diff options
| author | ian.mcgreer%sun.com <devnull@localhost> | 2003-01-15 19:40:10 +0000 |
|---|---|---|
| committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-01-15 19:40:10 +0000 |
| commit | 3dddc19b84c0975579edc0f5aefde869d85c55b1 (patch) | |
| tree | b5ed6bb5d908a0c00034635e8526c47f34aa8634 | |
| parent | 0d613f805038971b2daa22b356dda041220570b8 (diff) | |
| download | nss-hg-3dddc19b84c0975579edc0f5aefde869d85c55b1.tar.gz | |
more Stan conversions being saved
| -rw-r--r-- | security/nss/lib/ssl/authcert.c | 6 | ||||
| -rw-r--r-- | security/nss/lib/ssl/manifest.mn | 1 | ||||
| -rw-r--r-- | security/nss/lib/ssl/nsskea.c | 62 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl.h | 1 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl3con.c | 308 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssl3gthr.c | 13 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslauth.c | 73 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslcon.c | 15 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssldef.c | 5 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslerr.c | 7 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslgathr.c | 5 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslinfo.c | 29 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslmutex.c | 45 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslmutex.h | 15 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslnonce.c | 40 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslreveal.c | 8 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslsecur.c | 202 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslsnce.c | 4 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslsock.c | 96 | ||||
| -rw-r--r-- | security/nss/lib/ssl/sslt.h | 13 | ||||
| -rw-r--r-- | security/nss/lib/ssl/ssltrace.c | 5 |
21 files changed, 425 insertions, 528 deletions
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c index af2003f5d..c53ed4993 100644 --- a/security/nss/lib/ssl/authcert.c +++ b/security/nss/lib/ssl/authcert.c @@ -35,7 +35,7 @@ * $Id$ */ -#ifndef /* NSSPKI_H */ +#ifndef NSSPKI_H #include "nsspki.h" #endif /* NSSPKI_H */ @@ -51,12 +51,12 @@ SSL_GetClientAuthData(void * arg, NSSTrustDomain * td, NSSDER ** caNames, NSSCert ** pRetCert, - NSSPrivateKey ** pRetKey); + NSSPrivateKey ** pRetKey) { NSSCert * cert = NULL; NSSPrivateKey * privkey = NULL; NSSUTF8 * chosenNickName = (NSSUTF8 *)arg; /* CONST */ - NSSCallback pinCallback = NULL; + NSSCallback * pinCallback = NULL; pinCallback = SSL_RevealPinArg(socket); diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn index f8c2a58f0..723b62ffb 100644 --- a/security/nss/lib/ssl/manifest.mn +++ b/security/nss/lib/ssl/manifest.mn @@ -33,6 +33,7 @@ CORE_DEPTH = ../../.. # DEFINES = -DTRACE +DEFINES += -DSTAN_BUILD PRIVATE_EXPORTS = \ diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c index 3faee3e73..ec8be5f72 100644 --- a/security/nss/lib/ssl/nsskea.c +++ b/security/nss/lib/ssl/nsskea.c @@ -49,61 +49,31 @@ #include "ssl.h" /* for SSLKEAType */ +/* XXX this should be a cert fn, do we still need SSLKEAType? */ SSLKEAType SSL_FindCertKEAType(NSSCert *cert) { - SSLKEAType keaType = kt_null; - int tag; + SSLKEAType keaType = ssl_kea_null; + NSSPublicKey *pubKey; + NSSKeyPairType keyPairType; if (!cert) goto loser; - if (NSSCert_GetType(cert) == NSSCertType_PKIX) { - NSSPKIXCertificate *pkixCert; - NSSPKIXTBSCertificate *tbsCert; - NSSPKIXSubjectPublicKeyInfo *spki; - NSSPKIXAlgorithmIdentifier *bkAlg; + pubKey = NSSCert_GetPublicKey(cert); + if (!pubKey) goto loser; - pkixCert = (NSSPKIXCertificate *)NSSCert_GetDecoding(cert); - if (!pkixCert) { - goto loser; - } - tbsCert = NSSPKIXCertificate_GetTBSCertificate(pkixCert); - if (!tbsCert) { - goto loser; - } - spki = NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo(tbsCert); - if (!spki) { - goto loser; - } - bkAlg = NSSPKIXSubjectPublicKeyInfo_GetAlgorithm(spki); - if (!bkAlg) { - goto loser; - } - oid = NSSPKIXAlgorithmIdentifier_GetAlgorithm(bkAlg); - if (!oid) { - goto loser; - } - } else { - goto loser; - } - - switch (NSSOID_GetTag(oid)) { - case NSS_OID_X500_RSA_ENCRYPTION: - case NSS_OID_PKCS1_RSA_ENCRYPTION: - keaType = kt_rsa; - break; - case NSS_OID_MISSI_KEA_DSS_OLD: - case NSS_OID_MISSI_KEA_DSS: - case NSS_OID_MISSI_DSS_OLD: - case NSS_OID_MISSI_DSS: - keaType = kt_fortezza; - break; - case NSS_OID_X942_DIFFIE_HELMAN_KEY: - keaType = kt_dh; - break; + keyPairType = NSSPublicKey_GetKeyType(pubKey); + switch (keyPairType) { + case NSSKeyPairType_RSA: keaType = ssl_kea_rsa; break; +#ifdef FORTEZZA + case NSSKeyPairType_FORTEZZA: keaType = ssl_kea_fortezza; break; +#endif /* FORTEZZA */ + case NSSKeyPairType_DH: keaType = ssl_kea_dh; break; default: - keaType = kt_null; + keaType = ssl_kea_null; } + + NSSPublicKey_Destroy(pubKey); loser: diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 4a535bebc..375131561 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -69,6 +69,7 @@ SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers; ** Imports fd into SSL, returning a new socket. Copies SSL configuration ** from model. */ +/* XXX split into two, one w/ model, one w/o but with td? */ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *modelOpt, NSSTrustDomain *td, PRFileDesc *fd); diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 8742eb49f..81ecd6ce1 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -37,6 +37,7 @@ */ #include <stdio.h> +#include <string.h> /* XXX for memxxx */ #include "prtime.h" #include "prinrval.h" @@ -68,6 +69,16 @@ #include "nsslocks.h" +/* XXX */ +#define SSL_ERROR_INVALID_KEY_TYPE 5555 +#define SSL_ERROR_UNSUPPORTED_KEY_EXCHANGE_ALG 5556 +#define NSS_ERROR_INVALID_ARGS 5557 +static const NSSUsages s_ssl_client_usage; +static const NSSAlgNParam *s_rsa_unwrap_ap = NULL; +static const NSSAlgNParam *s_tls_prf_ap = NULL; +static const NSSAlgNParam *s_md5_ap = NULL; +static const NSSAlgNParam *s_sha1_ap = NULL; + static void ssl3_CleanupPeerCerts(ssl3State *ssl3); static NSSSymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec, @@ -700,7 +711,7 @@ ssl3_SignHashes(SSL3Hashes *hash, NSSPrivateKey *key, NSSItem *buf, hashItem.size = sizeof(hash->sha); break; default: - nss_SetError(SEC_ERROR_INVALID_KEY); + ssl_MapLowLevelError(SSL_ERROR_INVALID_KEY_TYPE); goto done; } PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.size)); @@ -715,10 +726,10 @@ ssl3_SignHashes(SSL3Hashes *hash, NSSPrivateKey *key, NSSItem *buf, rv = DSAU_EncodeDerSig(&derSig, buf); if (rv == SECSuccess) { - NSS_ZFreeIf(buf->data); /* discard unencoded signature. */ + nss_ZFreeIf(buf->data); /* discard unencoded signature. */ *buf = derSig; /* give caller encoded signature. */ } else if (derSig.data) { - NSS_ZFreeIf(derSig.data); + nss_ZFreeIf(derSig.data); } #endif } @@ -726,7 +737,7 @@ ssl3_SignHashes(SSL3Hashes *hash, NSSPrivateKey *key, NSSItem *buf, PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->size)); done: if (rv != SECSuccess && buf->data) { - NSS_ZFreeIf(buf->data); + nss_ZFreeIf(buf->data); buf->data = NULL; } return rv; @@ -776,7 +787,7 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, NSSCert *cert, break; default: NSSPublicKey_Destroy(key); - nss_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + ssl_MapLowLevelError(SSL_ERROR_INVALID_KEY_TYPE); return SECFailure; } @@ -791,7 +802,7 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, NSSCert *cert, } NSSPublicKey_Destroy(key); if (signature) { - NSS_ZFreeIf(signature->data); + nss_ZFreeIf(signature->data); } return rv; } @@ -812,7 +823,6 @@ ssl3_ComputeExportRSAKeyHash(NSSItem modulus, NSSItem publicExponent, unsigned int bufLen; NSSItem * it = NULL; PRUint8 buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8]; - NSSAlgNParam *ap; bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.size + 2 + publicExponent.size; if (bufLen <= sizeof buf) { @@ -848,18 +858,10 @@ ssl3_ComputeExportRSAKeyHash(NSSItem modulus, NSSItem publicExponent, goto done; } - ap = NSSOID_CreateAlgNParam(NSSOID_CreateFromTag(NSS_OID_MD5), - NULL, NULL); - if (!ap) { - ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); - rv = SECFailure; - goto done; - } - hashData.data = hashes->md5; hashData.size = sizeof hashes->md5; - it = NSSCryptoContext_Digest(hash, ap, &hashIt, NULL, &hashData, NULL); - NSSAlgNParam_Destroy(ap); + it = NSSCryptoContext_Digest(hash, s_md5_ap, &hashIt, + NULL, &hashData, NULL); PR_ASSERT(it != NULL || it->size == MD5_LENGTH); if (it == NULL) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); @@ -867,18 +869,10 @@ ssl3_ComputeExportRSAKeyHash(NSSItem modulus, NSSItem publicExponent, goto done; } - ap = NSSOID_CreateAlgNParam(NSSOID_CreateFromTag(NSS_OID_SHA1), - NULL, NULL); - if (!ap) { - ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); - rv = SECFailure; - goto done; - } - hashData.data = hashes->sha; hashData.size = sizeof hashes->sha; - it = NSSCryptoContext_Digest(hash, ap, &hashIt, NULL, &hashData, NULL); - NSSAlgNParam_Destroy(ap); + it = NSSCryptoContext_Digest(hash, s_sha1_ap, &hashIt, + NULL, &hashData, NULL); PR_ASSERT(it != NULL || it->size == SHA1_LENGTH); if (it == NULL) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); @@ -893,7 +887,7 @@ ssl3_ComputeExportRSAKeyHash(NSSItem modulus, NSSItem publicExponent, done: if (hash != NULL) NSSCryptoContext_Destroy(hash); if (hashIt.data != buf && hashIt.data != NULL) - NSS_ZFreeIf(hashIt.data); + nss_ZFreeIf(hashIt.data); return rv; } @@ -996,7 +990,7 @@ ssl3_ComputeDHKeyHash(NSSItem dh_p, NSSItem dh_g, NSSItem dh_Ys, done: if (hash != NULL) NSSCryptoContext_Destroy(hash); if (hashIt.data != buf && hashIt.data != NULL) - NSS_ZFreeIf(hashIt.data); + nss_ZFreeIf(hashIt.data); return rv; } @@ -2370,7 +2364,7 @@ ssl3_ConsumeHandshakeVariable(sslSocket *ss, NSSItem *i, PRInt32 bytes, /* XXX inconsistent. In other places, we don't send alerts for * our own memory failures. But here we do... */ (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure); - nss_SetError(SEC_ERROR_NO_MEMORY); + nss_SetError(NSS_ERROR_NO_MEMORY); return SECFailure; } i->size = count; @@ -2462,16 +2456,15 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; } - in.data = mac_pad_1; - in.size = mac_defs[ssl_mac_md5].pad_size; + + NSSITEM_INIT(&in, mac_pad_1, mac_defs[ssl_mac_md5].pad_size); status = NSSCryptoContext_ContinueDigest(md5, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; } - out.data = md5_inner; - out.size = sizeof(md5_inner); + NSSITEM_INIT(&out, md5_inner, sizeof(md5_inner)); if (NSSCryptoContext_FinishDigest(md5, &out, NULL) == NULL) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; @@ -2499,16 +2492,14 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, goto loser; } - in.data = mac_pad_1; - in.size = mac_defs[ssl_mac_md5].pad_size; + NSSITEM_INIT(&in, mac_pad_1, mac_defs[ssl_mac_md5].pad_size); status = NSSCryptoContext_ContinueDigest(sha, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); goto loser; } - out.data = md5_inner; - out.size = sizeof(md5_inner); + NSSITEM_INIT(&out, md5_inner, sizeof(md5_inner)); if (NSSCryptoContext_FinishDigest(sha, &out, NULL) == NULL) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); goto loser; @@ -2530,15 +2521,15 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; } - in.data = mac_pad_2; - in.size = mac_defs[ssl_mac_md5].pad_size; + + NSSITEM_INIT(&in, mac_pad_2, mac_defs[ssl_mac_md5].pad_size); status = NSSCryptoContext_ContinueDigest(md5, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; } - in.data = md5_inner; - in.size = MD5_LENGTH; + + NSSITEM_INIT(&in, md5_inner, MD5_LENGTH); status = NSSCryptoContext_ContinueDigest(md5, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); @@ -2546,8 +2537,7 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, } } - out.data = hashes->md5; - out.size = sizeof(hashes->md5); + NSSITEM_INIT(&out, hashes->md5, sizeof(hashes->md5)); if (NSSCryptoContext_FinishDigest(md5, &out, NULL) == NULL) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); goto loser; @@ -2570,15 +2560,13 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); goto loser; } - in.data = mac_pad_2; - in.size = mac_defs[ssl_mac_sha].pad_size; + NSSITEM_INIT(&in, mac_pad_2, mac_defs[ssl_mac_sha].pad_size); status = NSSCryptoContext_ContinueDigest(sha, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); goto loser; } - in.data = sha_inner; - in.size = SHA1_LENGTH; + NSSITEM_INIT(&in, sha_inner, SHA1_LENGTH); status = NSSCryptoContext_ContinueDigest(sha, &in); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); @@ -2586,8 +2574,7 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, } } - out.data = hashes->sha; - out.size = sizeof(hashes->sha); + NSSITEM_INIT(&out, hashes->sha, sizeof(hashes->sha)); if (NSSCryptoContext_FinishDigest(sha, &out, NULL) == NULL) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); goto loser; @@ -3925,7 +3912,7 @@ ssl3_SendClientKeyExchange(sslSocket *ss) default: /* got an unknown or unsupported Key Exchange Algorithm. */ SEND_ALERT - nss_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + nss_SetError(SSL_ERROR_UNSUPPORTED_KEY_EXCHANGE_ALG); break; } @@ -4103,7 +4090,6 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ss->ssl3->hs.suite_def = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp); PR_ASSERT(ss->ssl3->hs.suite_def); if (!ss->ssl3->hs.suite_def) { - nss_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE); goto loser; /* we don't send alerts for our screw-ups. */ } @@ -4191,7 +4177,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags); - errCode = PORT_GetError(); + errCode = NSS_GetError(); PK11_FreeSymKey(wrapKey); if (ss->ssl3->pwSpec->master_secret == NULL) { break; /* errorCode set just after call to UnwrapSymKey. */ @@ -4356,7 +4342,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) rv = ssl3_ComputeExportRSAKeyHash(keyInfo.u.rsa.modulus, keyInfo.u.rsa.publicExponent, &ss->ssl3->hs.client_random, - &ss->ssl3->hs.server_random, &hashes); + &ss->ssl3->hs.server_random, + &hashes, ss->td); if (rv != SECSuccess) { errCode = ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); @@ -4603,7 +4590,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) */ ssl3->clientCertChain = NSSCert_BuildChain(ssl3->clientCertificate, NSSTime_Now(), - ssl_client_usage, + &s_ssl_client_usage, NULL, NULL, 0, NULL, NULL /* XXX */); if (ssl3->clientCertChain == NULL) { @@ -5223,7 +5210,7 @@ compression_found: rv = ssl3_SendServerHello(ss); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } @@ -5303,19 +5290,19 @@ compression_found: /* NULL value for PMS signifies re-use of the old MS */ rv = ssl3_InitPendingCipherSpec(ss, NULL); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } rv = ssl3_SendChangeCipherSpecs(ss); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } rv = ssl3_SendFinished(ss, 0); ssl3->hs.ws = wait_change_cipher; if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } @@ -5344,7 +5331,7 @@ compression_found: sid = ssl3_NewSessionID(ss, PR_TRUE); if (sid == NULL) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; /* memory error is set. */ } ss->sec.ci.sid = sid; @@ -5510,7 +5497,7 @@ suite_found: ++ssl3stats.hch_sid_cache_misses; sid = ssl3_NewSessionID(ss, PR_TRUE); if (sid == NULL) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; /* memory error is set. */ } ss->sec.ci.sid = sid; @@ -5519,7 +5506,7 @@ suite_found: /* We have to update the handshake hashes before we can send stuff */ rv = ssl3_UpdateHandshakeHashes(ss, buffer, length); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } @@ -5527,7 +5514,7 @@ suite_found: rv = ssl3_SendServerHelloSequence(ss); ssl_ReleaseXmitBufLock(ss); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } @@ -6215,20 +6202,18 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss, PR_ASSERT( ssl_HaveRecvBufLock(ss) ); PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss) ); - enc_pms.data = b; - enc_pms.size = length; - if (ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */ PRInt32 kLen; - kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.size); + kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); if (kLen < 0) { nss_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); return SECFailure; } - if ((unsigned)kLen < enc_pms.size) { - enc_pms.size = kLen; + if ((unsigned)kLen < length) { + length = kLen; } } + NSSITEM_INIT(&enc_pms, b, length); /* * decrypt pms out of the incoming buffer into volatile domain */ @@ -6343,7 +6328,7 @@ const ssl3KEADef * kea_def; default: (void) ssl3_HandshakeFailure(ss); - nss_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + nss_SetError(SSL_ERROR_UNSUPPORTED_KEY_EXCHANGE_ALG); return SECFailure; } ss->ssl3->hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher; @@ -6373,6 +6358,7 @@ ssl3_SendCertificate(sslSocket *ss) { SECStatus rv; NSSCertChain *certChain; + NSSDER derChain; int len = 0; int i; @@ -6390,33 +6376,27 @@ ssl3_SendCertificate(sslSocket *ss) certChain = sc->serverCertChain; ss->sec.authKeyBits = sc->serverKeyBits; ss->sec.authAlgorithm = ss->ssl3->hs.kea_def->signKeyType; - ss->sec.localCert = nssCertificate_AddRef(sc->serverCert); + ss->sec.localCert = NSSCertChain_GetLeaf(sc->serverCertChain); } else { certChain = ss->ssl3->clientCertChain; ss->sec.localCert = nssCertificate_AddRef(ss->ssl3->clientCertificate); } - if (certChain) { - for (i = 0; i < certChain->size; i++) { - len += certChain->certs[i].size + 3; - } + if (NSSCertChain_Encode(certChain, &derChain, NULL) == NULL) { + return SECFailure; } - rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3); + rv = ssl3_AppendHandshakeHeader(ss, certificate, derChain.size); if (rv != SECSuccess) { return rv; /* err set by AppendHandshake. */ } - rv = ssl3_AppendHandshakeNumber(ss, len, 3); + rv = ssl3_AppendHandshakeNumber(ss, derChain.size, 3); if (rv != SECSuccess) { return rv; /* err set by AppendHandshake. */ } - for (i = 0; i < NSSCertChain_GetNumCerts(certChain); i++) { - NSSCert *c = NSSCertChain_GetCert(certChain, i); - NSSDER *der = nssCert_GetEncoding(c); - rv = ssl3_AppendHandshakeVariable(ss, der->data, der->size, 3); - if (rv != SECSuccess) { - return rv; /* err set by AppendHandshake. */ - } + rv = ssl3_AppendHandshakeVariable(ss, derChain.data, derChain.size, 3); + if (rv != SECSuccess) { + return rv; /* err set by AppendHandshake. */ } return SECSuccess; @@ -6439,20 +6419,17 @@ ssl3_CleanupPeerCerts(ssl3State *ssl3) static SECStatus ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) { - ssl3CertNode * c; - ssl3CertNode * certs = NULL; ssl3State * ssl3 = ss->ssl3; NSSCert *cert; - PRInt32 remaining = 0; - PRInt32 size; + PRInt32 size = 0; SECStatus rv; PRBool isServer = (PRBool)(!!ss->sec.isServer); PRBool trusted = PR_FALSE; PRBool isTLS; SSL3AlertDescription desc = bad_certificate; int errCode = SSL_ERROR_RX_MALFORMED_CERTIFICATE; - NSSDER ** derChain; - NSSArena * arena; + NSSDER derChain; + PRStatus status; SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake", SSL_GETPID(), ss->fd)); @@ -6483,106 +6460,48 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ** normal no_certificates message to maximize interoperability. */ if (length) { - remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (remaining < 0) + size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); + if (size < 0) goto loser; /* fatal alert already sent by ConsumeHandshake. */ } - if (!remaining) { + if (!size) { if (!