Bug 1303224 - Remove the PKCS#11 bypass r=franziskus,mt

author: Tim Taubert <ttaubert@mozilla.com> 2016-09-16 13:42:56 -0700
committer: Tim Taubert <ttaubert@mozilla.com> 2016-09-16 13:42:56 -0700
commit: 6c214486e9ef0f7b8653dea24689e5491de959b6 (patch)
tree: 7d4d3f1347d05853217823b9b9710268e4193081 /lib/ssl/sslsnce.c
parent: 6efedbcb0d51f696cdb7a5d44f781e69e3ca5802 (diff)
download: nss-hg-6c214486e9ef0f7b8653dea24689e5491de959b6.tar.gz
1 files changed, 7 insertions, 79 deletions
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
index 59c341647..4a4005c2d 100644
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -35,8 +35,8 @@
  *     certCacheEntry           certCacheData[numCertCacheEntries];
  *     SSLWrappedSymWrappingKey keyCacheData[ssl_auth_size][SSL_NUM_WRAP_MECHS];
  *     PRUint8                  keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN]
- *     encKeyCacheEntry         ticketEncKey; // Wrapped in non-bypass mode
- *     encKeyCacheEntry         ticketMacKey; // Wrapped in non-bypass mode
+ *     encKeyCacheEntry         ticketEncKey; // Wrapped
+ *     encKeyCacheEntry         ticketMacKey; // Wrapped
  *     PRBool                   ticketKeysValid;
  *     sidCacheLock             srvNameCacheLock;
  *     srvNameCacheEntry        srvNameData[ numSrvNameCacheEntries ];
@@ -53,12 +53,8 @@
 #include "pk11func.h"
 #include "base64.h"
 #include "keyhi.h"
-#ifdef NO_PKCS11_BYPASS
 #include "blapit.h"
 #include "sechash.h"
-#else
-#include "blapi.h"
-#endif
 
 #include <stdio.h>
 
@@ -396,12 +392,8 @@ CacheSrvName(cacheDesc *cache, SECItem *name, sidCacheEntry *sce)
     snce.type = name->type;
     snce.nameLen = name->len;
     PORT_Memcpy(snce.name, name->data, snce.nameLen);
-#ifdef NO_PKCS11_BYPASS
     HASH_HashBuf(HASH_AlgSHA256, snce.nameHash, name->data, name->len);
-#else
-    SHA256_HashBuf(snce.nameHash, (unsigned char *)name->data,
-                   name->len);
-#endif
+
     /* get index of the next name */
     ndx = Get32BitNameHash(name);
     /* get lock on cert cache */
@@ -1829,10 +1821,10 @@ loser:
 }
 
 PRBool
-ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey,
-                               SECKEYPublicKey *svrPubKey, void *pwArg,
-                               unsigned char *keyName, PK11SymKey **aesKey,
-                               PK11SymKey **macKey)
+ssl_GetSessionTicketKeys(SECKEYPrivateKey *svrPrivKey,
+                         SECKEYPublicKey *svrPubKey, void *pwArg,
+                         unsigned char *keyName, PK11SymKey **aesKey,
+                         PK11SymKey **macKey)
 {
     PRUint32 now = 0;
     PRBool rv = PR_FALSE;
@@ -1867,70 +1859,6 @@ loser:
     return rv;
 }
 
-PRBool
-ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey,
-                         unsigned char *macKey)
-{
-    PRBool rv = PR_FALSE;
-    PRUint32 now = 0;
-    cacheDesc *cache = &globalCache;
-    PRUint8 ticketMacKey[SHA256_LENGTH], ticketEncKey[AES_256_KEY_LENGTH];
-    PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN];
-    PRUint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix;
-    PRBool cacheIsEnabled = PR_TRUE;
-
-    if (!cache->cacheMem) { /* cache is uninitialized */
-        cacheIsEnabled = PR_FALSE;
-        ticketKeyNameSuffix = ticketKeyNameSuffixLocal;
-        ticketEncKeyPtr = ticketEncKey;
-        ticketMacKeyPtr = ticketMacKey;
-    } else {
-        /* these values have constant memory locations in the cache.
-         * Ok to reference them without holding the lock. */
-        ticketKeyNameSuffix = cache->ticketKeyNameSuffix;
-        ticketEncKeyPtr = cache->ticketEncKey->bytes;
-        ticketMacKeyPtr = cache->ticketMacKey->bytes;
-    }
-
-    if (cacheIsEnabled) {
-        /* Grab lock if initialized. */
-        now = LockSidCacheLock(cache->keyCacheLock, now);
-        if (!now)
-            return rv;
-    }
-    /* Going to regenerate keys on every call if cache was not
-     * initialized. */
-    if (!cacheIsEnabled || !*(cache->ticketKeysValid)) {
-        if (PK11_GenerateRandom(ticketKeyNameSuffix,
-                                SESS_TICKET_KEY_VAR_NAME_LEN) !=
-            SECSuccess)
-            goto loser;
-        if (PK11_GenerateRandom(ticketEncKeyPtr,
-                                AES_256_KEY_LENGTH) != SECSuccess)
-            goto loser;
-        if (PK11_GenerateRandom(ticketMacKeyPtr,
-                                SHA256_LENGTH) != SECSuccess)
-            goto loser;
-        if (cacheIsEnabled) {
-            *(cache->ticketKeysValid) = 1;
-        }
-    }
-
-    rv = PR_TRUE;
-
-loser:
-    if (cacheIsEnabled) {
-        UnlockSidCacheLock(cache->keyCacheLock);
-    }
-    if (rv) {
-        PORT_Memcpy(keyName, ticketKeyNameSuffix,
-                    SESS_TICKET_KEY_VAR_NAME_LEN);
-        PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH);
-        PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH);
-    }
-    return rv;
-}
-
 /* The caller passes in the new value it wants
  * to set.  This code tests the wrapped sym key entry in the shared memory.
  * If it is uninitialized, this function writes the caller's value into
author	Tim Taubert <ttaubert@mozilla.com>	2016-09-16 13:42:56 -0700
committer	Tim Taubert <ttaubert@mozilla.com>	2016-09-16 13:42:56 -0700
commit	6c214486e9ef0f7b8653dea24689e5491de959b6 (patch)
tree	7d4d3f1347d05853217823b9b9710268e4193081 /lib/ssl/sslsnce.c
parent	6efedbcb0d51f696cdb7a5d44f781e69e3ca5802 (diff)
download	nss-hg-6c214486e9ef0f7b8653dea24689e5491de959b6.tar.gz