->u.ssl3.srvName, PR_FALSE); 645 SECITEM_FreeItem(&to->u.ssl3.srvName, PR_FALSE);
651 } 646 }
652 » PORT_Free(to); 647 PORT_Free(to);
653 } 648 }
654 return NULL; 649 return NULL;
655 } 650 }
656 651
657
658
659 /* 652 /*
660 ** Perform some mumbo jumbo on the ip-address and the session-id value to 653 ** Perform some mumbo jumbo on the ip-address and the session-id value to
661 ** compute a hash value. 654 ** compute a hash value.
662 */ 655 */
663 static PRUint32 656 static PRUint32
664 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl) 657 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
665 { 658 {
666 PRUint32 rv; 659 PRUint32 rv;
667 PRUint32 x[8]; 660 PRUint32 x[8];
668 661
669 memset(x, 0, sizeof x); 662 memset(x, 0, sizeof x);
670 if (nl > sizeof x) 663 if (nl > sizeof x)
671 » nl = sizeof x; 664 nl = sizeof x;
672 memcpy(x, s, nl); 665 memcpy(x, s, nl);
673 666
674 rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^ 667 rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
675 » addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^ 668 addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
676 x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7]) 669 x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7]) %
677 » % cache->numSIDCacheSets; 670 cache->numSIDCacheSets;
678 return rv; 671 return rv;
679 } 672 }
680 673
681
682
683 /* 674 /*
684 ** Look something up in the cache. This will invalidate old entries 675 ** Look something up in the cache. This will invalidate old entries
685 ** in the process. Caller has locked the cache set! 676 ** in the process. Caller has locked the cache set!
686 ** Returns PR_TRUE if found a valid match. PR_FALSE otherwise. 677 ** Returns PR_TRUE if found a valid match. PR_FALSE otherwise.
687 */ 678 */
688 static sidCacheEntry * 679 static sidCacheEntry *
689 FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now, 680 FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
690 const PRIPv6Addr *addr, unsigned char *sessionID, 681 const PRIPv6Addr *addr, unsigned char *sessionID,
691 » unsigned sessionIDLength) 682 unsigned sessionIDLength)
692 { 683 {
693 PRUint32 ndx = cache->sidCacheSets[setNum].next; 684 PRUint32 ndx = cache->sidCacheSets[setNum].next;
694 int i; 685 int i;
695 686
696 sidCacheEntry * set = cache->sidCacheData + 687 sidCacheEntry *set = cache->sidCacheData +
697 » » » (setNum * SID_CACHE_ENTRIES_PER_SET); 688 (setNum * SID_CACHE_ENTRIES_PER_SET);
698 689
699 for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) { 690 for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) {
700 » sidCacheEntry * sce; 691 sidCacheEntry *sce;
701 692
702 » ndx = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET; 693 ndx = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET;
703 » sce = set + ndx; 694 sce = set + ndx;
704 695
705 » if (!sce->valid) 696 if (!sce->valid)
706 » continue; 697 continue;
707 698
708 » if (now > sce->expirationTime) { 699 if (now > sce->expirationTime) {
709 » /* SessionID has timed out. Invalidate the entry. */ 700 /* SessionID has timed out. Invalidate the entry. */
710 » SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x " 701 SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
711 » » » "time+=%x", 702 "time+=%x",
712 » » » myPid, sce->addr.pr_s6_addr32[0], 703 myPid, sce->addr.pr_s6_addr32[0],
713 » » » sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2], 704 sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
714 » » » sce->addr.pr_s6_addr32[3], now, 705 sce->addr.pr_s6_addr32[3], now,
715 » » » sce->expirationTime )); 706 sce->expirationTime));
716 » sce->valid = 0; 707 sce->valid = 0;
717 » continue; 708 continue;
718 » } 709 }
719 710
720 » /* 711 /*
721 » ** Next, examine specific session-id/addr data to see if the cache 712 ** Next, examine specific session-id/addr data to see if the cache
722 » ** entry matches our addr+session-id value 713 ** entry matches our addr+session-id value
723 » */ 714 */
724 » if (sessionIDLength == sce->sessionIDLength && 715 if (sessionIDLength == sce->sessionIDLength &&
725 » !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) && 716 !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
726 » !memcmp(sce->sessionID, sessionID, sessionIDLength)) { 717 !memcmp(sce->sessionID, sessionID, sessionIDLength)) {
727 » /* Found it */ 718 /* Found it */
728 » return sce; 719 return sce;
729 » } 720 }
730 } 721 }
731 722
732 PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND); 723 PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
733 return NULL; 724 return NULL;
734 } 725 }
735 726
736 /************************************************************************/ 727 /************************************************************************/
737 728
738 /* This is the primary function for finding entries in the server's sid cache. 729 /* This is the primary function for finding entries in the server's sid cache.
739 * Although it is static, this function is called via the global function 730 * Although it is static, this function is called via the global function
740 * pointer ssl_sid_lookup. 731 * pointer ssl_sid_lookup.
741 */ 732 */
742 static sslSessionID * 733 static sslSessionID *
743 ServerSessionIDLookup(const PRIPv6Addr *addr, 734 ServerSessionIDLookup(const PRIPv6Addr *addr,
744 » » » unsigned char *sessionID, 735 unsigned char *sessionID,
745 » » » unsigned int sessionIDLength, 736 unsigned int sessionIDLength,
746 CERTCertDBHandle * dbHandle) 737 CERTCertDBHandle *dbHandle)
747 { 738 {
748 sslSessionID * sid = 0; 739 sslSessionID *sid = 0;
749 sidCacheEntry * psce; 740 sidCacheEntry *psce;
750 certCacheEntry *pcce = 0; 741 certCacheEntry *pcce = 0;
751 srvNameCacheEntry *psnce = 0; 742 srvNameCacheEntry *psnce = 0;
752 cacheDesc * cache = &globalCache; 743 cacheDesc *cache = &globalCache;
753 PRUint32 now; 744 PRUint32 now;
754 PRUint32 set; 745 PRUint32 set;
755 PRInt32 cndx; 746 PRInt32 cndx;
756 sidCacheEntry sce; 747 sidCacheEntry sce;
757 certCacheEntry cce; 748 certCacheEntry cce;
758 srvNameCacheEntry snce; 749 srvNameCacheEntry snce;
759 750
760 set = SIDindex(cache, addr, sessionID, sessionIDLength); 751 set = SIDindex(cache, addr, sessionID, sessionIDLength);
761 now = LockSet(cache, set, 0); 752 now = LockSet(cache, set, 0);
762 if (!now) 753 if (!now)
763 » return NULL; 754 return NULL;
764 755
765 psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength); 756 psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength);
766 if (psce) { 757 if (psce) {
767 » if (psce->version >= SSL_LIBRARY_VERSION_3_0) { 758 if (psce->version >= SSL_LIBRARY_VERSION_3_0) {
768 » if ((cndx = psce->u.ssl3.certIndex) != -1) { 759 if ((cndx = psce->u.ssl3.certIndex) != -1) {
769 760
770 PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now); 761 PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now);
771 if (gotLock) { 762 if (gotLock) {
772 pcce = &cache->certCacheData[cndx]; 763 pcce = &cache->certCacheData[cndx];
773 764
774 /* See if the cert's session ID matches the sce cache. */ 765 /* See if the cert's session ID matches the sce cache. */
775 if ((pcce->sessionIDLength == psce->sessionIDLength) && 766 if ((pcce->sessionIDLength == psce->sessionIDLength) &&
776 !PORT_Memcmp(pcce->sessionID, psce->sessionID, 767 !PORT_Memcmp(pcce->sessionID, psce->sessionID,
777 pcce->sessionIDLength)) { 768 pcce->sessionIDLength)) {
778 cce = *pcce; 769 cce = *pcce;
779 } else { 770 } else {
780 /* The cert doesen't match the SID cache entry, 771 /* The cert doesen't match the SID cache entry,
781 ** so invalidate the SID cache entry. 772 ** so invalidate the SID cache entry.
782 */ 773 */
783 psce->valid = 0; 774 psce->valid = 0;
784 psce = 0; 775 psce = 0;
785 pcce = 0; 776 pcce = 0;
786 } 777 }
787 UnlockSidCacheLock(cache->certCacheLock); 778 UnlockSidCacheLock(cache->certCacheLock);
788 } else { 779 } else {
789 /* what the ??. Didn't get the cert cache lock. 780 /* what the ??. Didn't get the cert cache lock.
790 ** Don't invalidate the SID cache entry, but don't find it. 781 ** Don't invalidate the SID cache entry, but don't find it.
791 */ 782 */
792 PORT_Assert(!("Didn't get cert Cache Lock!")); 783 PORT_Assert(!("Didn't get cert Cache Lock!"));
793 psce = 0; 784 psce = 0;
794 pcce = 0; 785 pcce = 0;
795 } 786 }
796 } 787 }
797 if (psce && ((cndx = psce->u.ssl3.srvNameIndex) != -1)) { 788 if (psce && ((cndx = psce->u.ssl3.srvNameIndex) != -1)) {
798 PRUint32 gotLock = LockSidCacheLock(cache->srvNameCacheLock, 789 PRUint32 gotLock = LockSidCacheLock(cache->srvNameCacheLock,
799 now); 790 now);
800 if (gotLock) { 791 if (gotLock) {
801 psnce = &cache->srvNameCacheData[cndx]; 792 psnce = &cache->srvNameCacheData[cndx];
802 793
803 if (!PORT_Memcmp(psnce->nameHash, psce->u.ssl3.srvNameHash, 794 if (!PORT_Memcmp(psnce->nameHash, psce->u.ssl3.srvNameHash,
804 SHA256_LENGTH)) { 795 SHA256_LENGTH)) {
805 snce = *psnce; 796 snce = *psnce;
806 } else { 797 } else {
807 /* The name doesen't match the SID cache entry, 798 /* The name doesen't match the SID cache entry,
808 ** so invalidate the SID cache entry. 799 ** so invalidate the SID cache entry.
809 */ 800 */
810 psce->valid = 0; 801 psce->valid = 0;
811 psce = 0; 802 psce = 0;
812 psnce = 0; 803 psnce = 0;
813 } 804 }
814 UnlockSidCacheLock(cache->srvNameCacheLock); 805 UnlockSidCacheLock(cache->srvNameCacheLock);
815 } else { 806 } else {
816 /* what the ??. Didn't get the cert cache lock. 807 /* what the ??. Didn't get the cert cache lock.
817 ** Don't invalidate the SID cache entry, but don't find it. 808 ** Don't invalidate the SID cache entry, but don't find it.
818 */ 809 */
819 PORT_Assert(!("Didn't get name Cache Lock!")); 810 PORT_Assert(!("Didn't get name Cache Lock!"));
820 psce = 0; 811 psce = 0;
821 psnce = 0; 812 psnce = 0;
822 } 813 }
823
824 } 814 }
825 } 815 }
826 » if (psce) { 816 if (psce) {
827 » psce->lastAccessTime = now; 817 psce->lastAccessTime = now;
828 » sce = *psce;» /* grab a copy while holding the lock */ 818 sce = *psce; /* grab a copy while holding the lock */
829 » } 819 }
830 } 820 }
831 UnlockSet(cache, set); 821 UnlockSet(cache, set);
832 if (psce) { 822 if (psce) {
833 » /* sce conains a copy of the cache entry. 823 /* sce conains a copy of the cache entry.
834 » ** Convert shared memory format to local format 824 ** Convert shared memory format to local format
835 » */ 825 */
836 » sid = ConvertToSID(&sce, pcce ? &cce : 0, psnce ? &snce : 0, dbHandle); 826 sid = ConvertToSID(&sce, pcce ? &cce : 0, psnce ? &snce : 0, dbHandle);
837 } 827 }
838 return sid; 828 return sid;
839 } 829 }
840 830
841 /* 831 /*
842 ** Place a sid into the cache, if it isn't already there. 832 ** Place a sid into the cache, if it isn't already there.
843 */ 833 */
844 static void 834 static void
845 ServerSessionIDCache(sslSessionID *sid) 835 ServerSessionIDCache(sslSessionID *sid)
846 { 836 {
847 sidCacheEntry sce; 837 sidCacheEntry sce;
848 PRUint32 now = 0; 838 PRUint32 now = 0;
849 PRUint16 version = sid->version; 839 PRUint16 version = sid->version;
850 cacheDesc * cache = &globalCache; 840 cacheDesc *cache = &globalCache;
851 841
852 if ((version >= SSL_LIBRARY_VERSION_3_0) && 842 if ((version >= SSL_LIBRARY_VERSION_3_0) &&
853 » (sid->u.ssl3.sessionIDLength == 0)) { 843 (sid->u.ssl3.sessionIDLength == 0)) {
854 » return; 844 return;
855 } 845 }
856 846
857 if (sid->cached == never_cached || sid->cached == invalid_cache) { 847 if (sid->cached == never_cached || sid->cached == invalid_cache) {
858 » PRUint32 set; 848 PRUint32 set;
859 849
860 » PORT_Assert(sid->creationTime != 0); 850 PORT_Assert(sid->creationTime != 0);
861 » if (!sid->creationTime) 851 if (!sid->creationTime)
862 » sid->lastAccessTime = sid->creationTime = ssl_Time(); 852 sid->lastAccessTime = sid->creationTime = ssl_Time();
863 » if (version < SSL_LIBRARY_VERSION_3_0) { 853 if (version < SSL_LIBRARY_VERSION_3_0) {
864 » /* override caller's expiration time, which uses client timeout 854 /* override caller's expiration time, which uses client timeout
865 » * duration, not server timeout duration. 855 * duration, not server timeout duration.
866 » */ 856 */
867 » sid->expirationTime = sid->creationTime + cache->ssl2Timeout; 857 sid->expirationTime = sid->creationTime + cache->ssl2Timeout;
868 » SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x tim e=%x " 858 SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x tim e=%x "
869 » » » "cipher=%d", myPid, sid->cached, 859 "cipher=%d",
870 » » » sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], 860 myPid, sid->cached,
871 » » » sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], 861 sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
872 » » » sid->creationTime, sid->u.ssl2.cipherType)); 862 sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
873 » PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID, 863 sid->creationTime, sid->u.ssl2.cipherType));
874 » » » SSL2_SESSIONID_BYTES)); 864 PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
875 » PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data, 865 SSL2_SESSIONID_BYTES));
876 » » » sid->u.ssl2.masterKey.len)); 866 PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
877 » PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data, 867 sid->u.ssl2.masterKey.len));
878 » » » sid->u.ssl2.cipherArg.len)); 868 PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
869 sid->u.ssl2.cipherArg.len));
870 } else {
871 /* override caller's expiration time, which uses client timeout
872 * duration, not server timeout duration.
