diff options
author | wtc%netscape.com <devnull@localhost> | 2003-03-26 00:31:13 +0000 |
---|---|---|
committer | wtc%netscape.com <devnull@localhost> | 2003-03-26 00:31:13 +0000 |
commit | e173c4d2d1aa382b60e27ca9120a77eea7a2a876 (patch) | |
tree | 21fb4431534853be93027ad8f0f9dc51255cc734 | |
parent | 73b2d535e6c237636d00108856ec3f739082e5fd (diff) | |
download | nss-hg-e173c4d2d1aa382b60e27ca9120a77eea7a2a876.tar.gz |
Bug 199082: checked in Nelson's patch, which
a) changes selfserv to test the return value from NSS_Shutdown.
b) changes SECMOD_Shutdown to set the error code SEC_ERROR_BUSY before
returning SECFailure.
c) Adds a new function SSL_ShutdownServerSessionIDCache to ssl.h.
d) Changes selfserv to call SSL_ShutdownServerSessionIDCache before calling
NSS_Shutdown.
Modified Files:
cmd/selfserv/selfserv.c lib/pk11wrap/pk11util.c
lib/ssl/ssl.def lib/ssl/ssl.h lib/ssl/ssl3con.c
lib/ssl/sslimpl.h lib/ssl/sslsnce.c
-rw-r--r-- | security/nss/cmd/selfserv/selfserv.c | 8 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11util.c | 6 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl.def | 6 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl.h | 5 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssl3con.c | 30 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslimpl.h | 3 | ||||
-rw-r--r-- | security/nss/lib/ssl/sslsnce.c | 15 |
7 files changed, 68 insertions, 5 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index 5a4dff262..41f1efe8b 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -1739,7 +1739,13 @@ main(int argc, char **argv) free(nickName); free(passwd); - NSS_Shutdown(); + SSL_ShutdownServerSessionIDCache(); + + if (NSS_Shutdown() != SECSuccess) { + SECU_PrintError(progName, "NSS_Shutdown"); + PR_Cleanup(); + exit(1); + } PR_Cleanup(); printf("selfserv: normal termination\n"); return 0; diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index 9c66a6491..1a32d04b9 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -112,7 +112,11 @@ SECMOD_Shutdown() { PORT_Assert(secmod_PrivateModuleCount == 0); } #endif - return (secmod_PrivateModuleCount == 0) ? SECSuccess : SECFailure; + if (secmod_PrivateModuleCount) { + PORT_SetError(SEC_ERROR_BUSY); + return SECFailure; + } + return SECSuccess; } diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def index 7833ae741..33083caea 100644 --- a/security/nss/lib/ssl/ssl.def +++ b/security/nss/lib/ssl/ssl.def @@ -115,3 +115,9 @@ SSL_SetMaxServerCacheLocks; ;+ local: ;+*; ;+}; +;+NSS_3.7.4 { # NSS 3.7.4 release +;+ global: +SSL_ShutdownServerSessionIDCache; +;+ local: +;+*; +;+}; diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 59b511f31..cbc5dcc6d 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -365,6 +365,11 @@ SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd); SSL_IMPORT void SSL_ClearSessionCache(void); /* +** Close the server's SSL session cache. +*/ +SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void); + +/* ** Set peer information so we can correctly look up SSL session later. ** You only have to do this if you're tunneling through a proxy. */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 09fb81152..3f1977c61 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -3320,6 +3320,33 @@ typedef struct { PK11SymKey * symWrapKey[kt_kea_size]; } ssl3SymWrapKey; +static PZLock * symWrapKeysLock; +static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; + +SECStatus +SSL3_ShutdownServerCache(void) +{ + int i, j; + + if (!symWrapKeysLock) + return SECSuccess; /* was never initialized */ + PZ_Lock(symWrapKeysLock); + /* get rid of all symWrapKeys */ + for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { + for (j = 0; j < kt_kea_size; ++j) { + PK11SymKey ** pSymWrapKey; + pSymWrapKey = &symWrapKeys[i].symWrapKey[j]; + if (*pSymWrapKey) { + PK11_FreeSymKey(*pSymWrapKey); + *pSymWrapKey = NULL; + } + } + } + + PZ_Unlock(symWrapKeysLock); + return SECSuccess; +} + /* Try to get wrapping key for mechanism from in-memory array. * If that fails, look for one on disk. * If that fails, generate a new one, put the new one on disk, @@ -3344,9 +3371,6 @@ getWrappingKey( sslSocket * ss, SECItem wrappedKey; SSLWrappedSymWrappingKey wswk; - static PZLock * symWrapKeysLock; - static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; - svrPrivKey = ss->serverCerts[exchKeyType].serverKey; PORT_Assert(svrPrivKey != NULL); if (!svrPrivKey) { diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index c53e53757..90a99100e 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -1261,6 +1261,9 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex, extern PRBool ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); +/* get rid of the symmetric wrapping key references. */ +extern SECStatus SSL3_ShutdownServerCache(void); + /********************** misc calls *********************/ extern int ssl_MapLowLevelError(int hiLevelError); diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index 85c985b79..da475c15a 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -1158,6 +1158,21 @@ SSL_ConfigServerSessionIDCache( int maxCacheEntries, maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE); } +SECStatus +SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache) +{ + /* if single process, close down, clean up. + ** if multi-process, TBD. + */ +} + +SECStatus +SSL_ShutdownServerSessionIDCache(void) +{ + SSL3_ShutdownServerCache(); + return SSL_ShutdownServerSessionIDCacheInstance(&globalCache); +} + /* Use this function, instead of SSL_ConfigServerSessionIDCache, * if the cache will be shared by multiple processes. */ |