summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwtc%netscape.com <devnull@localhost>2003-03-26 00:31:13 +0000
committerwtc%netscape.com <devnull@localhost>2003-03-26 00:31:13 +0000
commite173c4d2d1aa382b60e27ca9120a77eea7a2a876 (patch)
tree21fb4431534853be93027ad8f0f9dc51255cc734
parent73b2d535e6c237636d00108856ec3f739082e5fd (diff)
downloadnss-hg-e173c4d2d1aa382b60e27ca9120a77eea7a2a876.tar.gz
Bug 199082: checked in Nelson's patch, which
a) changes selfserv to test the return value from NSS_Shutdown. b) changes SECMOD_Shutdown to set the error code SEC_ERROR_BUSY before returning SECFailure. c) Adds a new function SSL_ShutdownServerSessionIDCache to ssl.h. d) Changes selfserv to call SSL_ShutdownServerSessionIDCache before calling NSS_Shutdown. Modified Files: cmd/selfserv/selfserv.c lib/pk11wrap/pk11util.c lib/ssl/ssl.def lib/ssl/ssl.h lib/ssl/ssl3con.c lib/ssl/sslimpl.h lib/ssl/sslsnce.c
-rw-r--r--security/nss/cmd/selfserv/selfserv.c8
-rw-r--r--security/nss/lib/pk11wrap/pk11util.c6
-rw-r--r--security/nss/lib/ssl/ssl.def6
-rw-r--r--security/nss/lib/ssl/ssl.h5
-rw-r--r--security/nss/lib/ssl/ssl3con.c30
-rw-r--r--security/nss/lib/ssl/sslimpl.h3
-rw-r--r--security/nss/lib/ssl/sslsnce.c15
7 files changed, 68 insertions, 5 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 5a4dff262..41f1efe8b 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -1739,7 +1739,13 @@ main(int argc, char **argv)
free(nickName);
free(passwd);
- NSS_Shutdown();
+ SSL_ShutdownServerSessionIDCache();
+
+ if (NSS_Shutdown() != SECSuccess) {
+ SECU_PrintError(progName, "NSS_Shutdown");
+ PR_Cleanup();
+ exit(1);
+ }
PR_Cleanup();
printf("selfserv: normal termination\n");
return 0;
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
index 9c66a6491..1a32d04b9 100644
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -112,7 +112,11 @@ SECMOD_Shutdown() {
PORT_Assert(secmod_PrivateModuleCount == 0);
}
#endif
- return (secmod_PrivateModuleCount == 0) ? SECSuccess : SECFailure;
+ if (secmod_PrivateModuleCount) {
+ PORT_SetError(SEC_ERROR_BUSY);
+ return SECFailure;
+ }
+ return SECSuccess;
}
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index 7833ae741..33083caea 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -115,3 +115,9 @@ SSL_SetMaxServerCacheLocks;
;+ local:
;+*;
;+};
+;+NSS_3.7.4 { # NSS 3.7.4 release
+;+ global:
+SSL_ShutdownServerSessionIDCache;
+;+ local:
+;+*;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 59b511f31..cbc5dcc6d 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -365,6 +365,11 @@ SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
SSL_IMPORT void SSL_ClearSessionCache(void);
/*
+** Close the server's SSL session cache.
+*/
+SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void);
+
+/*
** Set peer information so we can correctly look up SSL session later.
** You only have to do this if you're tunneling through a proxy.
*/
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 09fb81152..3f1977c61 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -3320,6 +3320,33 @@ typedef struct {
PK11SymKey * symWrapKey[kt_kea_size];
} ssl3SymWrapKey;
+static PZLock * symWrapKeysLock;
+static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
+
+SECStatus
+SSL3_ShutdownServerCache(void)
+{
+ int i, j;
+
+ if (!symWrapKeysLock)
+ return SECSuccess; /* was never initialized */
+ PZ_Lock(symWrapKeysLock);
+ /* get rid of all symWrapKeys */
+ for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) {
+ for (j = 0; j < kt_kea_size; ++j) {
+ PK11SymKey ** pSymWrapKey;
+ pSymWrapKey = &symWrapKeys[i].symWrapKey[j];
+ if (*pSymWrapKey) {
+ PK11_FreeSymKey(*pSymWrapKey);
+ *pSymWrapKey = NULL;
+ }
+ }
+ }
+
+ PZ_Unlock(symWrapKeysLock);
+ return SECSuccess;
+}
+
/* Try to get wrapping key for mechanism from in-memory array.
* If that fails, look for one on disk.
* If that fails, generate a new one, put the new one on disk,
@@ -3344,9 +3371,6 @@ getWrappingKey( sslSocket * ss,
SECItem wrappedKey;
SSLWrappedSymWrappingKey wswk;
- static PZLock * symWrapKeysLock;
- static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS];
-
svrPrivKey = ss->serverCerts[exchKeyType].serverKey;
PORT_Assert(svrPrivKey != NULL);
if (!svrPrivKey) {
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index c53e53757..90a99100e 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -1261,6 +1261,9 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex,
extern PRBool
ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
+/* get rid of the symmetric wrapping key references. */
+extern SECStatus SSL3_ShutdownServerCache(void);
+
/********************** misc calls *********************/
extern int ssl_MapLowLevelError(int hiLevelError);
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
index 85c985b79..da475c15a 100644
--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -1158,6 +1158,21 @@ SSL_ConfigServerSessionIDCache( int maxCacheEntries,
maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE);
}
+SECStatus
+SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache)
+{
+ /* if single process, close down, clean up.
+ ** if multi-process, TBD.
+ */
+}
+
+SECStatus
+SSL_ShutdownServerSessionIDCache(void)
+{
+ SSL3_ShutdownServerCache();
+ return SSL_ShutdownServerSessionIDCacheInstance(&globalCache);
+}
+
/* Use this function, instead of SSL_ConfigServerSessionIDCache,
* if the cache will be shared by multiple processes.
*/