873 */
874 sid->expirationTime = sid->creationTime + cache->ssl3Timeout;
875 SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x tim e=%x "
876 "cipherSuite=%d",
877 myPid, sid->cached,
878 sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
879 sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
880 sid->creationTime, sid->u.ssl3.cipherSuite));
881 PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
882 sid->u.ssl3.sessionIDLength));
883 }
879 884
880 » } else { 885 ConvertFromSID(&sce, sid);
881 » /* override caller's expiration time, which uses client timeout
882 » * duration, not server timeout duration.
883 » */
884 » sid->expirationTime = sid->creationTime + cache->ssl3Timeout;
885 » SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x tim e=%x "
886 » » » "cipherSuite=%d", myPid, sid->cached,
887 » » » sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
888 » » » sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
889 » » » sid->creationTime, sid->u.ssl3.cipherSuite));
890 » PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
891 » » » sid->u.ssl3.sessionIDLength));
892 » }
893 886
894 » ConvertFromSID(&sce, sid); 887 if (version >= SSL_LIBRARY_VERSION_3_0) {
895
896 » if (version >= SSL_LIBRARY_VERSION_3_0) {
897 SECItem *name = &sid->u.ssl3.srvName; 888 SECItem *name = &sid->u.ssl3.srvName;
898 if (name->len && name->data) { 889 if (name->len && name->data) {
899 now = CacheSrvName(cache, name, &sce); 890 now = CacheSrvName(cache, name, &sce);
900 } 891 }
901 if (sid->peerCert != NULL) { 892 if (sid->peerCert != NULL) {
902 now = CacheCert(cache, sid->peerCert, &sce); 893 now = CacheCert(cache, sid->peerCert, &sce);
903 } 894 }
904 » } 895 }
905 896
906 » set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength); 897 set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength);
907 » now = LockSet(cache, set, now); 898 now = LockSet(cache, set, now);
908 » if (now) { 899 if (now) {
909 » PRUint32 next = cache->sidCacheSets[set].next; 900 PRUint32 next = cache->sidCacheSets[set].next;
910 » PRUint32 ndx = set * SID_CACHE_ENTRIES_PER_SET + next; 901 PRUint32 ndx = set * SID_CACHE_ENTRIES_PER_SET + next;
911 902
912 » /* Write out new cache entry */ 903 /* Write out new cache entry */
913 » cache->sidCacheData[ndx] = sce; 904 cache->sidCacheData[ndx] = sce;
914 905
915 » cache->sidCacheSets[set].next = 906 cache->sidCacheSets[set].next =
916 » » » » » (next + 1) % SID_CACHE_ENTRIES_PER_SET; 907 (next + 1) % SID_CACHE_ENTRIES_PER_SET;
917 908
918 » UnlockSet(cache, set); 909 UnlockSet(cache, set);
919 » sid->cached = in_server_cache; 910 sid->cached = in_server_cache;
920 » } 911 }
921 } 912 }
922 } 913 }
923 914
924 /* 915 /*
925 ** Although this is static, it is called from ssl via global function pointer 916 ** Although this is static, it is called from ssl via global function pointer
926 **» ssl_sid_uncache. This invalidates the referenced cache entry. 917 ** ssl_sid_uncache. This invalidates the referenced cache entry.
927 */ 918 */
928 static void 919 static void
929 ServerSessionIDUncache(sslSessionID *sid) 920 ServerSessionIDUncache(sslSessionID *sid)
930 { 921 {
931 cacheDesc * cache = &globalCache; 922 cacheDesc *cache = &globalCache;
932 PRUint8 * sessionID; 923 PRUint8 *sessionID;
933 unsigned int sessionIDLength; 924 unsigned int sessionIDLength;
934 PRErrorCode err; 925 PRErrorCode err;
935 PRUint32 set; 926 PRUint32 set;
936 PRUint32 now; 927 PRUint32 now;
937 sidCacheEntry *psce; 928 sidCacheEntry *psce;
938 929
939 if (sid == NULL) 930 if (sid == NULL)
940 » return; 931 return;
941 932
942 /* Uncaching a SID should never change the error code. 933 /* Uncaching a SID should never change the error code.
943 ** So save it here and restore it before exiting. 934 ** So save it here and restore it before exiting.
944 */ 935 */
945 err = PR_GetError(); 936 err = PR_GetError();
946 937
947 if (sid->version < SSL_LIBRARY_VERSION_3_0) { 938 if (sid->version < SSL_LIBRARY_VERSION_3_0) {
948 » sessionID = sid->u.ssl2.sessionID; 939 sessionID = sid->u.ssl2.sessionID;
949 » sessionIDLength = SSL2_SESSIONID_BYTES; 940 sessionIDLength = SSL2_SESSIONID_BYTES;
950 » SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=% x " 941 SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=% x "
951 » » "cipher=%d", myPid, sid->cached, 942 "cipher=%d",
952 » » sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], 943 myPid, sid->cached,
953 » » sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], 944 sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
954 » » sid->creationTime, sid->u.ssl2.cipherType)); 945 sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
955 » PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength)); 946 sid->creationTime, sid->u.ssl2.cipherType));
956 » PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data, 947 PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
957 » » sid->u.ssl2.masterKey.len)); 948 PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
958 » PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data, 949 sid->u.ssl2.masterKey.len));
959 » » sid->u.ssl2.cipherArg.len)); 950 PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
951 sid->u.ssl2.cipherArg.len));
960 } else { 952 } else {
961 » sessionID = sid->u.ssl3.sessionID; 953 sessionID = sid->u.ssl3.sessionID;
962 » sessionIDLength = sid->u.ssl3.sessionIDLength; 954 sessionIDLength = sid->u.ssl3.sessionIDLength;
963 » SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time= %x " 955 SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time= %x "
964 » » "cipherSuite=%d", myPid, sid->cached, 956 "cipherSuite=%d",
965 » » sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], 957 myPid, sid->cached,
966 » » sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], 958 sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
967 » » sid->creationTime, sid->u.ssl3.cipherSuite)); 959 sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
968 » PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength)); 960 sid->creationTime, sid->u.ssl3.cipherSuite));
961 PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
969 } 962 }
970 set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength); 963 set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
971 now = LockSet(cache, set, 0); 964 now = LockSet(cache, set, 0);
972 if (now) { 965 if (now) {
973 » psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength); 966 psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength);
974 » if (psce) { 967 if (psce) {
975 » psce->valid = 0; 968 psce->valid = 0;
976 » } 969 }
977 » UnlockSet(cache, set); 970 UnlockSet(cache, set);
978 } 971 }
979 sid->cached = invalid_cache; 972 sid->cached = invalid_cache;
980 PORT_SetError(err); 973 PORT_SetError(err);
981 } 974 }
982 975
983 #ifdef XP_OS2 976 #ifdef XP_OS2
984 977
985 #define INCL_DOSPROCESS 978 #define INCL_DOSPROCESS
986 #include <os2.h> 979 #include <os2.h>
987 980
988 long gettid(void) 981 long
982 gettid(void)
989 { 983 {
990 PTIB ptib; 984 PTIB ptib;
991 PPIB ppib; 985 PPIB ppib;
992 DosGetInfoBlocks(&ptib, &ppib); 986 DosGetInfoBlocks(&ptib, &ppib);
993 return ((long)ptib->tib_ordinal); /* thread id */ 987 return ((long)ptib->tib_ordinal); /* thread id */
994 } 988 }
995 #endif 989 #endif
996 990
997 static void 991 static void
998 CloseCache(cacheDesc *cache) 992 CloseCache(cacheDesc *cache)
999 { 993 {
1000 int locks_initialized = cache->numSIDCacheLocksInitialized; 994 int locks_initialized = cache->numSIDCacheLocksInitialized;
1001 995
1002 if (cache->cacheMem) { 996 if (cache->cacheMem) {
1003 » if (cache->sharedCache) { 997 if (cache->sharedCache) {
1004 » sidCacheLock *pLock = cache->sidCacheLocks; 998 sidCacheLock *pLock = cache->sidCacheLocks;
1005 » for (; locks_initialized > 0; --locks_initialized, ++pLock ) { 999 for (; locks_initialized > 0; --locks_initialized, ++pLock) {
1006 » » /* If everInherited is true, this shared cache was (and may 1000 /* If everInherited is true, this shared cache was (and may
1007 » » ** still be) in use by multiple processes. We do not wish to 1001 ** still be) in use by multiple processes. We do not wish to
1008 » » ** destroy the mutexes while they are still in use, but we do 1002 ** destroy the mutexes while they are still in use, but we do
1009 » » ** want to free mutex resources associated with this process. 1003 ** want to free mutex resources associated with this process.
1010 » » */ 1004 */
1011 » » sslMutex_Destroy(&pLock->mutex, 1005 sslMutex_Destroy(&pLock->mutex,
1012 » » » » cache->sharedCache->everInherited); 1006 cache->sharedCache->everInherited);
1013 » } 1007 }
1014 » } 1008 }
1015 » if (cache->shared) { 1009 if (cache->shared) {
1016 » PR_MemUnmap(cache->cacheMem, cache->cacheMemSize); 1010 PR_MemUnmap(cache->cacheMem, cache->cacheMemSize);
1017 » } else { 1011 } else {
1018 » PORT_Free(cache->cacheMem); 1012 PORT_Free(cache->cacheMem);
1019 » } 1013 }
1020 » cache->cacheMem = NULL; 1014 cache->cacheMem = NULL;
1021 } 1015 }
1022 if (cache->cacheMemMap) { 1016 if (cache->cacheMemMap) {
1023 » PR_CloseFileMap(cache->cacheMemMap); 1017 PR_CloseFileMap(cache->cacheMemMap);
1024 » cache->cacheMemMap = NULL; 1018 cache->cacheMemMap = NULL;
1025 } 1019 }
1026 memset(cache, 0, sizeof *cache); 1020 memset(cache, 0, sizeof *cache);
1027 } 1021 }
1028 1022
1029 static SECStatus 1023 static SECStatus
1030 InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries, 1024 InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries,
1031 int maxSrvNameCacheEntries, PRUint32 ssl2_timeout, 1025 int maxSrvNameCacheEntries, PRUint32 ssl2_timeout,
1032 PRUint32 ssl3_timeout, const char *directory, PRBool shared) 1026 PRUint32 ssl3_timeout, const char *directory, PRBool shared)
1033 { 1027 {
1034 ptrdiff_t ptr; 1028 ptrdiff_t ptr;
1035 sidCacheLock *pLock; 1029 sidCacheLock *pLock;
1036 char * cacheMem; 1030 char *cacheMem;
1037 PRFileMap * cacheMemMap; 1031 PRFileMap *cacheMemMap;
1038 char * cfn = NULL;» /* cache file name */ 1032 char *cfn = NULL; /* cache file name */
1039 int locks_initialized = 0; 1033 int locks_initialized = 0;
1040 int locks_to_initialize = 0; 1034 int locks_to_initialize = 0;
1041 PRUint32 init_time; 1035 PRUint32 init_time;
1042 1036
1043 if ( (!cache) || (maxCacheEntries < 0) || (!directory) ) { 1037 if ((!cache) || (maxCacheEntries < 0) || (!directory)) {
1044 PORT_SetError(SEC_ERROR_INVALID_ARGS); 1038 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1045 return SECFailure; 1039 return SECFailure;
1046 } 1040 }
1047 1041
1048 if (cache->cacheMem) { 1042 if (cache->cacheMem) {
1049 » /* Already done */ 1043 /* Already done */
1050 » return SECSuccess; 1044 return SECSuccess;
1051 } 1045 }
1052 1046
1053 /* make sure loser can clean up properly */ 1047 /* make sure loser can clean up properly */
1054 cache->shared = shared; 1048 cache->shared = shared;
1055 cache->cacheMem = cacheMem = NULL; 1049 cache->cacheMem = cacheMem = NULL;
1056 cache->cacheMemMap = cacheMemMap = NULL; 1050 cache->cacheMemMap = cacheMemMap = NULL;
1057 cache->sharedCache = (cacheDesc *)0; 1051 cache->sharedCache = (cacheDesc *)0;
1058 1052
1059 cache->numSIDCacheLocksInitialized = 0; 1053 cache->numSIDCacheLocksInitialized = 0;
1060 cache->nextCertCacheEntry = 0; 1054 cache->nextCertCacheEntry = 0;
1061 cache->stopPolling = PR_FALSE; 1055 cache->stopPolling = PR_FALSE;
1062 cache->everInherited = PR_FALSE; 1056 cache->everInherited = PR_FALSE;
1063 cache->poller = NULL; 1057 cache->poller = NULL;
1064 cache->mutexTimeout = 0; 1058 cache->mutexTimeout = 0;
1065 1059
1066 cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries 1060 cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries
1067 : DEF_SID_CACHE_ENTRIES; 1061 : DEF_SID_CACHE_ENTRIES;
1068 cache->numSIDCacheSets = 1062 cache->numSIDCacheSets =
1069 » SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET); 1063 SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET);
1070 1064
1071 cache->numSIDCacheEntries = 1065 cache->numSIDCacheEntries =
1072 » cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET; 1066 cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
1073 1067
1074 cache->numSIDCacheLocks = 1068 cache->numSIDCacheLocks =
1075 » PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks); 1069 PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
1076 1070
1077 cache->numSIDCacheSetsPerLock = 1071 cache->numSIDCacheSetsPerLock =
1078 » SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks); 1072 SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
1079 1073
1080 cache->numCertCacheEntries = (maxCertCacheEntries > 0) ? 1074 cache->numCertCacheEntries = (maxCertCacheEntries > 0) ? maxCertCacheEntries
1081 maxCertCacheEntries : 0; 1075 : 0;
1082 cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ? 1076 cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ? maxSrvNameCa cheEntries
1083 maxSrvNameCacheEntries : DEF_NAME_C ACHE_ENTRIES; 1077 : DEF_NAME_CAC HE_ENTRIES;
1084 1078
1085 /* compute size of shared memory, and offsets of all pointers */ 1079 /* compute size of shared memory, and offsets of all pointers */
1086 ptr = 0; 1080 ptr = 0;
1087 cache->cacheMem = (char *)ptr; 1081 cache->cacheMem = (char *)ptr;
1088 ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT); 1082 ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT);
1089 1083
1090 cache->sidCacheLocks = (sidCacheLock *)ptr; 1084 cache->sidCacheLocks = (sidCacheLock *)ptr;
1091 cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks; 1085 cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks;
1092 cache->certCacheLock = cache->keyCacheLock + 1; 1086 cache->certCacheLock = cache->keyCacheLock + 1;
1093 cache->srvNameCacheLock = cache->certCacheLock + 1; 1087 cache->srvNameCacheLock = cache->certCacheLock + 1;
1094 ptr = (ptrdiff_t)(cache->srvNameCacheLock + 1); 1088 ptr = (ptrdiff_t)(cache->srvNameCacheLock + 1);
1095 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1089 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1096 1090
1097 cache->sidCacheSets = (sidCacheSet *)ptr; 1091 cache->sidCacheSets = (sidCacheSet *)ptr;
1098 ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets); 1092 ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets);