(isTLS && isServer)) goto alert_loser; /* This is TLS's version of a no_certificate alert. */ /* I'm a server. I've requested a client cert. He hasn't got one. */ rv = ssl3_HandleNoCertificate(ss); if (rv != SECSuccess) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); goto loser; } goto cert_block; } - /* XXX left off here */ - arena = NSSArena_Create(); - if (!arena) { - goto loser; + derChain.data = nss_ZAlloc(NULL, length); + if (!derChain.data) { + goto loser; /* don't send alerts on memory errors */ } + derChain.size = length; - derChain = nss_ZNEWARRAY(arena, NSSDER *, arraySize + 1); - if (!derChain) { - goto loser; - } - - /* First get the peer cert. */ - remaining -= 3; - if (remaining < 0) - goto decode_loser; - - size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (size < 0) - goto loser; /* fatal alert already sent by ConsumeHandshake. */ - - remaining -= size; - if (remaining < 0) - goto decode_loser; - - derChain[numCerts] = NSSItem_Create(arena, NULL, size, NULL); - if (!derChain[numCerts]) { - } - - rv = ssl3_ConsumeHandshake(ss, derChain[numCerts]->data, size, - &b, &length); + rv = ssl3_ConsumeHandshake(ss, derChain.data, length, &b, &length); if (rv != SECSuccess) { - goto loser; /* fatal alert already sent by ConsumeHandshake. */ + goto loser; } - numCerts++; -#if 0 - ss->sec.peerCert = NSSVolatileDomain_ImportEncodedCert(ss->vd, &derCert, - NULL, NULL); - nss_ZFreeIf(derCert.data); - if (ss->sec.peerCert == NULL) { - /* We should report an alert if the cert was bad, but not if the - * problem was just some local problem, like memory error. - */ - goto ambiguous_err; + ssl3->peerCertChain = NSSVolatileDomain_ImportEncodedCertChain(ss->vd, + &derChain, + NULL); + if (!ssl3->peerCertChain) { + goto loser; } -#endif - - /* Now get all of the CA certs. */ - while (remaining != 0) { - remaining -= 3; - if (remaining < 0) - goto decode_loser; - size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length); - if (size < 0) - goto loser; /* fatal alert already sent by ConsumeHandshake. */ - - remaining -= size; - if (remaining < 0) - goto decode_loser; - - derChain[numCerts] = NSSItem_Create(arena, NULL, size, NULL); - if (!derChain[numCerts]) { - } - - rv = ssl3_ConsumeHandshake(ss, derChain[numCerts.data], size, - &b, &length); - if (rv != SECSuccess) - goto loser; /* fatal alert already sent by ConsumeHandshake. */ - -#if 0 - if (c->cert->trust) - trusted = PR_TRUE; -#endif - - numCerts++; + ss->sec.peerCert = NSSCertChain_GetLeaf(ssl3->peerCertChain); + if (!ss->sec.peerCert) { + goto loser; } - if (remaining != 0) - goto decode_loser; - - /* XXX ??? + /* XXX ??? this should happen inside NSSCertChain or something... SECKEY_UpdateCertPQG(ss->sec.peerCert); */ @@ -6603,7 +6522,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, PR_TRUE, isServer); if (rv) { - errCode = PORT_GetError(); + errCode = NSS_GetError(); if (!ss->handleBadCert) { goto bad_cert; } @@ -6613,8 +6532,6 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* someone will handle this connection asynchronously*/ SSL_DBG(("%d: SSL3[%d]: go to async cert handler", SSL_GETPID(), ss->fd)); - ssl3->peerCertChain = certs; - certs = NULL; ssl_SetAlwaysBlock(ss); goto cert_block; } @@ -6624,6 +6541,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* cert is good */ } +#ifdef IMPLEMENT_SSL_STEP_UP /* start SSL Step Up, if appropriate */ cert = ss->sec.peerCert; if (!isServer && @@ -6637,27 +6555,28 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ssl3->policy = SSL_RESTRICTED; ssl3->hs.rehandshake = PR_TRUE; } +#endif /* IMPLEMENT_SSL_STEP_UP */ +#ifdef IMPLEMENT_SESSION_ID_CACHE ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); +#endif /* IMPLEMENT_SESSION_ID_CACHE */ if (!ss->sec.isServer) { /* set the server authentication and key exchange types and sizes ** from the value in the cert. If the key exchange key is different, ** it will get fixed when we handle the server key exchange message. */ - SECKEYPublicKey * pubKey = CERT_ExtractPublicKey(cert); + NSSPublicKey *pubKey = NSSCert_GetPublicKey(cert); ss->sec.authAlgorithm = ssl3->hs.kea_def->signKeyType; ss->sec.keaType = ssl3->hs.kea_def->exchKeyType; if (pubKey) { ss->sec.keaKeyBits = ss->sec.authKeyBits = - SECKEY_PublicKeyStrength(pubKey) * BPB; - SECKEY_DestroyPublicKey(pubKey); + NSSPublicKey_GetKeyStrength(pubKey); + NSSPublicKey_Destroy(pubKey); pubKey = NULL; } } - ssl3->peerCertChain = certs; certs = NULL; arena = NULL; - cert_block: if (ss->sec.isServer) { ssl3->hs.ws = wait_client_key; @@ -6677,11 +6596,10 @@ cert_block: return rv; ambiguous_err: - errCode = PORT_GetError(); + errCode = NSS_GetError(); switch (errCode) { case PR_OUT_OF_MEMORY_ERROR: - case SEC_ERROR_BAD_DATABASE: - case SEC_ERROR_NO_MEMORY: + case NSS_ERROR_NO_MEMORY: if (isTLS) { desc = internal_error; goto alert_loser; @@ -6691,6 +6609,7 @@ ambiguous_err: /* fall through to bad_cert. */ bad_cert: /* caller has set errCode. */ +#ifdef DEFINE_MORE_ERROR_TYPES switch (errCode) { case SEC_ERROR_LIBRARY_FAILURE: desc = unsupported_certificate; break; case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired; break; @@ -6712,6 +6631,7 @@ bad_cert: /* caller has set errCode. */ case SEC_ERROR_BAD_SIGNATURE: default: desc = bad_certificate; break; } +#endif /* DEFINE_MORE_ERROR_TYPES */ SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d", SSL_GETPID(), ss->fd, errCode)); @@ -6724,11 +6644,10 @@ alert_loser: (void)SSL3_SendAlert(ss, alert_fatal, desc); loser: - ssl3->peerCertChain = certs; certs = NULL; arena = NULL; ssl3_CleanupPeerCerts(ssl3); if (ss->sec.peerCert != NULL) { - CERT_DestroyCertificate(ss->sec.peerCert); + NSSCert_Destroy(ss->sec.peerCert); ss->sec.peerCert = NULL; } (void)ssl_MapLowLevelError(errCode); @@ -6803,6 +6722,9 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, NSSCryptoContext *prf_context; const char *label; unsigned int len; + NSSItem it; + PRStatus status; + SECStatus rv; label = isServer ? "server finished" : "client finished"; len = 15; @@ -6832,7 +6754,7 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, goto loser; } - rv = SECFailure; + rv = SECSuccess; loser: PR_ASSERT(rv != SECSuccess); @@ -7163,12 +7085,12 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (ss->ssl3->hs.msg_type == client_hello) { SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes", SSL_GETPID(), ss->fd )); - status = NSSCryptoContext_BeginDigest(ss->ssl3->hs.md5); + status = NSSCryptoContext_BeginDigest(ss->ssl3->hs.md5, NULL, NULL); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); return rv; } - status = NSSCryptoContext_BeginDigest(ss->ssl3->hs.sha); + status = NSSCryptoContext_BeginDigest(ss->ssl3->hs.sha, NULL, NULL); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); return rv; @@ -7622,8 +7544,8 @@ process_it: static void ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) { - spec->cipher_def = &bulk_cipher_defs[ssl_cipher_null]; - PR_ASSERT(spec->cipher_def->cipher == ssl_cipher_null); + spec->cipher_def = &bulk_cipher_defs[cipher_null]; + PR_ASSERT(spec->cipher_def->cipher == cipher_null); spec->mac_def = &mac_defs[ssl_mac_null]; PR_ASSERT(spec->mac_def->mac == ssl_mac_null); spec->encode = Null_Cipher; @@ -7633,11 +7555,9 @@ ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec) spec->master_secret = NULL; spec->client.write_key = NULL; - spec->client.write_mac_key = NULL; spec->client.write_mac_context = NULL; spec->server.write_key = NULL; - spec->server.write_mac_key = NULL; spec->server.write_mac_context = NULL; spec->write_seq_num.high = 0; @@ -7678,7 +7598,7 @@ ssl3_InitState(sslSocket *ss) if (ss->ssl3 != NULL) return SECSuccess; - ssl3 = nss_ZAlloc(NULL, ssl3State); /* zero on purpose */ + ssl3 = nss_ZNEW(NULL, ssl3State); /* zero on purpose */ if (ssl3 == NULL) return SECFailure; /* PORT_ZAlloc has set memory error code. */ @@ -7691,7 +7611,9 @@ ssl3_InitState(sslSocket *ss) ssl3->hs.rehandshake = PR_FALSE; ssl3_InitCipherSpec(ss, ssl3->crSpec); ssl3_InitCipherSpec(ss, ssl3->prSpec); +#ifdef