author | ian.mcgreer%sun.com <devnull@localhost> | 2003-02-11 16:38:08 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2003-02-11 16:38:08 +0000 |
commit | 681a90a262cd988747175bbbd41c24cbfccebcbc (patch) | |
tree | 415ba1025e22b2e61dcfaa21e57ce8606c88925f | |
parent | 4d2bc7e18152503dfc4347839857b1121f41347c (diff) | |
download | nss-hg-681a90a262cd988747175bbbd41c24cbfccebcbc.tar.gz |
fix leaks/bugs found with purify
rename certificate.c and symmkey.c to reflect object names
24 files changed, 413 insertions, 162 deletions
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c index d3e63ba71..c4129a30a 100644 --- a/security/nss/lib/base/arena.c +++ b/security/nss/lib/base/arena.c @@ -375,6 +375,14 @@ nssArena_Destroy ( nss_arena_call_destructor_chain(arena->first_destructor); #endif /* ARENA_DESTRUCTOR_LIST */ + { + const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST"); + if (!ev) { + PL_FreeArenaPool(arena); + } else { + PL_FinishArenaPool(arena); + } + } PL_FinishArenaPool(&arena->pool); lock = arena->lock; arena->lock = (PRLock *)NULL; diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c index fd76cbff5..9e4c7b1bc 100644 --- a/security/nss/lib/base/item.c +++ b/security/nss/lib/base/item.c @@ -152,7 +152,15 @@ nssItem_Duplicate ( NSSItem *rvOpt ) { - return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data); + if (obj->size > 0 && obj->data) { + return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data); + } else if (rvOpt) { + rvOpt->size = 0; + rvOpt->data = NULL; + return rvOpt; + } else { + return (NSSItem *)NULL; + } } /* diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h index 9e0759b68..e4a72b2b4 100644 --- a/security/nss/lib/dev/dev.h +++ b/security/nss/lib/dev/dev.h @@ -688,9 +688,7 @@ nssToken_DeriveSSLSessionKeys ( nssCryptokiObject *masterSecret, PRUint32 keySize, NSSSymKeyType keyType, - nssCryptokiObject **rvSessionKeys, /* [4] */ - NSSItem *rvClientIV, - NSSItem *rvServerIV + nssCryptokiObject **rvSessionKeys /* [4] */ ); NSS_EXTERN PRStatus diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c index 2df87b0a0..151fd376e 100644 --- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -50,7 +50,9 @@ static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; /* The number of object handles to grab during each call to C_FindObjects */ #define OBJECT_STACK_SIZE 16 +#ifndef BITS_PER_BYTE #define BITS_PER_BYTE 8 +#endif struct NSSTokenStr { 
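Review bot: The two calls added in nssArena_Destroy pass `arena` (the NSSArena itself) to PL_FreeArenaPool and PL_FinishArenaPool, while the unchanged call right below them passes `&arena->pool`; unless the pool is the first member of the struct this hands the allocator the wrong object, and it depends on layout either way. The else branch also finishes the pool and then falls into the unconditional `PL_FinishArenaPool(&arena->pool);`, so the pool is finished twice whenever NSS_DISABLE_ARENA_FREE_LIST is set. I would write `if (!ev) PL_FreeArenaPool(&arena->pool);`, drop the else branch, and keep the existing finish call. The body of nssArena_Destroy continues outside the hunk.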
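Review bot: The last branch added to nssItem_Duplicate returns NULL for an empty source item when `rvOpt` is NULL, which a caller cannot tell apart from the allocation failure that nssItem_Create reports the same way. The `rvOpt` branch overwrites `rvOpt->data` regardless of what it held, and `obj` is still dereferenced without a check. The contract should be stated above the function, for example `/* An empty source yields an emptied rvOpt, or NULL when rvOpt is NULL; NULL alone does not mean failure. */`, so that callers treating NULL as an error know to test the source size first.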
@@ -1174,8 +1176,14 @@ nssToken_FindPublicKeyByID ( */ PRStatus status; NSSPublicKeyInfo keyInfo; - status = nssCryptokiPublicKey_GetAttributes(rvKey, NULL, - &keyInfo, NULL); + NSSArena *tmparena = nssArena_Create(); + if (tmparena) { + status = nssCryptokiPublicKey_GetAttributes(rvKey, tmparena, + &keyInfo, NULL); + nssArena_Destroy(tmparena); + } else { + status = PR_FAILURE; + } if (status == PR_FAILURE) { nssCryptokiObject_Destroy(rvKey); rvKey = NULL; @@ -2012,9 +2020,7 @@ nssToken_DeriveSSLSessionKeys ( nssCryptokiObject *masterSecret, PRUint32 keySize, NSSSymKeyType keyType, - nssCryptokiObject **rvSessionKeys, /* [4] */ - NSSItem *rvClientIV, - NSSItem *rvServerIV + nssCryptokiObject **rvSessionKeys /* [4] */ ) { CK_RV ckrv; @@ -2025,7 +2031,6 @@ nssToken_DeriveSSLSessionKeys ( CK_KEY_TYPE ckKeyType = nssCK_GetSymKeyType(keyType); CK_ULONG ktSize; void *epv = nssToken_GetCryptokiEPV(token); - PRUint32 ivSize; PRUint32 i, keyNum; mechanism = nssAlgNParam_GetMechanism(ap); @@ -2082,18 +2087,6 @@ nssToken_DeriveSSLSessionKeys ( return PR_FAILURE; } keyNum++; - ivSize = kmp->ulIVSizeInBits / 8; /* XXX */ - if (nssItem_Create(NULL, rvClientIV, ivSize, kmo->pIVClient) == NULL) { - for (i=0; i<keyNum; i++) - nssCryptokiObject_Destroy(rvSessionKeys[i]); - return PR_FAILURE; - } - if (nssItem_Create(NULL, rvServerIV, ivSize, kmo->pIVServer) == NULL) { - for (i=0; i<keyNum; i++) - nssCryptokiObject_Destroy(rvSessionKeys[i]); - nss_ZFreeIf(rvClientIV->data); rvClientIV->data = NULL; - return PR_FAILURE; - } return PR_SUCCESS; } return PR_FAILURE; diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index 8fc76c659..34214acc8 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def 
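Review bot: `keyInfo` is filled from `tmparena` and the arena is destroyed on the next line, so every pointer inside `keyInfo` is dangling after this block, assuming GetAttributes allocates the attribute data from the arena it is given. Nothing visible reads it afterwards, but the variable stays in scope, so a comment would stop a later edit from using it: `/* keyInfo only proves the attributes are readable; its contents die with tmparena */`. The return value of `nssArena_Destroy` is ignored here. nssToken_FindPublicKeyByID starts and ends outside the hunk.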
@@ -293,7 +293,7 @@ NSSVolatileDomain_Destroy; ;+#NSSVolatileDomain_ImportCert; NSSVolatileDomain_ImportEncodedCert; ;+#NSSVolatileDomain_ImportEncodedCertChain; -NSSVolatileDomain_ImportPublicKey; +NSSVolatileDomain_ImportPublicKeyByInfo; NSSVolatileDomain_ImportEncodedPrivateKey; NSSVolatileDomain_FindBestCertByNickname; NSSVolatileDomain_FindCertsByNickname; diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index e05b1d31d..3f1fc11d7 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -546,14 +546,14 @@ NSS_NoDB_Init(const char * configdir) extern void nss_DumpModuleLog(void); +NSS_EXTERN void nss_FreeOIDTable(void); + PRStatus NSS_Shutdown(void) { PRStatus rv = PR_SUCCESS; nss_DumpModuleLog(); -#if 0 - SECOID_Shutdown(); -#endif + nss_FreeOIDTable(); NSSTrustDomain_Destroy(g_default_trust_domain); nss_DestroyGlobalModuleList(); nss_IsInitted = PR_FALSE; diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c index ab8d64466..8fc2b84b8 100644 --- a/security/nss/lib/pki/asymmkey.c +++ b/security/nss/lib/pki/asymmkey.c @@ -112,13 +112,23 @@ nssPrivateKey_CreateFromInstance ( NSSVolatileDomain *vdOpt ) { + PRStatus status; nssPKIObject *pkio; + NSSPrivateKey *rvKey = NULL; pkio = nssPKIObject_Create(NULL, instance, td, vdOpt); - if (pkio) { - return nssPrivateKey_Create(pkio); + if (!pkio) { + return (NSSPrivateKey *)NULL; + } + rvKey = nssPrivateKey_Create(pkio); + if (rvKey && vdOpt) { + status = nssVolatileDomain_ImportPrivateKey(vdOpt, rvKey); + if (status == PR_FAILURE) { + nssPrivateKey_Destroy(rvKey); + rvKey = NULL; + } } - return (NSSPrivateKey *)NULL; + return rvKey; } NSS_IMPLEMENT NSSPrivateKey * 
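Review bot: On the new failure path in nssPrivateKey_CreateFromInstance, `nssPrivateKey_Destroy(rvKey)` runs after the key has taken over `instance`, so a caller that also releases `instance` when it gets NULL back would release it twice; nssCert_GetPublicKey in cert.c does exactly that for the public-key twin of this function. Whether this is a real double release depends on the key's destroy routine tearing down the object's instances, which the nssPKIObject_Destroy context in pkibase.c suggests but does not prove for this path. The same code is added to nssPublicKey_CreateFromInstance and nssSymKey_CreateFromInstance. Either document that `instance` is consumed on every return, e.g. `/* instance is owned by the key from here on and is released with it, also on failure */`, and drop the caller-side destroy, or keep `instance` alive when NULL is returned.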
@@ -204,6 +214,15 @@ nssPrivateKey_FindInstanceForAlgorithm ( return nssPKIObject_FindInstanceForAlgorithm(&vk->object, ap); } +NSS_IMPLEMENT void +nssPrivateKey_SetVolatileDomain ( + NSSPrivateKey *vk, + NSSVolatileDomain *vd +) +{ + vk->object.vd = vd; /* volatile domain holds ref */ +} + NSS_IMPLEMENT PRStatus NSSPrivateKey_DeleteStoredObject ( NSSPrivateKey *vk, @@ -546,7 +565,7 @@ nssPrivateKey_GetVolatileDomain ( PRStatus *statusOpt ) { - return vk->object.vd; + return nssPKIObject_GetVolatileDomain(&vk->object, statusOpt); } NSS_IMPLEMENT NSSTrustDomain * @@ -903,20 +922,6 @@ NSSPrivateKey_CreateCryptoContext ( return nssPrivateKey_CreateCryptoContext(vk, apOpt, uhh); } -NSS_IMPLEMENT void -nssPrivateKeyArray_Destroy ( - NSSPrivateKey **vkeys -) -{ - NSSPrivateKey **vk = vkeys; - if (vkeys) { - while (vk++) { - nssPrivateKey_Destroy(*vk); - } - } - nss_ZFreeIf(vkeys); -} - struct NSSPublicKeyStr { nssPKIObject object; @@ -964,13 +969,23 @@ nssPublicKey_CreateFromInstance ( NSSArena *arenaOpt ) { + PRStatus status; nssPKIObject *pkio; + NSSPublicKey *rvKey = NULL; pkio = nssPKIObject_Create(arenaOpt, instance, td, vdOpt); - if (pkio) { - return nssPublicKey_Create(pkio); + if (!pkio) { + return (NSSPublicKey *)NULL; } - return (NSSPublicKey *)NULL; + rvKey = nssPublicKey_Create(pkio); + if (rvKey && vdOpt) { + status = nssVolatileDomain_ImportPublicKey(vdOpt, rvKey); + if (status == PR_FAILURE) { + nssPublicKey_Destroy(rvKey); + rvKey = NULL; + } + } + return rvKey; } /* XXX same here */ @@ -1131,6 +1146,15 @@ nssPublicKey_FindInstanceForAlgorithm ( return nssPKIObject_FindInstanceForAlgorithm(&bk->object, ap); } +NSS_IMPLEMENT void +nssPublicKey_SetVolatileDomain ( + NSSPublicKey *bk, + NSSVolatileDomain *vd +) +{ + bk->object.vd = vd; /* volatile domain holds ref */ +} + NSS_IMPLEMENT PRStatus nssPublicKey_DeleteStoredObject ( NSSPublicKey *bk, 
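Review bot: `vk->object.vd = vd;` in nssPrivateKey_SetVolatileDomain stores a back-pointer without taking a reference, and the comment `/* volatile domain holds ref */` does not say which way the reference runs. If a key outlives its volatile domain because another holder keeps the key alive after the domain's last reference is dropped, `object.vd` is left dangling and nssPKIObject_GetVolatileDomain will then call AddRef on freed memory. I would spell the contract out, `/* non-owning back-pointer: vd holds a reference on vk, vk holds none on vd */`, and have the domain's teardown clear this field on each object before releasing it. The same applies to nssPublicKey_SetVolatileDomain, nssSymKey_SetVolatileDomain and nssCert_SetVolatileDomain.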
@@ -1170,6 +1194,9 @@ nssPublicKey_CopyToToken ( if (nssPKIObject_AddInstance(&bk->object, bko) == PR_FAILURE) { nssCryptokiObject_Destroy(bko); bko = NULL; + } else { + /* XXX maybe AddInstance should rethink not cloning */ + bko = nssCryptokiObject_Clone(bko); } } return bko; @@ -1482,6 +1509,9 @@ nssPublicKey_WrapSymKey ( rvIt = nssToken_WrapKey(bko->token, bko->session, ap, bko, mko, rvOpt, arenaOpt); + + nssCryptokiObject_Destroy(bko); + nssCryptokiObject_Destroy(mko); return rvIt; } @@ -1576,17 +1606,3 @@ NSSPublicKey_FindPrivateKey ( return NULL; } -NSS_IMPLEMENT void -nssPublicKeyArray_Destroy ( - NSSPublicKey **bkeys -) -{ - NSSPublicKey **bk = bkeys; - if (bkeys) { - while (bk++) { - nssPublicKey_Destroy(*bk); - } - } - nss_ZFreeIf(bkeys); -} - diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/cert.c index 616e99d57..b873d23f6 100644 --- a/security/nss/lib/pki/certificate.c +++ b/security/nss/lib/pki/cert.c @@ -100,14 +100,14 @@ nssCert_Create ( rvCert->object = *object; /* XXX should choose instance based on some criteria */ status = nssCryptokiCert_GetAttributes(object->instances[0], - arena, - &rvCert->kind, - &rvCert->id, - &rvCert->encoding, - &rvCert->issuer, - &rvCert->serial, - &rvCert->subject, - &rvCert->email); + arena, + &rvCert->kind, + &rvCert->id, + &rvCert->encoding, + &rvCert->issuer, + &rvCert->serial, + &rvCert->subject, + &rvCert->email); if (status != PR_SUCCESS) { return (NSSCert *)NULL; } @@ -383,7 +383,7 @@ nssCert_GetNames ( rvOpt = nss_ZNEWARRAY(arenaOpt, NSSUTF8 *, 2); } rvOpt[0] = nssUTF8_Duplicate("<not implemented>", arenaOpt); - rvOpt[1] = NULL; + if (rvMaxOpt > 1) rvOpt[1] = NULL; return rvOpt; } @@ -411,7 +411,7 @@ nssCert_GetIssuerNames ( rvOpt = nss_ZNEWARRAY(arenaOpt, NSSUTF8 *, 2); } rvOpt[0] = nssUTF8_Duplicate("<not implemented>", arenaOpt); - rvOpt[1] = NULL; + if (rvMaxOpt > 1) rvOpt[1] = NULL; return rvOpt; } 
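Review bot: The result of `nssCryptokiObject_Clone(bko)` is returned unchecked from nssPublicKey_CopyToToken, so a failed clone makes the function return NULL even though the instance has already been added to `bk->object`. The caller then sees a failed copy while the key has in fact gained the token instance. Clone into a separate variable, `nssCryptokiObject *copy = nssCryptokiObject_Clone(bko);`, return `copy`, and add a comment stating that the instance stays attached whether or not the clone succeeds. The function starts outside the hunk.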
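Review bot: The new guard in nssCert_GetNames protects only the terminator; `rvOpt[0]` is still stored unconditionally, so a caller-supplied array with `rvMaxOpt` of zero would be overrun by one slot, and a failed `nss_ZNEWARRAY` is dereferenced as NULL. When the array is allocated here the guard may also skip the terminator, which then depends on the allocator having zeroed both slots. Checking the array before the first store, `if (!rvOpt) return (NSSUTF8 **)NULL;`, and guarding slot 0 the way slot 1 is now guarded would close both. nssCert_GetIssuerNames in the next hunk has the identical code. How `rvMaxOpt` is set when the caller passes no array is decided outside the hunk.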
@@ -617,16 +617,17 @@ nssCert_SetVolatileDomain ( NSSVolatileDomain *vd ) { - c->object.vd = vd; + c->object.vd = vd; /* volatile domain holds ref to cert */ c->object.td = nssVolatileDomain_GetTrustDomain(vd); } NSS_IMPLEMENT NSSVolatileDomain * nssCert_GetVolatileDomain ( - NSSCert *c + NSSCert *c, + PRStatus *statusOpt ) { - return c->object.vd; + return nssPKIObject_GetVolatileDomain(&c->object, statusOpt); } NSS_IMPLEMENT NSSTrustDomain * @@ -1271,20 +1272,15 @@ find_cert_issuer ( NSSCert *issuer = NULL; NSSTrustDomain *td; NSSVolatileDomain *vd; - vd = nssCert_GetVolatileDomain(c); + vd = nssCert_GetVolatileDomain(c, NULL); td = nssCert_GetTrustDomain(c); if (vd) { - issuers = nssVolatileDomain_FindCertsBySubject(vd, - &c->issuer, - NULL, - 0, - NULL); + issuers = nssVolatileDomain_FindCertsBySubject(vd, &c->issuer, + NULL, 0, NULL); + nssVolatileDomain_Destroy(vd); } else { - issuers = nssTrustDomain_FindCertsBySubject(td, - &c->issuer, - NULL, - 0, - NULL); + issuers = nssTrustDomain_FindCertsBySubject(td, &c->issuer, + NULL, 0, NULL); } if (issuers) { nssCertDecoding *dc = NULL; @@ -1507,7 +1503,7 @@ nssCert_GetPublicKey ( NSSToken **tokens, **tp; nssCryptokiObject *instance = NULL; NSSTrustDomain *td = nssCert_GetTrustDomain(c); - NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c); + NSSVolatileDomain *vd = nssCert_GetVolatileDomain(c, NULL); /* first look for a persistent object in the trust domain */ tokens = nssPKIObject_GetTokens(&c->object, NULL, 0, &status); @@ -1533,6 +1529,7 @@ nssCert_GetPublicKey ( bk = nssPublicKey_CreateFromInstance(instance, td, vd, NULL); if (!bk) { nssCryptokiObject_Destroy(instance); + nssVolatileDomain_Destroy(vd); return (NSSPublicKey *)NULL; } return bk; 
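Review bot: The success path just below the added line, `return bk;`, leaves nssCert_GetPublicKey holding the reference that `nssCert_GetVolatileDomain(c, NULL)` now takes in the declaration hunk above, so every successful lookup through a token instance leaks one count on the volatile domain and the domain can never reach zero. Add `nssVolatileDomain_Destroy(vd);` before `return bk;` as well; the destroy function accepts NULL after this commit. Any other return between the declaration and this block lies outside the hunks and needs the same check.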
@@ -1548,9 +1545,11 @@ nssCert_GetPublicKey ( status = dc->methods->getPublicKeyInfo(dc->data, &keyAlg, &keyBits); if (status == PR_SUCCESS) { c->bk = nssPublicKey_CreateFromInfo(td, vd, keyAlg, &keyBits); - return nssPublicKey_AddRef(c->bk); + nssVolatileDomain_Destroy(vd); + return c->bk; } } + nssVolatileDomain_Destroy(vd); return (NSSPublicKey *)NULL; } diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c index 065bb340f..2b1ea3000 100644 --- a/security/nss/lib/pki/cryptocontext.c +++ b/security/nss/lib/pki/cryptocontext.c @@ -133,6 +133,7 @@ nssCryptoContext_CreateForSymKey ( rvCC->which = a_symkey; rvCC->u.mkey = nssSymKey_AddRef(mkey); } + nssVolatileDomain_Destroy(vd); return rvCC; } @@ -1331,6 +1332,7 @@ nssCryptoContext_DigestKey ( NSSSymKey *mkOpt ) { + PRStatus status; nssCryptokiObject *mko; if (mkOpt) { /* The context is being asked to digest a key that may not be @@ -1350,7 +1352,9 @@ nssCryptoContext_DigestKey ( } mko = cc->key; } - return nssToken_DigestKey(cc->token, cc->session, mko); + status = nssToken_DigestKey(cc->token, cc->session, mko); + if (mkOpt) nssCryptokiObject_Destroy(mko); + return status; } NSS_IMPLEMENT PRStatus diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn index 990660631..abf278c05 100644 --- a/security/nss/lib/pki/manifest.mn +++ b/security/nss/lib/pki/manifest.mn @@ -49,9 +49,9 @@ MODULE = nss CSRCS = \ pkibase.c \ asymmkey.c \ - certificate.c \ + cert.c \ cryptocontext.c \ - symmkey.c \ + symkey.c \ time.c \ trustdomain.c \ volatiledomain.c \ diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h index cf4edd0bc..d2cab22e5 100644 --- a/security/nss/lib/pki/nsspki.h +++ b/security/nss/lib/pki/nsspki.h @@ -1353,9 +1353,7 @@ nssSymKey_DeriveSSLSessionKeys ( const NSSAlgNParam *ap, PRUint32 keySize, NSSSymKeyType keyType, - NSSSymKey **rvSessionKeys, - NSSItem *rvClientIV, - NSSItem *rvServerIV + NSSSymKey **rvSessionKeys ); /* 
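Review bot: `return c->bk;` hands the caller the same pointer the certificate caches, without the `nssPublicKey_AddRef` the old code took, while the token-instance path earlier in nssCert_GetPublicKey returns a key the caller owns outright. A caller that destroys the returned key, as it must for that other path, would leave `c->bk` pointing at a released object unless some other holder keeps it alive, which cannot be confirmed from here. If the certificate is meant to keep its cached key, `return nssPublicKey_AddRef(c->bk);` with a matching release when the certificate is destroyed gives both paths one ownership rule. `c->bk` is NULL when `nssPublicKey_CreateFromInfo` fails, so that case needs a guard before any AddRef.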
@@ -1682,7 +1680,7 @@ NSSTrustDomain_ImportEncodedPublicKey ( ); NSS_EXTERN NSSPublicKey * -NSSTrustDomain_ImportPublicKey ( +NSSTrustDomain_ImportPublicKeyByInfo ( NSSTrustDomain *td, NSSPublicKeyInfo *keyInfo, NSSUTF8 *nicknameOpt, diff --git a/security/nss/lib/pki/pkibase.c b/security/nss/lib/pki/pkibase.c index fd2dfdae3..5df0bb75d 100644 --- a/security/nss/lib/pki/pkibase.c +++ b/security/nss/lib/pki/pkibase.c @@ -48,7 +48,7 @@ nssPKIObject_Create ( NSSArena *arenaOpt, nssCryptokiObject *instanceOpt, NSSTrustDomain *td, - NSSVolatileDomain *vdOpt + NSSVolatileDomain *vdOpt /* XXX remove */ ) { NSSArena *arena; @@ -69,7 +69,6 @@ nssPKIObject_Create ( } object->arena = arena; object->td = td; /* XXX */ - object->vd = vdOpt; object->lock = PZ_NewLock(nssILockOther); if (!object->lock) { goto loser; @@ -105,6 +104,7 @@ nssPKIObject_Destroy ( for (i=0; i<object->numInstances; i++) { nssCryptokiObject_Destroy(object->instances[i]); } + /*nssVolatileDomain_Destroy(object->vd);*/ PZ_DestroyLock(object->lock); nssArena_Destroy(object->arena); return PR_TRUE; @@ -477,7 +477,7 @@ nssPKIObject_GetVolatileDomain ( if (statusOpt) { *statusOpt = PR_SUCCESS; } - return object->vd; + return nssVolatileDomain_AddRef(object->vd); } NSS_IMPLEMENT NSSToken * 
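Review bot: `/*nssVolatileDomain_Destroy(object->vd);*/` in nssPKIObject_Destroy is commented-out code with no explanation, and it reads as if the object owned a reference that it forgets to release. Since the setters added in this commit make `object->vd` a pointer that carries no reference, replace the line with a comment that says so, e.g. `/* object->vd is not counted here: the volatile domain owns the object, not the reverse */`. As far as these hunks show, the `vdOpt /* XXX remove */` argument of nssPKIObject_Create is now ignored, which deserves the same one-line explanation for callers that still pass a domain.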
@@ -690,6 +690,48 @@ nssCRLArray_Destroy ( } } +NSS_IMPLEMENT void +nssSymKeyArray_Destroy ( + NSSSymKey **mkeys +) +{ + if (mkeys) { + NSSSymKey **mkp; + for (mkp = mkeys; *mkp; mkp++) { + nssSymKey_Destroy(*mkp); + } + } + nss_ZFreeIf(mkeys); +} + +NSS_IMPLEMENT void +nssPrivateKeyArray_Destroy ( + NSSPrivateKey **vkeys +) +{ + if (vkeys) { + NSSPrivateKey **vkp; + for (vkp = vkeys; *vkp; vkp++) { + nssPrivateKey_Destroy(*vkp); + } + } + nss_ZFreeIf(vkeys); +} + +NSS_IMPLEMENT void +nssPublicKeyArray_Destroy ( + NSSPublicKey **bkeys +) +{ + if (bkeys) { + NSSPublicKey **bkp; + for (bkp = bkeys; *bkp; bkp++) { + nssPublicKey_Destroy(*bkp); + } + } + nss_ZFreeIf(bkeys); +} + NSS_IMPLEMENT PRBool nssUsages_Match ( const NSSUsages *usages, @@ -1819,7 +1861,7 @@ new_session: goto finish; } } - t2s = &tsHash->token2session[++tsHash->count]; + t2s = &tsHash->token2session[tsHash->count++]; } session = nssToken_CreateSession(token, readWrite); if (!session) { diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symkey.c index e78568ddf..9e0400e7d 100644 --- a/security/nss/lib/pki/symmkey.c +++ b/security/nss/lib/pki/symkey.c @@ -68,10 +68,10 @@ nssSymKey_Create ( rvKey->object = *object; /* XXX should choose instance based on some criteria */ status = nssCryptokiSymKey_GetAttributes(object->instances[0], - arena, - &rvKey->kind, - &rvKey->length, - &rvKey->operations); + arena, + &rvKey->kind, + &rvKey->length, + &rvKey->operations); if (status != PR_SUCCESS) { return (NSSSymKey *)NULL; } 
@@ -85,13 +85,23 @@ nssSymKey_CreateFromInstance ( NSSVolatileDomain *vdOpt ) { + PRStatus status; nssPKIObject *pkio; + NSSSymKey *rvKey = NULL; pkio = nssPKIObject_Create(NULL, instance, td, vdOpt); - if (pkio) { - return nssSymKey_Create(pkio); + if (!pkio) { + return (NSSSymKey *)NULL; + } + rvKey = nssSymKey_Create(pkio); + if (rvKey && vdOpt) { + status = nssVolatileDomain_ImportSymKey(vdOpt, rvKey); + if (status == PR_FAILURE) { + nssSymKey_Destroy(rvKey); + rvKey = NULL; + } } - return (NSSSymKey *)NULL; + return rvKey; } NSS_IMPLEMENT NSSSymKey * @@ -281,6 +291,15 @@ NSSSymKey_IsStillPresent ( return PR_FAILURE; } +NSS_IMPLEMENT void +nssSymKey_SetVolatileDomain ( + NSSSymKey *mk, + NSSVolatileDomain *vd +) +{ + mk->object.vd = vd; /* volatile domain holds ref */ +} + NSS_IMPLEMENT NSSTrustDomain * nssSymKey_GetTrustDomain ( NSSSymKey *mk, @@ -667,27 +686,25 @@ nssSymKey_DeriveSSLSessionKeys ( const NSSAlgNParam *ap, PRUint32 keySize, NSSSymKeyType keyType, - NSSSymKey **rvSessionKeys, /* [4] */ - NSSItem *rvClientIV, - NSSItem *rvServerIV + NSSSymKey **rvSessionKeys /* [4] */ ) { nssCryptokiObject *mso; /* only one instance of master secret */ nssCryptokiObject *skeys[4]; + NSSTrustDomain *td = masterSecret->object.td; + NSSVolatileDomain *vd = masterSecret->object.vd; PRStatus status; PRIntn i; mso = masterSecret->object.instances[0]; status = nssToken_DeriveSSLSessionKeys(mso->token, mso->session, ap, mso, keySize, keyType, - skeys, rvClientIV, rvServerIV); + skeys); if (status == PR_FAILURE) { return PR_FAILURE; } for (i=0; i<4; i++) { - rvSessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i], - masterSecret->object.td, - masterSecret->object.vd); + rvSessionKeys[i] = nssSymKey_CreateFromInstance(skeys[i], td, vd); if (!rvSessionKeys[i]) break; } if (i < 4) { 
@@ -700,17 +717,3 @@ nssSymKey_DeriveSSLSessionKeys ( return status; } -NSS_IMPLEMENT void -nssSymKeyArray_Destroy ( - NSSSymKey **mkeys -) -{ - NSSSymKey **mk = mkeys; - if (mkeys) { - while (mk++) { - nssSymKey_Destroy(*mk); - } - } - nss_ZFreeIf(mkeys); -} - diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 629388d51..338f26f61 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -748,6 +748,7 @@ nssTrustDomain_FindCertsBySubject ( numRemaining, &status); nssToken_Destroy(token); + nssSession_Destroy(session); if (status != PR_SUCCESS) { goto loser; } diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c index 29a67d0d4..f2913858d 100644 --- a/security/nss/lib/pki/volatiledomain.c +++ b/security/nss/lib/pki/volatiledomain.c @@ -58,9 +58,7 @@ struct object_array_str struct NSSVolatileDomainStr { -#if 0 PRInt32 refCount; -#endif NSSArena *arena; NSSTrustDomain *td; NSSCallback *callback; @@ -103,6 +101,7 @@ nssVolatileDomain_Create ( } rvVD->td = td; rvVD->arena = arena; + PR_AtomicIncrement(&rvVD->refCount); if (uhhOpt) { rvVD->callback = uhhOpt; } else { 
@@ -117,13 +116,20 @@ nssVolatileDomain_Destroy ( ) { PRStatus status = PR_SUCCESS; - PZ_DestroyLock(vd->objectLock); - nssTokenSessionHash_Destroy(vd->tokenSessionHash); - nssCertArray_Destroy((NSSCert **)vd->certs.array); - nssPublicKeyArray_Destroy((NSSPublicKey **)vd->bkeys.array); - nssPrivateKeyArray_Destroy((NSSPrivateKey **)vd->vkeys.array); - nssSymKeyArray_Destroy((NSSSymKey **)vd->mkeys.array); - status |= nssArena_Destroy(vd->arena); + + if (vd) { + PR_ASSERT(vd->refCount > 0); + PR_AtomicDecrement(&vd->refCount); + if (vd->refCount == 0) { + PZ_DestroyLock(vd->objectLock); + nssTokenSessionHash_Destroy(vd->tokenSessionHash); + nssCertArray_Destroy((NSSCert **)vd->certs.array); + nssPublicKeyArray_Destroy((NSSPublicKey **)vd->bkeys.array); + nssPrivateKeyArray_Destroy((NSSPrivateKey **)vd->vkeys.array); + nssSymKeyArray_Destroy((NSSSymKey **)vd->mkeys.array); + status |= nssArena_Destroy(vd->arena); + } + } return status; } @@ -138,6 +144,17 @@ NSSVolatileDomain_Destroy ( return nssVolatileDomain_Destroy(vd); } +NSS_IMPLEMENT NSSVolatileDomain * +nssVolatileDomain_AddRef ( + NSSVolatileDomain *vd +) +{ + if (vd) { + PR_AtomicIncrement(&vd->refCount); + } + return vd; +} + NSS_IMPLEMENT PRStatus nssVolatileDomain_SetDefaultCallback ( NSSVolatileDomain *vd, 
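Review bot: In nssVolatileDomain_Destroy the count is decremented atomically but then re-read with a plain `if (vd->refCount == 0)`, so two threads releasing at the same time can both observe zero and tear the domain down twice, or one can read the field after the other has already freed the arena that holds it. Test the value the decrement returns instead: `if (PR_AtomicDecrement(&vd->refCount) == 0) {`. The `PR_ASSERT` is compiled out of optimized builds, so an over-release there drives the count negative silently and the domain is never freed.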
@@ -288,9 +305,40 @@ NSSVolatileDomain_ImportEncodedCertChain ( return NULL; } -NSS_IMPLEMENT NSSPublicKey * +NSS_IMPLEMENT PRStatus nssVolatileDomain_ImportPublicKey ( NSSVolatileDomain *vd, + NSSPublicKey *bk +) +{ + PZ_Lock(vd->objectLock); + if (vd->bkeys.count == vd->bkeys.size) { + if (vd->bkeys.size == 0) { + /* need to alloc new array */ + vd->bkeys.array = (void **)nss_ZNEWARRAY(vd->arena, + NSSPublicKey *, + DEFAULT_ARRAY_SIZE); + } else { + /* array is full, realloc */ + vd->bkeys.size *= 2; + vd->bkeys.array = (void **)nss_ZREALLOCARRAY(vd->bkeys.array, + NSSPublicKey *, + vd->bkeys.size); + } + if (!vd->bkeys.array) { + PZ_Unlock(vd->objectLock); + return PR_FAILURE; + } + } + vd->bkeys.array[vd->bkeys.count++] = (void *)nssPublicKey_AddRef(bk); + PZ_Unlock(vd->objectLock); + nssPublicKey_SetVolatileDomain(bk, vd); + return PR_SUCCESS; +} + +NSS_IMPLEMENT NSSPublicKey * +nssVolatileDomain_ImportPublicKeyByInfo ( + NSSVolatileDomain *vd, NSSPublicKeyInfo *keyInfo, NSSUTF8 *labelOpt, NSSOperations operations, @@ -330,7 +378,7 @@ nssVolatileDomain_ImportPublicKey ( } NSS_IMPLEMENT NSSPublicKey * -NSSVolatileDomain_ImportPublicKey ( +NSSVolatileDomain_ImportPublicKeyByInfo ( NSSVolatileDomain *vd, NSSPublicKeyInfo *keyInfo, NSSUTF8 *labelOpt, 
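Review bot: In the new nssVolatileDomain_ImportPublicKey the `size == 0` branch allocates DEFAULT_ARRAY_SIZE slots but never records that in `vd->bkeys.size`, so from the second import on `count == size` is never true again and `array[count++]` writes past the allocation once DEFAULT_ARRAY_SIZE keys are stored. Add `vd->bkeys.size = DEFAULT_ARRAY_SIZE;` after the first allocation. The destroy helpers added in pkibase.c walk these arrays until a NULL entry, so growth also has to keep one spare slot, e.g. `if (vd->bkeys.count + 1 >= vd->bkeys.size) {`. On a failed realloc the old array pointer is overwritten with NULL after `size` has already been doubled. nssVolatileDomain_ImportPrivateKey and nssVolatileDomain_ImportSymKey repeat the same code.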
@@ -339,9 +387,40 @@ NSSVolatileDomain_ImportPublicKey ( NSSToken *destinationOpt ) { - return nssVolatileDomain_ImportPublicKey(vd, keyInfo, labelOpt, - operations, properties, - destinationOpt); + return nssVolatileDomain_ImportPublicKeyByInfo(vd, keyInfo, labelOpt, + operations, properties, + destinationOpt); +} + +NSS_IMPLEMENT PRStatus +nssVolatileDomain_ImportPrivateKey ( + NSSVolatileDomain *vd, + NSSPrivateKey *vk +) +{ + PZ_Lock(vd->objectLock); + if (vd->vkeys.count == vd->vkeys.size) { + if (vd->vkeys.size == 0) { + /* need to alloc new array */ + vd->vkeys.array = (void **)nss_ZNEWARRAY(vd->arena, + NSSPrivateKey *, + DEFAULT_ARRAY_SIZE); + } else { + /* array is full, realloc */ + vd->vkeys.size *= 2; + vd->vkeys.array = (void **)nss_ZREALLOCARRAY(vd->vkeys.array, + NSSPrivateKey *, + vd->vkeys.size); + } + if (!vd->vkeys.array) { + PZ_Unlock(vd->objectLock); + return PR_FAILURE; + } + } + vd->vkeys.array[vd->vkeys.count++] = (void *)nssPrivateKey_AddRef(vk); + PZ_Unlock(vd->objectLock); + nssPrivateKey_SetVolatileDomain(vk, vd); + return PR_SUCCESS; } NSS_IMPLEMENT NSSPrivateKey * 
@@ -381,6 +460,37 @@ NSSVolatileDomain_ImportEncodedPrivateKey ( destination); } +NSS_IMPLEMENT PRStatus +nssVolatileDomain_ImportSymKey ( + NSSVolatileDomain *vd, + NSSSymKey *mk +) +{ + PZ_Lock(vd->objectLock); + if (vd->mkeys.count == vd->mkeys.size) { + if (vd->mkeys.size == 0) { + /* need to alloc new array */ + vd->mkeys.array = (void **)nss_ZNEWARRAY(vd->arena, + NSSSymKey *, + DEFAULT_ARRAY_SIZE); + } else { + /* array is full, realloc */ + vd->mkeys.size *= 2; + vd->mkeys.array = (void **)nss_ZREALLOCARRAY(vd->mkeys.array, + NSSSymKey *, + vd->mkeys.size); + } + if (!vd->mkeys.array) { + PZ_Unlock(vd->objectLock); + return PR_FAILURE; + } + } + vd->mkeys.array[vd->mkeys.count++] = (void *)nssSymKey_AddRef(mk); + PZ_Unlock(vd->objectLock); + nssSymKey_SetVolatileDomain(mk, vd); + return PR_SUCCESS; +} + NSS_IMPLEMENT NSSSymKey * nssVolatileDomain_ImportRawSymKey ( NSSVolatileDomain *vd, @@ -1037,6 +1147,7 @@ nssVolatileDomain_GenerateSymKey ( ) { nssPKIObjectCreator creator; + NSSSymKey *rvKey = NULL; creator.td = vd->td; creator.vd = vd; @@ -1052,7 +1163,9 @@ nssVolatileDomain_GenerateSymKey ( creator.nickname = nicknameOpt; creator.properties = properties; creator.operations = operations; - return nssPKIObjectCreator_GenerateSymKey(&creator, keysize); + rvKey = nssPKIObjectCreator_GenerateSymKey(&creator, keysize); + nssSession_Destroy(creator.session); + return rvKey; } NSS_IMPLEMENT NSSSymKey * @@ -1130,6 +1243,7 @@ nssVolatileDomain_UnwrapSymKey ( operations, properties, targetSymKeyType); /* done with the private key */ nssCryptokiObject_Destroy(vko); + nssSession_Destroy(session); /* create a new symkey in the volatile domain */ if (mko) { mkey = nssSymKey_CreateFromInstance(mko, vd->td, vd); diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c index e68a39721..a84295692 100644 --- a/security/nss/lib/pki1/oid.c +++ b/security/nss/lib/pki1/oid.c 
@@ -546,6 +546,27 @@ oid_init ( return PR_CallOnce(&oid_call_once, oid_once_func); } +NSS_IMPLEMENT void +nss_FreeOIDTable ( + void +) +{ + if( (PLHashTable *)NULL != oid_hash_table ) { + PL_HashTableDestroy(oid_hash_table); + oid_hash_table = (PLHashTable *)NULL; + } + + if( (PZLock *)NULL != oid_hash_lock ) { + PZ_DestroyLock(oid_hash_lock); + oid_hash_lock = (PZLock *)NULL; + } + + if( (NSSArena *)NULL != oid_arena ) { + (void)nssArena_Destroy(oid_arena); + oid_arena = (NSSArena *)NULL; + } +} + /* * oid_sanity_check_ber * diff --git a/security/nss/lib/pkix/src/AlgorithmID.c b/security/nss/lib/pkix/src/AlgorithmID.c index 10c629f6e..8697ea92f 100644 --- a/security/nss/lib/pkix/src/AlgorithmID.c +++ b/security/nss/lib/pkix/src/AlgorithmID.c @@ -321,6 +321,16 @@ nssPKIXAlgorithmIdentifier_Encode ( return NSSItem_Duplicate(it, arenaOpt, rvOpt); } +NSS_IMPLEMENT void +nssPKIXAlgorithmIdentifier_SetArena +( + NSSPKIXAlgorithmIdentifier *algid, + NSSArena *arena +) +{ + algid->arena = arena; +} + NSS_IMPLEMENT PRBool nssPKIXAlgorithmIdentifier_Equal ( NSSPKIXAlgorithmIdentifier *algid1, diff --git a/security/nss/lib/pkix/src/Extensions.c b/security/nss/lib/pkix/src/Extensions.c index ae0d36d98..f8ca00626 100644 --- a/security/nss/lib/pkix/src/Extensions.c +++ b/security/nss/lib/pkix/src/Extensions.c @@ -95,7 +95,6 @@ decode_me(NSSPKIXExtensions *extensions) static PRStatus count_me(NSSPKIXExtensions *extensions) { - extensions->count = 0; if (!extensions->extensions) { if (NSSITEM_IS_EMPTY(&extensions->der)) { return 0; /* there are none */ @@ -104,7 +103,13 @@ count_me(NSSPKIXExtensions *extensions) return PR_FAILURE; } } - while (extensions->extensions[++extensions->count]); + for (extensions->count = 0; + extensions->extensions[extensions->count]; + extensions->count++) + { + nssPKIXExtension_SetArena(extensions->extensions[extensions->count], + extensions->arena); + } return extensions->count; } 
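Review bot: nss_FreeOIDTable frees the table, lock and arena but leaves `oid_call_once` untouched, so after NSS_Shutdown a later `oid_init` finds the once-control already completed, skips `oid_once_func`, and leaves `oid_hash_table` and `oid_hash_lock` NULL for the lookups that follow. The lock is destroyed without being taken, so a lookup still running on another thread during shutdown would use freed state. Resetting the control at the end of this function, e.g. `memset(&oid_call_once, 0, sizeof oid_call_once);`, restores re-initialisation, and a comment should state that no other thread may be inside the OID code when this runs. The prototype is also repeated by hand in nssinit.c rather than coming from a shared header.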
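Review bot: With `extensions->count = 0;` removed from the top of count_me, the early `return 0; /* there are none */` path no longer resets the field, so a stale count from an earlier state survives when the DER is empty. Keep the reset before the first `if`, `extensions->count = 0;`, and let the `for` loop start from it. The loop now also assigns the arena to every decoded extension, a side effect the function name does not suggest, so a one-line comment above it would help: `/* counts the extensions and binds each one to extensions->arena */`.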
diff --git a/security/nss/lib/pkix/src/SPKI.c b/security/nss/lib/pkix/src/SPKI.c index 098849ebc..1fcc2270e 100644 --- a/security/nss/lib/pkix/src/SPKI.c +++ b/security/nss/lib/pkix/src/SPKI.c @@ -231,6 +231,16 @@ nssPKIXSubjectPublicKeyInfo_Encode ( } } +NSS_IMPLEMENT void +nssPKIXSubjectPublicKeyInfo_SetArena ( + NSSPKIXSubjectPublicKeyInfo *spki, + NSSArena *arena +) +{ + spki->arena = arena; + nssPKIXAlgorithmIdentifier_SetArena(&spki->algorithm, arena); +} + #if 0 NSS_IMPLEMENT PRBool nssPKIXSubjectPublicKeyInfo_Equal ( diff --git a/security/nss/lib/pkix/src/TBSCertificate.c b/security/nss/lib/pkix/src/TBSCertificate.c index 514e4e379..555591843 100644 --- a/security/nss/lib/pkix/src/TBSCertificate.c +++ b/security/nss/lib/pkix/src/TBSCertificate.c @@ -262,6 +262,7 @@ nssPKIXTBSCertificate_SetArena ( nssPKIXName_SetArena(&tbsCert->issuer, arena); nssPKIXValidity_SetArena(&tbsCert->validity, arena); nssPKIXName_SetArena(&tbsCert->subject, arena); + nssPKIXSubjectPublicKeyInfo_SetArena(&tbsCert->subjectPublicKeyInfo, arena); nssPKIXExtensions_SetArena(&tbsCert->extensions, arena); } diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index d750eb132..8f84c99c4 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -2129,6 +2129,7 @@ ssl3_DeriveMasterSecret(sslSocket *ss, NSSSymKey *pmsOpt) NSSToken_Destroy(internal); } pwSpec->master_secret = ms; + NSSAlgNParam_Destroy(msDerive); return PR_SUCCESS; loser: if (msDerive) { @@ -2164,12 +2165,13 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt) NSSAlgNParam *ap = NULL; NSSAlgNParam *skAP = NULL; NSSSymKey *sessionKeys[4]; - NSSItem *iv1, *iv2; - NSSItem clientIV, serverIV; + NSSItem iv1, iv2; PRIntn ecx, dcx; PRBool isTLS = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0); PRUint32 keySize; NSSSymKeyType keyType; + PRBool haveSessionKeys = PR_FALSE; + PRIntn i; PR_ASSERT( ssl_HaveSSL3HandshakeLock(ss)); PR_ASSERT( ssl_HaveSpecWriteLock(ss)); 
@@ -2212,12 +2214,13 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt) /* Derive the set of session keys from the master secret */ status = nssSymKey_DeriveSSLSessionKeys(pwSpec->master_secret, skAP, keySize, keyType, - sessionKeys, - &clientIV, &serverIV); + sessionKeys); + NSSAlgNParam_Destroy(skAP); if (status == PR_FAILURE) { ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); goto loser; } + haveSessionKeys = PR_TRUE; /* Set up the mac contexts */ ap = (NSSAlgNParam *)ssl3_GetMacAP(ss->ssl3); /* it's const below */ @@ -2230,18 +2233,18 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt) /* Set up the encryption and decryption contexts */ if (ss->sec.isServer) { - iv1 = &serverIV; - iv2 = &clientIV; + iv1.data = skParams.serverIV; iv1.size = cipher_def->iv_size; + iv2.data = skParams.clientIV; iv2.size = cipher_def->iv_size; ecx = 3; dcx = 2; } else { - iv1 = &clientIV; - iv2 = &serverIV; + iv1.data = skParams.clientIV; iv1.size = cipher_def->iv_size; + iv2.data = skParams.serverIV; iv2.size = cipher_def->iv_size; ecx = 2; dcx = 3; } - ap = ssl3_GetBulkCipherAP(cipher_def, iv1); + ap = ssl3_GetBulkCipherAP(cipher_def, &iv1); if (!ap) { goto loser; } @@ -2253,7 +2256,7 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt) goto loser; } - ap = ssl3_GetBulkCipherAP(cipher_def, iv2); + ap = ssl3_GetBulkCipherAP(cipher_def, &iv2); if (!ap) { NSSCryptoContext_Destroy(pwSpec->encodeContext); pwSpec->encodeContext = NULL; @@ -2269,8 +2272,12 @@ ssl3_GenerateSessionKeys(sslSocket *ss, NSSSymKey *pmsOpt) goto loser; } + for (i=0; i<4; i++) NSSSymKey_Destroy(sessionKeys[i]); return PR_SUCCESS; loser: + if (haveSessionKeys) { + for (i=0; i<4; i++) NSSSymKey_Destroy(sessionKeys[i]); + } ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE); return PR_FAILURE; } 
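Review bot: `iv1` and `iv2` now alias `skParams.serverIV` and `skParams.clientIV` with a length taken from `cipher_def->iv_size`, where the code removed from nssToken_DeriveSSLSessionKeys took the length from the mechanism's `ulIVSizeInBits`. Nothing in these hunks checks that the two buffers hold at least `iv_size` bytes or that the derive call was asked for that many IV bits; `skParams` is declared outside the hunk, so this has to be confirmed there. If the fields are arrays, an assertion next to the assignments would pin the assumption: `PR_ASSERT(cipher_def->iv_size <= sizeof skParams.clientIV);`.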
@@ -4386,8 +4393,9 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) sid->version = ss->version; sid->u.ssl3.sessionIDLength = sidBytes.size; memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.size); - nss_ZFreeIf(sidBytes.data); #endif /* IMPLEMENT_SESSION_ID_CACHE */ + nss_ZFreeIf(sidBytes.data); + ss->ssl3->hs.isResuming = PR_FALSE; ss->ssl3->hs.ws = wait_server_cert; @@ -4495,8 +4503,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } - peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo, - NULL, 0, 0, NULL); + peerKey = NSSVolatileDomain_ImportPublicKeyByInfo(ss->vd, &keyInfo, + NULL, 0, 0, NULL); ss->sec.peerKey = peerKey; ss->ssl3->hs.ws = wait_cert_request; NSSArena_Destroy(arena); @@ -4563,8 +4571,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) goto alert_loser; } - peerKey = NSSVolatileDomain_ImportPublicKey(ss->vd, &keyInfo, - NULL, 0, 0, NULL); + peerKey = NSSVolatileDomain_ImportPublicKeyByInfo(ss->vd, &keyInfo, + NULL, 0, 0, NULL); ss->sec.peerKey = peerKey; ss->ssl3->hs.ws = wait_cert_request; NSSArena_Destroy(arena); @@ -6392,6 +6400,7 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss, } rv = ssl3_InitPendingCipherSpec(ss, pms); + NSSSymKey_Destroy(pms); if (rv != SECSuccess) { SEND_ALERT return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */ @@ -6540,7 +6549,9 @@ ssl3_SendCertificate(sslSocket *ss) for (i = 0; i < numCerts; i++) { cert = NSSCertChain_GetCert(certChain, i); if (cert) { - if ((berCert = nssCert_GetEncoding(cert)) == NULL) { + berCert = nssCert_GetEncoding(cert); + NSSCert_Destroy(cert); + if (berCert == NULL) { return SECFailure; } len += berCert->size + 3; 
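Review bot: In the first loop of ssl3_SendCertificate the new `NSSCert_Destroy(cert);` runs before `berCert->size` is read, and `berCert` presumably points into the certificate object. That is safe only while `certChain` keeps its own reference to the same object. Releasing after the last use costs nothing and removes the dependency: move the call below `len += berCert->size + 3;` and repeat it in the NULL-encoding branch before `return SECFailure;`. The second loop, in the following hunk, already releases after use, but it dereferences `cert` and `berCert` without the NULL checks the first loop has.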
@@ -6562,6 +6573,7 @@ ssl3_SendCertificate(sslSocket *ss) cert = NSSCertChain_GetCert(certChain, i); berCert = nssCert_GetEncoding(cert); rv = ssl3_AppendHandshakeVariable(ss, berCert->data, berCert->size, 3); + NSSCert_Destroy(cert); if (rv != SECSuccess) { return rv; /* err set by AppendHandshake. */ } @@ -6724,6 +6736,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) if (status == PR_FAILURE) goto ambiguous_err; } + nss_ZFreeIf(berCert.data); /* XXX on error as well */ if (remaining != 0) goto decode_loser; @@ -8169,7 +8182,7 @@ ssl3_DestroySSL3Info(ssl3State *ssl3) if (ssl3->clientPrivateKey != NULL) NSSPrivateKey_Destroy(ssl3->clientPrivateKey); - if (ssl3->peerCertArena != NULL) + if (ssl3->peerCertChain != NULL) ssl3_CleanupPeerCerts(ssl3); if (ssl3->clientCertChain != NULL) { diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index 18f81826a..6c77d42c3 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -3522,6 +3522,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss) ss->sec.ci.sid->version = ss->version; } ssl_ReleaseRecvBufLock(ss); + NSSCert_Destroy(serverCert); return rv; } /* Previously, there was a test here to see if SSL2 was enabled. @@ -3682,7 +3683,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss) if (ss->sec.localCert) { NSSCert_Destroy(ss->sec.localCert); } - ss->sec.localCert = nssCert_AddRef(serverCert); + ss->sec.localCert = serverCert; /* Build up final list of required elements */ ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED; @@ -3759,6 +3760,7 @@ ssl2_HandleClientHelloMessage(sslSocket *ss) /* FALLTHROUGH */ loser: + NSSCert_Destroy(serverCert); if (gotXmitBufLock) { ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0; } diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 83b4521da..69fb64d4e 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h 
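Review bot: `nss_ZFreeIf(berCert.data);` in ssl3_HandleCertificate is reached only when nothing before it has jumped away; the `goto ambiguous_err` on the line above skips it, as the `/* XXX on error as well */` marker admits. This is the handler for the peer's Certificate message, so a peer whose certificates fail at that step makes the process leak one buffer per attempt. Free the buffer right after its last read and before the first conditional jump, or add the same `nss_ZFreeIf(berCert.data);` under each error label. Where `berCert` is last used is decided outside the hunk.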
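Review bot: The `NSSCert_Destroy(serverCert);` added under `loser:` in ssl2_HandleClientHelloMessage conflicts with the previous hunk, which now stores `serverCert` in `ss->sec.localCert` without `nssCert_AddRef`: any path that reaches `loser` after that assignment releases the only reference while `ss->sec.localCert` still points at the certificate, and socket teardown would release it again. Clearing the local at the hand-off, `ss->sec.localCert = serverCert; serverCert = NULL;`, makes the label safe provided `NSSCert_Destroy` tolerates NULL; otherwise guard the call with `if (serverCert)`. The same guard matters for failures that jump to `loser` before `serverCert` has been obtained. The jumps themselves are outside these hunks, so the affected paths need checking in the full function.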
@@ -656,8 +656,10 @@ struct ssl3StateStr { /* This says what cipher suites we can do, and should * be either SSL_ALLOWED or SSL_RESTRICTED */ +#if 0 /* XXX */ NSSArena * peerCertArena; +#endif /* These are used to keep track of the peer CA */ /* XXX */ void * peerCertChain; diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index fbf977460..716119054 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -239,7 +239,7 @@ ssl_DupSocket(sslSocket *os) ss->wTimeout = os->wTimeout; ss->cTimeout = os->cTimeout; ss->td = os->td; /* XXX ref counted? */ - ss->vd = os->vd; /* XXX ref counted? */ + ss->vd = NSSTrustDomain_CreateVolatileDomain(os->td, NULL); /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */ ss->allowedByPolicy = os->allowedByPolicy; @@ -387,6 +387,9 @@ ssl_DestroySocketContents(sslSocket *ss) ssl3_FreeKeyPair(ss->stepDownKeyPair); ss->stepDownKeyPair = NULL; } + if (ss->vd) { + NSSVolatileDomain_Destroy(ss->vd); + } } /* |