1099 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1093 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1100 1094
1101 cache->sidCacheData = (sidCacheEntry *)ptr; 1095 cache->sidCacheData = (sidCacheEntry *)ptr;
1102 ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries); 1096 ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries);
1103 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1097 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1104 1098
1105 cache->certCacheData = (certCacheEntry *)ptr; 1099 cache->certCacheData = (certCacheEntry *)ptr;
1106 cache->sidCacheSize = 1100 cache->sidCacheSize =
1107 » (char *)cache->certCacheData - (char *)cache->sidCacheData; 1101 (char *)cache->certCacheData - (char *)cache->sidCacheData;
1108 1102
1109 if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES) { 1103 if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES) {
1110 /* This is really a poor way to computer this! */ 1104 /* This is really a poor way to computer this! */
1111 cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry ); 1105 cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry );
1112 if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES) 1106 if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
1113 » cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES; 1107 cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
1114 } 1108 }
1115 ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries); 1109 ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries);
1116 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1110 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1117 1111
1118 cache->keyCacheData = (SSLWrappedSymWrappingKey *)ptr; 1112 cache->keyCacheData = (SSLWrappedSymWrappingKey *)ptr;
1119 cache->certCacheSize = 1113 cache->certCacheSize =
1120 » (char *)cache->keyCacheData - (char *)cache->certCacheData; 1114 (char *)cache->keyCacheData - (char *)cache->certCacheData;
1121 1115
1122 cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS; 1116 cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS;
1123 ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries); 1117 ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
1124 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1118 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1125 1119
1126 cache->keyCacheSize = (char *)ptr - (char *)cache->keyCacheData; 1120 cache->keyCacheSize = (char *)ptr - (char *)cache->keyCacheData;
1127 1121
1128 cache->ticketKeyNameSuffix = (PRUint8 *)ptr; 1122 cache->ticketKeyNameSuffix = (PRUint8 *)ptr;
1129 ptr = (ptrdiff_t)(cache->ticketKeyNameSuffix + 1123 ptr = (ptrdiff_t)(cache->ticketKeyNameSuffix +
1130 » SESS_TICKET_KEY_VAR_NAME_LEN); 1124 SESS_TICKET_KEY_VAR_NAME_LEN);
1131 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1125 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1132 1126
1133 cache->ticketEncKey = (encKeyCacheEntry *)ptr; 1127 cache->ticketEncKey = (encKeyCacheEntry *)ptr;
1134 ptr = (ptrdiff_t)(cache->ticketEncKey + 1); 1128 ptr = (ptrdiff_t)(cache->ticketEncKey + 1);
1135 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1129 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1136 1130
1137 cache->ticketMacKey = (encKeyCacheEntry *)ptr; 1131 cache->ticketMacKey = (encKeyCacheEntry *)ptr;
1138 ptr = (ptrdiff_t)(cache->ticketMacKey + 1); 1132 ptr = (ptrdiff_t)(cache->ticketMacKey + 1);
1139 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1133 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1140 1134
1141 cache->ticketKeysValid = (PRUint32 *)ptr; 1135 cache->ticketKeysValid = (PRUint32 *)ptr;
1142 ptr = (ptrdiff_t)(cache->ticketKeysValid + 1); 1136 ptr = (ptrdiff_t)(cache->ticketKeysValid + 1);
1143 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1137 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1144 1138
1145 cache->srvNameCacheData = (srvNameCacheEntry *)ptr; 1139 cache->srvNameCacheData = (srvNameCacheEntry *)ptr;
1146 cache->srvNameCacheSize = 1140 cache->srvNameCacheSize =
1147 cache->numSrvNameCacheEntries * sizeof(srvNameCacheEntry); 1141 cache->numSrvNameCacheEntries * sizeof(srvNameCacheEntry);
1148 ptr = (ptrdiff_t)(cache->srvNameCacheData + cache->numSrvNameCacheEntries); 1142 ptr = (ptrdiff_t)(cache->srvNameCacheData + cache->numSrvNameCacheEntries);
1149 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); 1143 ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
1150 1144
1151 cache->cacheMemSize = ptr; 1145 cache->cacheMemSize = ptr;
1152 1146
1153 if (ssl2_timeout) { 1147 if (ssl2_timeout) {
1154 » if (ssl2_timeout > MAX_SSL2_TIMEOUT) { 1148 if (ssl2_timeout > MAX_SSL2_TIMEOUT) {
1155 » ssl2_timeout = MAX_SSL2_TIMEOUT; 1149 ssl2_timeout = MAX_SSL2_TIMEOUT;
1156 » } 1150 }
1157 » if (ssl2_timeout < MIN_SSL2_TIMEOUT) { 1151 if (ssl2_timeout < MIN_SSL2_TIMEOUT) {
1158 » ssl2_timeout = MIN_SSL2_TIMEOUT; 1152 ssl2_timeout = MIN_SSL2_TIMEOUT;
1159 » } 1153 }
1160 » cache->ssl2Timeout = ssl2_timeout; 1154 cache->ssl2Timeout = ssl2_timeout;
1161 } else { 1155 } else {
1162 » cache->ssl2Timeout = DEF_SSL2_TIMEOUT; 1156 cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
1163 } 1157 }
1164 1158
1165 if (ssl3_timeout) { 1159 if (ssl3_timeout) {
1166 » if (ssl3_timeout > MAX_SSL3_TIMEOUT) { 1160 if (ssl3_timeout > MAX_SSL3_TIMEOUT) {
1167 » ssl3_timeout = MAX_SSL3_TIMEOUT; 1161 ssl3_timeout = MAX_SSL3_TIMEOUT;
1168 » } 1162 }
1169 » if (ssl3_timeout < MIN_SSL3_TIMEOUT) { 1163 if (ssl3_timeout < MIN_SSL3_TIMEOUT) {
1170 » ssl3_timeout = MIN_SSL3_TIMEOUT; 1164 ssl3_timeout = MIN_SSL3_TIMEOUT;
1171 » } 1165 }
1172 » cache->ssl3Timeout = ssl3_timeout; 1166 cache->ssl3Timeout = ssl3_timeout;
1173 } else { 1167 } else {
1174 » cache->ssl3Timeout = DEF_SSL3_TIMEOUT; 1168 cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
1175 } 1169 }
1176 1170
1177 if (shared) { 1171 if (shared) {
1178 » /* Create file names */ 1172 /* Create file names */
1179 #if defined(XP_UNIX) || defined(XP_BEOS) 1173 #if defined(XP_UNIX) || defined(XP_BEOS)
1180 » /* there's some confusion here about whether PR_OpenAnonFileMap wants 1174 /* there's some confusion here about whether PR_OpenAnonFileMap wants
1181 » ** a directory name or a file name for its first argument. 1175 ** a directory name or a file name for its first argument.
1182 » cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid); 1176 cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid);
1183 » */ 1177 */
1184 » cfn = PR_smprintf("%s", directory); 1178 cfn = PR_smprintf("%s", directory);
1185 #elif defined(XP_WIN32) 1179 #elif defined(XP_WIN32)
1186 » cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 1180 cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid,
1187 » » » GetCurrentThreadId()); 1181 GetCurrentThreadId());
1188 #elif defined(XP_OS2) 1182 #elif defined(XP_OS2)
1189 » cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 1183 cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid,
1190 » » » gettid()); 1184 gettid());
1191 #else 1185 #else
1192 #error "Don't know how to create file name for this platform!" 1186 #error "Don't know how to create file name for this platform!"
1193 #endif 1187 #endif
1194 » if (!cfn) { 1188 if (!cfn) {
1195 » goto loser; 1189 goto loser;
1196 » } 1190 }
1197 1191
1198 » /* Create cache */ 1192 /* Create cache */
1199 » cacheMemMap = PR_OpenAnonFileMap(cfn, cache->cacheMemSize, 1193 cacheMemMap = PR_OpenAnonFileMap(cfn, cache->cacheMemSize,
1200 » » » » » PR_PROT_READWRITE); 1194 PR_PROT_READWRITE);
1201 1195
1202 » PR_smprintf_free(cfn); 1196 PR_smprintf_free(cfn);
1203 » if(!cacheMemMap) { 1197 if (!cacheMemMap) {
1204 » goto loser; 1198 goto loser;
1205 » } 1199 }
1206 1200
1207 cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize); 1201 cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize);
1208 } else { 1202 } else {
1209 cacheMem = PORT_Alloc(cache->cacheMemSize); 1203 cacheMem = PORT_Alloc(cache->cacheMemSize);
1210 } 1204 }
1211 1205
1212 if (! cacheMem) { 1206 if (!cacheMem) {
1213 goto loser; 1207 goto loser;
1214 } 1208 }
1215 1209
1216 /* Initialize shared memory. This may not be necessary on all platforms */ 1210 /* Initialize shared memory. This may not be necessary on all platforms */
1217 memset(cacheMem, 0, cache->cacheMemSize); 1211 memset(cacheMem, 0, cache->cacheMemSize);
1218 1212
1219 /* Copy cache descriptor header into shared memory */ 1213 /* Copy cache descriptor header into shared memory */
1220 memcpy(cacheMem, cache, sizeof *cache); 1214 memcpy(cacheMem, cache, sizeof *cache);
1221 1215
1222 /* save private copies of these values */ 1216 /* save private copies of these values */
1223 cache->cacheMemMap = cacheMemMap; 1217 cache->cacheMemMap = cacheMemMap;
1224 cache->cacheMem = cacheMem; 1218 cache->cacheMem = cacheMem;
1225 cache->sharedCache = (cacheDesc *)cacheMem; 1219 cache->sharedCache = (cacheDesc *)cacheMem;
1226 1220
1227 /* Fix pointers in our private copy of cache descriptor to point to 1221 /* Fix pointers in our private copy of cache descriptor to point to
1228 ** spaces in shared memory 1222 ** spaces in shared memory
1229 */ 1223 */
1230 cache->sidCacheLocks = (sidCacheLock *) 1224 cache->sidCacheLocks = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache-> sidCacheLocks);
1231 (cache->cacheMem + (ptrdiff_t)cache->sidCacheLocks); 1225 cache->keyCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache->k eyCacheLock);
1232 cache->keyCacheLock = (sidCacheLock *) 1226 cache->certCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cache-> certCacheLock);
1233 (cache->cacheMem + (ptrdiff_t)cache->keyCacheLock); 1227 cache->srvNameCacheLock = (sidCacheLock *)(cache->cacheMem + (ptrdiff_t)cach e->srvNameCacheLock);
1234 cache->certCacheLock = (sidCacheLock *) 1228 cache->sidCacheSets = (sidCacheSet *)(cache->cacheMem + (ptrdiff_t)cache->si dCacheSets);
1235 (cache->cacheMem + (ptrdiff_t)cache->certCacheLock); 1229 cache->sidCacheData = (sidCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache-> sidCacheData);
1236 cache->srvNameCacheLock = (sidCacheLock *) 1230 cache->certCacheData = (certCacheEntry *)(cache->cacheMem + (ptrdiff_t)cache ->certCacheData);
1237 (cache->cacheMem + (ptrdiff_t)cache->srvNameCacheLock); 1231 cache->keyCacheData = (SSLWrappedSymWrappingKey *)(cache->cacheMem + (ptrdif f_t)cache->keyCacheData);
1238 cache->sidCacheSets = (sidCacheSet *) 1232 cache->ticketKeyNameSuffix = (PRUint8 *)(cache->cacheMem + (ptrdiff_t)cache- >ticketKeyNameSuffix);
1239 (cache->cacheMem + (ptrdiff_t)cache->sidCacheSets); 1233 cache->ticketEncKey = (encKeyCacheEntry *)(cache->cacheMem + (ptrdiff_t)cach e->ticketEncKey);
1240 cache->sidCacheData = (sidCacheEntry *) 1234 cache->ticketMacKey = (encKeyCacheEntry *)(cache->cacheMem + (ptrdiff_t)cach e->ticketMacKey);
1241 (cache->cacheMem + (ptrdiff_t)cache->sidCacheData); 1235 cache->ticketKeysValid = (PRUint32 *)(cache->cacheMem + (ptrdiff_t)cache->ti cketKeysValid);
1242 cache->certCacheData = (certCacheEntry *) 1236 cache->srvNameCacheData = (srvNameCacheEntry *)(cache->cacheMem + (ptrdiff_t )cache->srvNameCacheData);
1243 (cache->cacheMem + (ptrdiff_t)cache->certCacheData);
1244 cache->keyCacheData = (SSLWrappedSymWrappingKey *)
1245 (cache->cacheMem + (ptrdiff_t)cache->keyCacheData);
1246 cache->ticketKeyNameSuffix = (PRUint8 *)
1247 (cache->cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
1248 cache->ticketEncKey = (encKeyCacheEntry *)
1249 (cache->cacheMem + (ptrdiff_t)cache->ticketEncKey);
1250 cache->ticketMacKey = (encKeyCacheEntry *)
1251 (cache->cacheMem + (ptrdiff_t)cache->ticketMacKey);
1252 cache->ticketKeysValid = (PRUint32 *)
1253 (cache->cacheMem + (ptrdiff_t)cache->ticketKeysValid);
1254 cache->srvNameCacheData = (srvNameCacheEntry *)
1255 (cache->cacheMem + (ptrdiff_t)cache->srvNameCacheData);
1256 1237
1257 /* initialize the locks */ 1238 /* initialize the locks */
1258 init_time = ssl_Time(); 1239 init_time = ssl_Time();
1259 pLock = cache->sidCacheLocks; 1240 pLock = cache->sidCacheLocks;
1260 for (locks_to_initialize = cache->numSIDCacheLocks + 3; 1241 for (locks_to_initialize = cache->numSIDCacheLocks + 3;
1261 locks_initialized < locks_to_initialize; 1242 locks_initialized < locks_to_initialize;
1262 » ++locks_initialized, ++pLock ) { 1243 ++locks_initialized, ++pLock) {
1263 1244
1264 » SECStatus err = sslMutex_Init(&pLock->mutex, shared); 1245 SECStatus err = sslMutex_Init(&pLock->mutex, shared);
1265 » if (err) { 1246 if (err) {
1266 » cache->numSIDCacheLocksInitialized = locks_initialized; 1247 cache->numSIDCacheLocksInitialized = locks_initialized;
1267 » goto loser; 1248 goto loser;
1268 » } 1249 }
1269 pLock->timeStamp = init_time; 1250 pLock->timeStamp = init_time;
1270 » pLock->pid = 0; 1251 pLock->pid = 0;
1271 } 1252 }
1272 cache->numSIDCacheLocksInitialized = locks_initialized; 1253 cache->numSIDCacheLocksInitialized = locks_initialized;
1273 1254
1274 return SECSuccess; 1255 return SECSuccess;
1275 1256
1276 loser: 1257 loser:
1277 CloseCache(cache); 1258 CloseCache(cache);
1278 return SECFailure; 1259 return SECFailure;
1279 } 1260 }
1280 1261
1281 PRUint32 1262 PRUint32
1282 SSL_GetMaxServerCacheLocks(void) 1263 SSL_GetMaxServerCacheLocks(void)
1283 { 1264 {
1284 return ssl_max_sid_cache_locks + 2; 1265 return ssl_max_sid_cache_locks + 2;
1285 /* The extra two are the cert cache lock and the key cache lock. */ 1266 /* The extra two are the cert cache lock and the key cache lock. */
1286 } 1267 }
1287 1268
1288 SECStatus 1269 SECStatus
1289 SSL_SetMaxServerCacheLocks(PRUint32 maxLocks) 1270 SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
1290 { 1271 {
1291 /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock. 1272 /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
1292 ** We'd like to test for a maximum value, but not all platforms' header 1273 ** We'd like to test for a maximum value, but not all platforms' header
1293 ** files provide a symbol or function or other means of determining 1274 ** files provide a symbol or function or other means of determining
1294 ** the maximum, other than trial and error. 1275 ** the maximum, other than trial and error.