FORTEZZA ssl3->fortezza.tek = NULL; +#endif /* FORTEZZA */ ssl3->hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; ssl_ReleaseSpecWriteLock(ss); @@ -7703,7 +7625,7 @@ ssl3_InitState(sslSocket *ss) */ SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); ssl3->hs.md5 = md5 = NSSVolatileDomain_CreateCryptoContext(ss->vd, - s_ssl_md5, + s_md5_ap, NULL); if (md5 == NULL) { ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); @@ -7716,7 +7638,7 @@ ssl3_InitState(sslSocket *ss) } sha = ssl3->hs.sha = NSSVolatileDomain_CreateCryptoContext(ss->vd, - s_ssl_sha1, + s_sha1_ap, NULL); if (sha == NULL) { ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); @@ -7750,10 +7672,10 @@ ssl3_NewKeyPair(NSSPrivateKey * privKey, NSSPublicKey * pubKey) ssl3KeyPair * pair; if (!privKey || !pubKey) { - nss_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(NSS_ERROR_INVALID_ARGS); return NULL; } - pair = nss_ZAlloc(NULL, ssl3KeyPair); + pair = nss_ZNEW(NULL, ssl3KeyPair); if (!pair) return NULL; /* error code is set. */ pair->refCount = 1; @@ -8038,7 +7960,7 @@ ssl3_DestroySSL3Info(ssl3State *ssl3) } #endif /* FORTEZZA */ /* free the SSL3Buffer (msg_body) */ - PORT_Free(ssl3->hs.msg_body.buf); + nss_ZFreeIf(ssl3->hs.msg_body.buf); /* free up the CipherSpecs */ ssl3_DestroyCipherSpec(&ssl3->specs[0]); diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c index 92e1523b6..6c53af148 100644 --- a/security/nss/lib/ssl/ssl3gthr.c +++ b/security/nss/lib/ssl/ssl3gthr.c @@ -35,7 +35,6 @@ * $Id$ */ -#include "cert.h" #include "ssl.h" #include "sslimpl.h" #include "ssl3prot.h" @@ -76,7 +75,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags) gs->offset = 0; gs->writeOffset = 0; gs->readOffset = 0; - gs->inbuf.len = 0; + gs->inbuf.size = 0; } lbp = gs->inbuf.buf; @@ -111,7 +110,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags) gs->offset += nb; gs->remainder -= nb; if (gs->state == GS_DATA) - gs->inbuf.len += nb; + gs->inbuf.size += nb; /* if there's more to go, read some more. */ if (gs->remainder > 0) { @@ -140,7 +139,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags) gs->state = GS_DATA; gs->offset = 0; - gs->inbuf.len = 0; + gs->inbuf.size = 0; if (gs->remainder > gs->inbuf.space) { err = sslBuffer_Grow(&gs->inbuf, gs->remainder); @@ -204,10 +203,10 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags) if (rv < 0) { return ss->recvdCloseNotify ? 0 : rv; } - } while (ss->ssl3->hs.ws != idle_handshake && ss->gs.buf.len == 0); + } while (ss->ssl3->hs.ws != idle_handshake && ss->gs.buf.size == 0); ss->gs.readOffset = 0; - ss->gs.writeOffset = ss->gs.buf.len; + ss->gs.writeOffset = ss->gs.buf.size; return 1; } @@ -230,7 +229,7 @@ ssl3_GatherAppDataRecord(sslSocket *ss, int flags) PORT_Assert( ssl_HaveRecvBufLock(ss) ); do { rv = ssl3_GatherCompleteHandshake(ss, flags); - } while (rv > 0 && ss->gs.buf.len == 0); + } while (rv > 0 && ss->gs.buf.size == 0); return rv; } diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c index 6be86ec9b..c97e0fdbb 100644 --- a/security/nss/lib/ssl/sslauth.c +++ b/security/nss/lib/ssl/sslauth.c @@ -32,15 +32,14 @@ * * $Id$ */ -#include "cert.h" -#include "secitem.h" #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" -#include "pk11func.h" + +#include "nsspki.h" /* NEED LOCKS IN HERE. */ -CERTCertificate * +NSSCert * SSL_PeerCertificate(PRFileDesc *fd) { sslSocket *ss; @@ -52,13 +51,13 @@ SSL_PeerCertificate(PRFileDesc *fd) return 0; } if (ss->useSecurity && ss->sec.peerCert) { - return CERT_DupCertificate(ss->sec.peerCert); + return nssCert_AddRef(ss->sec.peerCert); } return 0; } /* NEED LOCKS IN HERE. */ -CERTCertificate * +NSSCert * SSL_LocalCertificate(PRFileDesc *fd) { sslSocket *ss; @@ -71,10 +70,10 @@ SSL_LocalCertificate(PRFileDesc *fd) } if (ss->useSecurity) { if (ss->sec.localCert) { - return CERT_DupCertificate(ss->sec.localCert); + return nssCert_AddRef(ss->sec.localCert); } if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) { - return CERT_DupCertificate(ss->sec.ci.sid->localCert); + return nssCert_AddRef(ss->sec.ci.sid->localCert); } } return NULL; @@ -114,11 +113,11 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, } else { cipherName = ssl3_cipherName[ss->sec.cipherType]; } - if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; + if (cipherName && strstr(cipherName, "DES")) isDes = PR_TRUE; /* do same key stuff for fortezza */ if (cp) { - *cp = PORT_Strdup(cipherName); + *cp = (char *)NSSUTF8_Duplicate(cipherName); } if (kp0) { @@ -141,22 +140,22 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, } if (ip || sp) { - CERTCertificate *cert; + NSSCert *cert; cert = ss->sec.peerCert; if (cert) { if (ip) { - *ip = CERT_NameToAscii(&cert->issuer); + *ip = NSSCert_GetIssuerName(cert); } if (sp) { - *sp = CERT_NameToAscii(&cert->subject); + *sp = NSSCert_GetNames(cert, sp, 1, NULL); } } else { if (ip) { - *ip = PORT_Strdup("no certificate"); + *ip = NSSUTF8_Duplicate("no certificate"); } if (sp) { - *sp = PORT_Strdup("no certificate"); + *sp = NSSUTF8_Duplicate("no certificate"); } } } @@ -234,26 +233,28 @@ SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) { SECStatus rv; - CERTCertDBHandle * handle; sslSocket * ss; - SECCertUsage certUsage; + NSSUsages usage; + PRStatus status; const char * hostname = NULL; + NSSUTF8 **name; + NSSUTF8 **names; + NSSArena *arena; ss = ssl_FindSocket(fd); - PORT_Assert(ss != NULL); + PR_ASSERT(ss != NULL); if (!ss) { return SECFailure; } - handle = (CERTCertDBHandle *)arg; - /* this may seem backwards, but isn't. */ - certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; + usage.peer = isServer ? NSSUsage_SSLClient : NSSUsage_SSLServer; - rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage, - ss->pkcs11PinArg); + /* XXX checkSig? */ + status = NSSCertificate_Validate(ss->sec.peerCert, + NSSTime_Now(), &usage, NULL); - if ( rv != SECSuccess || isServer ) + if ( status == PR_FAILURE || isServer ) return rv; /* cert is OK. This is the client side of an SSL connection. @@ -261,12 +262,28 @@ SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer) * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! */ hostname = ss->url; - if (hostname && hostname[0]) - rv = CERT_VerifyCertName(ss->sec.peerCert, hostname); - else + if (hostname && hostname[0]) { + NSSArena *arena; + rv = SECFailure; + arena = NSSArena_Create(); + if (!arena) { + return SECFailure; + } + names = NSSCert_GetNames(ss->sec.peerCert, NULL, 0, arena); + if (names) { + for (name = names; *name; name++) { + if (NSSUTF8_Equal(*name, hostname, NULL)) { + rv = SECSuccess; + break; + } + } + } + NSSArena_Destroy(arena); /* clears all parts of 'names' */ + } else { rv = SECFailure; + } if (rv != SECSuccess) - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); + nss_SetError(SSL_ERROR_BAD_CERT_DOMAIN); return rv; } diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index a1bfb4ce9..0b5b5b9a5 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -35,21 +35,16 @@ * $Id$ */ -#include "nssrenam.h" -#include "cert.h" -#include "secitem.h" -#include "sechash.h" -#include "cryptohi.h" /* for SGN_ funcs */ -#include "keyhi.h" /* for SECKEY_ high level functions. */ #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" #include "ssl3prot.h" #include "sslerr.h" -#include "pk11func.h" #include "prinit.h" #include "prtime.h" /* for PR_Now() */ +#ifdef IMPLEMENT_SSL2 + #define XXX static PRBool policyWasSet; @@ -1199,6 +1194,8 @@ ssl2_UseClearSendFunc(sslSocket *ss) ss->sec.send = ssl2_SendClear; } +#endif /* IMPLEMENT_SSL2 */ + /************************************************************************ ** END of Send functions. * *************************************************************************/ @@ -1284,6 +1281,8 @@ ssl_GatherRecord1stHandshake(sslSocket *ss) return SECSuccess; } +#ifdef IMPLEMENT_SSL2 + /************************************************************************/ /* Called from ssl2_ServerSetupSessionCypher() @@ -3734,6 +3733,8 @@ loser: return SECFailure; } +#endif /* IMPLEMENT_SSL2 */ + /* This function doesn't really belong in this file. ** It's here to keep AIX compilers from optimizing it away, ** and not including it in the DSO. diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c index bb4883cf3..4f85fe72b 100644 --- a/security/nss/lib/ssl/ssldef.c +++ b/security/nss/lib/ssl/ssldef.c @@ -35,7 +35,6 @@ * $Id$ */ -#include "cert.h" #include "ssl.h" #include "sslimpl.h" @@ -222,9 +221,9 @@ int ssl_DefClose(sslSocket *ss) ** then invoke the SSL layer's PRFileDesc destructor. ** This must happen before the next layer down is closed. */ - PORT_Assert(fd->higher == NULL); + PR_ASSERT(fd->higher == NULL); if (fd->higher) { - PORT_SetError(PR_BAD_DESCRIPTOR_ERROR); + nss_SetError(PR_BAD_DESCRIPTOR_ERROR); return SECFailure; } ss->fd = NULL; diff --git a/security/nss/lib/ssl/sslerr.c b/security/nss/lib/ssl/sslerr.c index f3e57d44d..b5332524c 100644 --- a/security/nss/lib/ssl/sslerr.c +++ b/security/nss/lib/ssl/sslerr.c @@ -37,9 +37,8 @@ */ #include "prerror.h" -#include "secerr.h" +#include "nsserrors.h" #include "sslerr.h" -#include "seccomon.h" /* look at the