author | nelsonb%netscape.com <devnull@localhost> | 2001-01-05 01:38:26 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2001-01-05 01:38:26 +0000 |
commit | 2c37abab0f2d147bcccec46f9d6e2dd71aec2b94 (patch) | |
tree | d560ab158deca81666194ba5ad23141a9a8197bd /security/nss/cmd | |
parent | bdd0ac1e42e583a42e8aa1d7405a35a11df209ef (diff) | |
download | nss-hg-2c37abab0f2d147bcccec46f9d6e2dd71aec2b94.tar.gz |
Changes to deal with exporting data from Windows DLLs.
SECHashObjects[] is no longer exported.
New function HASH_GetHashObject returns pointer to selected const object.
SSL statistics are now in a structure whose address is obtained via a
call to SSL_GetStatistics().
On NT, the new symbol NSS_USE_STATIC_LIBS must be declared in programs
that use the static SSL library.
Also, propagate "const" declaration for SECHashObjects.
Diffstat (limited to 'security/nss/cmd')
-rw-r--r-- | security/nss/cmd/SSLsample/sslsample.c | 22 | ||||
-rw-r--r-- | security/nss/cmd/p7sign/p7sign.c | 5 | ||||
-rw-r--r-- | security/nss/cmd/p7verify/p7verify.c | 5 | ||||
-rw-r--r-- | security/nss/cmd/platlibs.mk | 1 | ||||
-rw-r--r-- | security/nss/cmd/selfserv/selfserv.c | 329 | ||||
-rw-r--r-- | security/nss/cmd/signtool/sign.c | 5 | ||||
-rw-r--r-- | security/nss/cmd/signver/signver.c | 5 | ||||
-rw-r--r-- | security/nss/cmd/strsclnt/strsclnt.c | 53 | ||||
-rw-r--r-- | security/nss/cmd/tstclnt/tstclnt.c | 51 |
9 files changed, 170 insertions, 306 deletions
diff --git a/security/nss/cmd/SSLsample/sslsample.c b/security/nss/cmd/SSLsample/sslsample.c index 7270c3f8e..564a6e785 100644 --- a/security/nss/cmd/SSLsample/sslsample.c +++ b/security/nss/cmd/SSLsample/sslsample.c @@ -391,23 +391,7 @@ printSecurityInfo(PRFileDesc *fd) int kp0; /* total key bits */ int kp1; /* secret key bits */ int result; - -#if 0 -/* statistics from ssl3_SendClientHello (sch) */ -extern long ssl3_sch_sid_cache_hits; -extern long ssl3_sch_sid_cache_misses; -extern long ssl3_sch_sid_cache_not_ok; - -/* statistics from ssl3_HandleServerHello (hsh) */ -extern long ssl3_hsh_sid_cache_hits; -extern long ssl3_hsh_sid_cache_misses; -extern long ssl3_hsh_sid_cache_not_ok; -#endif - -/* statistics from ssl3_HandleClientHello (hch) */ -extern long ssl3_hch_sid_cache_hits; -extern long ssl3_hch_sid_cache_misses; -extern long ssl3_hch_sid_cache_not_ok; + SSL3Statistics * ssl3stats = SSL_GetStatistics(); result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); if (result != SECSuccess) @@ -420,8 +404,8 @@ extern long ssl3_hch_sid_cache_not_ok; PR_Free(sp); printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses, - ssl3_hch_sid_cache_not_ok); + ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, + ssl3stats->hch_sid_cache_not_ok); } diff --git a/security/nss/cmd/p7sign/p7sign.c b/security/nss/cmd/p7sign/p7sign.c index d8047a89a..b78193d83 100644 --- a/security/nss/cmd/p7sign/p7sign.c +++ b/security/nss/cmd/p7sign/p7sign.c @@ -45,6 +45,7 @@ #include "cert.h" #include "certdb.h" #include "cdbhdl.h" +#include "sechash.h" /* for HASH_GetHashObject() */ #if defined(XP_UNIX) #include <unistd.h> 
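Review bot: The new `SSL3Statistics * ssl3stats = SSL_GetStatistics();` line loses the only explanation of what the printed counters are: the removed extern block labelled them "statistics from ssl3_HandleClientHello (hch)", and after this change printSecurityInfo prints `hch_*` fields with nothing saying what they count. Suggest `SSL3Statistics * ssl3stats = SSL_GetStatistics(); /* hch_* = ssl3_HandleClientHello (server-side) counters */`, and the same one-line comment in the matching hunks of selfserv.c and tstclnt.c. Whether SSL_GetStatistics can return NULL is not visible here; if it can, the dereference in the following hunk's printf needs a guard. printSecurityInfo's body continues outside the hunk.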
@@ -127,11 +128,11 @@ SignOut(void *arg, const char *buf, unsigned long len) static int CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen) { - SECHashObject *hashObj; + const SECHashObject *hashObj; void *hashcx; /* XXX probably want to extend interface to allow other hash algorithms */ - hashObj = &SECHashObjects[HASH_AlgSHA1]; + hashObj = HASH_GetHashObject(HASH_AlgSHA1); hashcx = (* hashObj->create)(); if (hashcx == NULL) diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c index f9485de51..d86ef1e17 100644 --- a/security/nss/cmd/p7verify/p7verify.c +++ b/security/nss/cmd/p7verify/p7verify.c @@ -45,6 +45,7 @@ #include "certdb.h" #include "cdbhdl.h" #include "secoid.h" +#include "sechash.h" /* for HASH_GetHashObject() */ #if defined(XP_UNIX) #include <unistd.h> @@ -87,10 +88,10 @@ DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen, { int nb; char ibuf[4096]; - SECHashObject *hashObj; + const SECHashObject *hashObj; void *hashcx; - hashObj = &SECHashObjects[hashType]; + hashObj = HASH_GetHashObject(hashType); hashcx = (* hashObj->create)(); if (hashcx == NULL) diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk index 52b12cf8b..7b326a21c 100644 --- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -36,6 +36,7 @@ ifdef USE_STATIC_LIBS # can't do this in manifest.mn because OS_ARCH isn't defined there. ifeq ($(OS_ARCH), WINNT) +DEFINES += -DNSS_USE_STATIC_LIBS # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) CRYPTOLIB=$(DIST)/lib/freebl.lib ifdef MOZILLA_SECURITY_BUILD diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index a00afa1b7..b98fc6e9e 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c 
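Review bot: In p7verify.c DigestFile, `hashType` reaches `HASH_GetHashObject(hashType)` with no range check and the result is dereferenced on the next line (`hashObj->create`) with no NULL check; the replaced `&SECHashObjects[hashType]` had the same gap, so unless HASH_GetHashObject validates its argument (not visible here) an out-of-range type from the caller is still an out-of-bounds table read. Suggest `if (hashType >= HASH_AlgTOTAL || (hashObj = HASH_GetHashObject(hashType)) == NULL) return -1;` in place of the bare assignment, matching the `return -1` the function already uses when `create` fails in signver.c; DigestFile's own failure return is outside this hunk. The identical pattern is in signver.c DigestData (later hunk); p7sign.c and sign.c pass the constant HASH_AlgSHA1 and are fine. Both functions continue past the hunk.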
@@ -46,6 +46,10 @@ #include <unistd.h> #endif +#if defined(_WINDOWS) +#include <process.h> /* for getpid() */ +#endif + #include <stdlib.h> #include <errno.h> #include <fcntl.h> @@ -188,50 +192,6 @@ Usage(const char *progName) progName); } -static void -networkStart(void) -{ -#if defined(XP_WIN) && !defined(NSPR20) - - WORD wVersionRequested; - WSADATA wsaData; - int err; - wVersionRequested = MAKEWORD(1, 1); - - err = WSAStartup(wVersionRequested, &wsaData); - - if (err != 0) { - /* Tell the user that we couldn't find a useable winsock.dll. */ - fputs("WSAStartup failed!\n", stderr); - exit(1); - } - -/* Confirm that the Windows Sockets DLL supports 1.1.*/ -/* Note that if the DLL supports versions greater */ -/* than 1.1 in addition to 1.1, it will still return */ -/* 1.1 in wVersion since that is the version we */ -/* requested. */ - - if ( LOBYTE( wsaData.wVersion ) != 1 || - HIBYTE( wsaData.wVersion ) != 1 ) { - /* Tell the user that we couldn't find a useable winsock.dll. */ - fputs("wrong winsock version\n", stderr); - WSACleanup(); - exit(2); - } - /* The Windows Sockets DLL is acceptable. Proceed. */ - -#endif -} - -static void -networkEnd(void) -{ -#if defined(XP_WIN) && !defined(NSPR20) - WSACleanup(); -#endif -} - static const char * errWarn(char * funcString) { @@ -246,30 +206,6 @@ errWarn(char * funcString) static void errExit(char * funcString) { -#if defined (XP_WIN) && !defined(NSPR20) - int err; - LPVOID lpMsgBuf; - - err = WSAGetLastError(); - - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, - NULL, - err, - MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language - (LPTSTR) &lpMsgBuf, - 0, - NULL - ); - - /* Display the string. */ - /*MessageBox( NULL, lpMsgBuf, "GetLastError", MB_OK|MB_ICONINFORMATION ); */ - fprintf(stderr, "%s\n", lpMsgBuf); - - /* Free the buffer. */ - LocalFree( lpMsgBuf ); -#endif - errWarn(funcString); exit(3); } 
@@ -330,25 +266,11 @@ void printSecurityInfo(PRFileDesc *fd) int kp0; /* total key bits */ int kp1; /* secret key bits */ int result; - -/* statistics from ssl3_SendClientHello (sch) */ -extern long ssl3_sch_sid_cache_hits; -extern long ssl3_sch_sid_cache_misses; -extern long ssl3_sch_sid_cache_not_ok; - -/* statistics from ssl3_HandleServerHello (hsh) */ -extern long ssl3_hsh_sid_cache_hits; -extern long ssl3_hsh_sid_cache_misses; -extern long ssl3_hsh_sid_cache_not_ok; - -/* statistics from ssl3_HandleClientHello (hch) */ -extern long ssl3_hch_sid_cache_hits; -extern long ssl3_hch_sid_cache_misses; -extern long ssl3_hch_sid_cache_not_ok; + SSL3Statistics * ssl3stats = SSL_GetStatistics(); PRINTF("selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses, - ssl3_hch_sid_cache_not_ok); + ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, + ssl3stats->hch_sid_cache_not_ok); result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); if (result == SECSuccess) { @@ -439,9 +361,9 @@ launch_thread( slot->b = b; slot->c = c; slot->startFunc = startFunc; - slot->prThread = PR_CreateThread(PR_USER_THREAD, thread_wrapper, slot, - PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, 0); + slot->prThread = PR_CreateThread(PR_USER_THREAD, + thread_wrapper, slot, PR_PRIORITY_NORMAL, + PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0); if (slot->prThread == NULL) { printf("selfserv: Failed to launch thread!\n"); slot->state = rs_idle; @@ -708,7 +630,8 @@ handle_connection( newln = 0; i = 0; rv = PR_Read(ssl_sock, pBuf, bufRem); - if (rv == 0) { + if (rv == 0 || + (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) { errWarn("HDX PR_Read hit EOF"); break; } 
@@ -919,10 +842,9 @@ do_accepts( } VLOG(("selfserv: do_accept: Got connection\n")); - if (bigBuf.data != NULL) - result = launch_thread(handle_fdx_connection, tcp_sock, model_sock, requestCert); - else - result = launch_thread(handle_connection, tcp_sock, model_sock, requestCert); + result = launch_thread((bigBuf.data != NULL) ? + handle_fdx_connection : handle_connection, + tcp_sock, model_sock, requestCert); if (result != SECSuccess) { PR_Close(tcp_sock); @@ -952,10 +874,8 @@ server_main( PRSocketOptionData opt; int listenQueueDepth = 5 + (2 * maxThreads); - networkStart(); - /* create the thread management serialization structs */ - threadLock = PZ_NewLock(nssILockSelfServ); + threadLock = PZ_NewLock(nssILockSelfServ); threadQ = PZ_NewCondVar(threadLock); stopLock = PZ_NewLock(nssILockSelfServ); stopQ = PZ_NewCondVar(stopLock); @@ -1096,7 +1016,6 @@ server_main( PR_Close(model_sock); } - networkEnd(); } SECStatus @@ -1152,11 +1071,12 @@ main(int argc, char **argv) char * tmp; CERTCertificate * cert [kt_kea_size] = { NULL }; SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; + int optionsFound = 0; unsigned short port = 0; SECStatus rv; PRBool useExportPolicy = PR_FALSE; - PLOptState *optstate; - PLOptStatus status; + PLOptState *optstate; + PLOptStatus status; tmp = strrchr(argv[0], '/'); 
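Review bot: In the server_main hunk the re-indented `threadLock = PZ_NewLock(nssILockSelfServ);` and the three `PZ_NewLock`/`PZ_NewCondVar` calls after it are still unchecked, so an allocation failure leaves NULL lock and condvar pointers that the rest of server_main will pass to the PZ_ primitives. Suggest, after the fourth call, `if (!threadLock || !threadQ || !stopLock || !stopQ) errExit("PZ_NewLock/PZ_NewCondVar");` — errExit is defined above in this file and exits with status 3. server_main's body continues outside the hunk.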
@@ -1164,92 +1084,65 @@ main(int argc, char **argv) progName = strrchr(tmp, '\\'); progName = progName ? progName + 1 : tmp; - optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:i:f:rt:vw:x"); + optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:hi:f:rt:vw:x"); while (status = PL_GetNextOpt(optstate) == PL_OPT_OK) { - switch(optstate->option) { - case '2': - fileName = optstate->value; - break; - - case '3': - disableSSL3 = PR_TRUE; - break; - - case 'R': - disableRollBack = PR_TRUE; - break; - - case 'T': - disableTLS = PR_TRUE; - break; - - case 'c': - cipherString = strdup(optstate->value); - break; - - case 'd': - dir = optstate->value; - break; - - case 'f': - fNickName = optstate->value; - break; - - case 'h': - Usage(progName); - exit(0); - break; - - case 'm': - useModelSocket = PR_TRUE; - break; - - case 'n': - nickName = optstate->value; - break; - - case 'i': - pidFile = optstate->value; - break; - - case 'p': - port = PORT_Atoi(optstate->value); - break; - - case 'r': - ++requestCert; - break; - - case 't': - maxThreads = PORT_Atoi(optstate->value); - if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS; - if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS; - break; - - case 'v': - verbose++; - break; - - case 'w': - passwd = optstate->value; - break; - - case 'x': - useExportPolicy = PR_TRUE; - break; - default: - case '?': - fprintf(stderr, "Unrecognized or bad option specified.\n"); - fprintf(stderr, "Run '%s -h' for usage information.\n", progName); - exit(4); - break; - } - } - if (status == PL_OPT_BAD) { - fprintf(stderr, "Unrecognized or bad option specified.\n"); - fprintf(stderr, "Run '%s -h' for usage information.\n", progName); - exit(5); + ++optionsFound; + switch(optstate->option) { + case '2': fileName = optstate->value; break; + + case '3': disableSSL3 = PR_TRUE; break; + + case 'R': disableRollBack = PR_TRUE; break; + + case 'T': disableTLS = PR_TRUE; break; + + case 'c': cipherString = strdup(optstate->value); break; 
+ + case 'd': dir = optstate->value; break; + + case 'f': fNickName = optstate->value; break; + + case 'h': Usage(progName); exit(0); break; + + case 'm': useModelSocket = PR_TRUE; break; + + case 'n': nickName = optstate->value; break; + + case 'i': pidFile = optstate->value; break; + + case 'p': port = PORT_Atoi(optstate->value); break; + + case 'r': ++requestCert; break; + + case 't': + maxThreads = PORT_Atoi(optstate->value); + if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS; + if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS; + break; + + case 'v': verbose++; break; + + case 'w': passwd = optstate->value; break; + + case 'x': useExportPolicy = PR_TRUE; break; + + default: + case '?': + fprintf(stderr, "Unrecognized or bad option specified.\n"); + fprintf(stderr, "Run '%s -h' for usage information.\n", progName); + exit(4); + break; } + } + if (status == PL_OPT_BAD) { + fprintf(stderr, "Unrecognized or bad option specified.\n"); + fprintf(stderr, "Run '%s -h' for usage information.\n", progName); + exit(5); + } + if (!optionsFound) { + Usage(progName); + exit(51); + } /* allocate the array of thread slots */ threads = PR_Calloc(maxThreads, sizeof(perThread)); 
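Review bot: The re-added `if (status == PL_OPT_BAD)` block cannot fire, because the loop condition kept as context, `while (status = PL_GetNextOpt(optstate) == PL_OPT_OK)`, assigns the result of the comparison rather than PL_GetNextOpt's return value, so `status` only ever holds 0 or 1; an unrecognized option therefore ends the loop silently and execution continues, and the new `!optionsFound` check only covers the case where no option at all was parsed. Change the condition to `while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {` so the PL_OPT_BAD path and its `exit(5)` become reachable. Whether PL_OPT_BAD happens to equal 1 cannot be seen here, but the enum comparison is clearly what was intended. Separately, `port = PORT_Atoi(optstate->value);` is stored into an `unsigned short` with no range check, so values above 65535 wrap silently. main continues outside the hunk.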
@@ -1259,25 +1152,25 @@ main(int argc, char **argv) } if ((nickName == NULL) && (fNickName == NULL)) { - fprintf (stderr, "Required arg '-n' (rsa nickname) not supplied.\n"); - fprintf(stderr, "Run '%s -h' for usage information.\n"); + fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n"); + fprintf(stderr, "Run '%s -h' for usage information.\n", progName); exit(6); } if (port == 0) { - fprintf(stderr, "Required argument 'port' must be non-zero value\n"); - exit(7); - } + fprintf(stderr, "Required argument 'port' must be non-zero value\n"); + exit(7); + } if (pidFile) { - FILE *tmpfile=fopen(pidFile,"w+"); - - if (tmpfile) { - fprintf(tmpfile,"%d",getpid()); - fclose(tmpfile); - } + FILE *tmpfile=fopen(pidFile,"w+"); + + if (tmpfile) { + fprintf(tmpfile,"%d",getpid()); + fclose(tmpfile); + } } - + /* Call the NSPR initialization routines */ PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); 
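Review bot: The re-indented pid-file block opens `pidFile` with `"w+"` although it is only written, and ignores the `fclose` return, so a failed flush of the pid leaves an empty or truncated file with no diagnostic; `FILE *tmpfile=fopen(pidFile,"w");` and `if (fclose(tmpfile) != 0) errWarn("fclose pidFile");` would cover both. fopen also truncates whatever path is named on the command line — acceptable for a test server run unprivileged, but worth a comment at the `if (pidFile)` line if it is ever run otherwise. The surrounding main continues outside the hunk.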
@@ -1314,29 +1207,29 @@ main(int argc, char **argv) if (cipherString) { int ndx; - /* disable all the ciphers, then enable the ones we want. */ - disableSSL2Ciphers(); - disableSSL3Ciphers(); - - while (0 != (ndx = *cipherString++)) { - int *cptr; - int cipher; - - if (! isalpha(ndx)) { - fprintf(stderr, - "Non-alphabetic char in cipher string (-c arg).\n"); - exit(9); - } - cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; - for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) - /* do nothing */; - if (cipher) { - SECStatus status; - status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); - if (status != SECSuccess) - SECU_PrintError(progName, "SSL_CipherPrefSet()"); - } - } + /* disable all the ciphers, then enable the ones we want. */ + disableSSL2Ciphers(); + disableSSL3Ciphers(); + + while (0 != (ndx = *cipherString++)) { + int *cptr; + int cipher; + + if (! isalpha(ndx)) { + fprintf(stderr, + "Non-alphabetic char in cipher string (-c arg).\n"); + exit(9); + } + cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; + for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) + /* do nothing */; + if (cipher) { + SECStatus status; + status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); + if (status != SECSuccess) + SECU_PrintError(progName, "SSL_CipherPrefSet()"); + } + } } if (nickName) { diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c index 58a72ebef..49fc111e9 100644 --- a/security/nss/cmd/signtool/sign.c +++ b/security/nss/cmd/signtool/sign.c @@ -35,6 +35,7 @@ #include "zip.h" #include "prmem.h" #include "blapi.h" +#include "sechash.h" /* for HASH_GetHashObject() */ static int create_pk7 (char *dir, char *keyName, int *keyType); static int jar_find_key_type (CERTCertificate *cert); @@ -581,7 +582,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert) { int nb; char ibuf[4096], digestdata[32]; - SECHashObject *hashObj; + const SECHashObject *hashObj; void *hashcx; unsigned int len; 
@@ -593,7 +594,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert) return -1; /* XXX probably want to extend interface to allow other hash algorithms */ - hashObj = &SECHashObjects[HASH_AlgSHA1]; + hashObj = HASH_GetHashObject(HASH_AlgSHA1); hashcx = (* hashObj->create)(); if (hashcx == NULL) diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c index 9eaf93146..173afbd60 100644 --- a/security/nss/cmd/signver/signver.c +++ b/security/nss/cmd/signver/signver.c @@ -44,6 +44,7 @@ #include "prmem.h" /* Portable layer header files */ #include "plstr.h" +#include "sechash.h" /* for HASH_GetHashObject() */ static int debugInfo = 0; @@ -118,10 +119,10 @@ DigestData (unsigned char *digest, unsigned char *data, unsigned int *len, unsigned int maxLen, HASH_HashType hashType) { - SECHashObject *hashObj; + const SECHashObject *hashObj; void *hashcx; - hashObj = &SECHashObjects[hashType]; + hashObj = HASH_GetHashObject(hashType); hashcx = (* hashObj->create)(); if (hashcx == NULL) return -1; diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index e0085d12a..d826c3a21 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -111,6 +111,8 @@ int certsTested; int MakeCertOK; int NoReuse; +SSL3Statistics * ssl3stats; + void disableSSL2Ciphers(void) { 
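Review bot: In strsclnt.c, `SSL3Statistics * ssl3stats;` is introduced with external linkage although it is only used inside this file; declare it `static SSL3Statistics * ssl3stats;` so it does not enter the global namespace. It is assigned only after NSS_Init in main (a later hunk) and printSecurityInfo dereferences it unconditionally, so a comment at the definition, `/* set in main() after NSS_Init; NULL before that */`, would record the ordering the callback depends on.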
@@ -299,21 +301,6 @@ myBadCertHandler( void *arg, PRFileDesc *fd) return (MakeCertOK ? SECSuccess : SECFailure); } -/* statistics from ssl3_SendClientHello (sch) */ -extern long ssl3_sch_sid_cache_hits; -extern long ssl3_sch_sid_cache_misses; -extern long ssl3_sch_sid_cache_not_ok; - -/* statistics from ssl3_HandleServerHello (hsh) */ -extern long ssl3_hsh_sid_cache_hits; -extern long ssl3_hsh_sid_cache_misses; -extern long ssl3_hsh_sid_cache_not_ok; - -/* statistics from ssl3_HandleClientHello (hch) */ -extern long ssl3_hch_sid_cache_hits; -extern long ssl3_hch_sid_cache_misses; -extern long ssl3_hch_sid_cache_not_ok; - void printSecurityInfo(PRFileDesc *fd) { @@ -341,9 +328,9 @@ printSecurityInfo(PRFileDesc *fd) PRINTF( "strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3_hsh_sid_cache_hits, - ssl3_hsh_sid_cache_misses, - ssl3_hsh_sid_cache_not_ok); + ssl3stats->hsh_sid_cache_hits, + ssl3stats->hsh_sid_cache_misses, + ssl3stats->hsh_sid_cache_not_ok); } @@ -1076,9 +1063,14 @@ main(int argc, char **argv) case 'w': passwd = optstate->value; break; - case '\0': + + case 0: /* positional parameter */ + if (hostName) { + Usage(progName); + } hostName = PL_strdup(optstate->value); break; + default: case '?': Usage(progName); @@ -1108,6 +1100,7 @@ main(int argc, char **argv) fputs("NSS_Init failed.\n", stderr); exit(1); } + ssl3stats = SSL_GetStatistics(); if (nickName) { 
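Review bot: In the new `case 0:` branch, `hostName = PL_strdup(optstate->value);` is not checked for NULL, and when a second positional argument arrives the earlier copy is not freed before `Usage(progName)`; if Usage exits (not visible in this hunk) the leak is moot, but the unchecked allocation is not. Suggest `hostName = PL_strdup(optstate->value); if (!hostName) { fputs("out of memory\n", stderr); exit(1); }`, mirroring the NSS_Init failure path in the later hunk. main continues outside the hunk.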
@@ -1143,20 +1136,26 @@ main(int argc, char **argv) client_main(port, connections, privKey, cert, hostName, nickName); /* some final stats. */ - if (ssl3_hsh_sid_cache_hits + ssl3_hsh_sid_cache_misses + - ssl3_hsh_sid_cache_not_ok == 0) { + if (ssl3stats->hsh_sid_cache_hits + ssl3stats->hsh_sid_cache_misses + + ssl3stats->hsh_sid_cache_not_ok == 0) { /* presumably we were testing SSL2. */ printf("strsclnt: %d server certificates tested.\n", certsTested); } else { printf( "strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3_hsh_sid_cache_hits, - ssl3_hsh_sid_cache_misses, - ssl3_hsh_sid_cache_not_ok); + ssl3stats->hsh_sid_cache_hits, + ssl3stats->hsh_sid_cache_misses, + ssl3stats->hsh_sid_cache_not_ok); } - exitVal = (ssl3_hsh_sid_cache_misses > 1) || - (ssl3_hsh_sid_cache_not_ok != 0) || - (certsTested > 1); + + if (!NoReuse) + exitVal = (ssl3stats->hsh_sid_cache_misses > 1) || + (ssl3stats->hsh_sid_cache_not_ok != 0) || + (certsTested > 1); + else + exitVal = (ssl3stats->hsh_sid_cache_misses != connections) || + (certsTested != connections); + NSS_Shutdown(); PR_Cleanup(); diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index cf217dc40..33a0910ec 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c 
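Review bot: The two `exitVal` formulas added here encode the test's pass criteria but nothing says so; a reader has to infer that with session reuse at most one cache miss and one certificate are expected, while with `NoReuse` every connection must miss the cache and present a certificate. Suggest a comment above `if (!NoReuse)`: `/* exit status: with reuse expect <=1 full handshake and <=1 cert; with NoReuse every connection must be a full handshake */`. Note that the `connections` comparisons mix that variable with the `long` statistics fields; fine if `connections` is a non-negative int, which cannot be confirmed from this hunk. main continues outside the hunk.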
@@ -123,21 +123,7 @@ void printSecurityInfo(PRFileDesc *fd) int kp0; /* total key bits */ int kp1; /* secret key bits */ int result; - -/* statistics from ssl3_SendClientHello (sch) */ -extern long ssl3_sch_sid_cache_hits; -extern long ssl3_sch_sid_cache_misses; -extern long ssl3_sch_sid_cache_not_ok; - -/* statistics from ssl3_HandleServerHello (hsh) */ -extern long ssl3_hsh_sid_cache_hits; -extern long ssl3_hsh_sid_cache_misses; -extern long ssl3_hsh_sid_cache_not_ok; - -/* statistics from ssl3_HandleClientHello (hch) */ -extern long ssl3_hch_sid_cache_hits; -extern long ssl3_hch_sid_cache_misses; -extern long ssl3_hch_sid_cache_not_ok; + SSL3Statistics * ssl3stats = SSL_GetStatistics(); result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); if (result != SECSuccess) @@ -152,8 +138,8 @@ extern long ssl3_hch_sid_cache_not_ok; fprintf(stderr, "%ld cache hits; %ld cache misses, %ld cache not reusable\n", - ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses, - ssl3_hch_sid_cache_not_ok); + ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, + ssl3stats->hch_sid_cache_not_ok); } @@ -214,24 +200,22 @@ milliPause(PRUint32 milli) } void -disableSSL2Ciphers(void) -{ - int i; - - /* disable all the SSL2 cipher suites */ - for (i = 0; ssl2CipherSuites[i] != 0; ++i) { - SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED); - } -} - -void -disableSSL3Ciphers(void) +disableAllSSLCiphers(void) { - int i; + const PRUint16 *cipherSuites = SSL_ImplementedCiphers; + int i = SSL_NumImplementedCiphers; + SECStatus rv; /* disable all the SSL3 cipher suites */ - for (i = 0; ssl3CipherSuites[i] != 0; ++i) { - SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED); + while (--i >= 0) { + PRUint16 suite = cipherSuites[i]; + rv = SSL_CipherPrefSetDefault(suite, SSL_NOT_ALLOWED); + if (rv != SECSuccess) { + PRErrorCode err = PR_GetError(); + printf("SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n", + suite, i, SECU_Strerror(err)); + exit(2); + } } } 
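Review bot: tstclnt is a client, yet its printSecurityInfo (the `@@ -152` hunk) reports the `hch_*` counters, which the removed extern block labels as ssl3_HandleClientHello — the server side — while strsclnt's client-side hunk reports `hsh_*` (ssl3_HandleServerHello); the old code already chose hch_, so this is carried over rather than introduced, but on a client those counters are presumably always zero. If hsh_ is what is meant, change the three arguments to `ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses, ssl3stats->hsh_sid_cache_not_ok`; if hch_ is intentional, a one-line comment saying why would stop the next reader from "fixing" it. printSecurityInfo continues outside the hunk.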
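Review bot: The comment kept inside the new disableAllSSLCiphers, `/* disable all the SSL3 cipher suites */`, is now misleading: the loop walks SSL_ImplementedCiphers, which — given that disableSSL2Ciphers is removed and the caller's comment says "disable all the ciphers" — is presumably meant to cover SSL2 suites as well; change it to `/* disable every implemented cipher suite (SSL2 and SSL3) */`. The failure diagnostic goes to stdout via printf and names SSL_CipherPrefSet while the call is SSL_CipherPrefSetDefault; `fprintf(stderr, "SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d): %s\n", suite, i, SECU_Strerror(err));` keeps it on stderr and accurate. `rv` could also be declared inside the loop where it is used.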
@@ -379,8 +363,7 @@ int main(int argc, char **argv) /* all the SSL2 and SSL3 cipher suites are enabled by default. */ if (cipherString) { /* disable all the ciphers, then enable the ones we want. */ - disableSSL2Ciphers(); - disableSSL3Ciphers(); + disableAllSSLCiphers(); } /* Lookup host */ |