1295 */ 1276 */
1296 if (maxLocks < 3) { 1277 if (maxLocks < 3) {
1297 » PORT_SetError(SEC_ERROR_INVALID_ARGS); 1278 PORT_SetError(SEC_ERROR_INVALID_ARGS);
1298 » return SECFailure; 1279 return SECFailure;
1299 } 1280 }
1300 ssl_max_sid_cache_locks = maxLocks - 2; 1281 ssl_max_sid_cache_locks = maxLocks - 2;
1301 /* The extra two are the cert cache lock and the key cache lock. */ 1282 /* The extra two are the cert cache lock and the key cache lock. */
1302 return SECSuccess; 1283 return SECSuccess;
1303 } 1284 }
1304 1285
1305 static SECStatus 1286 static SECStatus
1306 ssl_ConfigServerSessionIDCacheInstanceWithOpt(cacheDesc *cache, 1287 ssl_ConfigServerSessionIDCacheInstanceWithOpt(cacheDesc *cache,
1307 PRUint32 ssl2_timeout, 1288 PRUint32 ssl2_timeout,
1308 PRUint32 ssl3_timeout, 1289 PRUint32 ssl3_timeout,
1309 const char * directory, 1290 const char *directory,
1310 PRBool shared, 1291 PRBool shared,
1311 int maxCacheEntries, 1292 int maxCacheEntries,
1312 int maxCertCacheEntries, 1293 int maxCertCacheEntries,
1313 int maxSrvNameCacheEntries) 1294 int maxSrvNameCacheEntries)
1314 { 1295 {
1315 SECStatus rv; 1296 SECStatus rv;
1316 1297
1317 PORT_Assert(sizeof(sidCacheEntry) == 192); 1298 PORT_Assert(sizeof(sidCacheEntry) == 192);
1318 PORT_Assert(sizeof(certCacheEntry) == 4096); 1299 PORT_Assert(sizeof(certCacheEntry) == 4096);
1319 PORT_Assert(sizeof(srvNameCacheEntry) == 1072); 1300 PORT_Assert(sizeof(srvNameCacheEntry) == 1072);
1320 1301
1321 rv = ssl_Init(); 1302 rv = ssl_Init();
1322 if (rv != SECSuccess) { 1303 if (rv != SECSuccess) {
1323 » return rv; 1304 return rv;
1324 } 1305 }
1325 1306
1326 myPid = SSL_GETPID(); 1307 myPid = SSL_GETPID();
1327 if (!directory) { 1308 if (!directory) {
1328 » directory = DEFAULT_CACHE_DIRECTORY; 1309 directory = DEFAULT_CACHE_DIRECTORY;
1329 } 1310 }
1330 rv = InitCache(cache, maxCacheEntries, maxCertCacheEntries, 1311 rv = InitCache(cache, maxCacheEntries, maxCertCacheEntries,
1331 maxSrvNameCacheEntries, ssl2_timeout, ssl3_timeout, 1312 maxSrvNameCacheEntries, ssl2_timeout, ssl3_timeout,
1332 directory, shared); 1313 directory, shared);
1333 if (rv) { 1314 if (rv) {
1334 » SET_ERROR_CODE 1315 SET_ERROR_CODE
1335 » return SECFailure; 1316 return SECFailure;
1336 } 1317 }
1337 1318
1338 ssl_sid_lookup = ServerSessionIDLookup; 1319 ssl_sid_lookup = ServerSessionIDLookup;
1339 ssl_sid_cache = ServerSessionIDCache; 1320 ssl_sid_cache = ServerSessionIDCache;
1340 ssl_sid_uncache = ServerSessionIDUncache; 1321 ssl_sid_uncache = ServerSessionIDUncache;
1341 return SECSuccess; 1322 return SECSuccess;
1342 } 1323 }
1343 1324
1344 SECStatus 1325 SECStatus
1345 SSL_ConfigServerSessionIDCacheInstance(»cacheDesc *cache, 1326 SSL_ConfigServerSessionIDCacheInstance(cacheDesc *cache,
1346 int maxCacheEntries, 1327 int maxCacheEntries,
1347 PRUint32 ssl2_timeout, 1328 PRUint32 ssl2_timeout,
1348 PRUint32 ssl3_timeout, 1329 PRUint32 ssl3_timeout,
1349 const char * directory, PRBool shared) 1330 const char *directory, PRBool shared)
1350 { 1331 {
1351 return ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache, 1332 return ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache,
1352 ssl2_timeout, 1333 ssl2_timeout,
1353 ssl3_timeout, 1334 ssl3_timeout,
1354 directory, 1335 directory,
1355 shared, 1336 shared,
1356 maxCacheEntries, 1337 maxCacheEntries,
1357 -1, -1); 1338 -1, -1);
1358 } 1339 }
1359 1340
1360 SECStatus 1341 SECStatus
1361 SSL_ConfigServerSessionIDCache(»int maxCacheEntries, 1342 SSL_ConfigServerSessionIDCache(int maxCacheEntries,
1362 » » » » PRUint32 ssl2_timeout, 1343 PRUint32 ssl2_timeout,
1363 » » » »PRUint32 ssl3_timeout, 1344 PRUint32 ssl3_timeout,
1364 » » » const char * directory) 1345 const char *directory)
1365 { 1346 {
1366 ssl_InitSessionCacheLocks(); 1347 ssl_InitSessionCacheLocks();
1367 return SSL_ConfigServerSessionIDCacheInstance(&globalCache, 1348 return SSL_ConfigServerSessionIDCacheInstance(&globalCache,
1368 » » maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE ); 1349 maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE);
1369 } 1350 }
1370 1351
1371 SECStatus 1352 SECStatus
1372 SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache) 1353 SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache)
1373 { 1354 {
1374 CloseCache(cache); 1355 CloseCache(cache);
1375 return SECSuccess; 1356 return SECSuccess;
1376 } 1357 }
1377 1358
1378 SECStatus 1359 SECStatus
1379 SSL_ShutdownServerSessionIDCache(void) 1360 SSL_ShutdownServerSessionIDCache(void)
1380 { 1361 {
1381 #if defined(XP_UNIX) || defined(XP_BEOS) 1362 #if defined(XP_UNIX) || defined(XP_BEOS)
1382 /* Stop the thread that polls cache for expired locks on Unix */ 1363 /* Stop the thread that polls cache for expired locks on Unix */
1383 StopLockPoller(&globalCache); 1364 StopLockPoller(&globalCache);
1384 #endif 1365 #endif
1385 SSL3_ShutdownServerCache(); 1366 SSL3_ShutdownServerCache();
1386 return SSL_ShutdownServerSessionIDCacheInstance(&globalCache); 1367 return SSL_ShutdownServerSessionIDCacheInstance(&globalCache);
1387 } 1368 }
1388 1369
1389 /* Use this function, instead of SSL_ConfigServerSessionIDCache, 1370 /* Use this function, instead of SSL_ConfigServerSessionIDCache,
1390 * if the cache will be shared by multiple processes. 1371 * if the cache will be shared by multiple processes.
1391 */ 1372 */
1392 static SECStatus 1373 static SECStatus
1393 ssl_ConfigMPServerSIDCacheWithOpt( PRUint32 ssl2_timeout, 1374 ssl_ConfigMPServerSIDCacheWithOpt(PRUint32 ssl2_timeout,
1394 PRUint32 ssl3_timeout, 1375 PRUint32 ssl3_timeout,
1395 const char * directory, 1376 const char *directory,
1396 int maxCacheEntries, 1377 int maxCacheEntries,
1397 int maxCertCacheEntries, 1378 int maxCertCacheEntries,
1398 int maxSrvNameCacheEntries) 1379 int maxSrvNameCacheEntries)
1399 { 1380 {
1400 char *» envValue; 1381 char *envValue;
1401 char *» inhValue; 1382 char *inhValue;
1402 cacheDesc * cache = &globalCache; 1383 cacheDesc *cache = &globalCache;
1403 PRUint32 fmStrLen; 1384 PRUint32 fmStrLen;
1404 SECStatus » result; 1385 SECStatus result;
1405 PRStatus » prStatus; 1386 PRStatus prStatus;
1406 SECStatus» putEnvFailed; 1387 SECStatus putEnvFailed;
1407 inheritance inherit; 1388 inheritance inherit;
1408 char fmString[PR_FILEMAP_STRING_BUFSIZE]; 1389 char fmString[PR_FILEMAP_STRING_BUFSIZE];
1409 1390
1410 isMultiProcess = PR_TRUE; 1391 isMultiProcess = PR_TRUE;
1411 result = ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache, 1392 result = ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache,
1412 ssl2_timeout, ssl3_timeout, directory, PR_TRUE, 1393 ssl2_timeout, ssl3_ti meout, directory, PR_TRUE,
1413 maxCacheEntries, maxCacheEntries, maxSrvNameCacheEntries); 1394 maxCacheEntries, maxC acheEntries, maxSrvNameCacheEntries);
1414 if (result != SECSuccess) 1395 if (result != SECSuccess)
1415 return result; 1396 return result;
1416 1397
1417 prStatus = PR_ExportFileMapAsString(cache->cacheMemMap, 1398 prStatus = PR_ExportFileMapAsString(cache->cacheMemMap,
1418 sizeof fmString, fmString); 1399 sizeof fmString, fmString);
1419 if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) { 1400 if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) {
1420 » SET_ERROR_CODE 1401 SET_ERROR_CODE
1421 » return SECFailure; 1402 return SECFailure;
1422 } 1403 }
1423 1404
1424 inherit.cacheMemSize» = cache->cacheMemSize; 1405 inherit.cacheMemSize = cache->cacheMemSize;
1425 inherit.fmStrLen = fmStrLen; 1406 inherit.fmStrLen = fmStrLen;
1426 1407
1427 inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit); 1408 inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit);
1428 if (!inhValue || !strlen(inhValue)) { 1409 if (!inhValue || !strlen(inhValue)) {
1429 » SET_ERROR_CODE 1410 SET_ERROR_CODE
1430 » return SECFailure; 1411 return SECFailure;
1431 } 1412 }
1432 envValue = PR_smprintf("%s,%s", inhValue, fmString); 1413 envValue = PR_smprintf("%s,%s", inhValue, fmString);
1433 if (!envValue || !strlen(envValue)) { 1414 if (!envValue || !strlen(envValue)) {
1434 » SET_ERROR_CODE 1415 SET_ERROR_CODE
1435 » return SECFailure; 1416 return SECFailure;
1436 } 1417 }
1437 PORT_Free(inhValue); 1418 PORT_Free(inhValue);
1438 1419
1439 putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue); 1420 putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
1440 PR_smprintf_free(envValue); 1421 PR_smprintf_free(envValue);
1441 if (putEnvFailed) { 1422 if (putEnvFailed) {
1442 SET_ERROR_CODE 1423 SET_ERROR_CODE
1443 result = SECFailure; 1424 result = SECFailure;
1444 } 1425 }
1445 1426
1446 #if defined(XP_UNIX) || defined(XP_BEOS) 1427 #if defined(XP_UNIX) || defined(XP_BEOS)
1447 /* Launch thread to poll cache for expired locks on Unix */ 1428 /* Launch thread to poll cache for expired locks on Unix */
1448 LaunchLockPoller(cache); 1429 LaunchLockPoller(cache);
1449 #endif 1430 #endif
1450 return result; 1431 return result;
1451 } 1432 }
1452 1433
1453 /* Use this function, instead of SSL_ConfigServerSessionIDCache, 1434 /* Use this function, instead of SSL_ConfigServerSessionIDCache,
1454 * if the cache will be shared by multiple processes. 1435 * if the cache will be shared by multiple processes.
