Bug 199082: checked in Nelson's patch, which

a) changes selfserv to test the return value from NSS_Shutdown.
b) changes SECMOD_Shutdown to set the error code SEC_ERROR_BUSY before
   returning SECFailure.
c) Adds a new function SSL_ShutdownServerSessionIDCache to ssl.h.
d) Changes selfserv to call SSL_ShutdownServerSessionIDCache before calling
NSS_Shutdown.
Modified Files:
	cmd/selfserv/selfserv.c lib/pk11wrap/pk11util.c
	lib/ssl/ssl.def lib/ssl/ssl.h lib/ssl/ssl3con.c
	lib/ssl/sslimpl.h lib/ssl/sslsnce.c

7 files changed, 68 insertions, 5 deletions

diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 5a4dff262..41f1efe8b 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1739,7 +1739,13 @@ main(int argc, char **argv)
     free(nickName);
     free(passwd);
 
-    NSS_Shutdown();
+    SSL_ShutdownServerSessionIDCache();
+
+    if (NSS_Shutdown() != SECSuccess) {
+	SECU_PrintError(progName, "NSS_Shutdown");
+	PR_Cleanup();
+	exit(1);
+    }
     PR_Cleanup();
     printf("selfserv: normal termination\n");
     return 0;
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index 9c66a6491..1a32d04b9 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -112,7 +112,11 @@ SECMOD_Shutdown() {
 	PORT_Assert(secmod_PrivateModuleCount == 0);
     }
 #endif
-    return (secmod_PrivateModuleCount == 0) ? SECSuccess : SECFailure;
+    if (secmod_PrivateModuleCount) {
+    	PORT_SetError(SEC_ERROR_BUSY);
+	return SECFailure;
+    }
+    return SECSuccess;
 }
 
 
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index 7833ae741..33083caea 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -115,3 +115,9 @@ SSL_SetMaxServerCacheLocks;
 ;+    local:
 ;+*;
 ;+};
+;+NSS_3.7.4 {       # NSS 3.7.4 release
+;+    global:
+SSL_ShutdownServerSessionIDCache;
+;+    local:
+;+*;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 59b511f31..cbc5dcc6d 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -365,6 +365,11 @@ SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
 SSL_IMPORT void SSL_ClearSessionCache(void);
 
 /*
+** Close the server's SSL session cache.
+*/
+SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void);
+
+/*
 ** Set peer information so we can correctly look up SSL session later.
 ** You only have to do this if you're tunneling through a proxy.
 */
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 09fb81152..3f1977c61 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -3320,6 +3320,33 @@ typedef struct {
     PK11SymKey *      symWrapKey[kt_kea_size];
 } ssl3SymWrapKey;
 
+static PZLock *          symWrapKeysLock;
+static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
+
+SECStatus
+SSL3_ShutdownServerCache(void)
+{
+    int             i, j;
+
+    if (!symWrapKeysLock)
+    	return SECSuccess;	/* was never initialized */
+    PZ_Lock(symWrapKeysLock);
+    /* get rid of all symWrapKeys */
+    for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
+    	for (j = 0; j < kt_kea_size; ++j) {
+	    PK11SymKey **   pSymWrapKey;
+	    pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
+	    if (*pSymWrapKey) {
+		PK11_FreeSymKey(*pSymWrapKey);
+	    	*pSymWrapKey = NULL;
+	    }
+	}
+    }
+
+    PZ_Unlock(symWrapKeysLock);
+    return SECSuccess;
+}
+
 /* Try to get wrapping key for mechanism from in-memory array.
  * If that fails, look for one on disk.
  * If that fails, generate a new one, put the new one on disk,
@@ -3344,9 +3371,6 @@ getWrappingKey( sslSocket *       ss,
     SECItem                  wrappedKey;
     SSLWrappedSymWrappingKey wswk;
 
-    static PZLock *          symWrapKeysLock;
-    static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
-
     svrPrivKey  = ss->serverCerts[exchKeyType].serverKey;
     PORT_Assert(svrPrivKey != NULL);
     if (!svrPrivKey) {
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index c53e53757..90a99100e 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1261,6 +1261,9 @@ ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
 extern PRBool
 ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
 
+/* get rid of the symmetric wrapping key references. */
+extern SECStatus SSL3_ShutdownServerCache(void);
+
 /********************** misc calls *********************/
 
 extern int ssl_MapLowLevelError(int hiLevelError);
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
index 85c985b79..da475c15a 100644
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -1158,6 +1158,21 @@ SSL_ConfigServerSessionIDCache(	int      maxCacheEntries,
     		maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE);
 }
 
+SECStatus
+SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache)
+{
+    /* if single process, close down, clean up.
+    ** if multi-process, TBD.
+    */
+}
+
+SECStatus
+SSL_ShutdownServerSessionIDCache(void)
+{
+    SSL3_ShutdownServerCache();
+    return SSL_ShutdownServerSessionIDCacheInstance(&globalCache);
+}
+
 /* Use this function, instead of SSL_ConfigServerSessionIDCache,
  * if the cache will be shared by multiple processes.
  */