authorian.mcgreer%sun.com <devnull@localhost>2003-02-11 16:38:08 +0000
committerian.mcgreer%sun.com <devnull@localhost>2003-02-11 16:38:08 +0000
commit681a90a262cd988747175bbbd41c24cbfccebcbc (patch)
tree415ba1025e22b2e61dcfaa21e57ce8606c88925f
parent4d2bc7e18152503dfc4347839857b1121f41347c (diff)
fix leaks/bugs found with purify
rename certificate.c and symmkey.c to reflect object names
-rw-r--r--security/nss/lib/base/arena.c8
-rw-r--r--security/nss/lib/base/item.c10
-rw-r--r--security/nss/lib/dev/dev.h4
-rw-r--r--security/nss/lib/dev/devtoken.c29
-rw-r--r--security/nss/lib/nss/nss.def2
-rw-r--r--security/nss/lib/nss/nssinit.c6
-rw-r--r--security/nss/lib/pki/asymmkey.c86
-rw-r--r--security/nss/lib/pki/cert.c (renamed from security/nss/lib/pki/certificate.c)51
-rw-r--r--security/nss/lib/pki/cryptocontext.c6
-rw-r--r--security/nss/lib/pki/manifest.mn4
-rw-r--r--security/nss/lib/pki/nsspki.h6
-rw-r--r--security/nss/lib/pki/pkibase.c50
-rw-r--r--security/nss/lib/pki/symkey.c (renamed from security/nss/lib/pki/symmkey.c)59
-rw-r--r--security/nss/lib/pki/trustdomain.c1
-rw-r--r--security/nss/lib/pki/volatiledomain.c144
-rw-r--r--security/nss/lib/pki1/oid.c21
-rw-r--r--security/nss/lib/pkix/src/AlgorithmID.c10
-rw-r--r--security/nss/lib/pkix/src/Extensions.c9
-rw-r--r--security/nss/lib/pkix/src/SPKI.c10
-rw-r--r--security/nss/lib/pkix/src/TBSCertificate.c1
-rw-r--r--security/nss/lib/ssl/ssl3con.c47
-rw-r--r--security/nss/lib/ssl/sslcon.c4
-rw-r--r--security/nss/lib/ssl/sslimpl.h2
-rw-r--r--security/nss/lib/ssl/sslsock.c5
24 files changed, 413 insertions, 162 deletions
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c
index d3e63ba71..c4129a30a 100644
--- a/security/nss/lib/base/arena.c
+++ b/security/nss/lib/base/arena.c
@@ -375,6 +375,14 @@ nssArena_Destroy (
nss_arena_call_destructor_chain(arena->first_destructor);
#endif /* ARENA_DESTRUCTOR_LIST */
+ {
+ const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+ if (!ev) {
+ PL_FreeArenaPool(arena);
+ } else {
+ PL_FinishArenaPool(arena);
+ }
+ }
PL_FinishArenaPool(&arena->pool);
lock = arena->lock;
arena->lock = (PRLock *)NULL;
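Review bot: The added block passes `arena` itself to `PL_FreeArenaPool` and `PL_FinishArenaPool`, while the unchanged call directly below passes `&arena->pool`. Unless `pool` is the first member of the arena struct (not visible here) these calls operate on the wrong address, and in either case the argument type does not match. When `NSS_DISABLE_ARENA_FREE_LIST` is set the pool is also finished twice, once in the `else` branch and once by the existing line. I would reduce the block to `if (!ev) PL_FreeArenaPool(&arena->pool);` and let the existing `PL_FinishArenaPool(&arena->pool);` do the release. The body of nssArena_Destroy starts and ends outside this hunk.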
diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c
index fd76cbff5..9e4c7b1bc 100644
--- a/security/nss/lib/base/item.c
+++ b/security/nss/lib/base/item.c
@@ -152,7 +152,15 @@ nssItem_Duplicate (
NSSItem *rvOpt
)
{
- return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+ if (obj->size > 0 && obj->data) {
+ return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+ } else if (rvOpt) {
+ rvOpt->size = 0;
+ rvOpt->data = NULL;
+ return rvOpt;
+ } else {
+ return (NSSItem *)NULL;
+ }
}
/*
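Review bot: An empty source item with no `rvOpt` now returns NULL, which callers cannot tell apart from an allocation failure inside `nssItem_Create`, and no error is set on that path in the visible code. If empty items are legal input, a header comment such as `/* returns NULL for an empty item when rvOpt is NULL; this is not an error */` would state the contract, and callers that treat NULL as failure need checking. `obj` itself is still dereferenced without a NULL check.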
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 9e0759b68..e4a72b2b4 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -688,9 +688,7 @@ nssToken_DeriveSSLSessionKeys (
nssCryptokiObject *masterSecret,
PRUint32 keySize,
NSSSymKeyType keyType,
- nssCryptokiObject **rvSessionKeys, /* [4] */
- NSSItem *rvClientIV,
- NSSItem *rvServerIV
+ nssCryptokiObject **rvSessionKeys /* [4] */
);
NSS_EXTERN PRStatus
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 2df87b0a0..151fd376e 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -50,7 +50,9 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
/* The number of object handles to grab during each call to C_FindObjects */
#define OBJECT_STACK_SIZE 16
+#ifndef BITS_PER_BYTE
#define BITS_PER_BYTE 8
+#endif
struct NSSTokenStr
{
@@ -1174,8 +1176,14 @@ nssToken_FindPublicKeyByID (
*/
PRStatus status;
NSSPublicKeyInfo keyInfo;
- status = nssCryptokiPublicKey_GetAttributes(rvKey, NULL,
- &keyInfo, NULL);
+ NSSArena *tmparena = nssArena_Create();
+ if (tmparena) {
+ status = nssCryptokiPublicKey_GetAttributes(rvKey, tmparena,
+ &keyInfo, NULL);
+ nssArena_Destroy(tmparena);
+ } else {
+ status = PR_FAILURE;
+ }
if (status == PR_FAILURE) {
nssCryptokiObject_Destroy(rvKey);
rvKey = NULL;
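Review bot: `keyInfo` is filled from `tmparena` and the arena is destroyed on the next line, so any pointer fields inside `keyInfo` are dangling for the rest of the scope. The visible code only tests `status` afterwards, which is safe, but nothing stops a later edit from reading `keyInfo`. A comment at the declaration, e.g. `/* keyInfo is fetched only to prove the key exists; its contents die with tmparena */`, or moving the declaration inside the `if (tmparena)` block would make that explicit. The enclosing function starts and ends outside the hunk.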
@@ -2012,9 +2020,7 @@ nssToken_DeriveSSLSessionKeys (
nssCryptokiObject *masterSecret,
PRUint32 keySize,
NSSSymKeyType keyType,
- nssCryptokiObject **rvSessionKeys, /* [4] */
- NSSItem *rvClientIV,
- NSSItem *rvServerIV
+ nssCryptokiObject **rvSessionKeys /* [4] */
)
{
CK_RV ckrv;
@@ -2025,7 +2031,6 @@ nssToken_DeriveSSLSessionKeys (
CK_KEY_TYPE ckKeyType = nssCK_GetSymKeyType(keyType);
CK_ULONG ktSize;
void *epv = nssToken_GetCryptokiEPV(token);
- PRUint32 ivSize;
PRUint32 i, keyNum;
mechanism = nssAlgNParam_GetMechanism(ap);
@@ -2082,18 +2087,6 @@ nssToken_DeriveSSLSessionKeys (
return PR_FAILURE;
}
keyNum++;
- ivSize = kmp->ulIVSizeInBits / 8; /* XXX */
- if (nssItem_Create(NULL, rvClientIV, ivSize, kmo->pIVClient) == NULL) {
- for (i=0; i<keyNum; i++)
- nssCryptokiObject_Destroy(rvSessionKeys[i]);
- return PR_FAILURE;
- }
- if (nssItem_Create(NULL, rvServerIV, ivSize, kmo->pIVServer) == NULL) {
- for (i=0; i<keyNum; i++)
- nssCryptokiObject_Destroy(rvSessionKeys[i]);
- nss_ZFreeIf(rvClientIV->data); rvClientIV->data = NULL;
- return PR_FAILURE;
- }
return PR_SUCCESS;
}
return PR_FAILURE;
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 8fc76c659..34214acc8 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -293,7 +293,7 @@ NSSVolatileDomain_Destroy;
;+#NSSVolatileDomain_ImportCert;
NSSVolatileDomain_ImportEncodedCert;
;+#NSSVolatileDomain_ImportEncodedCertChain;
-NSSVolatileDomain_ImportPublicKey;
+NSSVolatileDomain_ImportPublicKeyByInfo;
NSSVolatileDomain_ImportEncodedPrivateKey;
NSSVolatileDomain_FindBestCertByNickname;
NSSVolatileDomain_FindCertsByNickname;
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index e05b1d31d..3f1fc11d7 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -546,14 +546,14 @@ NSS_NoDB_Init(const char * configdir)
extern void nss_DumpModuleLog(void);
+NSS_EXTERN void nss_FreeOIDTable(void);
+
PRStatus
NSS_Shutdown(void)
{
PRStatus rv = PR_SUCCESS;
nss_DumpModuleLog();
-#if 0
- SECOID_Shutdown();
-#endif
+ nss_FreeOIDTable();
NSSTrustDomain_Destroy(g_default_trust_domain);
nss_DestroyGlobalModuleList();
nss_IsInitted = PR_FALSE;
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
index ab8d64466..8fc2b84b8 100644
--- a/security/nss/lib/pki/asymmkey.c
+++ b/security/nss/lib/pki/asymmkey.c
@@ -112,13 +112,23 @@ nssPrivateKey_CreateFromInstance (
NSSVolatileDomain *vdOpt
)
{
+ PRStatus status;
nssPKIObject *pkio;
+ NSSPrivateKey *rvKey = NULL;
pkio = nssPKIObject_Create(NULL, instance, td, vdOpt);
- if (pkio) {
- return nssPrivateKey_Create(pkio);
+ if (!pkio) {
+ return (NSSPrivateKey *)NULL;
+ }
+ rvKey = nssPrivateKey_Create(pkio);
+ if (rvKey && vdOpt) {
+ status = nssVolatileDomain_ImportPrivateKey(vdOpt, rvKey);
+ if (status == PR_FAILURE) {
+ nssPrivateKey_Destroy(rvKey);
+ rvKey = NULL;
+ }
}
- return (NSSPrivateKey *)NULL;
+ return rvKey;
}
NSS_IMPLEMENT NSSPrivateKey *
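Review bot: The new failure path makes ownership of `instance` ambiguous for callers. When `nssVolatileDomain_ImportPrivateKey` fails, `nssPrivateKey_Destroy(rvKey)` presumably tears down the PKI object, and nssPKIObject_Destroy (pkibase.c in this commit) destroys every entry of `object->instances`; a caller that reacts to NULL by destroying `instance` itself, as nssCert_GetPublicKey does after `nssPublicKey_CreateFromInstance`, would then free it a second time. When `nssPKIObject_Create` fails the instance has not been consumed, so the same NULL return means two different things. The function comment should state one rule, for example `/* on failure the caller still owns instance */`, and the import-failure path should then detach the instance before destroying the key. The same pattern is added to nssPublicKey_CreateFromInstance further down and to nssSymKey_CreateFromInstance in symkey.c.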
@@ -204,6 +214,15 @@ nssPrivateKey_FindInstanceForAlgorithm (
return nssPKIObject_FindInstanceForAlgorithm(&vk->object, ap);
}
+NSS_IMPLEMENT void
+nssPrivateKey_SetVolatileDomain (
+ NSSPrivateKey *vk,
+ NSSVolatileDomain *vd
+)
+{
+ vk->object.vd = vd; /* volatile domain holds ref */
+}
+
NSS_IMPLEMENT PRStatus
NSSPrivateKey_DeleteStoredObject (
NSSPrivateKey *vk,
@@ -546,7 +565,7 @@ nssPrivateKey_GetVolatileDomain (
PRStatus *statusOpt
)
{
- return vk->object.vd;
+ return nssPKIObject_GetVolatileDomain(&vk->object, statusOpt);
}
NSS_IMPLEMENT NSSTrustDomain *
@@ -903,20 +922,6 @@ NSSPrivateKey_CreateCryptoContext (
return nssPrivateKey_CreateCryptoContext(vk, apOpt, uhh);
}
-NSS_IMPLEMENT void
-nssPrivateKeyArray_Destroy (
- NSSPrivateKey **vkeys
-)
-{
- NSSPrivateKey **vk = vkeys;
- if (vkeys) {
- while (vk++) {
- nssPrivateKey_Destroy(*vk);
- }
- }
- nss_ZFreeIf(vkeys);
-}
-
struct NSSPublicKeyStr
{
nssPKIObject object;
@@ -964,13 +969,23 @@ nssPublicKey_CreateFromInstance (
NSSArena *arenaOpt
)
{
+ PRStatus status;
nssPKIObject *pkio;
+ NSSPublicKey *rvKey = NULL;
pkio = nssPKIObject_Create(arenaOpt, instance, td, vdOpt);
- if (pkio) {
- return nssPublicKey_Create(pkio);
+ if (!pkio) {
+ return (NSSPublicKey *)NULL;
}
- return (NSSPublicKey *)NULL;
+ rvKey = nssPublicKey_Create(pkio);
+ if (rvKey && vdOpt) {
+ status = nssVolatileDomain_ImportPublicKey(vdOpt, rvKey);
+ if (status == PR_FAILURE) {
+ nssPublicKey_Destroy(rvKey);
+ rvKey = NULL;
+ }
+ }
+ return rvKey;
}
/* XXX same here */
@@ -1131,6 +1146,15 @@ nssPublicKey_FindInstanceForAlgorithm (
return nssPKIObject_FindInstanceForAlgorithm(&bk->object, ap);
}
+NSS_IMPLEMENT void
+nssPublicKey_SetVolatileDomain (
+ NSSPublicKey *bk,
+ NSSVolatileDomain *vd
+)
+{
+ bk->object.vd = vd; /* volatile domain holds ref */
+}
+
NSS_IMPLEMENT PRStatus
nssPublicKey_DeleteStoredObject (
NSSPublicKey *bk,
@@ -1170,6 +1194,9 @@ nssPublicKey_CopyToToken (
if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) {
nssCryptokiObject_Destroy(bko);
bko = NULL;
+ } else {
+ /* XXX maybe AddInstance should rethink not cloning */
+ bko = nssCryptokiObject_Clone(bko);
}
}
return bko;
@@ -1482,6 +1509,9 @@ nssPublicKey_WrapSymKey (
rvIt = nssToken_WrapKey(bko->token, bko->session, ap,
bko, mko, rvOpt, arenaOpt);
+
+ nssCryptokiObject_Destroy(bko);
+ nssCryptokiObject_Destroy(mko);
return rvIt;
}
@@ -1576,17 +1606,3 @@ NSSPublicKey_FindPrivateKey (
return NULL;
}
-NSS_IMPLEMENT void
-nssPublicKeyArray_Destroy (
- NSSPublicKey **bkeys
-)
-{
- NSSPublicKey **bk = bkeys;
- if (bkeys) {
- while (bk++) {
- nssPublicKey_Destroy(*bk);
- }
- }
- nss_ZFreeIf(bkeys);
-}
-
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/cert.c
index 616e99d57..b873d23f6 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/cert.c
@@ -100,14 +100,14 @@ nssCert_Create (
rvCert->object = *object;
/* XXX should choose instance based on some criteria */
status = nssCryptokiCert_GetAttributes(object->instances[0],
- arena,
- &rvCert->kind,
- &rvCert->id,
- &rvCert->encoding,
- &rvCert->issuer,
- &rvCert->serial,
- &rvCert->subject,
- &rvCert->email);
+ arena,
+ &rvCert->kind,
+ &rvCert->id,
+ &rvCert->encoding,
+ &rvCert->issuer,
+ &rvCert->serial,
+ &rvCert->subject,
+ &rvCert->email);
if (status != PR_SUCCESS) {
return (NSSCert *)NULL;
}
@@ -383,7 +383,7 @@ nssCert_GetNames (
rvOpt = nss_ZNEWARRAY(arenaOpt, NSSUTF8 *, 2);
}
rvOpt[0] = nssUTF8_Duplicate("<not implemented>", arenaOpt);
- rvOpt[1] = NULL;
+ if (rvMaxOpt > 1) rvOpt[1] = NULL;
return rvOpt;
}
@@ -411,7 +411,7 @@ nssCert_GetIssuerNames (
rvOpt = nss_ZNEWARRAY(arenaOpt, NSSUTF8 *, 2);
}
rvOpt[0] = nssUTF8_Duplicate("<not implemented>", arenaOpt);
- rvOpt[1] = NULL;
+ if (rvMaxOpt > 1) rvOpt[1] = NULL;
return rvOpt;
}
@@ -617,16 +617,17 @@ nssCert_SetVolatileDomain (
NSSVolatileDomain *vd
)
{
- c->object.vd = vd;
+ c->object.vd = vd; /* volatile domain holds ref to cert */
c->object.td = nssVolatileDomain_GetTrustDomain(vd);
}
NSS_IMPLEMENT NSSVolatileDomain *
nssCert_GetVolatileDomain (
- NSSCert *c
+ NSSCert *c,
+ PRStatus *statusOpt
)
{
- return c->object.vd;
+ return nssPKIObject_GetVolatileDomain(&c->object, statusOpt);
}
NSS_IMPLEMENT NSSTrustDomain *
@@ -1271,20 +1272,15 @@ find_cert_issuer (
NSSCert *issuer = NULL;
NSSTrustDomain *td;
NSSVolatileDomain *vd;
- vd = nssCert_GetVolatileDomain(c);
+ vd = nssCert_GetVolatileDomain(c, NULL);
td = nssCert_GetTrustDomain(c);
if (vd) {
- issuers = nssVolatileDomain_FindCertsBySubject(vd,
- &c->issuer,
- NULL,
- 0,
- NULL);
+ issuers = nssVolatileDomain_FindCertsBySubject(vd, &c->issuer,
+ NULL, 0, NULL);
+ nssVolatileDomain_Destroy(vd);
} else {
- issuers = nssTrustDomain_FindCertsBySubject(td,
- &c->issuer,
- NULL,
- 0,
- NULL);
+ issuers = nssTrustDomain_FindCertsBySubject(td, &c->issuer,
+ NULL, 0, NULL);
}
if (issuers) {
nssCertDecoding *dc = NULL;
@@ -1507,7 +1503,7 @@ nssCert_GetPublicKey (
NSSToken **tokens, **tp;
nssCryptokiObject *instance = NULL;
NSSTrustDomain *td = nssCert_GetTrustDomain(c);
- NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c);
+ NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c, NULL);
/* first look for a persistent object in the trust domain */
tokens = nssPKIObject_GetTokens(&c->object, NULL, 0, &status);
@@ -1533,6 +1529,7 @@ nssCert_GetPublicKey (
bk = nssPublicKey_CreateFromInstance(instance, td, vd, NULL);
if (!bk) {
nssCryptokiObject_Destroy(instance);
+ nssVolatileDomain_Destroy(vd);
return (NSSPublicKey *)NULL;
}
return bk;
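Review bot: The success exit `return bk;` keeps the reference that `nssCert_GetVolatileDomain(c, NULL)` now adds at the top of nssCert_GetPublicKey; only the `!bk` branch calls `nssVolatileDomain_Destroy(vd)`. nssPublicKey_SetVolatileDomain stores the pointer without taking a reference of its own, so nothing else appears to balance that AddRef and the domain's count cannot reach zero once this path has run. Adding `nssVolatileDomain_Destroy(vd);` before `return bk;` would match the other exits. The function starts and ends outside this hunk.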
@@ -1548,9 +1545,11 @@ nssCert_GetPublicKey (
status = dc->methods->getPublicKeyInfo(dc->data, &keyAlg, &keyBits);
if (status == PR_SUCCESS) {
c->bk = nssPublicKey_CreateFromInfo(td, vd, keyAlg, &keyBits);
- return nssPublicKey_AddRef(c->bk);
+ nssVolatileDomain_Destroy(vd);
+ return c->bk;
}
}
+ nssVolatileDomain_Destroy(vd);
return (NSSPublicKey *)NULL;
}
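Review bot: Returning `c->bk` instead of `nssPublicKey_AddRef(c->bk)` makes this exit hand out a borrowed pointer, while the token path earlier in the function returns a key the caller owns. A caller that destroys the result in both cases would release the cert's cached reference here and leave `c->bk` dangling, unless the volatile domain also holds a reference, which is not visible for `nssPublicKey_CreateFromInfo`. If the leak reported by purify was the cached reference never being released, it would be safer to keep `return nssPublicKey_AddRef(c->bk);` and drop the cached reference when the cert is destroyed. Whichever rule is chosen, the function comment should say whether the caller must destroy the returned key.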
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
index 065bb340f..2b1ea3000 100644
--- a/security/nss/lib/pki/cryptocontext.c
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -133,6 +133,7 @@ nssCryptoContext_CreateForSymKey (
rvCC->which = a_symkey;
rvCC->u.mkey = nssSymKey_AddRef(mkey);
}
+ nssVolatileDomain_Destroy(vd);
return rvCC;
}
@@ -1331,6 +1332,7 @@ nssCryptoContext_DigestKey (
NSSSymKey *mkOpt
)
{
+ PRStatus status;
nssCryptokiObject *mko;
if (mkOpt) {
/* The context is being asked to digest a key that may not be
@@ -1350,7 +1352,9 @@ nssCryptoContext_DigestKey (
}
mko = cc->key;
}
- return nssToken_DigestKey(cc->token, cc->session, mko);
+ status = nssToken_DigestKey(cc->token, cc->session, mko);
+ if (mkOpt) nssCryptokiObject_Destroy(mko);
+ return status;
}
NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn
index 990660631..abf278c05 100644
--- a/security/nss/lib/pki/manifest.mn
+++ b/security/nss/lib/pki/manifest.mn
@@ -49,9 +49,9 @@ MODULE = nss
CSRCS = \
pkibase.c \
asymmkey.c \
- certificate.c \
+ cert.c \
cryptocontext.c \
- symmkey.c \
+ symkey.c \
time.c \
trustdomain.c \
volatiledomain.c \
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
index cf4edd0bc..d2cab22e5 100644
--- a/security/nss/lib/pki/nsspki.h
+++ b/security/nss/lib/pki/nsspki.h
@@ -1353,9 +1353,7 @@ nssSymKey_DeriveSSLSessionKeys (
const NSSAlgNParam *ap,
PRUint32 keySize,
NSSSymKeyType keyType,
- NSSSymKey **rvSessionKeys,
- NSSItem *rvClientIV,
- NSSItem *rvServerIV
+ NSSSymKey **rvSessionKeys
);
/*
@@ -1682,7 +1680,7 @@ NSSTrustDomain_ImportEncodedPublicKey (
);
NSS_EXTERN NSSPublicKey *
-NSSTrustDomain_ImportPublicKey (
+NSSTrustDomain_ImportPublicKeyByInfo (
NSSTrustDomain *td,
NSSPublicKeyInfo *keyInfo,
NSSUTF8 *nicknameOpt,
diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c
index fd2dfdae3..5df0bb75d 100644
--- a/security/nss/lib/pki/pkibase.c
+++ b/security/nss/lib/pki/pkibase.c
@@ -48,7 +48,7 @@ nssPKIObject_Create (
NSSArena *arenaOpt,
nssCryptokiObject *instanceOpt,
NSSTrustDomain *td,
- NSSVolatileDomain *vdOpt
+ NSSVolatileDomain *vdOpt /* XXX remove */
)
{
NSSArena *arena;
@@ -69,7 +69,6 @@ nssPKIObject_Create (
}
object->arena = arena;
object->td = td; /* XXX */
- object->vd = vdOpt;
object->lock = PZ_NewLock(nssILockOther);
if (!object->lock) {
goto loser;
@@ -105,6 +104,7 @@ nssPKIObject_Destroy (
for (i=0; i<object->numInstances; i++) {
nssCryptokiObject_Destroy(object->instances[i]);
}
+ /*nssVolatileDomain_Destroy(object->vd);*/
PZ_DestroyLock(object->lock);
nssArena_Destroy(object->arena);
return PR_TRUE;
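Review bot: The commented-out `/*nssVolatileDomain_Destroy(object->vd);*/` leaves it undecided whether a PKI object owns a reference to its volatile domain. As committed, `object->vd` is a raw back-pointer set by the `*_SetVolatileDomain` helpers, and nssPKIObject_GetVolatileDomain (next hunk) calls `nssVolatileDomain_AddRef` on it, so a key or cert that outlives the domain would make that AddRef touch freed memory. Taking a reference here would create a cycle, because the domain already holds references to its objects, so the safer rule is probably for the domain to clear each object's back-pointer during teardown. In either case the dead code should be replaced by a comment stating the rule, e.g. `/* object->vd is not owned by the object; do not release it here */`.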
@@ -477,7 +477,7 @@ nssPKIObject_GetVolatileDomain (
if (statusOpt) {
*statusOpt = PR_SUCCESS;
}
- return object->vd;
+ return nssVolatileDomain_AddRef(object->vd);
}
NSS_IMPLEMENT NSSToken *
@@ -690,6 +690,48 @@ nssCRLArray_Destroy (
}
}
+NSS_IMPLEMENT void
+nssSymKeyArray_Destroy (
+ NSSSymKey **mkeys
+)
+{
+ if (mkeys) {
+ NSSSymKey **mkp;
+ for (mkp = mkeys; *mkp; mkp++) {
+ nssSymKey_Destroy(*mkp);
+ }
+ }
+ nss_ZFreeIf(mkeys);
+}
+
+NSS_IMPLEMENT void
+nssPrivateKeyArray_Destroy (
+ NSSPrivateKey **vkeys
+)
+{
+ if (vkeys) {
+ NSSPrivateKey **vkp;
+ for (vkp = vkeys; *vkp; vkp++) {
+ nssPrivateKey_Destroy(*vkp);
+ }
+ }
+ nss_ZFreeIf(vkeys);
+}
+
+NSS_IMPLEMENT void
+nssPublicKeyArray_Destroy (
+ NSSPublicKey **bkeys
+)
+{
+ if (bkeys) {
+ NSSPublicKey **bkp;
+ for (bkp = bkeys; *bkp; bkp++) {
+ nssPublicKey_Destroy(*bkp);
+ }
+ }
+ nss_ZFreeIf(bkeys);
+}
+
NSS_IMPLEMENT PRBool
nssUsages_Match (
const NSSUsages *usages,
@@ -1819,7 +1861,7 @@ new_session:
goto finish;
}
}
- t2s = &tsHash->token2session[++tsHash->count];
+ t2s = &tsHash->token2session[tsHash->count++];
}
session = nssToken_CreateSession(token, readWrite);
if (!session) {
diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symkey.c
index e78568ddf..9e0400e7d 100644
--- a/security/nss/lib/pki/symmkey.c
+++ b/security/nss/lib/pki/symkey.c
@@ -68,10 +68,10 @@ nssSymKey_Create (
rvKey->object = *object;
/* XXX should choose instance based on some criteria */
status = nssCryptokiSymKey_GetAttributes(object->instances[0],
- arena,
- &rvKey->kind,
- &rvKey->length,
- &rvKey->operations);
+ arena,
+ &rvKey->kind,
+ &rvKey->length,
+ &rvKey->operations);
if (status != PR_SUCCESS) {
return (NSSSymKey *)NULL;
}
@@ -85,13 +85,23 @@ nssSymKey_CreateFromInstance (
NSSVolatileDomain *vdOpt
)
{
+ PRStatus status;
nssPKIObject *pkio;
+ NSSSymKey *rvKey = NULL;
pkio = nssPKIObject_Create(NULL, instance, td, vdOpt);
- if (pkio) {
- return nssSymKey_Create(pkio);
+ if (!pkio) {
+ return (NSSSymKey *)NULL;
+ }
+ rvKey = nssSymKey_Create(pkio);
+ if (rvKey && vdOpt) {
+ status = nssVolatileDomain_ImportSymKey(vdOpt, rvKey);
+ if (status == PR_FAILURE) {
+ nssSymKey_Destroy(rvKey);
+ rvKey = NULL;
+ }
}
- return (NSSSymKey *)NULL;
+ return rvKey;
}
NSS_IMPLEMENT NSSSymKey *
@@ -281,6 +291,15 @@ NSSSymKey_IsStillPresent (
return PR_FAILURE;
}
+NSS_IMPLEMENT void
+nssSymKey_SetVolatileDomain (
+ NSSSymKey *mk,
+ NSSVolatileDomain *vd
+)
+{
+ mk->object.vd = vd; /* volatile domain holds ref */
+}
+
NSS_IMPLEMENT NSSTrustDomain *
nssSymKey_GetTrustDomain (
NSSSymKey *mk,
@@ -667,27 +686,25 @@ nssSymKey_DeriveSSLSessionKeys (
const NSSAlgNParam *ap,
PRUint32 keySize,
NSSSymKeyType keyType,
- NSSSymKey **rvSessionKeys, /* [4] */
- NSSItem *rvClientIV,
- NSSItem *rvServerIV
+ NSSSymKey **rvSessionKeys /* [4] */
)
{
nssCryptokiObject *mso; /* only one instance of master secret */
nssCryptokiObject *skeys[4];
+ NSSTrustDomain *td = masterSecret->object.td;
+ NSSVolatileDomain *vd = masterSecret->object.vd;
PRStatus status;
PRIntn i;
mso = masterSecret->object.instances[0];
status = nssToken_DeriveSSLSessionKeys(mso->token, mso->session,
ap, mso, keySize, keyType,
- skeys, rvClientIV, rvServerIV);
+ skeys);
if (status == PR_FAILURE) {
return PR_FAILURE;
}
for (i=0; i<4; i++) {
- rvSessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i],
- masterSecret->object.td,
- masterSecret->object.vd);
+ rvSessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i], td, vd);
if (!rvSessionKeys[i]) break;
}
if (i < 4) {
@@ -700,17 +717,3 @@ nssSymKey_DeriveSSLSessionKeys (
return status;
}
-NSS_IMPLEMENT void
-nssSymKeyArray_Destroy (
- NSSSymKey **mkeys
-)
-{
- NSSSymKey **mk = mkeys;
- if (mkeys) {
- while (mk++) {
- nssSymKey_Destroy(*mk);
- }
- }
- nss_ZFreeIf(mkeys);
-}
-
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
index 629388d51..338f26f61 100644
--- a/security/nss/lib/pki/trustdomain.c
+++ b/security/nss/lib/pki/trustdomain.c
@@ -748,6 +748,7 @@ nssTrustDomain_FindCertsBySubject (
numRemaining,
&status);
nssToken_Destroy(token);
+ nssSession_Destroy(session);
if (status != PR_SUCCESS) {
goto loser;
}
diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c
index 29a67d0d4..f2913858d 100644
--- a/security/nss/lib/pki/volatiledomain.c
+++ b/security/nss/lib/pki/volatiledomain.c
@@ -58,9 +58,7 @@ struct object_array_str
struct NSSVolatileDomainStr
{
-#if 0
PRInt32 refCount;
-#endif
NSSArena *arena;
NSSTrustDomain *td;
NSSCallback *callback;
@@ -103,6 +101,7 @@ nssVolatileDomain_Create (
}
rvVD->td = td;
rvVD->arena = arena;
+ PR_AtomicIncrement(&rvVD->refCount);
if (uhhOpt) {
rvVD->callback = uhhOpt;
} else {
@@ -117,13 +116,20 @@ nssVolatileDomain_Destroy (
)
{
PRStatus status = PR_SUCCESS;
- PZ_DestroyLock(vd->objectLock);
- nssTokenSessionHash_Destroy(vd->tokenSessionHash);
- nssCertArray_Destroy((NSSCert **)vd->certs.array);
- nssPublicKeyArray_Destroy((NSSPublicKey **)vd->bkeys.array);
- nssPrivateKeyArray_Destroy((NSSPrivateKey **)vd->vkeys.array);
- nssSymKeyArray_Destroy((NSSSymKey **)vd->mkeys.array);
- status |= nssArena_Destroy(vd->arena);
+
+ if (vd) {
+ PR_ASSERT(vd->refCount > 0);
+ PR_AtomicDecrement(&vd->refCount);
+ if (vd->refCount == 0) {
+ PZ_DestroyLock(vd->objectLock);
+ nssTokenSessionHash_Destroy(vd->tokenSessionHash);
+ nssCertArray_Destroy((NSSCert **)vd->certs.array);
+ nssPublicKeyArray_Destroy((NSSPublicKey **)vd->bkeys.array);
+ nssPrivateKeyArray_Destroy((NSSPrivateKey **)vd->vkeys.array);
+ nssSymKeyArray_Destroy((NSSSymKey **)vd->mkeys.array);
+ status |= nssArena_Destroy(vd->arena);
+ }
+ }
return status;
}
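Review bot: The release test reads `vd->refCount` after `PR_AtomicDecrement` instead of using the value the decrement returns, so the decrement-and-test is not atomic. Two threads dropping the last two references can both observe zero and both run the teardown, or one can read the field after the other has already destroyed the arena. Use the return value instead: `if (PR_AtomicDecrement(&vd->refCount) == 0) {`. The `PR_ASSERT` above performs the same unsynchronised read, though only in debug builds.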
@@ -138,6 +144,17 @@ NSSVolatileDomain_Destroy (
return nssVolatileDomain_Destroy(vd);
}
+NSS_IMPLEMENT NSSVolatileDomain *
+nssVolatileDomain_AddRef (
+ NSSVolatileDomain *vd
+)
+{
+ if (vd) {
+ PR_AtomicIncrement(&vd->refCount);
+ }
+ return vd;
+}
+
NSS_IMPLEMENT PRStatus
nssVolatileDomain_SetDefaultCallback (
NSSVolatileDomain *vd,
@@ -288,9 +305,40 @@ NSSVolatileDomain_ImportEncodedCertChain (
return NULL;
}
-NSS_IMPLEMENT NSSPublicKey *
+NSS_IMPLEMENT PRStatus
nssVolatileDomain_ImportPublicKey (
NSSVolatileDomain *vd,
+ NSSPublicKey *bk
+)
+{
+ PZ_Lock(vd->objectLock);
+ if (vd->bkeys.count == vd->bkeys.size) {
+ if (vd->bkeys.size == 0) {
+ /* need to alloc new array */
+ vd->bkeys.array = (void **)nss_ZNEWARRAY(vd->arena,
+ NSSPublicKey *,
+ DEFAULT_ARRAY_SIZE);
+ } else {
+ /* array is full, realloc */
+ vd->bkeys.size *= 2;
+ vd->bkeys.array = (void **)nss_ZREALLOCARRAY(vd->bkeys.array,
+ NSSPublicKey *,
+ vd->bkeys.size);
+ }
+ if (!vd->bkeys.array) {
+ PZ_Unlock(vd->objectLock);
+ return PR_FAILURE;
+ }
+ }
+ vd->bkeys.array[vd->bkeys.count++] = (void *)nssPublicKey_AddRef(bk);
+ PZ_Unlock(vd->objectLock);
+ nssPublicKey_SetVolatileDomain(bk, vd);
+ return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+nssVolatileDomain_ImportPublicKeyByInfo (
+ NSSVolatileDomain *vd,
NSSPublicKeyInfo *keyInfo,
NSSUTF8 *labelOpt,
NSSOperations operations,
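Review bot: In nssVolatileDomain_ImportPublicKey the `size == 0` branch allocates `DEFAULT_ARRAY_SIZE` slots but never sets `vd->bkeys.size` in the visible code, so after the first import `count` is 1 while `size` is still 0, the `count == size` test is not true again, and later imports store past the end of the array once `count` reaches `DEFAULT_ARRAY_SIZE`. The realloc branch also doubles `size` and overwrites `array` before checking the result, so a failed realloc loses the old array and leaves a wrong size behind. In addition, the `nss*Array_Destroy` loops added in pkibase.c stop at a NULL entry, which a completely full array does not have. The sketch below keeps one zeroed slot free and commits the new size only on success; it assumes `size` is a 32-bit count, that `nss_ZREALLOCARRAY` zeroes the added tail and that `DEFAULT_ARRAY_SIZE` is at least 2, none of which is visible here. nssVolatileDomain_ImportPrivateKey and nssVolatileDomain_ImportSymKey later in this file repeat the same code and need the same change.

```c
    PZ_Lock(vd->objectLock);
    /* keep one zeroed slot free so the array stays NULL-terminated */
    if (vd->bkeys.count + 1 >= vd->bkeys.size) {
        PRUint32 newSize = vd->bkeys.size ? vd->bkeys.size * 2
                                          : DEFAULT_ARRAY_SIZE;
        void **newArray;
        if (vd->bkeys.size == 0) {
            newArray = (void **)nss_ZNEWARRAY(vd->arena, NSSPublicKey *,
                                              newSize);
        } else {
            newArray = (void **)nss_ZREALLOCARRAY(vd->bkeys.array,
                                                  NSSPublicKey *, newSize);
        }
        if (!newArray) {
            PZ_Unlock(vd->objectLock);
            return PR_FAILURE;   /* old array and size are untouched */
        }
        vd->bkeys.array = newArray;
        vd->bkeys.size = newSize;
    }
    /* … unchanged: store the AddRef'd key, unlock, set the volatile domain … */
```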
@@ -330,7 +378,7 @@ nssVolatileDomain_ImportPublicKey (
}
NSS_IMPLEMENT NSSPublicKey *
-NSSVolatileDomain_ImportPublicKey (
+NSSVolatileDomain_ImportPublicKeyByInfo (
NSSVolatileDomain *vd,
NSSPublicKeyInfo *keyInfo,
NSSUTF8 *labelOpt,
@@ -339,9 +387,40 @@ NSSVolatileDomain_ImportPublicKey (
NSSToken *destinationOpt
)
{
- return nssVolatileDomain_ImportPublicKey(vd, keyInfo, labelOpt,
- operations, properties,
- destinationOpt);
+ return nssVolatileDomain_ImportPublicKeyByInfo(vd, keyInfo, labelOpt,
+ operations, properties,
+ destinationOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+nssVolatileDomain_ImportPrivateKey (
+ NSSVolatileDomain *vd,
+ NSSPrivateKey *vk
+)
+{
+ PZ_Lock(vd->objectLock);
+ if (vd->vkeys.count == vd->vkeys.size) {
+ if (vd->vkeys.size == 0) {
+ /* need to alloc new array */
+ vd->vkeys.array = (void **)nss_ZNEWARRAY(vd->arena,
+ NSSPrivateKey *,
+ DEFAULT_ARRAY_SIZE);
+ } else {
+ /* array is full, realloc */
+ vd->vkeys.size *= 2;
+ vd->vkeys.array = (void **)nss_ZREALLOCARRAY(vd->vkeys.array,
+ NSSPrivateKey *,
+ vd->vkeys.size);
+ }
+ if (!vd->vkeys.array) {
+ PZ_Unlock(vd->objectLock);
+ return PR_FAILURE;
+ }
+ }
+ vd->vkeys.array[vd->vkeys.count++] = (void *)nssPrivateKey_AddRef(vk);
+ PZ_Unlock(vd->objectLock);
+ nssPrivateKey_SetVolatileDomain(vk, vd);
+ return PR_SUCCESS;
}
NSS_IMPLEMENT NSSPrivateKey *
@@ -381,6 +460,37 @@ NSSVolatileDomain_ImportEncodedPrivateKey (
destination);
}
+NSS_IMPLEMENT PRStatus
+nssVolatileDomain_ImportSymKey (
+ NSSVolatileDomain *vd,
+ NSSSymKey *mk
+)
+{
+ PZ_Lock(vd->objectLock);
+ if (vd->mkeys.count == vd->mkeys.size) {
+ if (vd->mkeys.size == 0) {
+ /* need to alloc new array */
+ vd->mkeys.array = (void **)nss_ZNEWARRAY(vd->arena,
+ NSSSymKey *,
+ DEFAULT_ARRAY_SIZE);
+ } else {
+ /* array is full, realloc */
+ vd->mkeys.size *= 2;
+ vd->mkeys.array = (void **)nss_ZREALLOCARRAY(vd->mkeys.array,
+ NSSSymKey *,
+ vd->mkeys.size);
+ }
+ if (!vd->mkeys.array) {
+ PZ_Unlock(vd->objectLock);
+ return PR_FAILURE;
+ }
+ }
+ vd->mkeys.array[vd->mkeys.count++] = (void *)nssSymKey_AddRef(mk);
+ PZ_Unlock(vd->objectLock);
+ nssSymKey_SetVolatileDomain(mk, vd);
+ return PR_SUCCESS;
+}
+
NSS_IMPLEMENT NSSSymKey *
nssVolatileDomain_ImportRawSymKey (
NSSVolatileDomain *vd,
@@ -1037,6 +1147,7 @@ nssVolatileDomain_GenerateSymKey (
)
{
nssPKIObjectCreator creator;
+ NSSSymKey *rvKey = NULL;
creator.td = vd->td;
creator.vd = vd;
@@ -1052,7 +1163,9 @@ nssVolatileDomain_GenerateSymKey (
creator.nickname = nicknameOpt;
creator.properties = properties;
creator.operations = operations;
- return nssPKIObjectCreator_GenerateSymKey(&creator, keysize);
+ rvKey = nssPKIObjectCreator_GenerateSymKey(&creator, keysize);
+ nssSession_Destroy(creator.session);
+ return rvKey;
}
NSS_IMPLEMENT NSSSymKey *
@@ -1130,6 +1243,7 @@ nssVolatileDomain_UnwrapSymKey (
operations, properties, targetSymKeyType);
/* done with the private key */
nssCryptokiObject_Destroy(vko);
+ nssSession_Destroy(session);
/* create a new symkey in the volatile domain */
if (mko) {
mkey = nssSymKey_CreateFromInstance(mko, vd->td, vd);
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
index e68a39721..a84295692 100644
--- a/security/nss/lib/pki1/oid.c
+++ b/security/nss/lib/pki1/oid.c
@@ -546,6 +546,27 @@ oid_init (
return PR_CallOnce(&oid_call_once, oid_once_func);
}
+NSS_IMPLEMENT void
+nss_FreeOIDTable (
+ void
+)
+{
+ if( (PLHashTable *)NULL != oid_hash_table ) {
+ PL_HashTableDestroy(oid_hash_table);
+ oid_hash_table = (PLHashTable *)NULL;
+ }
+
+ if( (PZLock *)NULL != oid_hash_lock ) {
+ PZ_DestroyLock(oid_hash_lock);
+ oid_hash_lock = (PZLock *)NULL;
+ }
+
+ if( (NSSArena *)NULL != oid_arena ) {
+ (void)nssArena_Destroy(oid_arena);
+ oid_arena = (NSSArena *)NULL;
+ }
+}
+
/*
* oid_sanity_check_ber
*
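Review bot: nss_FreeOIDTable clears `oid_hash_table`, `oid_hash_lock` and `oid_arena` but leaves `oid_call_once` untouched, and `oid_init` just above builds the table only through `PR_CallOnce(&oid_call_once, oid_once_func)`. After NSS_Shutdown, a second initialisation in the same process would therefore skip `oid_once_func` and run with a NULL table and lock. Resetting the once-control at the end of this function, for example `memset(&oid_call_once, 0, sizeof oid_call_once);`, or a comment stating that re-initialisation is unsupported, would close that gap. The three teardown steps are also unsynchronised, so a thread still inside an OID lookup during shutdown could use the lock or table after they are destroyed.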
diff --git a/security/nss/lib/pkix/src/AlgorithmID.c b/security/nss/lib/pkix/src/AlgorithmID.c
index 10c629f6e..8697ea92f 100644
--- a/security/nss/lib/pkix/src/AlgorithmID.c
+++ b/security/nss/lib/pkix/src/AlgorithmID.c
@@ -321,6 +321,16 @@ nssPKIXAlgorithmIdentifier_Encode (
return NSSItem_Duplicate(it, arenaOpt, rvOpt);
}
+NSS_IMPLEMENT void
+nssPKIXAlgorithmIdentifier_SetArena
+(
+ NSSPKIXAlgorithmIdentifier *algid,
+ NSSArena *arena
+)
+{
+ algid->arena = arena;
+}
+
NSS_IMPLEMENT PRBool
nssPKIXAlgorithmIdentifier_Equal (
NSSPKIXAlgorithmIdentifier *algid1,
diff --git a/security/nss/lib/pkix/src/Extensions.c b/security/nss/lib/pkix/src/Extensions.c
index ae0d36d98..f8ca00626 100644
--- a/security/nss/lib/pkix/src/Extensions.c
+++ b/security/nss/lib/pkix/src/Extensions.c
@@ -95,7 +95,6 @@ decode_me(NSSPKIXExtensions *extensions)
static PRStatus
count_me(NSSPKIXExtensions *extensions)
{
- extensions->count = 0;
if (!extensions->extensions) {
if (NSSITEM_IS_EMPTY(&extensions->der)) {
return 0; /* there are none */
@@ -104,7 +103,13 @@ count_me(NSSPKIXExtensions *extensions)
return PR_FAILURE;
}
}
- while (extensions->extensions[++extensions->count]);
+ for (extensions->count = 0;
+ extensions->extensions[extensions->count];
+ extensions->count++)
+ {
+ nssPKIXExtension_SetArena(extensions->extensions[extensions->count],
+ extensions->arena);
+ }
return extensions->count;
}
diff --git a/security/nss/lib/pkix/src/SPKI.c b/security/nss/lib/pkix/src/SPKI.c
index 098849ebc..1fcc2270e 100644
--- a/security/nss/lib/pkix/src/SPKI.c
+++ b/security/nss/lib/pkix/src/SPKI.c
@@ -231,6 +231,16 @@ nssPKIXSubjectPublicKeyInfo_Encode (
}
}
+NSS_IMPLEMENT void
+nssPKIXSubjectPublicKeyInfo_SetArena (
+ NSSPKIXSubjectPublicKeyInfo *spki,
+ NSSArena *arena
+)
+{
+ spki->arena = arena;
+ nssPKIXAlgorithmIdentifier_SetArena(&spki->algorithm, arena);
+}
+
#if 0
NSS_IMPLEMENT PRBool
nssPKIXSubjectPublicKeyInfo_Equal (
diff --git a/security/nss/lib/pkix/src/TBSCertificate.c b/security/nss/lib/pkix/src/TBSCertificate.c
index 514e4e379..555591843 100644
--- a/security/nss/lib/pkix/src/TBSCertificate.c
+++ b/security/nss/lib/pkix/src/TBSCertificate.c
@@ -262,6 +262,7 @@ nssPKIXTBSCertificate_SetArena (
nssPKIXName_SetArena(&tbsCert->issuer, arena);
nssPKIXValidity_SetArena(&tbsCert->validity, arena);
nssPKIXName_SetArena(&tbsCert->subject, arena);
+ nssPKIXSubjectPublicKeyInfo_SetArena(&tbsCert->subjectPublicKeyInfo, arena);
nssPKIXExtensions_SetArena(&tbsCert->extensions, arena);
}
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index d750eb132..8f84c99c4 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -2129,6 +2129,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, NSSSymKey *pmsOpt)
NSSToken_Destroy(internal);
}
pwSpec->master_secret = ms;
+ NSSAlgNParam_Destroy(msDerive);
return PR_SUCCESS;
loser:
if (msDerive) {
@@ -2164,12 +2165,13 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
NSSAlgNParam *ap = NULL;
NSSAlgNParam *skAP = NULL;
NSSSymKey *sessionKeys[4];
- NSSItem *iv1, *iv2;
- NSSItem clientIV, serverIV;
+ NSSItem iv1, iv2;
PRIntn ecx, dcx;
PRBool isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
PRUint32 keySize;
NSSSymKeyType keyType;
+ PRBool haveSessionKeys = PR_FALSE;
+ PRIntn i;
PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss));
PR_ASSERT( ssl_HaveSpecWriteLock(ss));
@@ -2212,12 +2214,13 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
/* Derive the set of session keys from the master secret */
status = nssSymKey_DeriveSSLSessionKeys(pwSpec->master_secret,
skAP, keySize, keyType,
- sessionKeys,
- &clientIV, &serverIV);
+ sessionKeys);
+ NSSAlgNParam_Destroy(skAP);
if (status == PR_FAILURE) {
ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
goto loser;
}
+ haveSessionKeys = PR_TRUE;
/* Set up the mac contexts */
ap = (NSSAlgNParam *)ssl3_GetMacAP(ss->ssl3); /* it's const below */
@@ -2230,18 +2233,18 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
/* Set up the encryption and decryption contexts */
if (ss->sec.isServer) {
- iv1 = &serverIV;
- iv2 = &clientIV;
+ iv1.data = skParams.serverIV; iv1.size = cipher_def->iv_size;
+ iv2.data = skParams.clientIV; iv2.size = cipher_def->iv_size;
ecx = 3;
dcx = 2;
} else {
- iv1 = &clientIV;
- iv2 = &serverIV;
+ iv1.data = skParams.clientIV; iv1.size = cipher_def->iv_size;
+ iv2.data = skParams.serverIV; iv2.size = cipher_def->iv_size;
ecx = 2;
dcx = 3;
}
- ap = ssl3_GetBulkCipherAP(cipher_def, iv1);
+ ap = ssl3_GetBulkCipherAP(cipher_def, &iv1);
if (!ap) {
goto loser;
}
@@ -2253,7 +2256,7 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
goto loser;
}
- ap = ssl3_GetBulkCipherAP(cipher_def, iv2);
+ ap = ssl3_GetBulkCipherAP(cipher_def, &iv2);
if (!ap) {
NSSCryptoContext_Destroy(pwSpec->encodeContext);
pwSpec->encodeContext = NULL;
@@ -2269,8 +2272,12 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt)
goto loser;
}
+ for (i=0; i<4; i++) NSSSymKey_Destroy(sessionKeys[i]);
return PR_SUCCESS;
loser:
+ if (haveSessionKeys) {
+ for (i=0; i<4; i++) NSSSymKey_Destroy(sessionKeys[i]);
+ }
ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
return PR_FAILURE;
}
@@ -4386,8 +4393,9 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
sid->version = ss->version;
sid->u.ssl3.sessionIDLength = sidBytes.size;
memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.size);
- nss_ZFreeIf(sidBytes.data);
#endif /* IMPLEMENT_SESSION_ID_CACHE */
+ nss_ZFreeIf(sidBytes.data);
+
ss->ssl3->hs.isResuming = PR_FALSE;
ss->ssl3->hs.ws = wait_server_cert;
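Review bot: The relocated `nss_ZFreeIf(sidBytes.data)` releases the buffer only when control reaches this line, so any error exit taken after the session ID is parsed would still leak it. Those exits lie outside the hunk; since a peer can repeat a malformed ServerHello, they are worth checking. The `memcpy` above copies `sidBytes.size` bytes, a length taken from the peer's message, into `sid->u.ssl3.sessionID`. The bound check against that array is not visible here and should be confirmed to precede this point.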
@@ -4495,8 +4503,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
- peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo,
- NULL, 0, 0, NULL);
+ peerKey = NSSVolatileDomain_ImportPublicKeyByInfo(ss->vd, &keyInfo,
+ NULL, 0, 0, NULL);
ss->sec.peerKey = peerKey;
ss->ssl3->hs.ws = wait_cert_request;
NSSArena_Destroy(arena);
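Review bot: The result of `NSSVolatileDomain_ImportPublicKeyByInfo` is stored in `ss->sec.peerKey` and the handshake state advances to `wait_cert_request` without checking it for NULL. The same pattern appears in the hunk at -4563. A failed import of the server's key should stop the handshake here rather than surface later as a NULL key, e.g. `if (peerKey == NULL) goto alert_loser;` with the alert description and error code set as the other exits in this function do. Whether `alert_loser` also releases `arena` is not visible in the hunk and needs checking before reusing that exit.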
@@ -4563,8 +4571,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
goto alert_loser;
}
- peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo,
- NULL, 0, 0, NULL);
+ peerKey = NSSVolatileDomain_ImportPublicKeyByInfo(ss->vd, &keyInfo,
+ NULL, 0, 0, NULL);
ss->sec.peerKey = peerKey;
ss->ssl3->hs.ws = wait_cert_request;
NSSArena_Destroy(arena);
@@ -6392,6 +6400,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
}
rv = ssl3_InitPendingCipherSpec(ss, pms);
+ NSSSymKey_Destroy(pms);
if (rv != SECSuccess) {
SEND_ALERT
return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
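Review bot: Nothing at the new `NSSSymKey_Destroy(pms)` says why the pre-master secret can be released before `rv` is examined. It is correct only if `ssl3_InitPendingCipherSpec` either finishes with `pms` or takes its own reference, which cannot be seen from this hunk. A short comment would record that contract, e.g. `/* pms is no longer needed once the pending spec is initialised; release it on success and failure alike */`. Early returns between the creation of `pms` and this line lie outside the hunk and should be checked for the same leak.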
@@ -6540,7 +6549,9 @@ ssl3_SendCertificate(sslSocket *ss)
for (i = 0; i < numCerts; i++) {
cert = NSSCertChain_GetCert(certChain, i);
if (cert) {
- if ((berCert = nssCert_GetEncoding(cert)) == NULL) {
+ berCert = nssCert_GetEncoding(cert);
+ NSSCert_Destroy(cert);
+ if (berCert == NULL) {
return SECFailure;
}
len += berCert->size + 3;
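Review bot: `berCert->size` is read after `NSSCert_Destroy(cert)`, and `berCert` comes from `nssCert_GetEncoding(cert)`, so it presumably points into storage owned by the certificate. This is safe only while the chain holds another reference; if that ever stops being true the read becomes a use-after-free. Taking the length first removes the dependency: keep the NULL check, do `len += berCert->size + 3;`, and then call `NSSCert_Destroy(cert);`, releasing the certificate before the `return SECFailure` as well.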
@@ -6562,6 +6573,7 @@ ssl3_SendCertificate(sslSocket *ss)
cert = NSSCertChain_GetCert(certChain, i);
berCert = nssCert_GetEncoding(cert);
rv = ssl3_AppendHandshakeVariable(ss, berCert->data, berCert->size, 3);
+ NSSCert_Destroy(cert);
if (rv != SECSuccess) {
return rv; /* err set by AppendHandshake. */
}
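Review bot: This second loop dereferences `berCert->data` and `berCert->size` with no NULL check on either `cert` or `berCert`, while the first loop of `ssl3_SendCertificate` (hunk at -6540) guards both. If `NSSCertChain_GetCert` can return NULL, as that guard implies, this loop passes NULL to `nssCert_GetEncoding` and to the newly added `NSSCert_Destroy`. Mirroring the first loop would close the gap: `if (!cert) continue;` and `if (!berCert) { NSSCert_Destroy(cert); return SECFailure; }` before the append. The loop header is outside the hunk.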
@@ -6724,6 +6736,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (status == PR_FAILURE)
goto ambiguous_err;
}
+ nss_ZFreeIf(berCert.data); /* XXX on error as well */
if (remaining != 0)
goto decode_loser;
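Review bot: The added `nss_ZFreeIf(berCert.data)` is skipped by the `goto ambiguous_err` just above it, as the `XXX on error as well` comment admits. A peer that sends a certificate failing that step therefore leaks the buffer on every attempt. Releasing it before the jump closes that path: `if (status == PR_FAILURE) { nss_ZFreeIf(berCert.data); goto ambiguous_err; }`. The `goto decode_loser` that follows runs after the free and is unaffected. Other exits that may skip the free are outside this hunk and should be checked too.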
@@ -8169,7 +8182,7 @@ ssl3_DestroySSL3Info(ssl3State *ssl3)
if (ssl3->clientPrivateKey != NULL)
NSSPrivateKey_Destroy(ssl3->clientPrivateKey);
- if (ssl3->peerCertArena != NULL)
+ if (ssl3->peerCertChain != NULL)
ssl3_CleanupPeerCerts(ssl3);
if (ssl3->clientCertChain != NULL) {
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 18f81826a..6c77d42c3 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -3522,6 +3522,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
ss->sec.ci.sid->version = ss->version;
}
ssl_ReleaseRecvBufLock(ss);
+ NSSCert_Destroy(serverCert);
return rv;
}
/* Previously, there was a test here to see if SSL2 was enabled.
@@ -3682,7 +3683,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
if (ss->sec.localCert) {
NSSCert_Destroy(ss->sec.localCert);
}
- ss->sec.localCert = nssCert_AddRef(serverCert);
+ ss->sec.localCert = serverCert;
/* Build up final list of required elements */
ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
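Review bot: After `ss->sec.localCert = serverCert;` the socket owns the only reference, because the `nssCert_AddRef` was dropped. The hunk at -3759 then adds `NSSCert_Destroy(serverCert)` under `loser:`, which is entered by `/* FALLTHROUGH */`. If any path reaches `loser` after this assignment, the certificate is destroyed while `ss->sec.localCert` still points at it, and the later destroy of `localCert` becomes a double release. Clearing the local after the hand-off avoids this: `ss->sec.localCert = serverCert; serverCert = NULL;`, with `if (serverCert) NSSCert_Destroy(serverCert);` at `loser` and at the early return in the hunk at -3522. Which paths fall through is not visible in these hunks.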
@@ -3759,6 +3760,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
/* FALLTHROUGH */
loser:
+ NSSCert_Destroy(serverCert);
if (gotXmitBufLock) {
ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
}
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index 83b4521da..69fb64d4e 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -656,8 +656,10 @@ struct ssl3StateStr {
/* This says what cipher suites we can do, and should
* be either SSL_ALLOWED or SSL_RESTRICTED
*/
+#if 0
/* XXX */
NSSArena * peerCertArena;
+#endif
/* These are used to keep track of the peer CA */
/* XXX */
void * peerCertChain;
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index fbf977460..716119054 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -239,7 +239,7 @@ ssl_DupSocket(sslSocket *os)
ss->wTimeout = os->wTimeout;
ss->cTimeout = os->cTimeout;
ss->td = os->td; /* XXX ref counted? */
- ss->vd = os->vd; /* XXX ref counted? */
+ ss->vd = NSSTrustDomain_CreateVolatileDomain(os->td, NULL);
/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
ss->allowedByPolicy = os->allowedByPolicy;
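Review bot: The return value of `NSSTrustDomain_CreateVolatileDomain` is assigned to `ss->vd` without a NULL check. Elsewhere in this commit `ss->vd` is passed straight to `NSSVolatileDomain_ImportPublicKeyByInfo`, so a failed creation would surface later, mid-handshake. The duplicate should be abandoned here when `ss->vd == NULL`, using the same failure exit as the function's other allocation failures, which is outside this hunk. A comment such as `/* each socket owns its own volatile domain; released in ssl_DestroySocketContents */` would also replace the removed `XXX ref counted?` question with the actual ownership rule.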
@@ -387,6 +387,9 @@ ssl_DestroySocketContents(sslSocket *ss)
ssl3_FreeKeyPair(ss->stepDownKeyPair);
ss->stepDownKeyPair = NULL;
}
+ if (ss->vd) {
+ NSSVolatileDomain_Destroy(ss->vd);
+ }
}
/*
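Review bot: `ss->vd` is destroyed but left pointing at the freed domain, whereas the `stepDownKeyPair` cleanup just above resets its field to NULL. Adding `ss->vd = NULL;` after `NSSVolatileDomain_Destroy(ss->vd);` keeps the two consistent and makes a second call to `ssl_DestroySocketContents` harmless. It should also be confirmed that every socket, not only those made by `ssl_DupSocket`, owns its `vd` exclusively. A domain shared between sockets would be released twice by this code.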