1455 */ 1436 */
1456 SECStatus 1437 SECStatus
1457 SSL_ConfigMPServerSIDCache(» int maxCacheEntries, 1438 SSL_ConfigMPServerSIDCache(int maxCacheEntries,
1458 » » » » PRUint32 ssl2_timeout, 1439 PRUint32 ssl2_timeout,
1459 » » » »PRUint32 ssl3_timeout, 1440 PRUint32 ssl3_timeout,
1460 » » const char * directory) 1441 const char *directory)
1461 { 1442 {
1462 return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, 1443 return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout,
1463 ssl3_timeout, 1444 ssl3_timeout,
1464 directory, 1445 directory,
1465 maxCacheEntries, 1446 maxCacheEntries,
1466 -1, -1); 1447 -1, -1);
1467 } 1448 }
1468 1449
1469 SECStatus 1450 SECStatus
1470 SSL_ConfigServerSessionIDCacheWithOpt( 1451 SSL_ConfigServerSessionIDCacheWithOpt(
1471 » » » » PRUint32 ssl2_timeout, 1452 PRUint32 ssl2_timeout,
1472 » » » »PRUint32 ssl3_timeout, 1453 PRUint32 ssl3_timeout,
1473 const char * directory, 1454 const char *directory,
1474 int maxCacheEntries, 1455 int maxCacheEntries,
1475 int maxCertCacheEntries, 1456 int maxCertCacheEntries,
1476 int maxSrvNameCacheEntries, 1457 int maxSrvNameCacheEntries,
1477 PRBool enableMPCache) 1458 PRBool enableMPCache)
1478 { 1459 {
1479 if (!enableMPCache) { 1460 if (!enableMPCache) {
1480 ssl_InitSessionCacheLocks(); 1461 ssl_InitSessionCacheLocks();
1481 return ssl_ConfigServerSessionIDCacheInstanceWithOpt(&globalCache, 1462 return ssl_ConfigServerSessionIDCacheInstanceWithOpt(&globalCache,
1482 ssl2_timeout, ssl3_timeout, directory, PR_FALSE, 1463 ssl2_timeout, ssl3_ timeout, directory, PR_FALSE,
1483 maxCacheEntries, maxCertCacheEntries, maxSrvNameCacheEntries); 1464 maxCacheEntries, ma xCertCacheEntries, maxSrvNameCacheEntries);
1484 } else { 1465 } else {
1485 return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, ssl3_timeout, 1466 return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, ssl3_timeout,
1486 directory, maxCacheEntries, maxCertCacheEntries, 1467 directory, maxCacheEntries, max CertCacheEntries,
1487 maxSrvNameCacheEntries); 1468 maxSrvNameCacheEntries);
1488 } 1469 }
1489 } 1470 }
1490 1471
1491 SECStatus 1472 SECStatus
1492 SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString) 1473 SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char *envString)
1493 { 1474 {
1494 unsigned char * decoString = NULL; 1475 unsigned char *decoString = NULL;
1495 char * fmString = NULL; 1476 char *fmString = NULL;
1496 char * myEnvString = NULL; 1477 char *myEnvString = NULL;
1497 unsigned int decoLen; 1478 unsigned int decoLen;
1498 inheritance inherit; 1479 inheritance inherit;
1499 cacheDesc my; 1480 cacheDesc my;
1500 #ifdef WINNT 1481 #ifdef WINNT
1501 sidCacheLock* newLocks; 1482 sidCacheLock *newLocks;
1502 int locks_initialized = 0; 1483 int locks_initialized = 0;
1503 int locks_to_initialize = 0; 1484 int locks_to_initialize = 0;
1504 #endif 1485 #endif
1505 SECStatus status = ssl_Init(); 1486 SECStatus status = ssl_Init();
1506 1487
1507 if (status != SECSuccess) { 1488 if (status != SECSuccess) {
1508 » return status; 1489 return status;
1509 } 1490 }
1510 1491
1511 myPid = SSL_GETPID(); 1492 myPid = SSL_GETPID();
1512 1493
1513 /* If this child was created by fork(), and not by exec() on unix, 1494 /* If this child was created by fork(), and not by exec() on unix,
1514 ** then isMultiProcess will already be set. 1495 ** then isMultiProcess will already be set.
1515 ** If not, we'll set it below. 1496 ** If not, we'll set it below.
1516 */ 1497 */
1517 if (isMultiProcess) { 1498 if (isMultiProcess) {
1518 » if (cache && cache->sharedCache) { 1499 if (cache && cache->sharedCache) {
1519 » cache->sharedCache->everInherited = PR_TRUE; 1500 cache->sharedCache->everInherited = PR_TRUE;
1520 » } 1501 }
1521 » return SECSuccess;» /* already done. */ 1502 return SECSuccess; /* already done. */
1522 } 1503 }
1523 1504
1524 ssl_InitSessionCacheLocks(); 1505 ssl_InitSessionCacheLocks();
1525 1506
1526 ssl_sid_lookup = ServerSessionIDLookup; 1507 ssl_sid_lookup = ServerSessionIDLookup;
1527 ssl_sid_cache = ServerSessionIDCache; 1508 ssl_sid_cache = ServerSessionIDCache;
1528 ssl_sid_uncache = ServerSessionIDUncache; 1509 ssl_sid_uncache = ServerSessionIDUncache;
1529 1510
1530 if (!envString) { 1511 if (!envString) {
1531 » envString = getenv(envVarName); 1512 envString = PR_GetEnvSecure(envVarName);
1532 » if (!envString) { 1513 if (!envString) {
1533 » SET_ERROR_CODE 1514 SET_ERROR_CODE
1534 » return SECFailure; 1515 return SECFailure;
1535 » } 1516 }
1536 } 1517 }
1537 myEnvString = PORT_Strdup(envString); 1518 myEnvString = PORT_Strdup(envString);
1538 if (!myEnvString) 1519 if (!myEnvString)
1539 » return SECFailure; 1520 return SECFailure;
1540 fmString = strchr(myEnvString, ','); 1521 fmString = strchr(myEnvString, ',');
1541 if (!fmString) 1522 if (!fmString)
1542 » goto loser; 1523 goto loser;
1543 *fmString++ = 0; 1524 *fmString++ = 0;
1544 1525
1545 decoString = ATOB_AsciiToData(myEnvString, &decoLen); 1526 decoString = ATOB_AsciiToData(myEnvString, &decoLen);
1546 if (!decoString) { 1527 if (!decoString) {
1547 » SET_ERROR_CODE 1528 SET_ERROR_CODE
1548 » goto loser; 1529 goto loser;
1549 } 1530 }
1550 if (decoLen != sizeof inherit) { 1531 if (decoLen != sizeof inherit) {
1551 » SET_ERROR_CODE 1532 SET_ERROR_CODE
1552 » goto loser; 1533 goto loser;
1553 } 1534 }
1554 1535
1555 PORT_Memcpy(&inherit, decoString, sizeof inherit); 1536 PORT_Memcpy(&inherit, decoString, sizeof inherit);
1556 1537
1557 if (strlen(fmString) != inherit.fmStrLen ) { 1538 if (strlen(fmString) != inherit.fmStrLen) {
1558 » goto loser; 1539 goto loser;
1559 } 1540 }
1560 1541
1561 memset(cache, 0, sizeof *cache); 1542 memset(cache, 0, sizeof *cache);
1562 cache->cacheMemSize»= inherit.cacheMemSize; 1543 cache->cacheMemSize = inherit.cacheMemSize;
1563 1544
1564 /* Create cache */ 1545 /* Create cache */
1565 cache->cacheMemMap = PR_ImportFileMapFromString(fmString); 1546 cache->cacheMemMap = PR_ImportFileMapFromString(fmString);
1566 if(! cache->cacheMemMap) { 1547 if (!cache->cacheMemMap) {
1567 » goto loser; 1548 goto loser;
1568 } 1549 }
1569 cache->cacheMem = PR_MemMap(cache->cacheMemMap, 0, cache->cacheMemSize); 1550 cache->cacheMem = PR_MemMap(cache->cacheMemMap, 0, cache->cacheMemSize);
1570 if (! cache->cacheMem) { 1551 if (!cache->cacheMem) {
1571 » goto loser; 1552 goto loser;
1572 } 1553 }
1573 cache->sharedCache = (cacheDesc *)cache->cacheMem; 1554 cache->sharedCache = (cacheDesc *)cache->cacheMem;
1574 1555
1575 if (cache->sharedCache->cacheMemSize != cache->cacheMemSize) { 1556 if (cache->sharedCache->cacheMemSize != cache->cacheMemSize) {
1576 » SET_ERROR_CODE 1557 SET_ERROR_CODE
1577 » goto loser; 1558 goto loser;
1578 } 1559 }
1579 1560
1580 /* We're now going to overwrite the local cache instance with the 1561 /* We're now going to overwrite the local cache instance with the
1581 ** shared copy of the cache struct, then update several values in 1562 ** shared copy of the cache struct, then update several values in
1582 ** the local cache using the values for cache->cacheMemMap and 1563 ** the local cache using the values for cache->cacheMemMap and
1583 ** cache->cacheMem computed just above. So, we copy cache into 1564 ** cache->cacheMem computed just above. So, we copy cache into
1584 ** the automatic variable "my", to preserve the variables while 1565 ** the automatic variable "my", to preserve the variables while
1585 ** cache is overwritten. 1566 ** cache is overwritten.
1586 */ 1567 */
1587 my = *cache; /* save values computed above. */ 1568 my = *cache; /* save values computed ab ove. */
1588 memcpy(cache, cache->sharedCache, sizeof *cache); /* overwrite */ 1569 memcpy(cache, cache->sharedCache, sizeof *cache); /* overwrite */
1589 1570
1590 /* Fix pointers in our private copy of cache descriptor to point to 1571 /* Fix pointers in our private copy of cache descriptor to point to
1591 ** spaces in shared memory, whose address is now in "my". 1572 ** spaces in shared memory, whose address is now in "my".
1592 */ 1573 */
1593 cache->sidCacheLocks = (sidCacheLock *) 1574 cache->sidCacheLocks = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->sidC acheLocks);
1594 (my.cacheMem + (ptrdiff_t)cache->sidCacheLocks); 1575 cache->keyCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->keyCa cheLock);
1595 cache->keyCacheLock = (sidCacheLock *) 1576 cache->certCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->cert CacheLock);
1596 (my.cacheMem + (ptrdiff_t)cache->keyCacheLock); 1577 cache->srvNameCacheLock = (sidCacheLock *)(my.cacheMem + (ptrdiff_t)cache->s rvNameCacheLock);
1597 cache->certCacheLock = (sidCacheLock *) 1578 cache->sidCacheSets = (sidCacheSet *)(my.cacheMem + (ptrdiff_t)cache->sidCac heSets);
1598 (my.cacheMem + (ptrdiff_t)cache->certCacheLock); 1579 cache->sidCacheData = (sidCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->sidC acheData);
1599 cache->srvNameCacheLock = (sidCacheLock *) 1580 cache->certCacheData = (certCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->ce rtCacheData);
1600 (my.cacheMem + (ptrdiff_t)cache->srvNameCacheLock); 1581 cache->keyCacheData = (SSLWrappedSymWrappingKey *)(my.cacheMem + (ptrdiff_t) cache->keyCacheData);
1601 cache->sidCacheSets = (sidCacheSet *) 1582 cache->ticketKeyNameSuffix = (PRUint8 *)(my.cacheMem + (ptrdiff_t)cache->tic ketKeyNameSuffix);
1602 (my.cacheMem + (ptrdiff_t)cache->sidCacheSets); 1583 cache->ticketEncKey = (encKeyCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->t icketEncKey);
1603 cache->sidCacheData = (sidCacheEntry *) 1584 cache->ticketMacKey = (encKeyCacheEntry *)(my.cacheMem + (ptrdiff_t)cache->t icketMacKey);
1604 (my.cacheMem + (ptrdiff_t)cache->sidCacheData); 1585 cache->ticketKeysValid = (PRUint32 *)(my.cacheMem + (ptrdiff_t)cache->ticket KeysValid);
1605 cache->certCacheData = (certCacheEntry *) 1586 cache->srvNameCacheData = (srvNameCacheEntry *)(my.cacheMem + (ptrdiff_t)cac he->srvNameCacheData);
1606 (my.cacheMem + (ptrdiff_t)cache->certCacheData);
1607 cache->keyCacheData = (SSLWrappedSymWrappingKey *)
1608 (my.cacheMem + (ptrdiff_t)cache->keyCacheData);
1609 cache->ticketKeyNameSuffix = (PRUint8 *)
1610 (my.cacheMem + (ptrdiff_t)cache->ticketKeyNameSuffix);
1611 cache->ticketEncKey = (encKeyCacheEntry *)
1612 (my.cacheMem + (ptrdiff_t)cache->ticketEncKey);
1613 cache->ticketMacKey = (encKeyCacheEntry *)
1614 (my.cacheMem + (ptrdiff_t)cache->ticketMacKey);
1615 cache->ticketKeysValid = (PRUint32 *)
1616 (my.cacheMem + (ptrdiff_t)cache->ticketKeysValid);
1617 cache->srvNameCacheData = (srvNameCacheEntry *)
1618 (my.cacheMem + (ptrdiff_t)cache->srvNameCacheData);
1619 1587
1620 cache->cacheMemMap = my.cacheMemMap; 1588 cache->cacheMemMap = my.cacheMemMap;
1621 cache->cacheMem = my.cacheMem; 1589 cache->cacheMem = my.cacheMem;
1622 cache->sharedCache = (cacheDesc *)cache->cacheMem; 1590 cache->sharedCache = (cacheDesc *)cache->cacheMem;
1623 1591
1624 #ifdef WINNT 1592 #ifdef WINNT
1625 /* On Windows NT we need to "fix" the sidCacheLocks here to support fibers 1593 /* On Windows NT we need to "fix" the sidCacheLocks here to support fibers
1626 ** When NT fibers are used in a multi-process server, a second level of 1594 ** When NT fibers are used in a multi-process server, a second level of
1627 ** locking is needed to prevent a deadlock, in case a fiber acquires the 1595 ** locking is needed to prevent a deadlock, in case a fiber acquires the
1628 ** cross-process mutex, yields, and another fiber is later scheduled on 1596 ** cross-process mutex, yields, and another fiber is later scheduled on
1629 ** the same native thread and tries to acquire the cross-process mutex. 1597 ** the same native thread and tries to acquire the cross-process mutex.