current value of PR_GetError, and evaluate it to see * if it is meaningful or meaningless (out of context). @@ -55,14 +54,16 @@ ssl_MapLowLevelError(int hiLevelError) case 0: case PR_IO_ERROR: +#ifdef DEFINE_ERROR_CODES case SEC_ERROR_IO: case SEC_ERROR_BAD_DATA: case SEC_ERROR_LIBRARY_FAILURE: case SEC_ERROR_EXTENSION_NOT_FOUND: +#endif case SSL_ERROR_BAD_CLIENT: case SSL_ERROR_BAD_SERVER: case SSL_ERROR_SESSION_NOT_FOUND: - PORT_SetError(hiLevelError); + nss_SetError(hiLevelError); return hiLevelError; default: /* leave the majority of error codes alone. */ diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c index 9f06a25e3..abaa39f8f 100644 --- a/security/nss/lib/ssl/sslgathr.c +++ b/security/nss/lib/ssl/sslgathr.c @@ -34,11 +34,12 @@ * * $Id$ */ -#include "cert.h" #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" +#ifdef IMPLEMENT_SSL2 + /* Forward static declarations */ static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss); @@ -474,3 +475,5 @@ ssl2_HandleV3HandshakeRecord(sslSocket *ss) return SECSuccess; } + +#endif /* IMPLEMENT_SSL2 */ diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c index be32c1ae2..78429ea4a 100644 --- a/security/nss/lib/ssl/sslinfo.c +++ b/security/nss/lib/ssl/sslinfo.c @@ -32,6 +32,9 @@ * * $Id$ */ + +#include <string.h> + #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" @@ -97,8 +100,8 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) return SECSuccess; } -#define kt_kea kt_fortezza -#define calg_sj calg_fortezza +#define ssl_kea_kea ssl_kea_fortezza +#define ssl_calg_sj ssl_calg_fortezza #define CS(x) x, #x #define CK(x) x | 0xff00, #x @@ -107,17 +110,17 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) #define S_RSA "RSA", ssl_auth_rsa #define S_KEA "KEA", ssl_auth_kea -#define K_DHE "DHE", kt_dh -#define K_RSA "RSA", kt_rsa -#define K_KEA "KEA", kt_kea - -#define C_AES "AES", calg_aes -#define C_RC4 "RC4", calg_rc4 -#define C_RC2 "RC2", calg_rc2 -#define C_DES "DES", calg_des -#define C_3DES "3DES", calg_3des -#define C_NULL "NULL", calg_null -#define C_SJ "SKIPJACK", calg_sj +#define K_DHE "DHE", ssl_kea_dh +#define K_RSA "RSA", ssl_kea_rsa +#define K_KEA "KEA", ssl_kea_kea + +#define C_AES "AES", ssl_calg_aes +#define C_RC4 "RC4", ssl_calg_rc4 +#define C_RC2 "RC2", ssl_calg_rc2 +#define C_DES "DES", ssl_calg_des +#define C_3DES "3DES", ssl_calg_3des +#define C_NULL "NULL", ssl_calg_null +#define C_SJ "SKIPJACK", ssl_calg_sj #define B_256 256, 256, 256 #define B_128 128, 128, 128 diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c index 85d6e88c2..8b7470c4b 100644 --- a/security/nss/lib/ssl/sslmutex.c +++ b/security/nss/lib/ssl/sslmutex.c @@ -33,12 +33,13 @@ * $Id$ */ -#include "seccomon.h" /* This ifdef should match the one in sslsnce.c */ #if (defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)) && !defined(_WIN32_WCE) #include "sslmutex.h" #include "prerr.h" +#include "nspr.h" +#include "base.h" /* XXX */ static SECStatus single_process_sslMutex_Init(sslMutex* pMutex) { @@ -56,7 +57,7 @@ static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex) PR_ASSERT(pMutex != 0); PR_ASSERT(pMutex->u.sslLock!= 0); if (!pMutex->u.sslLock) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } PR_DestroyLock(pMutex->u.sslLock); @@ -68,7 +69,7 @@ static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex) PR_ASSERT(pMutex != 0 ); PR_ASSERT(pMutex->u.sslLock !=0); if (!pMutex->u.sslLock) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } PR_Unlock(pMutex->u.sslLock); @@ -80,7 +81,7 @@ static SECStatus single_process_sslMutex_Lock(sslMutex* pMutex) PR_ASSERT(pMutex != 0); PR_ASSERT(pMutex->u.sslLock != 0 ); if (!pMutex->u.sslLock) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } PR_Lock(pMutex->u.sslLock); @@ -182,7 +183,7 @@ sslMutex_Destroy(sslMutex *pMutex) return single_process_sslMutex_Destroy(pMutex); } if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } close(pMutex->u.pipeStr.mPipes[0]); @@ -208,7 +209,7 @@ sslMutex_Unlock(sslMutex *pMutex) } if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } /* Do Memory Barrier here. */ @@ -223,7 +224,7 @@ sslMutex_Unlock(sslMutex *pMutex) if (cc < 0) nss_MD_unix_map_default_error(errno); else - PORT_SetError(PR_UNKNOWN_ERROR); + nss_SetError(PR_UNKNOWN_ERROR); return SECFailure; } } @@ -239,7 +240,7 @@ sslMutex_Lock(sslMutex *pMutex) } if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } oldValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters); @@ -254,7 +255,7 @@ sslMutex_Lock(sslMutex *pMutex) if (cc < 0) nss_MD_unix_map_default_error(errno); else - PORT_SetError(PR_UNKNOWN_ERROR); + nss_SetError(PR_UNKNOWN_ERROR); return SECFailure; } } @@ -280,7 +281,7 @@ sslMutex_Unlock(sslMutex *pMutex) } if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } do { @@ -290,7 +291,7 @@ sslMutex_Unlock(sslMutex *pMutex) if (cc < 0) nss_MD_unix_map_default_error(errno); else - PORT_SetError(PR_UNKNOWN_ERROR); + nss_SetError(PR_UNKNOWN_ERROR); return SECFailure; } @@ -308,7 +309,7 @@ sslMutex_Lock(sslMutex *pMutex) } if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } @@ -319,7 +320,7 @@ sslMutex_Lock(sslMutex *pMutex) if (cc < 0) nss_MD_unix_map_default_error(errno); else - PORT_SetError(PR_UNKNOWN_ERROR); + nss_SetError(PR_UNKNOWN_ERROR); return SECFailure; } @@ -393,7 +394,7 @@ sslMutex_Init(sslMutex *pMutex, int shared) if (!pMutex || ((hMutex = pMutex->u.sslMutx) != 0 && hMutex != INVALID_HANDLE_VALUE)) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } attributes.bInheritHandle = (shared ? TRUE : FALSE); @@ -429,7 +430,7 @@ sslMutex_Destroy(sslMutex *pMutex) pMutex->u.sslMutx != INVALID_HANDLE_VALUE); if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || hMutex == INVALID_HANDLE_VALUE) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } @@ -458,7 +459,7 @@ sslMutex_Unlock(sslMutex *pMutex) pMutex->u.sslMutx != INVALID_HANDLE_VALUE); if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || hMutex == INVALID_HANDLE_VALUE) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } success = ReleaseMutex(hMutex); @@ -496,7 +497,7 @@ sslMutex_Lock(sslMutex *pMutex) pMutex->u.sslMutx != INVALID_HANDLE_VALUE); if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || hMutex == INVALID_HANDLE_VALUE) { - PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + nss_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; /* what else ? */ } /* acquire the mutex to be the only owner accross all other processes */ @@ -513,7 +514,7 @@ sslMutex_Lock(sslMutex *pMutex) #endif default: /* should never happen. nothing we can do. */ PR_ASSERT(!("WaitForSingleObject returned invalid value.")); - PORT_SetError(PR_UNKNOWN_ERROR); + nss_SetError(PR_UNKNOWN_ERROR); rv = SECFailure; break; @@ -617,7 +618,7 @@ sslMutex_Init(sslMutex *pMutex, int shared) return single_process_sslMutex_Init(pMutex); } PORT_Assert(!("sslMutex_Init not implemented for multi-process applications !")); - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + nss_SetError(PR_NOT_IMPLEMENTED_ERROR); return SECFailure; } @@ -629,7 +630,7 @@ sslMutex_Destroy(sslMutex *pMutex) return single_process_sslMutex_Destroy(pMutex); } PORT_Assert(!("sslMutex_Destroy not implemented for multi-process applications !")); - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + nss_SetError(PR_NOT_IMPLEMENTED_ERROR); return SECFailure; } @@ -641,7 +642,7 @@ sslMutex_Unlock(sslMutex *pMutex) return single_process_sslMutex_Unlock(pMutex); } PORT_Assert(!("sslMutex_Unlock not implemented for multi-process applications !")); - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + nss_SetError(PR_NOT_IMPLEMENTED_ERROR); return SECFailure; } @@ -653,7 +654,7 @@ sslMutex_Lock(sslMutex *pMutex) return single_process_sslMutex_Lock(pMutex); } PORT_Assert(!("sslMutex_Lock not implemented for multi-process applications !")); - PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + nss_SetError(PR_NOT_IMPLEMENTED_ERROR); return SECFailure; } diff --git a/security/nss/lib/ssl/sslmutex.h b/security/nss/lib/ssl/sslmutex.h index 97115782f..3b617d3a8 100644 --- a/security/nss/lib/ssl/sslmutex.h +++ b/security/nss/lib/ssl/sslmutex.h @@ -57,6 +57,15 @@ #include "prtypes.h" #include "prlock.h" +/* XXX temporarily define SECStatus here, move to PRStatus and eliminate + * SECWouldBlock later + */ +typedef enum _SECStatus { + SECWouldBlock = -2, + SECFailure = -1, + SECSuccess = 0 +} SECStatus; + #if defined(WIN32) #include <wtypes.h> @@ -126,9 +135,7 @@ typedef int sslPID; #endif -#include "seccomon.h" - -SEC_BEGIN_PROTOS +PR_BEGIN_EXTERN_C extern SECStatus sslMutex_Init(sslMutex *sem, int shared); @@ -144,6 +151,6 @@ extern SECStatus sslMutex_2LevelInit(sslMutex *sem); #endif -SEC_END_PROTOS +PR_END_EXTERN_C #endif diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c index ac79c6d66..b5c5a8083 100644 --- a/security/nss/lib/ssl/sslnonce.c +++ b/security/nss/lib/ssl/sslnonce.c @@ -35,11 +35,11 @@ * $Id$ */ -#include "nssrenam.h" -#include "cert.h" -#include "secitem.h" #include "ssl.h" +#include "base.h" +#include "nsspki.h" + #include "sslimpl.h" #include "sslproto.h" #include "nssilock.h" @@ -83,29 +83,29 @@ static void