1630 ** We do this by using a PRLock in the sslMutex. However, it is stored in 1598 ** We do this by using a PRLock in the sslMutex. However, it is stored in
1631 ** shared memory as part of sidCacheLocks, and we don't want to overwrite 1599 ** shared memory as part of sidCacheLocks, and we don't want to overwrite
1632 ** the PRLock of the parent process. So we need to make new, private 1600 ** the PRLock of the parent process. So we need to make new, private
1633 ** copies of sidCacheLocks before modifying the sslMutex with our own 1601 ** copies of sidCacheLocks before modifying the sslMutex with our own
1634 ** PRLock 1602 ** PRLock
1635 */ 1603 */
1636 1604
1637 /* note from jpierre : this should be free'd in child processes when 1605 /* note from jpierre : this should be free'd in child processes when
1638 ** a function is added to delete the SSL session cache in the future. 1606 ** a function is added to delete the SSL session cache in the future.
1639 */ 1607 */
1640 locks_to_initialize = cache->numSIDCacheLocks + 3; 1608 locks_to_initialize = cache->numSIDCacheLocks + 3;
1641 newLocks = PORT_NewArray(sidCacheLock, locks_to_initialize); 1609 newLocks = PORT_NewArray(sidCacheLock, locks_to_initialize);
1642 if (!newLocks) 1610 if (!newLocks)
1643 » goto loser; 1611 goto loser;
1644 /* copy the old locks */ 1612 /* copy the old locks */
1645 memcpy(newLocks, cache->sidCacheLocks, 1613 memcpy(newLocks, cache->sidCacheLocks,
1646 locks_to_initialize * sizeof(sidCacheLock)); 1614 locks_to_initialize * sizeof(sidCacheLock));
1647 cache->sidCacheLocks = newLocks; 1615 cache->sidCacheLocks = newLocks;
1648 /* fix the locks */»» 1616 /* fix the locks */
1649 for (; locks_initialized < locks_to_initialize; ++locks_initialized) { 1617 for (; locks_initialized < locks_to_initialize; ++locks_initialized) {
1650 /* now, make a local PRLock in this sslMutex for this child process */ 1618 /* now, make a local PRLock in this sslMutex for this child process */
1651 » SECStatus err; 1619 SECStatus err;
1652 err = sslMutex_2LevelInit(&newLocks[locks_initialized].mutex); 1620 err = sslMutex_2LevelInit(&newLocks[locks_initialized].mutex);
1653 » if (err != SECSuccess) { 1621 if (err != SECSuccess) {
1654 » cache->numSIDCacheLocksInitialized = locks_initialized; 1622 cache->numSIDCacheLocksInitialized = locks_initialized;
1655 » goto loser; 1623 goto loser;
1656 » } 1624 }
1657 } 1625 }
1658 cache->numSIDCacheLocksInitialized = locks_initialized; 1626 cache->numSIDCacheLocksInitialized = locks_initialized;
1659 1627
1660 /* also fix the key and cert cache which use the last 2 lock entries */ 1628 /* also fix the key and cert cache which use the last 2 lock entries */
1661 cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks; 1629 cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks;
1662 cache->certCacheLock = cache->keyCacheLock + 1; 1630 cache->certCacheLock = cache->keyCacheLock + 1;
1663 cache->srvNameCacheLock = cache->certCacheLock + 1; 1631 cache->srvNameCacheLock = cache->certCacheLock + 1;
1664 #endif 1632 #endif
1665 1633
1666 PORT_Free(myEnvString); 1634 PORT_Free(myEnvString);
1667 PORT_Free(decoString); 1635 PORT_Free(decoString);
1668 1636
1669 /* mark that we have inherited this. */ 1637 /* mark that we have inherited this. */
1670 cache->sharedCache->everInherited = PR_TRUE; 1638 cache->sharedCache->everInherited = PR_TRUE;
1671 isMultiProcess = PR_TRUE; 1639 isMultiProcess = PR_TRUE;
1672 1640
1673 return SECSuccess; 1641 return SECSuccess;
1674 1642
1675 loser: 1643 loser:
1676 PORT_Free(myEnvString); 1644 PORT_Free(myEnvString);
1677 if (decoString) 1645 if (decoString)
1678 » PORT_Free(decoString); 1646 PORT_Free(decoString);
1679 CloseCache(cache); 1647 CloseCache(cache);
1680 return SECFailure; 1648 return SECFailure;
1681 } 1649 }
1682 1650
1683 SECStatus 1651 SECStatus
1684 SSL_InheritMPServerSIDCache(const char * envString) 1652 SSL_InheritMPServerSIDCache(const char *envString)
1685 { 1653 {
1686 return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString); 1654 return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString);
1687 } 1655 }
1688 1656
1689 #if defined(XP_UNIX) || defined(XP_BEOS) 1657 #if defined(XP_UNIX) || defined(XP_BEOS)
1690 1658
1691 #define SID_LOCK_EXPIRATION_TIMEOUT 30 /* seconds */ 1659 #define SID_LOCK_EXPIRATION_TIMEOUT 30 /* seconds */
1692 1660
1693 static void 1661 static void
1694 LockPoller(void * arg) 1662 LockPoller(void *arg)
1695 { 1663 {
1696 cacheDesc * cache = (cacheDesc *)arg; 1664 cacheDesc *cache = (cacheDesc *)arg;
1697 cacheDesc * sharedCache = cache->sharedCache; 1665 cacheDesc *sharedCache = cache->sharedCache;
1698 sidCacheLock * pLock; 1666 sidCacheLock *pLock;
1699 PRIntervalTime timeout; 1667 PRIntervalTime timeout;
1700 PRUint32 now; 1668 PRUint32 now;
1701 PRUint32 then; 1669 PRUint32 then;
1702 int locks_polled = 0; 1670 int locks_polled = 0;
1703 int locks_to_poll = cache->numSIDCacheLocks + 2; 1671 int locks_to_poll = cache->numSIDCacheLocks + 2;
1704 PRUint32 expiration = cache->mutexTimeout; 1672 PRUint32 expiration = cache->mutexTimeout;
1705 1673
1706 timeout = PR_SecondsToInterval(expiration); 1674 timeout = PR_SecondsToInterval(expiration);
1707 while(!sharedCache->stopPolling) { 1675 while (!sharedCache->stopPolling) {
1708 » PR_Sleep(timeout); 1676 PR_Sleep(timeout);
1709 » if (sharedCache->stopPolling) 1677 if (sharedCache->stopPolling)
1710 » break; 1678 break;
1711 1679
1712 » now = ssl_Time(); 1680 now = ssl_Time();
1713 » then = now - expiration; 1681 then = now - expiration;
1714 » for (pLock = cache->sidCacheLocks, locks_polled = 0; 1682 for (pLock = cache->sidCacheLocks, locks_polled = 0;
1715 » locks_to_poll > locks_polled && !sharedCache->stopPolling; 1683 locks_to_poll > locks_polled && !sharedCache->stopPolling;
1716 » ++locks_polled, ++pLock ) { 1684 ++locks_polled, ++pLock) {
1717 » pid_t pid; 1685 pid_t pid;
1718 1686
1719 » if (pLock->timeStamp < then && 1687 if (pLock->timeStamp < then &&
1720 » pLock->timeStamp != 0 && 1688 pLock->timeStamp != 0 &&
1721 » » (pid = pLock->pid) != 0) { 1689 (pid = pLock->pid) != 0) {
1722 1690
1723 » » /* maybe we should try the lock? */ 1691 /* maybe we should try the lock? */
1724 » » int result = kill(pid, 0); 1692 int result = kill(pid, 0);
1725 » » if (result < 0 && errno == ESRCH) { 1693 if (result < 0 && errno == ESRCH) {
1726 » » SECStatus rv; 1694 SECStatus rv;
1727 » » /* No process exists by that pid any more. 1695 /* No process exists by that pid any more.
1728 » » ** Treat this mutex as abandoned. 1696 ** Treat this mutex as abandoned.
1729 » » */ 1697 */
1730 » » pLock->timeStamp = now; 1698 pLock->timeStamp = now;
1731 » » pLock->pid = 0; 1699 pLock->pid = 0;
1732 » » rv = sslMutex_Unlock(&pLock->mutex); 1700 rv = sslMutex_Unlock(&pLock->mutex);
1733 » » if (rv != SECSuccess) { 1701 if (rv != SECSuccess) {
1734 » » » /* Now what? */ 1702 /* Now what? */
1735 » » } 1703 }
1736 » » } 1704 }
1737 » } 1705 }
1738 » } /* end of loop over locks */ 1706 } /* end of loop over locks */
1739 } /* end of entire polling loop */ 1707 } /* end of entire polling loop */
1740 } 1708 }
1741 1709
1742 /* Launch thread to poll cache for expired locks */ 1710 /* Launch thread to poll cache for expired locks */
1743 static SECStatus 1711 static SECStatus
1744 LaunchLockPoller(cacheDesc *cache) 1712 LaunchLockPoller(cacheDesc *cache)
1745 { 1713 {
1746 const char * timeoutString; 1714 const char *timeoutString;
1747 PRThread * pollerThread; 1715 PRThread *pollerThread;
1748 1716
1749 cache->mutexTimeout = SID_LOCK_EXPIRATION_TIMEOUT; 1717 cache->mutexTimeout = SID_LOCK_EXPIRATION_TIMEOUT;
1750 timeoutString = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT"); 1718 timeoutString = PR_GetEnvSecure("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
1751 if (timeoutString) { 1719 if (timeoutString) {
1752 » long newTime = strtol(timeoutString, 0, 0); 1720 long newTime = strtol(timeoutString, 0, 0);
1753 » if (newTime == 0) 1721 if (newTime == 0)
1754 » return SECSuccess; /* application doesn't want poller thread */ 1722 return SECSuccess; /* application doesn't want poller thread */
1755 » if (newTime > 0) 1723 if (newTime > 0)
1756 » cache->mutexTimeout = (PRUint32)newTime; 1724 cache->mutexTimeout = (PRUint32)newTime;
1757 » /* if error (newTime < 0) ignore it and use default */ 1725 /* if error (newTime < 0) ignore it and use default */
1758 } 1726 }
1759 1727
1760 pollerThread = 1728 pollerThread =
1761 » PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL, 1729 PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL,
1762 » PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0); 1730 PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
1763 if (!pollerThread) { 1731 if (!pollerThread) {
1764 » return SECFailure; 1732 return SECFailure;
1765 } 1733 }
1766 cache->poller = pollerThread; 1734 cache->poller = pollerThread;
1767 return SECSuccess; 1735 return SECSuccess;
1768 } 1736 }
1769 1737
1770 /* Stop the thread that polls cache for expired locks */ 1738 /* Stop the thread that polls cache for expired locks */
1771 static SECStatus 1739 static SECStatus
1772 StopLockPoller(cacheDesc *cache) 1740 StopLockPoller(cacheDesc *cache)
1773 { 1741 {
1774 if (!cache->poller) { 1742 if (!cache->poller) {
1775 » return SECSuccess; 1743 return SECSuccess;
1776 } 1744 }
1777 cache->sharedCache->stopPolling = PR_TRUE; 1745 cache->sharedCache->stopPolling = PR_TRUE;
1778 if (PR_Interrupt(cache->poller) != PR_SUCCESS) { 1746 if (PR_Interrupt(cache->poller) != PR_SUCCESS) {
1779 » return SECFailure; 1747 return SECFailure;
1780 } 1748 }
1781 if (PR_JoinThread(cache->poller) != PR_SUCCESS) { 1749 if (PR_JoinThread(cache->poller) != PR_SUCCESS) {
1782 » return SECFailure; 1750 return SECFailure;
1783 } 1751 }
1784 cache->poller = NULL; 1752 cache->poller = NULL;
1785 return SECSuccess; 1753 return SECSuccess;
1786 } 1754 }
1787 #endif 1755 #endif
1788 1756
1789 /************************************************************************ 1757 /************************************************************************
1790 * Code dealing with shared wrapped symmetric wrapping keys below * 1758 * Code dealing with shared wrapped symmetric wrapping keys below *
1791 ************************************************************************/ 1759 ************************************************************************/
1792 1760
1793 /* If now is zero, it implies that the lock is not held, and must be 1761 /* If now is zero, it implies that the lock is not held, and must be
1794 ** aquired here. 1762 ** aquired here.
1795 */ 1763 */
1796 static PRBool 1764 static PRBool
1797 getSvrWrappingKey(PRInt32 symWrapMechIndex, 1765 getSvrWrappingKey(PRInt32 symWrapMechIndex,
1798 SSL3KEAType exchKeyType, 1766 SSL3KEAType exchKeyType,
1799 SSLWrappedSymWrappingKey *wswk, 1767 SSLWrappedSymWrappingKey *wswk,
1800 » cacheDesc * cache, 1768 cacheDesc *cache,
1801 » PRUint32 lockTime) 1769 PRUint32 lockTime)
1802 { 1770 {
1803 PRUint32 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; 1771 PRUint32 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
1804 SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx; 1772 SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx;
1805 PRUint32 now = 0; 1773 PRUint32 now = 0;
1806 PRBool rv = PR_FALSE; 1774 PRBool rv = PR_FALSE;
1807 1775
1808 if (!cache->cacheMem) { /* cache is uninitialized */ 1776 if (!cache->cacheMem) { /* cache is uninitialized */
1809 » PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED); 1777 PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
1810 » return rv; 1778 return rv;
1811 } 1779 }
1812 if (!lockTime) { 1780 if (!lockTime) {
1813 » lockTime = now = LockSidCacheLock(cache->keyCacheLock, now); 1781 lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
1814 » if (!lockTime) { 1782 if (!lockTime) {
1815 » return rv; 1783 return rv;
1816 » } 1784 }
1817 } 1785 }
1818 if (pwswk->exchKeyType == exchKeyType && 1786 if (pwswk->exchKeyType == exchKeyType &&
1819 » pwswk->symWrapMechIndex == symWrapMechIndex && 1787 pwswk->symWrapMechIndex == symWrapMechIndex &&
1820 » pwswk->wrappedSymKeyLen != 0) { 1788 pwswk->wrappedSymKeyLen != 0) {
1821 » *wswk = *pwswk; 1789 *wswk = *pwswk;
1822 » rv = PR_TRUE; 1790 rv = PR_TRUE;
1823 } 1791 }
1824 if (now) { 1792 if (now) {
1825 » UnlockSidCacheLock(cache->keyCacheLock); 1793 UnlockSidCacheLock(cache->keyCacheLock);
1826 } 1794 }
1827 return rv; 1795 return rv;
1828 } 1796 }
1829 1797
1830 PRBool 1798 PRBool
1831 ssl_GetWrappingKey( PRInt32 symWrapMechIndex, 1799 ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
1832 SSL3KEAType exchKeyType, 1800 SSL3KEAType exchKeyType,
1833 » » SSLWrappedSymWrappingKey *wswk) 1801 SSLWrappedSymWrappingKey *wswk)
1834 { 1802 {
1835 PRBool rv; 1803 PRBool rv;
1836 1804
1837 PORT_Assert( (unsigned)exchKeyType < kt_kea_size); 1805 PORT_Assert((unsigned)exchKeyType < kt_kea_size);
1838 PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS); 1806 PORT_Assert((unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
1839 if ((unsigned)exchKeyType < kt_kea_size && 1807 if ((unsigned)exchKeyType < kt_kea_size &&
1840 (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) { 1808 (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
1841 » rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk, 1809 rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk,
1842 » &globalCache, 0); 1810 &globalCache, 0);
1843 } else { 1811 } else {
1844 » rv = PR_FALSE; 1812 rv = PR_FALSE;
1845 } 1813 }
1846 1814
1847 return rv; 1815 return rv;
1848 } 1816 }
1849 1817
1850 /* Wrap and cache a session ticket key. */ 1818 /* Wrap and cache a session ticket key. */
1851 static PRBool 1819 static PRBool
1852 WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey, 1820 WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey,
1853 const char *keyName, encKeyCacheEntry* cacheEntry) 1821 const char *keyName, encKeyCacheEntry *cacheEntry)
1854 { 1822 {
1855 SECItem wrappedKey = {siBuffer, NULL, 0}; 1823 SECItem wrappedKey = { siBuffer, NULL, 0 };
1856 1824
1857 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey); 1825 wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey);
1858 PORT_Assert(wrappedKey.len <= sizeof(cacheEntry->bytes)); 1826 PORT_Assert(wrappedKey.len <= sizeof(cacheEntry->bytes));
1859 if (wrappedKey.len > sizeof(cacheEntry->bytes)) 1827 if (wrappedKey.len > sizeof(cacheEntry->bytes))
1860 » return PR_FALSE; 1828 return PR_FALSE;
1861 wrappedKey.data = cacheEntry->bytes; 1829 wrappedKey.data = cacheEntry->bytes;
1862 1830
1863 if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey) 1831 if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey) !=
1864 » != SECSuccess) { 1832 SECSuccess) {
1865 » SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.", 1833 SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.",
1866 » » SSL_GETPID(), "unknown", keyName)); 1834 SSL_GETPID(), "unknown", keyName));
1867 » return PR_FALSE; 1835 return PR_FALSE;
1868 } 1836 }
1869 cacheEntry->length = wrappedKey.len; 1837 cacheEntry->length = wrappedKey.len;
1870 return PR_TRUE; 1838 return PR_TRUE;
1871 } 1839 }
1872 1840
1873 static PRBool 1841 static PRBool
1874 GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey, 1842 GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey,
1875 PK11SymKey **macKey) 1843 PK11SymKey **macKey)
1876 { 1844 {
1877 PK11SlotInfo *slot; 1845 PK11SlotInfo *slot;
1878 CK_MECHANISM_TYPE mechanismArray[2]; 1846 CK_MECHANISM_TYPE mechanismArray[2];
1879 PK11SymKey *aesKeyTmp = NULL; 1847 PK11SymKey *aesKeyTmp = NULL;
1880 PK11SymKey *macKeyTmp = NULL; 1848 PK11SymKey *macKeyTmp = NULL;
1881 cacheDesc *cache = &globalCache; 1849 cacheDesc *cache = &globalCache;
1882 PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN]; 1850 PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
1883 PRUint8 *ticketKeyNameSuffix; 1851 PRUint8 *ticketKeyNameSuffix;
1884 1852
1885 if (!cache->cacheMem) { 1853 if (!cache->cacheMem) {
1886 /* cache is not initalized. Use stack buffer */ 1854 /* cache is not initalized. Use stack buffer */
1887 ticketKeyNameSuffix = ticketKeyNameSuffixLocal; 1855 ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
1888 } else { 1856 } else {
1889 ticketKeyNameSuffix = cache->ticketKeyNameSuffix; 1857 ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
1890 } 1858 }
1891 1859
1892 if (PK11_GenerateRandom(ticketKeyNameSuffix, 1860 if (PK11_GenerateRandom(ticketKeyNameSuffix,
1893 » SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) { 1861 SESS_TICKET_KEY_VAR_NAME_LEN) !=
1894 » SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.", 1862 SECSuccess) {
1895 » » SSL_GETPID(), "unknown")); 1863 SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.",
1896 » goto loser; 1864 SSL_GETPID(), "unknown"));
1865 goto loser;
1897 } 1866 }
1898 1867
1899 mechanismArray[0] = CKM_AES_CBC; 1868 mechanismArray[0] = CKM_AES_CBC;
1900 mechanismArray[1] = CKM_SHA256_HMAC; 1869 mechanismArray[1] = CKM_SHA256_HMAC;
1901 1870
1902 slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg); 1871 slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg);
1903 if (slot) { 1872 if (slot) {
1904 » aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL, 1873 aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL,
1905 AES_256_KEY_LENGTH, pwArg); 1874 AES_256_KEY_LENGTH, pwArg);
1906 » macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL, 1875 macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL,
1907 SHA256_LENGTH, pwArg); 1876 SHA256_LENGTH, pwArg);
1908 » PK11_FreeSlot(slot); 1877 PK11_FreeSlot(slot);
1909 } 1878 }
1910 1879
1911 if (aesKeyTmp == NULL || macKeyTmp == NULL) { 1880 if (aesKeyTmp == NULL || macKeyTmp == NULL) {
1912 » SSL_DBG(("%d: SSL[%s]: Unable to generate session ticket keys.", 1881 SSL_DBG(("%d: SSL[%s]: Unable to generate session ticket keys.",
1913 » » SSL_GETPID(), "unknown")); 1882 SSL_GETPID(), "unknown"));
1914 » goto loser; 1883 goto loser;
1915 } 1884 }
1916 PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN); 1885 PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN);
1917 *aesKey = aesKeyTmp; 1886 *aesKey = aesKeyTmp;
1918 *macKey = macKeyTmp; 1887 *macKey = macKeyTmp;
1919 return PR_TRUE; 1888 return PR_TRUE;
1920 1889
1921 loser: 1890 loser:
1922 if (aesKeyTmp) 1891 if (aesKeyTmp)
1923 » PK11_FreeSymKey(aesKeyTmp); 1892 PK11_FreeSymKey(aesKeyTmp);
1924 if (macKeyTmp) 1893 if (macKeyTmp)
1925 » PK11_FreeSymKey(macKeyTmp); 1894 PK11_FreeSymKey(macKeyTmp);
1926 return PR_FALSE; 1895 return PR_FALSE;
1927 } 1896 }
1928 1897
1929 static PRBool 1898 static PRBool
1930 GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg, 1899 GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg,
1931 unsigned char *keyName, PK11SymKey **aesKey, 1900 unsigned char *keyName, PK11SymKey **aesKey,
1932 PK11SymKey **macKey) 1901 PK11SymKey **macKey)
1933 { 1902 {
1934 PK11SymKey *aesKeyTmp = NULL; 1903 PK11SymKey *aesKeyTmp = NULL;
1935 PK11SymKey *macKeyTmp = NULL; 1904 PK11SymKey *macKeyTmp = NULL;
1936 cacheDesc *cache = &globalCache; 1905 cacheDesc *cache = &globalCache;
1937 1906
1938 if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) { 1907 if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) {
1939 goto loser; 1908 goto loser;
1940 } 1909 }
1941 1910
1942 if (cache->cacheMem) { 1911 if (cache->cacheMem) {
1943 /* Export the keys to the shared cache in wrapped form. */ 1912 /* Export the keys to the shared cache in wrapped form. */
1944 if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey) ) 1913 if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey) )
1945 goto loser; 1914 goto loser;
1946 if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey) ) 1915 if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey) )
1947 goto loser; 1916 goto loser;
1948 } 1917 }
1949 *aesKey = aesKeyTmp; 1918 *aesKey = aesKeyTmp;
1950 *macKey = macKeyTmp; 1919 *macKey = macKeyTmp;
1951 return PR_TRUE; 1920 return PR_TRUE;
1952 1921
1953 loser: 1922 loser:
1954 if (aesKeyTmp) 1923 if (aesKeyTmp)
1955 » PK11_FreeSymKey(aesKeyTmp); 1924 PK11_FreeSymKey(aesKeyTmp);
1956 if (macKeyTmp) 1925 if (macKeyTmp)
1957 » PK11_FreeSymKey(macKeyTmp); 1926 PK11_FreeSymKey(macKeyTmp);
1958 return PR_FALSE; 1927 return PR_FALSE;
1959 } 1928 }
1960 1929
1961 static PRBool 1930 static PRBool
1962 UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName, 1931 UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName,
1963 PK11SymKey **aesKey, PK11SymKey **macKey) 1932 PK11SymKey **aesKey, PK11SymKey **macKey)
1964 { 1933 {
1965 SECItem wrappedKey = {siBuffer, NULL, 0}; 1934 SECItem wrappedKey = { siBuffer, NULL, 0 };
1966 PK11SymKey *aesKeyTmp = NULL; 1935 PK11SymKey *aesKeyTmp = NULL;
1967 PK11SymKey *macKeyTmp = NULL; 1936 PK11SymKey *macKeyTmp = NULL;
1968 cacheDesc *cache = &globalCache; 1937 cacheDesc *cache = &globalCache;
1969 1938
1970 wrappedKey.data = cache->ticketEncKey->bytes; 1939 wrappedKey.data = cache->ticketEncKey->bytes;
1971 wrappedKey.len = cache->ticketEncKey->length; 1940 wrappedKey.len = cache->ticketEncKey->length;
1972 PORT_Assert(wrappedKey.len <= sizeof(cache->ticketEncKey->bytes)); 1941 PORT_Assert(wrappedKey.len <= sizeof(cache->ticketEncKey->bytes));
1973 aesKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, 1942 aesKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
1974 » CKM_AES_CBC, CKA_DECRYPT, 0); 1943 CKM_AES_CBC, CKA_DECRYPT, 0);
1975 1944
1976 wrappedKey.data = cache->ticketMacKey->bytes; 1945 wrappedKey.data = cache->ticketMacKey->bytes;
1977 wrappedKey.len = cache->ticketMacKey->length; 1946 wrappedKey.len = cache->ticketMacKey->length;
1978 PORT_Assert(wrappedKey.len <= sizeof(cache->ticketMacKey->bytes)); 1947 PORT_Assert(wrappedKey.len <= sizeof(cache->ticketMacKey->bytes));
1979 macKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, 1948 macKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
1980 » CKM_SHA256_HMAC, CKA_SIGN, 0); 1949 CKM_SHA256_HMAC, CKA_SIGN, 0);
1981 1950
1982 if (aesKeyTmp == NULL || macKeyTmp == NULL) { 1951 if (aesKeyTmp == NULL || macKeyTmp == NULL) {
1983 » SSL_DBG(("%d: SSL[%s]: Unable to unwrap session ticket keys.", 1952 SSL_DBG(("%d: SSL[%s]: Unable to unwrap session ticket keys.",
1984 » » SSL_GETPID(), "unknown")); 1953 SSL_GETPID(), "unknown"));
1985 » goto loser; 1954 goto loser;
1986 } 1955 }
1987 SSL_DBG(("%d: SSL[%s]: Successfully unwrapped session ticket keys.", 1956 SSL_DBG(("%d: SSL[%s]: Successfully unwrapped session ticket keys.",
1988 » » SSL_GETPID(), "unknown")); 1957 SSL_GETPID(), "unknown"));
1989 1958
1990 PORT_Memcpy(keyName, cache->ticketKeyNameSuffix, 1959 PORT_Memcpy(keyName, cache->ticketKeyNameSuffix,
1991 » SESS_TICKET_KEY_VAR_NAME_LEN); 1960 SESS_TICKET_KEY_VAR_NAME_LEN);
1992 *aesKey = aesKeyTmp; 1961 *aesKey = aesKeyTmp;
1993 *macKey = macKeyTmp; 1962 *macKey = macKeyTmp;
1994 return PR_TRUE; 1963 return PR_TRUE;
1995 1964
1996 loser: 1965 loser:
1997 if (aesKeyTmp) 1966 if (aesKeyTmp)
1998 » PK11_FreeSymKey(aesKeyTmp); 1967 PK11_FreeSymKey(aesKeyTmp);
1999 if (macKeyTmp) 1968 if (macKeyTmp)
2000 » PK11_FreeSymKey(macKeyTmp); 1969 PK11_FreeSymKey(macKeyTmp);
2001 return PR_FALSE; 1970 return PR_FALSE;
2002 } 1971 }
2003 1972
2004 PRBool 1973 PRBool
2005 ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, 1974 ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
2006 SECKEYPublicKey *svrPubKey, void *pwArg, 1975 SECKEYPublicKey *svrPubKey, void *pwArg,
2007 unsigned char *keyName, PK11SymKey **aesKey, 1976 unsigned char *keyName, PK11SymKey **aesKey,
2008 PK11SymKey **macKey) 1977 PK11SymKey **macKey)