ssl_DestroySID(sslSessionID *sid) { SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached)); - PORT_Assert((sid->references == 0)); + PR_ASSERT((sid->references == 0)); if (sid->cached == in_client_cache) return; /* it will get taken care of next time cache is traversed. */ if (sid->version < SSL_LIBRARY_VERSION_3_0) { - SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE); - SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE); + nss_ZFreeIf(sid->u.ssl2.masterKey.data); + nss_ZFreeIf(sid->u.ssl2.cipherArg.data); } if (sid->peerID != NULL) - PORT_Free((void *)sid->peerID); /* CONST */ + nss_ZFreeIf((void *)sid->peerID); /* CONST */ if (sid->urlSvrName != NULL) - PORT_Free((void *)sid->urlSvrName); /* CONST */ + nss_ZFreeIf((void *)sid->urlSvrName); /* CONST */ if ( sid->peerCert ) { - CERT_DestroyCertificate(sid->peerCert); + NSSCert_Destroy(sid->peerCert); } if ( sid->localCert ) { - CERT_DestroyCertificate(sid->localCert); + NSSCert_Destroy(sid->localCert); } - PORT_ZFree(sid, sizeof(sslSessionID)); + nss_ZFreeIf(sid); } /* BEWARE: This function gets called for both client and server SIDs !! @@ -118,7 +118,7 @@ ssl_DestroySID(sslSessionID *sid) static void ssl_FreeLockedSID(sslSessionID *sid) { - PORT_Assert(sid->references >= 1); + PR_ASSERT(sid->references >= 1); if (--sid->references == 0) { ssl_DestroySID(sid); } @@ -185,15 +185,15 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, /* proxy (peerID) matches */ (((peerID == NULL) && (sid->peerID == NULL)) || ((peerID != NULL) && (sid->peerID != NULL) && - PORT_Strcmp(sid->peerID, peerID) == 0)) && + strcmp(sid->peerID, peerID) == 0)) && /* is cacheable */ (sid->version < SSL_LIBRARY_VERSION_3_0 || sid->u.ssl3.resumable) && /* server hostname matches. */ (sid->urlSvrName != NULL) && - ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) || - ((sid->peerCert != NULL) && (SECSuccess == - CERT_VerifyCertName(sid->peerCert, urlSvrName))) ) + ((NSSUTF8_Equal(urlSvrName, sid->urlSvrName, NULL)) || + ((sid->peerCert != NULL) && (PR_SUCCESS == + ssl_VerifyCertName(sid->peerCert, urlSvrName))) ) ) { /* Hit */ sid->lastAccessTime = now; @@ -231,9 +231,9 @@ CacheSID(sslSessionID *sid) PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID, sizeof(sid->u.ssl2.sessionID))); PRINT_BUF(8, (0, "masterKey:", - sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len)); + sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.size)); PRINT_BUF(8, (0, "cipherArg:", - sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len)); + sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.size)); } else { if (sid->u.ssl3.sessionIDLength == 0) return; @@ -285,9 +285,9 @@ UncacheSID(sslSessionID *zap) PRINT_BUF(8, (0, "sessionID:", zap->u.ssl2.sessionID, sizeof(zap->u.ssl2.sessionID))); PRINT_BUF(8, (0, "masterKey:", - zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.len)); + zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.size)); PRINT_BUF(8, (0, "cipherArg:", - zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.len)); + zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.size)); } /* See if it's in the cache, if so nuke it */ diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c index 44ae47810..33ee72319 100644 --- a/security/nss/lib/ssl/sslreveal.c +++ b/security/nss/lib/ssl/sslreveal.c @@ -35,18 +35,16 @@ * $Id$ */ -#include "cert.h" #include "ssl.h" -#include "certt.h" #include "sslimpl.h" /* given PRFileDesc, returns a copy of certificate associated with the socket * the caller should delete the cert when done with SSL_DestroyCertificate */ -CERTCertificate * +NSSCert * SSL_RevealCert(PRFileDesc * fd) { - CERTCertificate * cert = NULL; + NSSCert * cert = NULL; sslSocket * sslsocket = NULL; sslsocket = ssl_FindSocket(fd); @@ -55,7 +53,7 @@ SSL_RevealCert(PRFileDesc * fd) * the same cert */ if (sslsocket && sslsocket->sec.peerCert) - cert = CERT_DupCertificate(sslsocket->sec.peerCert); + cert = nssCert_AddRef(sslsocket->sec.peerCert); return cert; } diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index e5c2bc136..69779560b 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c @@ -34,14 +34,15 @@ * * $Id$ */ -#include "cert.h" -#include "secitem.h" -#include "keyhi.h" + +#include <string.h> + #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" -#include "secoid.h" /* for SECOID_GetALgorithmTag */ -#include "pk11func.h" /* for PK11_GenerateRandom */ + +#include "base.h" +#include "nsspki.h" #define MAX_BLOCK_CYPHER_SIZE 32 @@ -386,9 +387,9 @@ sslBuffer_Grow(sslBuffer *b, unsigned int newLen) { if (newLen > b->space) { if (b->buf) { - b->buf = (unsigned char *) PORT_Realloc(b->buf, newLen); + b->buf = (unsigned char *) nss_ZRealloc(b->buf, newLen); } else { - b->buf = (unsigned char *) PORT_Alloc(newLen); + b->buf = (unsigned char *) nss_ZAlloc(NULL, newLen); } if (!b->buf) { return SECFailure; @@ -414,7 +415,7 @@ ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data, SECStatus rv; PORT_Assert( ssl_HaveXmitBufLock(ss) ); - newlen = buf->len + len; + newlen = buf->size + len; if (newlen > buf->space) { rv = sslBuffer_Grow(buf, newlen); if (rv) { @@ -423,8 +424,8 @@ ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data, } SSL_TRC(5, ("%d: SSL[%d]: saving %d bytes of data (%d total saved so far)", SSL_GETPID(), ss->fd, len, newlen)); - PORT_Memcpy(buf->buf + buf->len, data, len); - buf->len = newlen; + memcpy(buf->buf + buf->size, data, len); + buf->size = newlen; return SECSuccess; } @@ -438,7 +439,7 @@ int ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send) { int rv = 0; - int len = buf->len; + int len = buf->size; PORT_Assert( ssl_HaveXmitBufLock(ss) ); if (len != 0) { @@ -453,10 +454,10 @@ ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send) ** it depends on PORT_Memmove doing overlapping moves correctly! ** It should advance the pointer offset instead !! */ - PORT_Memmove(buf->buf, buf->buf + rv, len - rv); - buf->len = len - rv; + memmove(buf->buf, buf->buf + rv, len - rv); + buf->size = len - rv; } else { - buf->len = 0; + buf->size = 0; } } return rv; @@ -538,7 +539,7 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags) /* Dole out clear data to reader */ amount = PR_MIN(len, available); - PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount); + memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount); if (!(flags & PR_MSG_PEEK)) { ss->gs.readOffset += amount; } @@ -556,31 +557,29 @@ done: /************************************************************************/ SSLKEAType -ssl_FindCertKEAType(CERTCertificate * cert) +ssl_FindCertKEAType(NSSCert * cert) { - SSLKEAType keaType = kt_null; - int tag; + SSLKEAType keaType = ssl_kea_null; + NSSKeyPairType keyPairType; if (!cert) goto loser; - tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm)); + keyPairType = NSSCert_GetPublicKeyType(cert); - switch (tag) { - case SEC_OID_X500_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_ENCRYPTION: - keaType = kt_rsa; + switch (keyPairType) { + case NSSKeyPairType_RSA: + keaType = ssl_kea_rsa; break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keaType = kt_fortezza; +#ifdef FORTEZZA + case NSSKeyPairType_FORTEZZA: + keaType = ssl_kea_fortezza; break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - keaType = kt_dh; +#endif /* FORTEZZA */ + case NSSKeyPairType_DH: + keaType = ssl_kea_dh; break; default: - keaType = kt_null; + keaType = ssl_kea_null; } loser: @@ -593,8 +592,8 @@ ssl_FindCertKEAType(CERTCertificate * cert) /* XXX need to protect the data that gets changed here.!! */ SECStatus -SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, - SECKEYPrivateKey *key, SSL3KEAType kea) +SSL_ConfigSecureServer(PRFileDesc *fd, NSSCert *cert, + NSSPrivateKey *key, SSLKEAType kea) { SECStatus rv; sslSocket *ss; @@ -614,7 +613,7 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, } /* make sure the key exchange is recognized */ - if ((kea >= kt_kea_size) || (kea < kt_null)) { + if ((kea >= ssl_kea_size) || (kea < ssl_kea_null)) { PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); return SECFailure; } @@ -625,50 +624,46 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, } sc = ss->serverCerts + kea; - /* load the server certificate */ - if (sc->serverCert != NULL) { - CERT_DestroyCertificate(sc->serverCert); - sc->serverCert = NULL; - } + /* find the server certificate's key bits */ if (cert) { - SECKEYPublicKey * pubKey; - sc->serverCert = CERT_DupCertificate(cert); - if (!sc->serverCert) - goto loser; + NSSPublicKey * pubKey; /* get the size of the cert's public key, and remember it */ - pubKey = CERT_ExtractPublicKey(cert); + pubKey = NSSCert_GetPublicKey(cert); if (!pubKey) goto loser; - sc->serverKeyBits = SECKEY_PublicKeyStrength(pubKey) * BPB; - SECKEY_DestroyPublicKey(pubKey); + sc->serverKeyBits = NSSPublicKey_GetKeyStrength(pubKey); + NSSPublicKey_Destroy(pubKey); pubKey = NULL; } /* load the server cert chain */ if (sc->serverCertChain != NULL) { - CERT_DestroyCertificateList(sc->serverCertChain); + NSSCertChain_Destroy(sc->serverCertChain); sc->serverCertChain = NULL; } if (cert) { - sc->serverCertChain = CERT_CertChainFromCert( - sc->serverCert, certUsageSSLServer, PR_TRUE); + NSSUsages usage = { 0, NSSUsage_SSLServer }; + sc->serverCertChain = NSSVolatileDomain_CreateChain(ss->vd, + cert, + NSSTime_Now(), + &usage, NULL); if (sc->serverCertChain == NULL) goto loser; } /* load the private key */ if (sc->serverKey != NULL) { - SECKEY_DestroyPrivateKey(sc->serverKey); + NSSPrivateKey_Destroy(sc->serverKey); sc->serverKey = NULL; } if (key) { - sc->serverKey = SECKEY_CopyPrivateKey(key); + sc->serverKey = nssPrivateKey_AddRef(key); if (sc->serverKey == NULL) goto loser; } - if (kea == kt_rsa) { + if (kea == ssl_kea_rsa) { rv = ssl3_CreateRSAStepDownKeys(ss); if (rv != SECSuccess) { return SECFailure; /* err set by ssl3_CreateRSAStepDownKeys */ @@ -677,21 +672,19 @@ SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert, /* Only do this once because it's global. */ if (ssl3_server_ca_list == NULL) - ssl3_server_ca_list = CERT_GetSSLCACerts(ss->dbHandle); + ssl3_server_ca_list = NSSVolatileDomain_FindSSLCACerts(ss->vd, + NSSTime_Now(), + NULL); return SECSuccess; loser: - if (sc->serverCert != NULL) { - CERT_DestroyCertificate(sc->serverCert); - sc->serverCert = NULL; - } if (sc->serverCertChain != NULL) { - CERT_DestroyCertificateList(sc->serverCertChain); + NSSCertChain_Destroy(sc->serverCertChain); sc->serverCertChain = NULL; } if (sc->serverKey != NULL) { - SECKEY_DestroyPrivateKey(sc->serverKey); + NSSPrivateKey_Destroy(sc->serverKey); sc->serverKey = NULL; } return SECFailure; @@ -727,7 +720,7 @@ ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os) ss->sec.keyBits = os->sec.keyBits; ss->sec.secretKeyBits = os->sec.secretKeyBits; - ss->sec.peerCert = CERT_DupCertificate(os->sec.peerCert); + ss->sec.peerCert = nssCert_AddRef(os->sec.peerCert); if (os->sec.peerCert && !ss->sec.peerCert) goto loser; @@ -739,20 +732,18 @@ ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os) ss->sec.sendSequence = os->sec.sendSequence; ss->sec.rcvSequence = os->sec.rcvSequence; - if (os->sec.hash && os->sec.hashcx) { - ss->sec.hash = os->sec.hash; - ss->sec.hashcx = os->sec.hash->clone(os->sec.hashcx); + if (os->sec.hashcx) { + ss->sec.hashcx = NSSCryptoContext_Clone(os->sec.hashcx); if (os->sec.hashcx && !ss->sec.hashcx) goto loser; } else { - ss->sec.hash = NULL; ss->sec.hashcx = NULL; } - SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret); + (void)NSSItem_Duplicate(&os->sec.sendSecret, NULL, &ss->sec.sendSecret); if (os->sec.sendSecret.data && !ss->sec.sendSecret.data) goto loser; - SECITEM_CopyItem(0, &ss->sec.rcvSecret, &os->sec.rcvSecret); + (void)NSSItem_Duplicate(&os->sec.rcvSecret, NULL, &ss->sec.rcvSecret); if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data) goto loser; @@ -782,13 +773,12 @@ void ssl_ResetSecurityInfo(sslSecurityInfo *sec) { /* Destroy MAC */ - if (sec->hash && sec->hashcx) { - (*sec->hash->destroy)(sec->hashcx, PR_TRUE); + if (sec->hashcx) { + NSSCryptoContext_Destroy(sec->hashcx); sec->hashcx = NULL; - sec->hash = NULL; } - SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE); - SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE); + nss_ZFreeIf(sec->sendSecret.data); + nss_ZFreeIf(sec->rcvSecret.data); /* Destroy ciphers */ if (sec->destroy) { @@ -804,15 +794,15 @@ ssl_ResetSecurityInfo(sslSecurityInfo *sec) sec->writecx = 0; if (sec->localCert) { - CERT_DestroyCertificate(sec->localCert); + NSSCert_Destroy(sec->localCert); sec->localCert = NULL; } if (sec->peerCert) { - CERT_DestroyCertificate(sec->peerCert); + NSSCert_Destroy(sec->peerCert); sec->peerCert = NULL; } if (sec->peerKey) { - SECKEY_DestroyPublicKey(sec->peerKey); + NSSPublicKey_Destroy(sec->peerKey); sec->peerKey = NULL; } @@ -820,7 +810,7 @@ ssl_ResetSecurityInfo(sslSecurityInfo *sec) if (sec->ci.sid != NULL) { ssl_FreeSID(sec->ci.sid); } - PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space); + nss_ZFreeIf(sec->ci.sendBuf.buf); memset(&sec->ci, 0, sizeof sec->ci); } @@ -834,7 +824,7 @@ ssl_DestroySecurityInfo(sslSecurityInfo *sec) { ssl_ResetSecurityInfo(sec); - PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space); + nss_ZFreeIf(sec->writeBuf.buf); sec->writeBuf.buf = 0; memset(sec, 0, sizeof *sec); @@ -949,9 +939,9 @@ ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) if (!ssl_SocketIsBlocking(ss) && !ss->fdx) { ssl_GetXmitBufLock(ss); - if (ss->pendingBuf.len != 0) { + if (ss->pendingBuf.size != 0) { rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend); - if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) { + if ((rv < 0) && (NSS_GetError() != PR_WOULD_BLOCK_ERROR)) { ssl_ReleaseXmitBufLock(ss); return SECFailure; } @@ -977,7 +967,7 @@ ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags) rv = DoRecv(ss, (unsigned char*) buf, len, flags); SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)", - SSL_GETPID(), ss->fd, rv, PORT_GetError())); + SSL_GETPID(), ss->fd, rv, NSS_GetError())); return rv; } @@ -1003,11 +993,11 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags) } ssl_GetXmitBufLock(ss); - if (ss->pendingBuf.len != 0) { - PORT_Assert(ss->pendingBuf.len > 0); + if (ss->pendingBuf.size != 0) { + PORT_Assert(ss->pendingBuf.size > 0); rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend); - if (rv >= 0 && ss->pendingBuf.len != 0) { - PORT_Assert(ss->pendingBuf.len > 0); + if (rv >= 0 && ss->pendingBuf.size != 0) { + PORT_Assert(ss->pendingBuf.size > 0); PORT_SetError(PR_WOULD_BLOCK_ERROR); rv = SECFailure; } @@ -1098,10 +1088,10 @@ SSL_SetURL(PRFileDesc *fd, const char *url) ssl_GetSSL3HandshakeLock(ss); if ( ss->url ) { - PORT_Free((void *)ss->url); /* CONST */ + nss_ZFreeIf((void *)ss->url); /* CONST */ } - ss->url = (const char *)PORT_Strdup(url); + ss->url = (const char *)NSSUTF8_Duplicate(url, NULL); if ( ss->url == NULL ) { rv = SECFailure; } @@ -1161,11 +1151,11 @@ SSL_InvalidateSession(PRFileDesc *fd) return rv; } -SECItem * +NSSItem * SSL_GetSessionID(PRFileDesc *fd) { sslSocket * ss; - SECItem * item = NULL; + NSSItem * item = NULL; ss = ssl_FindSocket(fd); if (ss) { @@ -1173,17 +1163,17 @@ SSL_GetSessionID(PRFileDesc *fd) ssl_GetSSL3HandshakeLock(ss); if (ss->useSecurity && ss->firstHsDone && ss->sec.ci.sid) { - item = (SECItem *)PORT_Alloc(sizeof(SECItem)); + item = nss_ZNEW(NULL, NSSItem); if (item) { sslSessionID * sid = ss->sec.ci.sid; if (sid->version < SSL_LIBRARY_VERSION_3_0) { - item->len = SSL2_SESSIONID_BYTES; - item->data = (unsigned char*)PORT_Alloc(item->len); - PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len); + item->size = SSL2_SESSIONID_BYTES; + item->data = nss_ZAlloc(NULL, item->size); + memcpy(item->data, sid->u.ssl2.sessionID, item->size); } else { - item->len = sid->u.ssl3.sessionIDLength; - item->data = (unsigned char*)PORT_Alloc(item->len); - PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len); + item->size = sid->u.ssl3.sessionIDLength; + item->data = nss_ZAlloc(NULL, item->size); + memcpy(item->data, sid->u.ssl3.sessionID, item->size); } } } @@ -1194,22 +1184,6 @@ SSL_GetSessionID(PRFileDesc *fd) return item; } -SECStatus -SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle) -{ - sslSocket * ss; - - ss = ssl_FindSocket(fd); - if (!ss) - return SECFailure; - if (!dbHandle) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - ss->dbHandle = dbHandle; - return SECSuccess; -} - /* * attempt to restart the handshake after asynchronously handling * a request for the client's certificate. @@ -1236,9 +1210,9 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle) */ int SSL_RestartHandshakeAfterCertReq(sslSocket * ss, - CERTCertificate * cert, - SECKEYPrivateKey * key, - CERTCertificateList *certChain) + NSSCert * cert, + NSSPrivateKey * key, + NSSCertChain * certChain) { int ret; @@ -1246,8 +1220,10 @@ SSL_RestartHandshakeAfterCertReq(sslSocket * ss, if (ss->version >= SSL_LIBRARY_VERSION_3_0) { ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain); +#ifdef IMPLEMENT_SSL2 } else { ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key); +#endif /* IMPLEMENT_SSL2 */ } ssl_Release1stHandshakeLock(ss); /************************************/ diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index f4d4d08d3..5f4b2a3db 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -35,6 +35,8 @@ * $Id$ */ +#ifdef IMPLEMENT_SESSION_ID_CACHE + /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! * @@ -1621,3 +1623,5 @@ SSL_SetMaxServerCacheLocks(PRUint32 maxLocks) } #endif /* XP_UNIX || XP_WIN32 */ + +#endif /* IMPLEMENT_SESSION_ID_CACHE */ diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 88ff796a4..19bc541e9 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -37,14 +37,18 @@ * * $Id$ */ -#include "seccomon.h" -#include "cert.h" -#include "keyhi.h" + +/* XXX */ +#include <string.h> + #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" #include "nspr.h" +#include "base.h" +#include "nsspki.h" + #define SET_ERROR_CODE /* reminder */ struct cipherPolicyStr { @@ -225,26 +229,28 @@ ssl_DupSocket(sslSocket *os) ss->v2CompatibleHello = os->v2CompatibleHello; ss->detectRollBack = os->detectRollBack; - ss->peerID = !os->peerID ? NULL : PORT_Strdup(os->peerID); - ss->url = !os->url ? NULL : PORT_Strdup(os->url); + ss->peerID = !os->peerID ? NULL : + NSSUTF8_Duplicate(os->peerID, NULL); + ss->url = !os->url ? NULL : + NSSUTF8_Duplicate(os->url, NULL); ss->ops = os->ops; ss->rTimeout = os->rTimeout; ss->wTimeout = os->wTimeout; ss->cTimeout = os->cTimeout; - ss->dbHandle = os->dbHandle; + ss->td = os->td; /* XXX ref counted? */ + ss->vd = os->vd; /* XXX ref counted? */ /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ ss->allowedByPolicy = os->allowedByPolicy; ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy; ss->chosenPreference = os->chosenPreference; - PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); + memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites); if (os->cipherSpecs) { - ss->cipherSpecs = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs); + ss->cipherSpecs = nss_ZAlloc(NULL, os->sizeCipherSpecs); if (ss->cipherSpecs) - PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, - os->sizeCipherSpecs); + memcpy(ss->cipherSpecs, os->cipherSpecs, os->sizeCipherSpecs); ss->sizeCipherSpecs = os->sizeCipherSpecs; ss->preferredCipher = os->preferredCipher; } else { @@ -260,18 +266,17 @@ ssl_DupSocket(sslSocket *os) sslServerCerts * oc = os->serverCerts; sslServerCerts * sc = ss->serverCerts; - for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) { - if (oc->serverCert && oc->serverCertChain) { - sc->serverCert = CERT_DupCertificate(oc->serverCert); - sc->serverCertChain = CERT_DupCertList(oc->serverCertChain); + for (i=ssl_kea_null; i < ssl_kea_size; i++, oc++, sc++) { + if (oc->serverCertChain) { + sc->serverCertChain = + NSSCertChain_Duplicate(oc->serverCertChain); if (!sc->serverCertChain) goto loser; } else { - sc->serverCert = NULL; sc->serverCertChain = NULL; } sc->serverKey = oc->serverKey ? - SECKEY_CopyPrivateKey(oc->serverKey) : NULL; + nssPrivateKey_AddRef(oc->serverKey) : NULL; if (oc->serverKey && !sc->serverKey) goto loser; sc->serverKeyBits = oc->serverKeyBits; @@ -356,29 +361,27 @@ ssl_DestroySocketContents(sslSocket *ss) ssl3_DestroySSL3Info(ss->ssl3); - PORT_Free(ss->saveBuf.buf); - PORT_Free(ss->pendingBuf.buf); + nss_ZFreeIf(ss->saveBuf.buf); + nss_ZFreeIf(ss->pendingBuf.buf); ssl_DestroyGather(&ss->gs); if (ss->peerID != NULL) - PORT_Free(ss->peerID); + nss_ZFreeIf(ss->peerID); if (ss->url != NULL) - PORT_Free((void *)ss->url); /* CONST */ + nss_ZFreeIf((void *)ss->url); /* CONST */ if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); + nss_ZFreeIf(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } /* Clean up server configuration */ - for (i=kt_null; i < kt_kea_size; i++) { + for (i=ssl_kea_null; i < ssl_kea_size; i++) { sslServerCerts * sc = ss->serverCerts + i; - if (sc->serverCert != NULL) - CERT_DestroyCertificate(sc->serverCert); if (sc->serverCertChain != NULL) - CERT_DestroyCertificateList(sc->serverCertChain); + NSSCertChain_Destroy(sc->serverCertChain); if (sc->serverKey != NULL) - SECKEY_DestroyPrivateKey(sc->serverKey); + NSSPrivateKey_Destroy(sc->serverKey); } if (ss->stepDownKeyPair) { ssl3_FreeKeyPair(ss->stepDownKeyPair); @@ -411,7 +414,7 @@ ssl_FreeSocket(sslSocket *ss) #ifdef DEBUG fs = &lSock; *fs = *ss; /* Copy the old socket structure, */ - PORT_Memset(ss, 0x1f, sizeof *ss); /* then blast the old struct ASAP. */ + memset(ss, 0x1f, sizeof *ss); /* then blast the old struct ASAP. */ #else #define fs ss #endif @@ -429,7 +432,7 @@ ssl_FreeSocket(sslSocket *ss) ssl_DestroyLocks(fs); - PORT_Free(ss); /* free the caller's copy, not ours. */ + nss_ZFreeIf(ss); /* free the caller's copy, not ours. */ return; } #undef fs @@ -531,7 +534,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->enableTLS = on; ss->preferredCipher = NULL; if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); + nss_ZFreeIf(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } @@ -541,7 +544,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) ss->enableSSL3 = on; ss->preferredCipher = NULL; if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); + nss_ZFreeIf(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } @@ -554,7 +557,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) } ss->preferredCipher = NULL; if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); + nss_ZFreeIf(ss->cipherSpecs); ss->cipherSpecs = NULL; ss->sizeCipherSpecs = 0; } @@ -946,7 +949,7 @@ NSS_SetFrancePolicy(void) /* LOCKS ??? XXX */ PRFileDesc * -SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) +SSL_ImportFD(PRFileDesc *model, NSSTrustDomain *td, PRFileDesc *fd) { sslSocket * ns = NULL; PRStatus rv; @@ -966,6 +969,9 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) } if (ns == NULL) return NULL; + ns->td = td; + /* XXX is this right? */ + ns->vd = NSSTrustDomain_CreateVolatileDomain(td, NULL); rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER); if (rv != PR_SUCCESS) { @@ -1017,7 +1023,7 @@ ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout) newfd = osfd->methods->accept(osfd, sockaddr, timeout); if (newfd == NULL) { SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d", - SSL_GETPID(), ss->fd, PORT_GetError())); + SSL_GETPID(), ss->fd, NSS_GetError())); } else { /* Create ssl module */ ns = ssl_DupSocket(ss); @@ -1288,7 +1294,7 @@ ssl_GetPeerInfo(sslSocket *ss) osfd = ss->fd->lower; - PORT_Memset(&sin, 0, sizeof(sin)); + memset(&sin, 0, sizeof(sin)); rv = osfd->methods->getpeername(osfd, &sin); if (rv < 0) { return SECFailure; @@ -1332,7 +1338,7 @@ SSL_SetSockPeerID(PRFileDesc *fd, char *peerID) return SECFailure; } - ss->peerID = PORT_Strdup(peerID); + ss->peerID = NSSUTF8_Duplicate(peerID, NULL); return SECSuccess; } @@ -1400,7 +1406,7 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags) *p_out_flags = PR_POLL_READ; /* it's ready already. */ return new_flags; } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) && - (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */ + (ss->pendingBuf.size != 0)) { /* write data waiting to be sent */ new_flags |= PR_POLL_WRITE; /* also select on write. */ } if (new_flags && (fd->lower->methods->poll != NULL)) { @@ -1503,14 +1509,14 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout); } if (myIov.iov_len < first_len) { - PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); + memcpy(buf, myIov.iov_base, myIov.iov_len); bufLen = myIov.iov_len; left = first_len - bufLen; while (vectors && left) { int toCopy; GET_VECTOR; toCopy = PR_MIN(left, myIov.iov_len); - PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy); + memcpy(buf + bufLen, myIov.iov_base, toCopy); bufLen += toCopy; left -= toCopy; myIov.iov_base += toCopy; @@ -1547,11 +1553,11 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, myIov.iov_len = 0; continue; } - PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len); + memcpy(buf, myIov.iov_base, myIov.iov_len); bufLen = myIov.iov_len; do { GET_VECTOR; - PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen); + memcpy(buf + bufLen, myIov.iov_base, addLen); myIov.iov_base += addLen; myIov.iov_len -= addLen; bufLen += addLen; @@ -1829,7 +1835,7 @@ ssl_NewSocket(void) #endif /* DEBUG */ /* Make a new socket and get it ready */ - ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket)); + ss = nss_ZNEW(NULL, sslSocket); if (ss) { /* This should be of type SSLKEAType, but CC on IRIX * complains during the for loop. @@ -1859,19 +1865,17 @@ ssl_NewSocket(void) ss->preferredCipher = NULL; ss->url = NULL; - for (i=kt_null; i < kt_kea_size; i++) { + for (i=ssl_kea_null; i < ssl_kea_size; i++) { sslServerCerts * sc = ss->serverCerts + i; - sc->serverCert = NULL; sc->serverCertChain = NULL; sc->serverKey = NULL; sc->serverKeyBits = 0; } ss->stepDownKeyPair = NULL; - ss->dbHandle = CERT_GetDefaultCertDB(); /* Provide default implementation of hooks */ ss->authCertificate = SSL_AuthCertificate; - ss->authCertificateArg = (void *)ss->dbHandle; + /* XXX ss->authCertificateArg = (void *)ss->dbHandle; */ ss->getClientAuthData = NULL; ss->handleBadCert = NULL; ss->badCertArg = NULL; @@ -1905,7 +1909,7 @@ ssl_NewSocket(void) loser: ssl_DestroySocketContents(ss); ssl_DestroyLocks(ss); - PORT_Free(ss); + nss_ZFreeIf(ss); ss = NULL; } } diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index fbf8eeb6e..01358f73f 100644 --- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -75,19 +75,6 @@ typedef enum { ssl_kea_size /* number of ssl_kea_ algorithms */ } SSLKEAType; -#if 0 -/* The following defines are for backwards compatibility. -** They will be removed in a forthcoming release to reduce namespace pollution. -** programs that use the kt_ symbols should convert to the ssl_kt_ symbols -** soon. -*/ -#define kt_null ssl_kea_null -#define kt_rsa ssl_kea_rsa -#define kt_dh ssl_kea_dh -#define kt_fortezza ssl_kea_fortezza -#define kt_kea_size ssl_kea_size -#endif - typedef enum { ssl_sign_null = 0, ssl_sign_rsa = 1, diff --git a/security/nss/lib/ssl/ssltrace.c b/security/nss/lib/ssl/ssltrace.c index 15f064813..25c0a9c2c 100644 --- a/security/nss/lib/ssl/ssltrace.c +++ b/security/nss/lib/ssl/ssltrace.c @@ -34,8 +34,11 @@ * * $Id$ */ + +/* XXX */ +#include <string.h> + #include <stdarg.h> -#include "cert.h" #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" |