2009 { 1978 {
2010 PRUint32 now = 0; 1979 PRUint32 now = 0;
2011 PRBool rv = PR_FALSE; 1980 PRBool rv = PR_FALSE;
2012 PRBool keysGenerated = PR_FALSE; 1981 PRBool keysGenerated = PR_FALSE;
2013 cacheDesc *cache = &globalCache; 1982 cacheDesc *cache = &globalCache;
2014 1983
2015 if (!cache->cacheMem) { 1984 if (!cache->cacheMem) {
2016 /* cache is uninitialized. Generate keys and return them 1985 /* cache is uninitialized. Generate keys and return them
2017 * without caching. */ 1986 * without caching. */
2018 return GenerateTicketKeys(pwArg, keyName, aesKey, macKey); 1987 return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
2019 } 1988 }
2020 1989
2021 now = LockSidCacheLock(cache->keyCacheLock, now); 1990 now = LockSidCacheLock(cache->keyCacheLock, now);
2022 if (!now) 1991 if (!now)
2023 » return rv; 1992 return rv;
2024 1993
2025 if (!*(cache->ticketKeysValid)) { 1994 if (!*(cache->ticketKeysValid)) {
2026 » /* Keys do not exist, create them. */ 1995 /* Keys do not exist, create them. */
2027 » if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName, 1996 if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName,
2028 » » aesKey, macKey)) 1997 aesKey, macKey))
2029 » goto loser; 1998 goto loser;
2030 » keysGenerated = PR_TRUE; 1999 keysGenerated = PR_TRUE;
2031 » *(cache->ticketKeysValid) = 1; 2000 *(cache->ticketKeysValid) = 1;
2032 } 2001 }
2033 2002
2034 rv = PR_TRUE; 2003 rv = PR_TRUE;
2035 2004
2036 loser: 2005 loser:
2037 UnlockSidCacheLock(cache->keyCacheLock); 2006 UnlockSidCacheLock(cache->keyCacheLock);
2038 if (rv && !keysGenerated) 2007 if (rv && !keysGenerated)
2039 » rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey); 2008 rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey);
2040 return rv; 2009 return rv;
2041 } 2010 }
2042 2011
2043 PRBool 2012 PRBool
2044 ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey, 2013 ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
2045 unsigned char *macKey) 2014 unsigned char *macKey)
2046 { 2015 {
2047 PRBool rv = PR_FALSE; 2016 PRBool rv = PR_FALSE;
2048 PRUint32 now = 0; 2017 PRUint32 now = 0;
2049 cacheDesc *cache = &globalCache; 2018 cacheDesc *cache = &globalCache;
(...skipping 17 matching lines...) Expand all
2067 2036
2068 if (cacheIsEnabled) { 2037 if (cacheIsEnabled) {
2069 /* Grab lock if initialized. */ 2038 /* Grab lock if initialized. */
2070 now = LockSidCacheLock(cache->keyCacheLock, now); 2039 now = LockSidCacheLock(cache->keyCacheLock, now);
2071 if (!now) 2040 if (!now)
2072 return rv; 2041 return rv;
2073 } 2042 }
2074 /* Going to regenerate keys on every call if cache was not 2043 /* Going to regenerate keys on every call if cache was not
2075 * initialized. */ 2044 * initialized. */
2076 if (!cacheIsEnabled || !*(cache->ticketKeysValid)) { 2045 if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
2077 » if (PK11_GenerateRandom(ticketKeyNameSuffix, 2046 if (PK11_GenerateRandom(ticketKeyNameSuffix,
2078 » » SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) 2047 SESS_TICKET_KEY_VAR_NAME_LEN) !=
2079 » goto loser; 2048 SECSuccess)
2080 » if (PK11_GenerateRandom(ticketEncKeyPtr, 2049 goto loser;
2050 if (PK11_GenerateRandom(ticketEncKeyPtr,
2081 AES_256_KEY_LENGTH) != SECSuccess) 2051 AES_256_KEY_LENGTH) != SECSuccess)
2082 » goto loser; 2052 goto loser;
2083 » if (PK11_GenerateRandom(ticketMacKeyPtr, 2053 if (PK11_GenerateRandom(ticketMacKeyPtr,
2084 SHA256_LENGTH) != SECSuccess) 2054 SHA256_LENGTH) != SECSuccess)
2085 » goto loser; 2055 goto loser;
2086 if (cacheIsEnabled) { 2056 if (cacheIsEnabled) {
2087 *(cache->ticketKeysValid) = 1; 2057 *(cache->ticketKeysValid) = 1;
2088 } 2058 }
2089 } 2059 }
2090 2060
2091 rv = PR_TRUE; 2061 rv = PR_TRUE;
2092 2062
2093 loser: 2063 loser:
2094 if (cacheIsEnabled) { 2064 if (cacheIsEnabled) {
2095 UnlockSidCacheLock(cache->keyCacheLock); 2065 UnlockSidCacheLock(cache->keyCacheLock);
2096 } 2066 }
2097 if (rv) { 2067 if (rv) {
2098 » PORT_Memcpy(keyName, ticketKeyNameSuffix, 2068 PORT_Memcpy(keyName, ticketKeyNameSuffix,
2099 SESS_TICKET_KEY_VAR_NAME_LEN); 2069 SESS_TICKET_KEY_VAR_NAME_LEN);
2100 » PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH); 2070 PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH);
2101 » PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH); 2071 PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH);
2102 } 2072 }
2103 return rv; 2073 return rv;
2104 } 2074 }
2105 2075
2106 /* The caller passes in the new value it wants 2076 /* The caller passes in the new value it wants
2107 * to set. This code tests the wrapped sym key entry in the shared memory. 2077 * to set. This code tests the wrapped sym key entry in the shared memory.
2108 * If it is uninitialized, this function writes the caller's value into 2078 * If it is uninitialized, this function writes the caller's value into
2109 * the disk entry, and returns false. 2079 * the disk entry, and returns false.
2110 * Otherwise, it overwrites the caller's wswk with the value obtained from 2080 * Otherwise, it overwrites the caller's wswk with the value obtained from
2111 * the disk, and returns PR_TRUE. 2081 * the disk, and returns PR_TRUE.
2112 * This is all done while holding the locks/mutexes necessary to make 2082 * This is all done while holding the locks/mutexes necessary to make
2113 * the operation atomic. 2083 * the operation atomic.
2114 */ 2084 */
2115 PRBool 2085 PRBool
2116 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk) 2086 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
2117 { 2087 {
2118 cacheDesc * cache = &globalCache; 2088 cacheDesc *cache = &globalCache;
2119 PRBool rv = PR_FALSE; 2089 PRBool rv = PR_FALSE;
2120 SSL3KEAType exchKeyType = wswk->exchKeyType; 2090 SSL3KEAType exchKeyType = wswk->exchKeyType;
2121 /* type of keys used to wrap SymWrapKey*/ 2091 /* type of keys used to wrap SymWrapKey*/
2122 PRInt32 symWrapMechIndex = wswk->symWrapMechIndex; 2092 PRInt32 symWrapMechIndex = wswk->symWrapMechIndex;
2123 PRUint32 ndx; 2093 PRUint32 ndx;
2124 PRUint32 now = 0; 2094 PRUint32 now = 0;
2125 SSLWrappedSymWrappingKey myWswk; 2095 SSLWrappedSymWrappingKey myWswk;
2126 2096
2127 if (!cache->cacheMem) { /* cache is uninitialized */ 2097 if (!cache->cacheMem) { /* cache is uninitialized */
2128 » PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED); 2098 PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
2129 » return 0; 2099 return 0;
2130 } 2100 }
2131 2101
2132 PORT_Assert( (unsigned)exchKeyType < kt_kea_size); 2102 PORT_Assert((unsigned)exchKeyType < kt_kea_size);
2133 if ((unsigned)exchKeyType >= kt_kea_size) 2103 if ((unsigned)exchKeyType >= kt_kea_size)
2134 » return 0; 2104 return 0;
2135 2105
2136 PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS); 2106 PORT_Assert((unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
2137 if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS) 2107 if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS)
2138 » return 0; 2108 return 0;
2139 2109
2140 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; 2110 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
2141 PORT_Memset(&myWswk, 0, sizeof myWswk);» /* eliminate UMRs. */ 2111 PORT_Memset(&myWswk, 0, sizeof myWswk); /* eliminate UMRs. */
2142 2112
2143 now = LockSidCacheLock(cache->keyCacheLock, now); 2113 now = LockSidCacheLock(cache->keyCacheLock, now);
2144 if (now) { 2114 if (now) {
2145 » rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, 2115 rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType,
2146 » &myWswk, cache, now); 2116 &myWswk, cache, now);
2147 » if (rv) { 2117 if (rv) {
2148 » /* we found it on disk, copy it out to the caller. */ 2118 /* we found it on disk, copy it out to the caller. */
2149 » PORT_Memcpy(wswk, &myWswk, sizeof *wswk); 2119 PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
2150 » } else { 2120 } else {
2151 » /* Wasn't on disk, and we're still holding the lock, so write it. */ 2121 /* Wasn't on disk, and we're still holding the lock, so write it. */
2152 » cache->keyCacheData[ndx] = *wswk; 2122 cache->keyCacheData[ndx] = *wswk;
2153 » } 2123 }
2154 » UnlockSidCacheLock(cache->keyCacheLock); 2124 UnlockSidCacheLock(cache->keyCacheLock);
2155 } 2125 }
2156 return rv; 2126 return rv;
2157 } 2127 }
2158 2128
2159 #else /* MAC version or other platform */ 2129 #else /* MAC version or other platform */
2160 2130
2161 #include "seccomon.h" 2131 #include "seccomon.h"
2162 #include "cert.h" 2132 #include "cert.h"
2163 #include "ssl.h" 2133 #include "ssl.h"
2164 #include "sslimpl.h" 2134 #include "sslimpl.h"
2165 2135
2166 SECStatus 2136 SECStatus
2167 SSL_ConfigServerSessionIDCache(»int maxCacheEntries, 2137 SSL_ConfigServerSessionIDCache(int maxCacheEntries,
2168 » » » » PRUint32 ssl2_timeout, 2138 PRUint32 ssl2_timeout,
2169 » » » »PRUint32 ssl3_timeout, 2139 PRUint32 ssl3_timeout,
2170 » » » const char * directory) 2140 const char *directory)
2171 { 2141 {
2172 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServe rSessionIDCache)"); 2142 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServe rSessionIDCache)");
2173 return SECFailure; 2143 return SECFailure;
2174 } 2144 }
2175 2145
2176 SECStatus 2146 SECStatus
2177 SSL_ConfigMPServerSIDCache(» int maxCacheEntries, 2147 SSL_ConfigMPServerSIDCache(int maxCacheEntries,
2178 » » » » PRUint32 ssl2_timeout, 2148 PRUint32 ssl2_timeout,
2179 » » » »PRUint32 ssl3_timeout, 2149 PRUint32 ssl3_timeout,
2180 » » const char * directory) 2150 const char *directory)
2181 { 2151 {
2182 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPSer verSIDCache)"); 2152 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPSer verSIDCache)");
2183 return SECFailure; 2153 return SECFailure;
2184 } 2154 }
2185 2155
2186 SECStatus 2156 SECStatus
2187 SSL_InheritMPServerSIDCache(const char * envString) 2157 SSL_InheritMPServerSIDCache(const char *envString)
2188 { 2158 {
2189 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPSe rverSIDCache)"); 2159 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPSe rverSIDCache)");
2190 return SECFailure; 2160 return SECFailure;
2191 } 2161 }
2192 2162
2193 PRBool 2163 PRBool
2194 ssl_GetWrappingKey( PRInt32 symWrapMechIndex, 2164 ssl_GetWrappingKey(PRInt32 symWrapMechIndex,
2195 SSL3KEAType exchKeyType, 2165 SSL3KEAType exchKeyType,
2196 » » SSLWrappedSymWrappingKey *wswk) 2166 SSLWrappedSymWrappingKey *wswk)
2197 { 2167 {
2198 PRBool rv = PR_FALSE; 2168 PRBool rv = PR_FALSE;
2199 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrapping Key)"); 2169 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrapping Key)");
2200 return rv; 2170 return rv;
2201 } 2171 }
2202 2172
2203 /* This is a kind of test-and-set. The caller passes in the new value it wants 2173 /* This is a kind of test-and-set. The caller passes in the new value it wants
2204 * to set. This code tests the wrapped sym key entry in the shared memory. 2174 * to set. This code tests the wrapped sym key entry in the shared memory.
2205 * If it is uninitialized, this function writes the caller's value into 2175 * If it is uninitialized, this function writes the caller's value into
2206 * the disk entry, and returns false. 2176 * the disk entry, and returns false.
2207 * Otherwise, it overwrites the caller's wswk with the value obtained from 2177 * Otherwise, it overwrites the caller's wswk with the value obtained from
2208 * the disk, and returns PR_TRUE. 2178 * the disk, and returns PR_TRUE.
2209 * This is all done while holding the locks/mutexes necessary to make 2179 * This is all done while holding the locks/mutexes necessary to make
2210 * the operation atomic. 2180 * the operation atomic.
2211 */ 2181 */
2212 PRBool 2182 PRBool
2213 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk) 2183 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
2214 { 2184 {
2215 PRBool rv = PR_FALSE; 2185 PRBool rv = PR_FALSE;
2216 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrapping Key)"); 2186 PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrapping Key)");
2217 return rv; 2187 return rv;
2218 } 2188 }
2219 2189
2220 PRUint32 2190 PRUint32
2221 SSL_GetMaxServerCacheLocks(void) 2191 SSL_GetMaxServerCacheLocks(void)
2222 { 2192 {
2223 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServe rCacheLocks)"); 2193 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServe rCacheLocks)");
2224 return -1; 2194 return -1;
2225 } 2195 }
2226 2196
2227 SECStatus 2197 SECStatus
2228 SSL_SetMaxServerCacheLocks(PRUint32 maxLocks) 2198 SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
2229 { 2199 {
2230 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServe rCacheLocks)"); 2200 PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServe rCacheLocks)");
2231 return SECFailure; 2201 return SECFailure;
2232 } 2202 }
2233 2203
2234 #endif /* XP_UNIX || XP_WIN32 */ 2204 #endif /* XP_UNIX || XP_WIN32 */
OLDNEW
« net/socket/nss_ssl_util.cc ('K') | « net/third_party/nss/ssl/sslsecur.c ('k') | net/third_party/nss/ssl/sslsock.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698