authornelsonb%netscape.com <devnull@localhost>2001-01-05 01:38:26 +0000
committernelsonb%netscape.com <devnull@localhost>2001-01-05 01:38:26 +0000
commit2c37abab0f2d147bcccec46f9d6e2dd71aec2b94 (patch)
treed560ab158deca81666194ba5ad23141a9a8197bd /security
parentbdd0ac1e42e583a42e8aa1d7405a35a11df209ef (diff)
downloadnss-hg-2c37abab0f2d147bcccec46f9d6e2dd71aec2b94.tar.gz
Changes to deal with exporting data from Windows DLLs.
SECHashObjects[] is no longer exported. The new function HASH_GetHashObject() returns a pointer to the selected const SECHashObject. SSL statistics now live in a structure whose address is obtained by calling SSL_GetStatistics(). On NT, programs that use the static SSL library must define the new symbol NSS_USE_STATIC_LIBS. The "const" qualifier is also propagated for SECHashObjects.
Diffstat (limited to 'security')
-rw-r--r--security/nss/cmd/SSLsample/sslsample.c22
-rw-r--r--security/nss/cmd/p7sign/p7sign.c5
-rw-r--r--security/nss/cmd/p7verify/p7verify.c5
-rw-r--r--security/nss/cmd/platlibs.mk1
-rw-r--r--security/nss/cmd/selfserv/selfserv.c329
-rw-r--r--security/nss/cmd/signtool/sign.c5
-rw-r--r--security/nss/cmd/signver/signver.c5
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c53
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c51
-rw-r--r--security/nss/lib/certdb/pcertdb.c6
-rw-r--r--security/nss/lib/ckfw/builtins/builtins.h4
-rw-r--r--security/nss/lib/ckfw/builtins/find.c2
-rw-r--r--security/nss/lib/ckfw/builtins/object.c2
-rw-r--r--security/nss/lib/ckfw/nssckmdt.h2
-rw-r--r--security/nss/lib/cryptohi/hasht.h14
-rw-r--r--security/nss/lib/cryptohi/sechash.c9
-rw-r--r--security/nss/lib/cryptohi/sechash.h2
-rw-r--r--security/nss/lib/cryptohi/secsign.c2
-rw-r--r--security/nss/lib/cryptohi/secvfy.c2
-rw-r--r--security/nss/lib/jar/jarfile.c1
-rw-r--r--security/nss/lib/jar/jarsign.c5
-rw-r--r--security/nss/lib/nss/mapfile2
-rw-r--r--security/nss/lib/nss/nss.def2
-rw-r--r--security/nss/lib/nss/nsssym.c83
-rw-r--r--security/nss/lib/pkcs7/p7decode.c16
-rw-r--r--security/nss/lib/pkcs7/p7encode.c9
-rw-r--r--security/nss/lib/smime/cms.h2
-rw-r--r--security/nss/lib/smime/cmsdigest.c8
-rw-r--r--security/nss/lib/smime/cmsutil.c11
-rw-r--r--security/nss/lib/softoken/alghmac.c2
-rw-r--r--security/nss/lib/softoken/rawhash.c2
-rw-r--r--security/nss/lib/softoken/secpkcs5.h2
-rw-r--r--security/nss/lib/ssl/Makefile1
-rw-r--r--security/nss/lib/ssl/mapfile13
-rw-r--r--security/nss/lib/ssl/ssl.def13
-rw-r--r--security/nss/lib/ssl/ssl.h131
-rw-r--r--security/nss/lib/ssl/ssl3con.c44
-rw-r--r--security/nss/lib/ssl/sslcon.c2
-rw-r--r--security/nss/lib/ssl/sslimpl.h4
-rw-r--r--security/nss/lib/ssl/sslsock.c25
40 files changed, 386 insertions, 513 deletions
diff --git a/security/nss/cmd/SSLsample/sslsample.c b/security/nss/cmd/SSLsample/sslsample.c
index 7270c3f8e..564a6e785 100644
--- a/security/nss/cmd/SSLsample/sslsample.c
+++ b/security/nss/cmd/SSLsample/sslsample.c
@@ -391,23 +391,7 @@ printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-#if 0
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-#endif
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result != SECSuccess)
@@ -420,8 +404,8 @@ extern long ssl3_hch_sid_cache_not_ok;
PR_Free(sp);
printf("%ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
}
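Review bot: The counters printed through `ssl3stats->hch_*` are the server-side ones (handle-client-hello), so when this helper runs inside a client they stay at zero; the client-side counters are the `hsh_*` fields, which strsclnt reads in this same commit. If sslsample.c is shared by the client and server samples, as its name suggests, either print both triplets or pick the set by role, e.g. `ssl3stats->hsh_sid_cache_hits` for the client path. printSecurityInfo begins outside this hunk, and the value returned by SSL_GetStatistics() is dereferenced without a NULL check — fine if it always returns the address of a static, which the sslsock.c hunk (not in view) would confirm.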
diff --git a/security/nss/cmd/p7sign/p7sign.c b/security/nss/cmd/p7sign/p7sign.c
index d8047a89a..b78193d83 100644
--- a/security/nss/cmd/p7sign/p7sign.c
+++ b/security/nss/cmd/p7sign/p7sign.c
@@ -45,6 +45,7 @@
#include "cert.h"
#include "certdb.h"
#include "cdbhdl.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
#if defined(XP_UNIX)
#include <unistd.h>
@@ -127,11 +128,11 @@ SignOut(void *arg, const char *buf, unsigned long len)
static int
CreateDigest(SECItem *data, char *digestdata, unsigned int *len, unsigned int maxlen)
{
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
/* XXX probably want to extend interface to allow other hash algorithms */
- hashObj = &SECHashObjects[HASH_AlgSHA1];
+ hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
index f9485de51..d86ef1e17 100644
--- a/security/nss/cmd/p7verify/p7verify.c
+++ b/security/nss/cmd/p7verify/p7verify.c
@@ -45,6 +45,7 @@
#include "certdb.h"
#include "cdbhdl.h"
#include "secoid.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
#if defined(XP_UNIX)
#include <unistd.h>
@@ -87,10 +88,10 @@ DigestFile(unsigned char *digest, unsigned int *len, unsigned int maxLen,
{
int nb;
char ibuf[4096];
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
- hashObj = &SECHashObjects[hashType];
+ hashObj = HASH_GetHashObject(hashType);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
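Review bot: `hashType` is used as a bare table index: HASH_GetHashObject() in this commit returns `&SECHashObjects[type]` with no range check, so an out-of-range value makes the `hashObj->create` call below jump through whatever lies past the table. DigestFile should reject it before the lookup, e.g. `if ((unsigned)hashType >= HASH_AlgTOTAL) return -1;` assuming hasht.h defines a terminator such as HASH_AlgTOTAL (not visible here). Where hashType comes from, and the rest of DigestFile's body, are outside this hunk.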
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
index 52b12cf8b..7b326a21c 100644
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -36,6 +36,7 @@ ifdef USE_STATIC_LIBS
# can't do this in manifest.mn because OS_ARCH isn't defined there.
ifeq ($(OS_ARCH), WINNT)
+DEFINES += -DNSS_USE_STATIC_LIBS
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(DIST)/lib/freebl.lib
ifdef MOZILLA_SECURITY_BUILD
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index a00afa1b7..b98fc6e9e 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -46,6 +46,10 @@
#include <unistd.h>
#endif
+#if defined(_WINDOWS)
+#include <process.h> /* for getpid() */
+#endif
+
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
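Review bot: The new guard tests `_WINDOWS`, whereas the Windows-specific code this same commit removes from this file was keyed on `XP_WIN`, so the include is now controlled by a compiler-defined symbol rather than the build system's platform define. Use `#if defined(XP_WIN)` unless `_WINDOWS` is what the rest of the cmd tree relies on, which is not visible here. The `getpid()` it brings in is used later in main to write the pid file.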
@@ -188,50 +192,6 @@ Usage(const char *progName)
progName);
}
-static void
-networkStart(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
-
- WORD wVersionRequested;
- WSADATA wsaData;
- int err;
- wVersionRequested = MAKEWORD(1, 1);
-
- err = WSAStartup(wVersionRequested, &wsaData);
-
- if (err != 0) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("WSAStartup failed!\n", stderr);
- exit(1);
- }
-
-/* Confirm that the Windows Sockets DLL supports 1.1.*/
-/* Note that if the DLL supports versions greater */
-/* than 1.1 in addition to 1.1, it will still return */
-/* 1.1 in wVersion since that is the version we */
-/* requested. */
-
- if ( LOBYTE( wsaData.wVersion ) != 1 ||
- HIBYTE( wsaData.wVersion ) != 1 ) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("wrong winsock version\n", stderr);
- WSACleanup();
- exit(2);
- }
- /* The Windows Sockets DLL is acceptable. Proceed. */
-
-#endif
-}
-
-static void
-networkEnd(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
- WSACleanup();
-#endif
-}
-
static const char *
errWarn(char * funcString)
{
@@ -246,30 +206,6 @@ errWarn(char * funcString)
static void
errExit(char * funcString)
{
-#if defined (XP_WIN) && !defined(NSPR20)
- int err;
- LPVOID lpMsgBuf;
-
- err = WSAGetLastError();
-
- FormatMessage(
- FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
- NULL,
- err,
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
- (LPTSTR) &lpMsgBuf,
- 0,
- NULL
- );
-
- /* Display the string. */
- /*MessageBox( NULL, lpMsgBuf, "GetLastError", MB_OK|MB_ICONINFORMATION ); */
- fprintf(stderr, "%s\n", lpMsgBuf);
-
- /* Free the buffer. */
- LocalFree( lpMsgBuf );
-#endif
-
errWarn(funcString);
exit(3);
}
@@ -330,25 +266,11 @@ void printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
PRINTF("selfserv: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result == SECSuccess) {
@@ -439,9 +361,9 @@ launch_thread(
slot->b = b;
slot->c = c;
slot->startFunc = startFunc;
- slot->prThread = PR_CreateThread(PR_USER_THREAD, thread_wrapper, slot,
- PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_UNJOINABLE_THREAD, 0);
+ slot->prThread = PR_CreateThread(PR_USER_THREAD,
+ thread_wrapper, slot, PR_PRIORITY_NORMAL,
+ PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);
if (slot->prThread == NULL) {
printf("selfserv: Failed to launch thread!\n");
slot->state = rs_idle;
@@ -708,7 +630,8 @@ handle_connection(
newln = 0;
i = 0;
rv = PR_Read(ssl_sock, pBuf, bufRem);
- if (rv == 0) {
+ if (rv == 0 ||
+ (rv < 0 && PR_END_OF_FILE_ERROR == PR_GetError())) {
errWarn("HDX PR_Read hit EOF");
break;
}
@@ -919,10 +842,9 @@ do_accepts(
}
VLOG(("selfserv: do_accept: Got connection\n"));
- if (bigBuf.data != NULL)
- result = launch_thread(handle_fdx_connection, tcp_sock, model_sock, requestCert);
- else
- result = launch_thread(handle_connection, tcp_sock, model_sock, requestCert);
+ result = launch_thread((bigBuf.data != NULL) ?
+ handle_fdx_connection : handle_connection,
+ tcp_sock, model_sock, requestCert);
if (result != SECSuccess) {
PR_Close(tcp_sock);
@@ -952,10 +874,8 @@ server_main(
PRSocketOptionData opt;
int listenQueueDepth = 5 + (2 * maxThreads);
- networkStart();
-
/* create the thread management serialization structs */
- threadLock = PZ_NewLock(nssILockSelfServ);
+ threadLock = PZ_NewLock(nssILockSelfServ);
threadQ = PZ_NewCondVar(threadLock);
stopLock = PZ_NewLock(nssILockSelfServ);
stopQ = PZ_NewCondVar(stopLock);
@@ -1096,7 +1016,6 @@ server_main(
PR_Close(model_sock);
}
- networkEnd();
}
SECStatus
@@ -1152,11 +1071,12 @@ main(int argc, char **argv)
char * tmp;
CERTCertificate * cert [kt_kea_size] = { NULL };
SECKEYPrivateKey * privKey[kt_kea_size] = { NULL };
+ int optionsFound = 0;
unsigned short port = 0;
SECStatus rv;
PRBool useExportPolicy = PR_FALSE;
- PLOptState *optstate;
- PLOptStatus status;
+ PLOptState *optstate;
+ PLOptStatus status;
tmp = strrchr(argv[0], '/');
@@ -1164,92 +1084,65 @@ main(int argc, char **argv)
progName = strrchr(tmp, '\\');
progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:i:f:rt:vw:x");
+ optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:hi:f:rt:vw:x");
while (status = PL_GetNextOpt(optstate) == PL_OPT_OK) {
- switch(optstate->option) {
- case '2':
- fileName = optstate->value;
- break;
-
- case '3':
- disableSSL3 = PR_TRUE;
- break;
-
- case 'R':
- disableRollBack = PR_TRUE;
- break;
-
- case 'T':
- disableTLS = PR_TRUE;
- break;
-
- case 'c':
- cipherString = strdup(optstate->value);
- break;
-
- case 'd':
- dir = optstate->value;
- break;
-
- case 'f':
- fNickName = optstate->value;
- break;
-
- case 'h':
- Usage(progName);
- exit(0);
- break;
-
- case 'm':
- useModelSocket = PR_TRUE;
- break;
-
- case 'n':
- nickName = optstate->value;
- break;
-
- case 'i':
- pidFile = optstate->value;
- break;
-
- case 'p':
- port = PORT_Atoi(optstate->value);
- break;
-
- case 'r':
- ++requestCert;
- break;
-
- case 't':
- maxThreads = PORT_Atoi(optstate->value);
- if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
- if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
- break;
-
- case 'v':
- verbose++;
- break;
-
- case 'w':
- passwd = optstate->value;
- break;
-
- case 'x':
- useExportPolicy = PR_TRUE;
- break;
- default:
- case '?':
- fprintf(stderr, "Unrecognized or bad option specified.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
- exit(4);
- break;
- }
- }
- if (status == PL_OPT_BAD) {
- fprintf(stderr, "Unrecognized or bad option specified.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
- exit(5);
+ ++optionsFound;
+ switch(optstate->option) {
+ case '2': fileName = optstate->value; break;
+
+ case '3': disableSSL3 = PR_TRUE; break;
+
+ case 'R': disableRollBack = PR_TRUE; break;
+
+ case 'T': disableTLS = PR_TRUE; break;
+
+ case 'c': cipherString = strdup(optstate->value); break;
+
+ case 'd': dir = optstate->value; break;
+
+ case 'f': fNickName = optstate->value; break;
+
+ case 'h': Usage(progName); exit(0); break;
+
+ case 'm': useModelSocket = PR_TRUE; break;
+
+ case 'n': nickName = optstate->value; break;
+
+ case 'i': pidFile = optstate->value; break;
+
+ case 'p': port = PORT_Atoi(optstate->value); break;
+
+ case 'r': ++requestCert; break;
+
+ case 't':
+ maxThreads = PORT_Atoi(optstate->value);
+ if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
+ if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
+ break;
+
+ case 'v': verbose++; break;
+
+ case 'w': passwd = optstate->value; break;
+
+ case 'x': useExportPolicy = PR_TRUE; break;
+
+ default:
+ case '?':
+ fprintf(stderr, "Unrecognized or bad option specified.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(4);
+ break;
}
+ }
+ if (status == PL_OPT_BAD) {
+ fprintf(stderr, "Unrecognized or bad option specified.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(5);
+ }
+ if (!optionsFound) {
+ Usage(progName);
+ exit(51);
+ }
/* allocate the array of thread slots */
threads = PR_Calloc(maxThreads, sizeof(perThread));
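Review bot: The loop header `while (status = PL_GetNextOpt(optstate) == PL_OPT_OK)` assigns the result of the comparison, not the return value, so `status` is only ever 0 or 1 and the `status == PL_OPT_BAD` branch after the loop is dead; a misspelled option or a missing argument just ends parsing silently and execution continues to the required-argument checks. The line is unchanged context, but the commit rewrites the whole loop body around it, so this is the place to fix it: `while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {`. The added `optionsFound` check is a good addition; whether PL_DestroyOptState is ever called is outside the hunk.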
@@ -1259,25 +1152,25 @@ main(int argc, char **argv)
}
if ((nickName == NULL) && (fNickName == NULL)) {
- fprintf (stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
- fprintf(stderr, "Run '%s -h' for usage information.\n");
+ fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
exit(6);
}
if (port == 0) {
- fprintf(stderr, "Required argument 'port' must be non-zero value\n");
- exit(7);
- }
+ fprintf(stderr, "Required argument 'port' must be non-zero value\n");
+ exit(7);
+ }
if (pidFile) {
- FILE *tmpfile=fopen(pidFile,"w+");
-
- if (tmpfile) {
- fprintf(tmpfile,"%d",getpid());
- fclose(tmpfile);
- }
+ FILE *tmpfile=fopen(pidFile,"w+");
+
+ if (tmpfile) {
+ fprintf(tmpfile,"%d",getpid());
+ fclose(tmpfile);
+ }
}
-
+
/* Call the NSPR initialization routines */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
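Review bot: The `if (pidFile)` block silently does nothing when fopen() fails, so a script waiting on that pid file hangs or reads a stale one and nothing is logged. Add an else branch: `else fprintf(stderr, "%s: cannot open pid file %s\n", progName, pidFile);`. The file is opened `"w+"` although it is only written, and the pid is written without a trailing newline, which some tools expect — both minor. The missing progName argument fixed two lines above was a real format-string bug and is a good catch.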
@@ -1314,29 +1207,29 @@ main(int argc, char **argv)
if (cipherString) {
int ndx;
- /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
-
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
-
- if (! isalpha(ndx)) {
- fprintf(stderr,
- "Non-alphabetic char in cipher string (-c arg).\n");
- exit(9);
- }
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SECStatus status;
- status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- SECU_PrintError(progName, "SSL_CipherPrefSet()");
- }
- }
+ /* disable all the ciphers, then enable the ones we want. */
+ disableSSL2Ciphers();
+ disableSSL3Ciphers();
+
+ while (0 != (ndx = *cipherString++)) {
+ int *cptr;
+ int cipher;
+
+ if (! isalpha(ndx)) {
+ fprintf(stderr,
+ "Non-alphabetic char in cipher string (-c arg).\n");
+ exit(9);
+ }
+ cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+ for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+ /* do nothing */;
+ if (cipher) {
+ SECStatus status;
+ status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
+ if (status != SECSuccess)
+ SECU_PrintError(progName, "SSL_CipherPrefSet()");
+ }
+ }
}
if (nickName) {
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index 58a72ebef..49fc111e9 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -35,6 +35,7 @@
#include "zip.h"
#include "prmem.h"
#include "blapi.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
static int create_pk7 (char *dir, char *keyName, int *keyType);
static int jar_find_key_type (CERTCertificate *cert);
@@ -581,7 +582,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
{
int nb;
char ibuf[4096], digestdata[32];
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
unsigned int len;
@@ -593,7 +594,7 @@ SignFile (FILE *outFile, FILE *inFile, CERTCertificate *cert)
return -1;
/* XXX probably want to extend interface to allow other hash algorithms */
- hashObj = &SECHashObjects[HASH_AlgSHA1];
+ hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
diff --git a/security/nss/cmd/signver/signver.c b/security/nss/cmd/signver/signver.c
index 9eaf93146..173afbd60 100644
--- a/security/nss/cmd/signver/signver.c
+++ b/security/nss/cmd/signver/signver.c
@@ -44,6 +44,7 @@
#include "prmem.h"
/* Portable layer header files */
#include "plstr.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
static int debugInfo = 0;
@@ -118,10 +119,10 @@ DigestData (unsigned char *digest, unsigned char *data,
unsigned int *len, unsigned int maxLen,
HASH_HashType hashType)
{
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
- hashObj = &SECHashObjects[hashType];
+ hashObj = HASH_GetHashObject(hashType);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
return -1;
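Review bot: `hashType` is passed straight to HASH_GetHashObject(), which in this commit indexes SECHashObjects without a range check, so an invalid value reaches `(* hashObj->create)()` as a bogus function pointer before the NULL test on the next line can help. Validate it at the top of DigestData, e.g. `if ((unsigned)hashType >= HASH_AlgTOTAL) return -1;` assuming hasht.h provides such a terminator (not visible here). The origin of hashType and the rest of DigestData are outside this hunk.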
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index e0085d12a..d826c3a21 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -111,6 +111,8 @@ int certsTested;
int MakeCertOK;
int NoReuse;
+SSL3Statistics * ssl3stats;
+
void
disableSSL2Ciphers(void)
{
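Review bot: `SSL3Statistics * ssl3stats;` is a file-scope variable with external linkage that nothing outside this file should need; make it `static SSL3Statistics *ssl3stats;` so it does not leak into the program's global namespace. It is assigned only after NSS_Init() in a later hunk, so printSecurityInfo dereferences NULL if it is ever reached earlier — presumably it is not, but the call order is not visible here. A one-line comment such as `/* set once in main() after NSS_Init(); read by printSecurityInfo() */` would make that dependency explicit.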
@@ -299,21 +301,6 @@ myBadCertHandler( void *arg, PRFileDesc *fd)
return (MakeCertOK ? SECSuccess : SECFailure);
}
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
-
void
printSecurityInfo(PRFileDesc *fd)
{
@@ -341,9 +328,9 @@ printSecurityInfo(PRFileDesc *fd)
PRINTF(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hsh_sid_cache_hits,
- ssl3_hsh_sid_cache_misses,
- ssl3_hsh_sid_cache_not_ok);
+ ssl3stats->hsh_sid_cache_hits,
+ ssl3stats->hsh_sid_cache_misses,
+ ssl3stats->hsh_sid_cache_not_ok);
}
@@ -1076,9 +1063,14 @@ main(int argc, char **argv)
case 'w':
passwd = optstate->value;
break;
- case '\0':
+
+ case 0: /* positional parameter */
+ if (hostName) {
+ Usage(progName);
+ }
hostName = PL_strdup(optstate->value);
break;
+
default:
case '?':
Usage(progName);
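Review bot: The new `if (hostName) Usage(progName);` only helps if Usage() terminates the process; if it returns (its body is not in view), the second positional argument silently overwrites the first and the earlier PL_strdup result is leaked. Either confirm Usage() exits or make it explicit: `if (hostName) { Usage(progName); exit(1); }`. The PL_strdup() result is also not checked for NULL, though at startup that is a minor concern.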
@@ -1108,6 +1100,7 @@ main(int argc, char **argv)
fputs("NSS_Init failed.\n", stderr);
exit(1);
}
+ ssl3stats = SSL_GetStatistics();
if (nickName) {
@@ -1143,20 +1136,26 @@ main(int argc, char **argv)
client_main(port, connections, privKey, cert, hostName, nickName);
/* some final stats. */
- if (ssl3_hsh_sid_cache_hits + ssl3_hsh_sid_cache_misses +
- ssl3_hsh_sid_cache_not_ok == 0) {
+ if (ssl3stats->hsh_sid_cache_hits + ssl3stats->hsh_sid_cache_misses +
+ ssl3stats->hsh_sid_cache_not_ok == 0) {
/* presumably we were testing SSL2. */
printf("strsclnt: %d server certificates tested.\n", certsTested);
} else {
printf(
"strsclnt: %ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hsh_sid_cache_hits,
- ssl3_hsh_sid_cache_misses,
- ssl3_hsh_sid_cache_not_ok);
+ ssl3stats->hsh_sid_cache_hits,
+ ssl3stats->hsh_sid_cache_misses,
+ ssl3stats->hsh_sid_cache_not_ok);
}
- exitVal = (ssl3_hsh_sid_cache_misses > 1) ||
- (ssl3_hsh_sid_cache_not_ok != 0) ||
- (certsTested > 1);
+
+ if (!NoReuse)
+ exitVal = (ssl3stats->hsh_sid_cache_misses > 1) ||
+ (ssl3stats->hsh_sid_cache_not_ok != 0) ||
+ (certsTested > 1);
+ else
+ exitVal = (ssl3stats->hsh_sid_cache_misses != connections) ||
+ (certsTested != connections);
+
NSS_Shutdown();
PR_Cleanup();
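Review bot: Both multi-line bodies of the new `if (!NoReuse) … else …` are unbraced, and the rule each branch encodes is not stated, so a reader has to reverse-engineer why `misses > 1` is a failure in one mode and `misses != connections` in the other. Brace both branches and precede them with a comment along the lines of `/* With session reuse only the first connection may do a full handshake; with NoReuse every connection must. */`. `connections` is compared against `long` counters, so check it is not an unsigned type (its declaration is outside the hunk) to avoid a sign-conversion surprise.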
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index cf217dc40..33a0910ec 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -123,21 +123,7 @@ void printSecurityInfo(PRFileDesc *fd)
int kp0; /* total key bits */
int kp1; /* secret key bits */
int result;
-
-/* statistics from ssl3_SendClientHello (sch) */
-extern long ssl3_sch_sid_cache_hits;
-extern long ssl3_sch_sid_cache_misses;
-extern long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-extern long ssl3_hsh_sid_cache_hits;
-extern long ssl3_hsh_sid_cache_misses;
-extern long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-extern long ssl3_hch_sid_cache_hits;
-extern long ssl3_hch_sid_cache_misses;
-extern long ssl3_hch_sid_cache_not_ok;
+ SSL3Statistics * ssl3stats = SSL_GetStatistics();
result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp);
if (result != SECSuccess)
@@ -152,8 +138,8 @@ extern long ssl3_hch_sid_cache_not_ok;
fprintf(stderr,
"%ld cache hits; %ld cache misses, %ld cache not reusable\n",
- ssl3_hch_sid_cache_hits, ssl3_hch_sid_cache_misses,
- ssl3_hch_sid_cache_not_ok);
+ ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses,
+ ssl3stats->hch_sid_cache_not_ok);
}
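Review bot: tstclnt is a client, but the fields printed here are `hch_sid_cache_*` — the handle-client-hello counters that only a server updates — so this line will always report zeros; the client-side counters are `hsh_sid_cache_*`, which strsclnt prints in this same commit. Change the three arguments to `ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses, ssl3stats->hsh_sid_cache_not_ok`. This mistake predates the commit, but the rewrite of this statement is the natural place to correct it; printSecurityInfo begins outside this hunk.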
@@ -214,24 +200,22 @@ milliPause(PRUint32 milli)
}
void
-disableSSL2Ciphers(void)
-{
- int i;
-
- /* disable all the SSL2 cipher suites */
- for (i = 0; ssl2CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
- }
-}
-
-void
-disableSSL3Ciphers(void)
+disableAllSSLCiphers(void)
{
- int i;
+ const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+ int i = SSL_NumImplementedCiphers;
+ SECStatus rv;
/* disable all the SSL3 cipher suites */
- for (i = 0; ssl3CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
+ while (--i >= 0) {
+ PRUint16 suite = cipherSuites[i];
+ rv = SSL_CipherPrefSetDefault(suite, SSL_NOT_ALLOWED);
+ if (rv != SECSuccess) {
+ PRErrorCode err = PR_GetError();
+ printf("SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n",
+ suite, i, SECU_Strerror(err));
+ exit(2);
+ }
}
}
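Review bot: The comment `/* disable all the SSL3 cipher suites */` is now stale — the loop walks every entry of SSL_ImplementedCiphers, which, given the function's new name, covers SSL2 suites too — and the failure path prints to stdout with `printf` while naming `SSL_CipherPrefSet` although the call is SSL_CipherPrefSetDefault. I would change the comment to `/* disable every cipher suite NSS implements (SSL2 and SSL3/TLS) */` and the report to `fprintf(stderr, "SSL_CipherPrefSetDefault rejected suite 0x%04x (i = %d): %s\n", suite, i, SECU_Strerror(err));`. SSL_ImplementedCiphers and SSL_NumImplementedCiphers are presumably new exports from the ssl.h hunk, which is not in view.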
@@ -379,8 +363,7 @@ int main(int argc, char **argv)
/* all the SSL2 and SSL3 cipher suites are enabled by default. */
if (cipherString) {
/* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ disableAllSSLCiphers();
}
/* Lookup host */
diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c
index 534ef1165..f93beb686 100644
--- a/security/nss/lib/certdb/pcertdb.c
+++ b/security/nss/lib/certdb/pcertdb.c
@@ -5648,10 +5648,10 @@ InitDBspkDigestInfo(CERTCertDBHandle *handle)
return(SECSuccess);
}
-static SECHashObject *
+static const SECHashObject *
OidTagToRawDigestObject(SECOidTag digestAlg)
{
- SECHashObject *rawDigestObject;
+ const SECHashObject *rawDigestObject;
switch (digestAlg) {
case SEC_OID_MD2:
@@ -5682,7 +5682,7 @@ SECItem *
CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
SECOidTag digestAlg, SECItem *fill)
{
- SECHashObject *digestObject;
+ const SECHashObject *digestObject;
void *digestContext;
SECItem *result = NULL;
void *mark = NULL;
diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h
index b506ccdc0..287db360d 100644
--- a/security/nss/lib/ckfw/builtins/builtins.h
+++ b/security/nss/lib/ckfw/builtins/builtins.h
@@ -55,8 +55,8 @@ static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
struct builtinsInternalObjectStr {
CK_ULONG n;
- CK_ATTRIBUTE_TYPE *types;
- NSSItem *items;
+ const CK_ATTRIBUTE_TYPE *types;
+ const NSSItem *items;
};
typedef struct builtinsInternalObjectStr builtinsInternalObject;
diff --git a/security/nss/lib/ckfw/builtins/find.c b/security/nss/lib/ckfw/builtins/find.c
index 774f0abde..17737fd22 100644
--- a/security/nss/lib/ckfw/builtins/find.c
+++ b/security/nss/lib/ckfw/builtins/find.c
@@ -107,7 +107,7 @@ static CK_BBOOL
builtins_attrmatch
(
CK_ATTRIBUTE_PTR a,
- NSSItem *b
+ const NSSItem *b
)
{
PRBool prb;
diff --git a/security/nss/lib/ckfw/builtins/object.c b/security/nss/lib/ckfw/builtins/object.c
index 18cefda8a..030bc11a0 100644
--- a/security/nss/lib/ckfw/builtins/object.c
+++ b/security/nss/lib/ckfw/builtins/object.c
@@ -163,7 +163,7 @@ builtins_mdObject_GetAttributeSize
return 0;
}
-static NSSItem *
+static const NSSItem *
builtins_mdObject_GetAttribute
(
NSSCKMDObject *mdObject,
diff --git a/security/nss/lib/ckfw/nssckmdt.h b/security/nss/lib/ckfw/nssckmdt.h
index d45a089d2..30e4fc33b 100644
--- a/security/nss/lib/ckfw/nssckmdt.h
+++ b/security/nss/lib/ckfw/nssckmdt.h
@@ -1949,7 +1949,7 @@ struct NSSCKMDObjectStr {
* (which is likely the Framework's token or session arena).
* It may return NULL on error.
*/
- NSSItem *(PR_CALLBACK *GetAttribute)(
+ const NSSItem *(PR_CALLBACK *GetAttribute)(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
diff --git a/security/nss/lib/cryptohi/hasht.h b/security/nss/lib/cryptohi/hasht.h
index 697520015..aa5e39215 100644
--- a/security/nss/lib/cryptohi/hasht.h
+++ b/security/nss/lib/cryptohi/hasht.h
@@ -75,13 +75,19 @@ struct SECHashObjectStr {
};
struct HASHContextStr {
- struct SECHashObjectStr *hashobj;
+ const struct SECHashObjectStr *hashobj;
void *hash_context;
};
-extern SECHashObject SECHashObjects[];
+/* This symbol is NOT exported from the NSS DLL. Code that needs a
+ * pointer to one of the SECHashObjects should call HASH_GetHashObject()
+ * instead. See "sechash.h".
+ */
+extern const SECHashObject SECHashObjects[];
-/*only those functions below the PKCS #11 line should use SECRawHashObjects*/
-extern SECHashObject SECRawHashObjects[];
+/* Only those functions below the PKCS #11 line should use SECRawHashObjects.
+ * This symbol is not exported from the NSS DLL.
+ */
+extern const SECHashObject SECRawHashObjects[];
#endif /* _HASHT_H_ */
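Review bot: Keeping `extern const SECHashObject SECHashObjects[];` (and SECRawHashObjects) in this header after dropping the symbol from the export lists means code that still uses it compiles cleanly and fails only at link time — and only on DLL builds — so the comment alone will not stop new misuse. Either move both declarations to a private header or fence them with `#ifdef NSS_USE_STATIC_LIBS` so a DLL consumer gets a compile error pointing at HASH_GetHashObject(). The comment should also say the symbol is gone from the Unix mapfile as well as the Windows .def, since this commit removes it from both.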
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
index 94000f543..36ee1efd2 100644
--- a/security/nss/lib/cryptohi/sechash.c
+++ b/security/nss/lib/cryptohi/sechash.c
@@ -87,7 +87,7 @@ sha1_NewContext(void) {
return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
}
-SECHashObject SECHashObjects[] = {
+const SECHashObject SECHashObjects[] = {
{ 0,
(void * (*)(void)) null_hash_new_context,
(void * (*)(void *)) null_hash_clone_context,
@@ -126,6 +126,13 @@ SECHashObject SECHashObjects[] = {
},
};
+const SECHashObject *
+HASH_GetHashObject(HASH_HashType type)
+{
+ return &SECHashObjects[type];
+}
+
+
unsigned int
HASH_ResultLen(HASH_HashType type)
{
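Review bot: HASH_GetHashObject() indexes SECHashObjects with `type` unchecked, and every caller this commit introduces dereferences the result immediately, so an out-of-range HASH_HashType reads past the table and calls whatever it finds as `create`. A bounds check that returns NULL turns that into a null dereference at worst and lets careful callers fail cleanly: `if ((unsigned)type >= sizeof SECHashObjects / sizeof SECHashObjects[0]) return NULL;` before the return, which needs no enum terminator since the table is in this translation unit. The double blank line after the function can go.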
diff --git a/security/nss/lib/cryptohi/sechash.h b/security/nss/lib/cryptohi/sechash.h
index 6a4fb3e40..0e5a92e3b 100644
--- a/security/nss/lib/cryptohi/sechash.h
+++ b/security/nss/lib/cryptohi/sechash.h
@@ -72,6 +72,8 @@ extern void HASH_End(HASHContext *context,
unsigned int *result_len,
unsigned int max_result_len);
+extern const SECHashObject * HASH_GetHashObject(HASH_HashType type);
+
SEC_END_PROTOS
#endif /* _HASH_H_ */
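Review bot: The new public prototype `HASH_GetHashObject` has no comment, although it replaces direct access to a table and its contract is what callers now depend on. Add a block comment above it stating that the returned pointer refers to static const storage owned by the library (never free it, valid for the process lifetime), that the object's `create`/`update`/`end` hooks are what the caller invokes, and what a caller may expect for a `type` outside the defined HASH_HashType values — in this commit that case is unchecked, so the comment should say the argument must be a valid enumerator.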
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index 35af3f701..3583d709a 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -49,7 +49,7 @@ struct SGNContextStr {
SECOidTag signalg;
SECOidTag hashalg;
void *hashcx;
- SECHashObject *hashobj;
+ const SECHashObject *hashobj;
SECKEYPrivateKey *key;
};
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 6c2443e30..99921a56d 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -116,7 +116,7 @@ struct VFYContextStr {
unsigned char digest[DSA_SIGNATURE_LEN];
void * wincx;
void *hashcx;
- SECHashObject *hashobj;
+ const SECHashObject *hashobj;
};
VFYContext *
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
index 5f5b0e67f..3ddb3341a 100644
--- a/security/nss/lib/jar/jarfile.c
+++ b/security/nss/lib/jar/jarfile.c
@@ -51,6 +51,7 @@
#include "sys/stat.h"
#endif
+#include "sechash.h" /* for HASH_GetHashObject() */
/* extracting */
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
index d03f980b0..5aa8bcc00 100644
--- a/security/nss/lib/jar/jarsign.c
+++ b/security/nss/lib/jar/jarsign.c
@@ -48,6 +48,7 @@
#endif
#include "pk11func.h"
+#include "sechash.h"
/* from libevent.h */
typedef void (*ETVoidPtrFunc) (void * data);
@@ -259,7 +260,7 @@ int jar_create_pk7
{
int nb;
unsigned char buffer [4096], digestdata[32];
- SECHashObject *hashObj;
+ const SECHashObject *hashObj;
void *hashcx;
unsigned int len;
@@ -276,7 +277,7 @@ int jar_create_pk7
return JAR_ERR_GENERAL;
/* we sign with SHA */
- hashObj = &SECHashObjects [HASH_AlgSHA1];
+ hashObj = HASH_GetHashObject(HASH_AlgSHA1);
hashcx = (* hashObj->create)();
if (hashcx == NULL)
diff --git a/security/nss/lib/nss/mapfile b/security/nss/lib/nss/mapfile
index f19a0737f..27594853d 100644
--- a/security/nss/lib/nss/mapfile
+++ b/security/nss/lib/nss/mapfile
@@ -374,6 +374,7 @@ NSS_3.2 { # NSS 3.2 release
HASH_Create;
HASH_Destroy;
HASH_End;
+ HASH_GetHashObject;
HASH_HashBuf;
HASH_ResultLen;
HASH_ResultLenContext;
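Review bot: HASH_GetHashObject is added to the existing `NSS_3.2` version node, and the same node loses `SECHashObjects` further down in this hunk's sibling; editing an already-named ABI version is safe only if NSS 3.2 has not shipped, otherwise binaries linked against the old 3.2 symbol set fail to load. If 3.2 is out, put the new symbol in a fresh node (e.g. `NSS_3.2.1 { ... } NSS_3.2;`) and keep the removal as a deliberate, documented break. The same removal from nss.def has no versioning at all, so there it is simply a link-time break for any consumer still using the array.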
@@ -788,7 +789,6 @@ NSS_3.2 { # NSS 3.2 release
RSA_PublicKeyOp;
RSA_Sign;
RSA_SignRaw;
- SECHashObjects;
SECITEM_AllocItem;
SECITEM_CompareItem;
SECITEM_CopyItem;
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 01fe850b6..3877972fb 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -373,6 +373,7 @@ HASH_Clone
HASH_Create
HASH_Destroy
HASH_End
+HASH_GetHashObject
HASH_HashBuf
HASH_ResultLen
HASH_ResultLenContext
@@ -787,7 +788,6 @@ RSA_PrivateKeyOp
RSA_PublicKeyOp
RSA_Sign
RSA_SignRaw
-SECHashObjects
SECITEM_AllocItem
SECITEM_CompareItem
SECITEM_CopyItem
diff --git a/security/nss/lib/nss/nsssym.c b/security/nss/lib/nss/nsssym.c
index 0cf3540cd..e0c53c993 100644
--- a/security/nss/lib/nss/nsssym.c
+++ b/security/nss/lib/nss/nsssym.c
@@ -4,7 +4,6 @@
#ifdef INC_SSL
-extern int SECHashObjects;
extern int nss_InitLock;
extern void ATOB_AsciiToData();
@@ -134,7 +133,6 @@ extern void VFY_Update();
void
nss_referenceNSSFunctionsForSSL() {
- int tmp1 = SECHashObjects;
int tmp2 = nss_InitLock;
ATOB_AsciiToData();
@@ -273,23 +271,28 @@ extern int SEC_PointerToOctetStringTemplate;
extern int SEC_SetOfAnyTemplate;
extern void CERT_CertListFromCert();
+extern void CERT_DestroyCertArray();
extern void CERT_FindSMimeProfile();
extern void CERT_GetCertIssuerAndSN();
extern void CERT_ImportCerts();
+extern void CERT_OpenCertDBFilename();
extern void CERT_SaveSMimeProfile();
extern void CERT_VerifyCert();
extern void DER_TimeToUTCTime();
extern void PK11_CreatePBEAlgorithmID();
+extern void PK11_FindCertAndKeyByRecipientList();
extern void PK11_FindCertAndKeyByRecipientListNew();
extern void PK11_FortezzaHasKEA();
extern void PK11_FortezzaMapSig();
extern void PK11_GenerateNewParam();
extern void PK11_GetKeyStrength();
extern void PK11_IsHW();
+extern void PK11_PBEKeyGen();
extern void PK11_ParamToAlgid();
extern void PK11_SetPasswordFunc();
extern void SEC_ASN1DecodeInteger();
extern void SEC_ASN1DecoderClearFilterProc();
+extern void SEC_ASN1DecoderClearNotifyProc();
extern void SEC_ASN1DecoderFinish();
extern void SEC_ASN1DecoderSetFilterProc();
extern void SEC_ASN1DecoderSetNotifyProc();
@@ -308,11 +311,6 @@ extern void SEC_PKCS5IsAlgorithmPBEAlg();
extern void SEC_SignData();
extern void SGN_Digest();
extern void VFY_VerifyDigest();
-extern void CERT_OpenCertDBFilename();
-extern void CERT_DestroyCertArray();
-extern void PK11_PBEKeyGen();
-extern void PK11_FindCertAndKeyByRecipientList();
-extern void SEC_ASN1DecoderClearNotifyProc();
nss_referenceNSSFunctionsForSMIME() {
int tmp1=CERT_IssuerAndSNTemplate;
@@ -368,63 +366,64 @@ nss_referenceNSSFunctionsForSMIME() {
extern int CERT_CertificateRequestTemplate;
extern void CERT_DecodeCertificatePoliciesExtension();
-extern void CERT_DestroyCertificatePoliciesExtension();
extern void CERT_DecodeUserNotice();
-extern void DER_GeneralizedTimeToTime();
+extern void CERT_DestroyCertificatePoliciesExtension();
extern void CERT_GenTime2FormattedAscii();
-extern void SECKEY_DeriveKeyDBPassword();
extern void CERT_Hexify();
-extern void SECKEY_GetKeyDBVersion();
+extern void DER_GeneralizedTimeToTime();
+extern void HASH_GetHashObject();
+extern void MD2_Flatten();
+extern void MD2_Resurrect();
+extern void MD5_Flatten();
+extern void MD5_Resurrect();
+extern void NSSBase64Decoder_Create();
+extern void NSSBase64Decoder_Destroy();
+extern void NSSBase64Decoder_Update();
+extern void NSSBase64Encoder_Create();
+extern void NSSBase64Encoder_Destroy();
+extern void NSSBase64Encoder_Update();
+extern void PK11_ChangePW();
+extern void PK11_CheckUserPassword();
extern void PK11_DoPassword();
extern void PK11_FindKeyByKeyID();
-extern void PK11_NeedUserInit();
extern void PK11_InitPin();
-extern void PK11_CheckUserPassword();
-extern void PK11_ChangePW();
-extern void MD5_Flatten();
-extern void MD5_Resurrect();
-extern void MD2_Flatten();
-extern void MD2_Resurrect();
+extern void PK11_NeedUserInit();
extern void PQG_ParamGen();
extern void PQG_VerifyParams();
extern void SECITEM_ReallocItem();
-extern void NSSBase64Encoder_Create();
-extern void NSSBase64Encoder_Update();
-extern void NSSBase64Encoder_Destroy();
-extern void NSSBase64Decoder_Create();
-extern void NSSBase64Decoder_Update();
-extern void NSSBase64Decoder_Destroy();
-
+extern void SECKEY_DeriveKeyDBPassword();
+extern void SECKEY_GetKeyDBVersion();
nss_CMDExports() {
int tmp1 = CERT_CertificateRequestTemplate;
CERT_DecodeCertificatePoliciesExtension();
- CERT_DestroyCertificatePoliciesExtension();
CERT_DecodeUserNotice();
- DER_GeneralizedTimeToTime();
+ CERT_DestroyCertificatePoliciesExtension();
CERT_GenTime2FormattedAscii();
- SECKEY_DeriveKeyDBPassword();
CERT_Hexify();
- SECKEY_GetKeyDBVersion();
+ DER_GeneralizedTimeToTime();
+ HASH_GetHashObject();
+ MD2_Flatten();
+ MD2_Resurrect();
+ MD5_Flatten();
+ MD5_Resurrect();
+ NSSBase64Decoder_Create();
+ NSSBase64Decoder_Destroy();
+ NSSBase64Decoder_Update();
+ NSSBase64Encoder_Create();
+ NSSBase64Encoder_Destroy();
+ NSSBase64Encoder_Update();
+ PK11_ChangePW();
+ PK11_CheckUserPassword();
PK11_DoPassword();
PK11_FindKeyByKeyID();
- PK11_NeedUserInit();
PK11_InitPin();
- PK11_CheckUserPassword();
- PK11_ChangePW();
- MD5_Flatten();
- MD5_Resurrect();
- MD2_Flatten();
- MD2_Resurrect();
+ PK11_NeedUserInit();
PQG_ParamGen();
PQG_VerifyParams();
SECITEM_ReallocItem();
- NSSBase64Encoder_Create();
- NSSBase64Encoder_Update();
- NSSBase64Encoder_Destroy();
- NSSBase64Decoder_Create();
- NSSBase64Decoder_Update();
- NSSBase64Decoder_Destroy();
+ SECKEY_DeriveKeyDBPassword();
+ SECKEY_GetKeyDBVersion();
}
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index 0eee743c2..6400badc8 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -54,13 +54,13 @@
#include "pk11func.h"
#include "prtime.h"
#include "secerr.h"
-
+#include "sechash.h" /* for HASH_GetHashObject() */
struct sec_pkcs7_decoder_worker {
int depth;
int digcnt;
void **digcxs;
- SECHashObject **digobjs;
+ const SECHashObject **digobjs;
sec_PKCS7CipherObject *decryptobj;
PRBool saw_contents;
};
@@ -261,7 +261,7 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
{
SECAlgorithmID *algid;
SECOidData *oiddata;
- SECHashObject *digobj;
+ const SECHashObject *digobj;
void *digcx;
int i, digcnt;
@@ -287,7 +287,7 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
p7dcx->worker.digcxs = (void**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
digcnt * sizeof (void *));
- p7dcx->worker.digobjs = (SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
+ p7dcx->worker.digobjs = (const SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
digcnt * sizeof (SECHashObject *));
if (p7dcx->worker.digcxs == NULL || p7dcx->worker.digobjs == NULL) {
p7dcx->error = SEC_ERROR_NO_MEMORY;
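Review bot: The element size passed to PORT_ArenaAlloc is still spelled `sizeof (SECHashObject *)` while the destination's element type is now `const SECHashObject *`; the two sizes are identical today, but `digcnt * sizeof *p7dcx->worker.digobjs` ties the allocation to the declared type so the cast and the size cannot drift apart again. The same pattern is in the cmsdigest.c hunk (`cmsdigcx->digobjs = (const SECHashObject **)PORT_Alloc(digcnt * sizeof(SECHashObject *));`). sec_pkcs7_decoder_start_digests starts and ends outside this hunk.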
@@ -308,13 +308,13 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
} else {
switch (oiddata->offset) {
case SEC_OID_MD2:
- digobj = &SECHashObjects[HASH_AlgMD2];
+ digobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
- digobj = &SECHashObjects[HASH_AlgMD5];
+ digobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
- digobj = &SECHashObjects[HASH_AlgSHA1];
+ digobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
digobj = NULL;
@@ -362,7 +362,7 @@ sec_pkcs7_decoder_finish_digests (SEC_PKCS7DecoderContext *p7dcx,
SECItem ***digestsp)
{
struct sec_pkcs7_decoder_worker *worker;
- SECHashObject *digobj;
+ const SECHashObject *digobj;
void *digcx;
SECItem **digests, *digest;
int i;
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
index b45d2d916..33aae7553 100644
--- a/security/nss/lib/pkcs7/p7encode.c
+++ b/security/nss/lib/pkcs7/p7encode.c
@@ -47,6 +47,7 @@
#include "secitem.h"
#include "pk11func.h"
#include "secerr.h"
+#include "sechash.h" /* for HASH_GetHashObject() */
struct sec_pkcs7_encoder_output {
SEC_PKCS7EncoderOutputCallback outputfn;
@@ -58,7 +59,7 @@ struct SEC_PKCS7EncoderContextStr {
SEC_PKCS7ContentInfo *cinfo;
struct sec_pkcs7_encoder_output output;
sec_PKCS7CipherObject *encryptobj;
- SECHashObject *digestobj;
+ const SECHashObject *digestobj;
void *digestcx;
};
@@ -591,13 +592,13 @@ sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
if (oiddata != NULL) {
switch (oiddata->offset) {
case SEC_OID_MD2:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgMD2];
+ p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgMD5];
+ p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
- p7ecx->digestobj = &SECHashObjects[HASH_AlgSHA1];
+ p7ecx->digestobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
/* XXX right error? */
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index acfd56ad8..f2f50a654 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -398,7 +398,7 @@ NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID
extern int
NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag);
-extern SECHashObject *
+extern const SECHashObject *
NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid);
/*
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
index ce3f59228..6c7bd918b 100644
--- a/security/nss/lib/smime/cmsdigest.c
+++ b/security/nss/lib/smime/cmsdigest.c
@@ -52,7 +52,7 @@ struct NSSCMSDigestContextStr {
PRBool saw_contents;
int digcnt;
void ** digcxs;
- SECHashObject ** digobjs;
+const SECHashObject ** digobjs;
};
/*
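Review bot: The replacement member `const SECHashObject ** digobjs;` is flush-left as rendered here, whereas the removed line and the sibling members of NSSCMSDigestContextStr (`void ** digcxs;`, `int digcnt;`) carry the struct body's indentation. Restore it as `    const SECHashObject ** digobjs;` so the struct reads consistently; if the leading whitespace was lost only in rendering, ignore this.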
@@ -63,7 +63,7 @@ NSSCMSDigestContext *
NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
{
NSSCMSDigestContext *cmsdigcx;
- SECHashObject *digobj;
+ const SECHashObject *digobj;
void *digcx;
int digcnt;
int i;
@@ -76,7 +76,7 @@ NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
if (digcnt > 0) {
cmsdigcx->digcxs = (void **)PORT_Alloc(digcnt * sizeof (void *));
- cmsdigcx->digobjs = (SECHashObject **)PORT_Alloc(digcnt * sizeof(SECHashObject *));
+ cmsdigcx->digobjs = (const SECHashObject **)PORT_Alloc(digcnt * sizeof(SECHashObject *));
if (cmsdigcx->digcxs == NULL || cmsdigcx->digobjs == NULL)
goto loser;
}
@@ -169,7 +169,7 @@ SECStatus
NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
SECItem ***digestsp)
{
- SECHashObject *digobj;
+ const SECHashObject *digobj;
void *digcx;
SECItem **digests, *digest;
int i;
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
index 77f79b4d3..a31c2a20a 100644
--- a/security/nss/lib/smime/cmsutil.c
+++ b/security/nss/lib/smime/cmsutil.c
@@ -46,6 +46,7 @@
#include "secoid.h"
#include "pk11func.h"
#include "secerr.h"
+#include "sechash.h"
/*
* NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
@@ -195,11 +196,11 @@ NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algt
return i;
}
-SECHashObject *
+const SECHashObject *
NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
{
SECOidData *oiddata;
- SECHashObject *digobj;
+ const SECHashObject *digobj;
/* here are the algorithms we know */
oiddata = SECOID_FindOID(&(algid->algorithm));
@@ -208,13 +209,13 @@ NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
} else {
switch (oiddata->offset) {
case SEC_OID_MD2:
- digobj = &SECHashObjects[HASH_AlgMD2];
+ digobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
- digobj = &SECHashObjects[HASH_AlgMD5];
+ digobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
- digobj = &SECHashObjects[HASH_AlgSHA1];
+ digobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
digobj = NULL;
diff --git a/security/nss/lib/softoken/alghmac.c b/security/nss/lib/softoken/alghmac.c
index ff320da09..aef81a76b 100644
--- a/security/nss/lib/softoken/alghmac.c
+++ b/security/nss/lib/softoken/alghmac.c
@@ -40,7 +40,7 @@
struct HMACContextStr {
void *hash;
- SECHashObject *hashobj;
+ const SECHashObject *hashobj;
unsigned char ipad[HMAC_PAD_SIZE];
unsigned char opad[HMAC_PAD_SIZE];
};
diff --git a/security/nss/lib/softoken/rawhash.c b/security/nss/lib/softoken/rawhash.c
index 4d19b3cdb..9250bf62b 100644
--- a/security/nss/lib/softoken/rawhash.c
+++ b/security/nss/lib/softoken/rawhash.c
@@ -73,7 +73,7 @@ null_hash_destroy_context(void *v, PRBool b)
}
-SECHashObject SECRawHashObjects[] = {
+const SECHashObject SECRawHashObjects[] = {
{ 0,
(void * (*)(void)) null_hash_new_context,
(void * (*)(void *)) null_hash_clone_context,
diff --git a/security/nss/lib/softoken/secpkcs5.h b/security/nss/lib/softoken/secpkcs5.h
index 4efe99900..7719ac115 100644
--- a/security/nss/lib/softoken/secpkcs5.h
+++ b/security/nss/lib/softoken/secpkcs5.h
@@ -60,7 +60,7 @@ typedef struct _PBEBitGenContext {
/* hash algorithm information */
pbeBitGenParameters pbeParams;
- SECHashObject *hashObject;
+ const SECHashObject *hashObject;
void *hash;
/* buffers used in generation of bits */
diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
index a711c3361..fff62966e 100644
--- a/security/nss/lib/ssl/Makefile
+++ b/security/nss/lib/ssl/Makefile
@@ -58,6 +58,7 @@ include config.mk
ifeq ($(OS_ARCH),WINNT)
CSRCS += win32err.c
+DEFINES += -DIN_LIBSSL
else
ifeq ($(OS_ARCH),OS2)
CSRCS += os2_err.c
diff --git a/security/nss/lib/ssl/mapfile b/security/nss/lib/ssl/mapfile
index e2249362f..50d3691d4 100644
--- a/security/nss/lib/ssl/mapfile
+++ b/security/nss/lib/ssl/mapfile
@@ -39,7 +39,7 @@ NSS_3.2 { # NSS 3.2 release
NSS_SetDomesticPolicy;
NSS_SetExportPolicy;
NSS_SetFrancePolicy;
- SSL3_SendAlert;
+# SSL3_SendAlert;
SSL_AuthCertificate;
SSL_AuthCertificateHook;
SSL_BadCertHook;
@@ -63,12 +63,13 @@ NSS_3.2 { # NSS 3.2 release
SSL_ForceHandshake;
SSL_GetClientAuthDataHook;
SSL_GetSessionID;
+ SSL_GetStatistics;
SSL_HandshakeCallback;
- SSL_ImplementedCiphers;
+ SSL_ImplementedCiphers; # data
SSL_ImportFD;
SSL_InheritMPServerSIDCache;
SSL_InvalidateSession;
- SSL_NumImplementedCiphers;
+ SSL_NumImplementedCiphers; # data
SSL_OptionGet;
SSL_OptionGetDefault;
SSL_OptionSet;
@@ -90,12 +91,6 @@ NSS_3.2 { # NSS 3.2 release
SSL_SetPolicy;
SSL_SetSockPeerID;
SSL_SetURL;
- ssl3_hch_sid_cache_hits;
- ssl3_hch_sid_cache_misses;
- ssl3_hch_sid_cache_not_ok;
- ssl3_hsh_sid_cache_hits;
- ssl3_hsh_sid_cache_misses;
- ssl3_hsh_sid_cache_not_ok;
local:
*;
};
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
index 628b039f3..b90bfa8b8 100644
--- a/security/nss/lib/ssl/ssl.def
+++ b/security/nss/lib/ssl/ssl.def
@@ -38,7 +38,7 @@ NSS_GetClientAuthData
NSS_SetDomesticPolicy
NSS_SetExportPolicy
NSS_SetFrancePolicy
-SSL3_SendAlert
+;SSL3_SendAlert
SSL_AuthCertificate
SSL_AuthCertificateHook
SSL_BadCertHook
@@ -62,12 +62,13 @@ SSL_EnableDefault
SSL_ForceHandshake
SSL_GetClientAuthDataHook
SSL_GetSessionID
+SSL_GetStatistics
SSL_HandshakeCallback
-SSL_ImplementedCiphers
+SSL_ImplementedCiphers DATA
SSL_ImportFD
SSL_InheritMPServerSIDCache
SSL_InvalidateSession
-SSL_NumImplementedCiphers
+SSL_NumImplementedCiphers DATA
SSL_OptionGet
SSL_OptionGetDefault
SSL_OptionSet
@@ -89,9 +90,3 @@ SSL_SetPKCS11PinArg
SSL_SetPolicy
SSL_SetSockPeerID
SSL_SetURL
-ssl3_hch_sid_cache_hits
-ssl3_hch_sid_cache_misses
-ssl3_hch_sid_cache_not_ok
-ssl3_hsh_sid_cache_hits
-ssl3_hsh_sid_cache_misses
-ssl3_hsh_sid_cache_not_ok
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 97a97759b..6faa2e91c 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -45,15 +45,38 @@
#include "cert.h"
#include "keyt.h"
+#if defined(_WINDOWS) && !defined(IN_LIBSSL) && !defined(NSS_USE_STATIC_LIBS)
+#define SSL_IMPORT extern __declspec(dllimport)
+#else
+#define SSL_IMPORT extern
+#endif
+
/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
-extern const PRUint16 SSL_ImplementedCiphers[];
+SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
/* number of entries in the above table. */
-extern const PRUint16 SSL_NumImplementedCiphers;
+SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
+typedef struct SSL3StatisticsStr {
+ /* statistics from ssl3_SendClientHello (sch) */
+ long sch_sid_cache_hits;
+ long sch_sid_cache_misses;
+ long sch_sid_cache_not_ok;
+
+ /* statistics from ssl3_HandleServerHello (hsh) */
+ long hsh_sid_cache_hits;
+ long hsh_sid_cache_misses;
+ long hsh_sid_cache_not_ok;
+
+ /* statistics from ssl3_HandleClientHello (hch) */
+ long hch_sid_cache_hits;
+ long hch_sid_cache_misses;
+ long hch_sid_cache_not_ok;
+} SSL3Statistics;
+
SEC_BEGIN_PROTOS
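Review bot: The SSL_IMPORT selection is undocumented in the header: a program that links the static SSL library on Windows must define NSS_USE_STATIC_LIBS, and nothing at the `#if defined(_WINDOWS) && !defined(IN_LIBSSL) && !defined(NSS_USE_STATIC_LIBS)` line says so, nor that IN_LIBSSL is the library's own build-time flag (set in the Makefile hunk above). A comment above the `#if`, e.g. `/* On Windows, SSL symbols are declared dllimport unless compiled inside libssl (IN_LIBSSL) or the program links the static library (define NSS_USE_STATIC_LIBS). */`, would spare the next reader the Makefile archaeology. The new SSL3Statistics typedef likewise lacks a line saying the counters are owned and updated by the library and are reached through SSL_GetStatistics.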
@@ -61,7 +84,7 @@ SEC_BEGIN_PROTOS
** Imports fd into SSL, returning a new socket. Copies SSL configuration
** from model.
*/
-extern PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
/*
** Enable/disable an ssl mode
@@ -92,15 +115,15 @@ extern PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
#define SSL_ROLLBACK_DETECTION 14 /* for compatibility, default: on */
/* Old deprecated function names */
-extern SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
-extern SECStatus SSL_EnableDefault(int option, PRBool on);
+SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
+SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on);
/* New function names */
-extern SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
-extern SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
-extern SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
-extern SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
-extern SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
+SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
/*
** Control ciphers that SSL uses. If on is non-zero then the named cipher
@@ -110,16 +133,16 @@ extern SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
** SetPolicy sets the policy according to the policy module.
*/
/* Old deprecated function names */
-extern SECStatus SSL_EnableCipher(long which, PRBool enabled);
-extern SECStatus SSL_SetPolicy(long which, int policy);
+SSL_IMPORT SECStatus SSL_EnableCipher(long which, PRBool enabled);
+SSL_IMPORT SECStatus SSL_SetPolicy(long which, int policy);
/* New function names */
-extern SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
-extern SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
-extern SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
-extern SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
-extern SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
-extern SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
/* Values for "policy" argument to SSL_PolicySet */
/* Values returned by SSL_CipherPolicyGet. */
@@ -132,13 +155,13 @@ extern SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
** handshake protocol execute from the ground up on the next i/o
** operation.
*/
-extern SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
+SSL_IMPORT SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
/*
** Force the handshake for fd to complete immediately. This blocks until
** the complete SSL handshake protocol is finished.
*/
-extern int SSL_ForceHandshake(PRFileDesc *fd);
+SSL_IMPORT int SSL_ForceHandshake(PRFileDesc *fd);
/*
** Query security status of socket. *on is set to one if security is
@@ -151,7 +174,7 @@ extern int SSL_ForceHandshake(PRFileDesc *fd);
** data is not needed. All strings returned by this function are owned
** by SSL, and will be freed when the socket is closed.
*/
-extern int SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
+SSL_IMPORT int SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
int *keySize, int *secretKeySize,
char **issuer, char **subject);
@@ -169,7 +192,7 @@ extern int SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
** if the client had no certificate when asked.
** "fd" the socket "file" descriptor
*/
-extern CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
/*
** Authenticate certificate hook. Called when a certificate comes in
@@ -178,11 +201,11 @@ extern CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
*/
typedef int (*SSLAuthCertificate)(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer);
-extern int SSL_AuthCertificateHook(PRFileDesc *fd, SSLAuthCertificate f,
+SSL_IMPORT int SSL_AuthCertificateHook(PRFileDesc *fd, SSLAuthCertificate f,
void *arg);
/* An implementation of the certificate authentication hook */
-extern int SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
+SSL_IMPORT int SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer);
/*
@@ -204,7 +227,7 @@ typedef int (*SSLGetClientAuthData)(void *arg, PRFileDesc *fd,
* f - the application's callback that delivers the key and cert
* a - application specific data
*/
-extern int SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f,
+SSL_IMPORT int SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f,
void *a);
@@ -213,7 +236,7 @@ extern int SSL_GetClientAuthDataHook(PRFileDesc *fd, SSLGetClientAuthData f,
* fd - the file descriptor for the connection in question
* a - pkcs11 application specific data
*/
-extern int SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
+SSL_IMPORT int SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
/*
** This is a callback for dealing with server certs that are not authenticated
@@ -221,7 +244,7 @@ extern int SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
** cert by some external means and restart the connection.
*/
typedef int (*SSLBadCertHandler)(void *arg, PRFileDesc *fd);
-extern int SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg);
+SSL_IMPORT int SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg);
/*
** Configure ssl for running a secure server. Needs the
@@ -237,7 +260,7 @@ typedef enum {
kt_kea_size
} SSLKEAType;
-extern SECStatus SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
+SSL_IMPORT SECStatus SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
SECKEYPrivateKey *key, SSLKEAType kea);
/*
@@ -248,7 +271,7 @@ extern SECStatus SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
** This version of the function is for use in applications that have only one
** process that uses the cache (even if that process has multiple threads).
*/
-extern int SSL_ConfigServerSessionIDCache(int maxCacheEntries,
+SSL_IMPORT int SSL_ConfigServerSessionIDCache(int maxCacheEntries,
PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory);
@@ -261,7 +284,7 @@ extern int SSL_ConfigServerSessionIDCache(int maxCacheEntries,
** This function sets up a Server Session ID (SID) cache that is safe for
** access by multiple processes on the same system.
*/
-extern int SSL_ConfigMPServerSIDCache(int maxCacheEntries,
+SSL_IMPORT int SSL_ConfigMPServerSIDCache(int maxCacheEntries,
PRUint32 timeout,
PRUint32 ssl3_timeout,
const char * directory);
@@ -276,14 +299,14 @@ extern int SSL_ConfigMPServerSIDCache(int maxCacheEntries,
* variable "SSL_INHERITANCE", otherwise the string value passed in will be
* used.
*/
-extern SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
/*
** Set the callback on a particular socket that gets called when we finish
** performing a handshake.
*/
typedef void (*SSLHandshakeCallback)(PRFileDesc *fd, void *client_data);
-extern int SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
+SSL_IMPORT int SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
void *client_data);
/*
@@ -294,7 +317,7 @@ extern int SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
** do the much faster session restart handshake. This will change the
** session keys without doing another private key operation.
*/
-extern int SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
+SSL_IMPORT int SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
/*
** For the server, request a new handshake. For the client, begin a new
@@ -302,68 +325,68 @@ extern int SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
** full handshake will be done.
** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
*/
-extern int SSL_RedoHandshake(PRFileDesc *fd);
+SSL_IMPORT int SSL_RedoHandshake(PRFileDesc *fd);
/*
** Return 1 if the socket is direct, 0 if not, -1 on error
*/
-extern int SSL_CheckDirectSock(PRFileDesc *s);
+SSL_IMPORT int SSL_CheckDirectSock(PRFileDesc *s);
/*
** A cousin to SSL_Bind, this takes an extra arg: dsthost, so we can
** set up sockd connection. This should be used with socks enabled.
*/
-extern int SSL_BindForSockd(PRFileDesc *s, PRNetAddr *sa, long dsthost);
+SSL_IMPORT int SSL_BindForSockd(PRFileDesc *s, PRNetAddr *sa, long dsthost);
/*
** Configure ssl for using socks.
*/
-extern SECStatus SSL_ConfigSockd(PRFileDesc *fd, PRUint32 host, PRUint16 port);
+SSL_IMPORT SECStatus SSL_ConfigSockd(PRFileDesc *fd, PRUint32 host, PRUint16 port);
/*
* Allow the application to pass a URL or hostname into the SSL library
*/
-extern int SSL_SetURL(PRFileDesc *fd, const char *url);
+SSL_IMPORT int SSL_SetURL(PRFileDesc *fd, const char *url);
/*
** Return the number of bytes that SSL has waiting in internal buffers.
** Return 0 if security is not enabled.
*/
-extern int SSL_DataPending(PRFileDesc *fd);
+SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
/*
** Invalidate the SSL session associated with fd.
*/
-extern int SSL_InvalidateSession(PRFileDesc *fd);
+SSL_IMPORT int SSL_InvalidateSession(PRFileDesc *fd);
/*
** Return a SECItem containing the SSL session ID associated with the fd.
*/
-extern SECItem *SSL_GetSessionID(PRFileDesc *fd);
+SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
/*
** Clear out the SSL session cache.
*/
-extern void SSL_ClearSessionCache(void);
+SSL_IMPORT void SSL_ClearSessionCache(void);
/*
** Set peer information so we can correctly look up SSL session later.
** You only have to do this if you're tunneling through a proxy.
*/
-extern int SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
+SSL_IMPORT int SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
/*
** Read the socks config file. You must do this before doing anything with
** socks.
*/
-extern int SSL_ReadSocksConfFile(PRFileDesc *fp);
+SSL_IMPORT int SSL_ReadSocksConfFile(PRFileDesc *fp);
/*
** Reveal the security information for the peer.
*/
-extern CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
-extern void * SSL_RevealPinArg(PRFileDesc * socket);
-extern char * SSL_RevealURL(PRFileDesc * socket);
+SSL_IMPORT CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
+SSL_IMPORT void * SSL_RevealPinArg(PRFileDesc * socket);
+SSL_IMPORT char * SSL_RevealURL(PRFileDesc * socket);
/* This callback may be passed to the SSL library via a call to
@@ -375,7 +398,7 @@ extern char * SSL_RevealURL(PRFileDesc * socket);
* If arg is NULL, this function will search the cert and key databases for
* a suitable match and send it if one is found.
*/
-extern SECStatus
+SSL_IMPORT SECStatus
NSS_GetClientAuthData(void * arg,
PRFileDesc * socket,
struct CERTDistNamesStr * caNames,
@@ -388,18 +411,18 @@ NSS_GetClientAuthData(void * arg,
* Returns SECSuccess if so, SECFailure if not.
* Used by NSS_GetClientAuthData. May be used by other callback functions.
*/
-extern SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert,
+SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert,
CERTDistNames *caNames);
/*
* Returns key exchange type of the keys in an SSL server certificate.
*/
-extern SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
+SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
* This essentially enables all supported ciphers.
*/
-extern SECStatus NSS_SetDomesticPolicy(void);
+SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
/* Set cipher policies to a predefined Policy that is exportable from the USA
* according to present U.S. policies as we understand them.
@@ -409,14 +432,16 @@ extern SECStatus NSS_SetDomesticPolicy(void);
* by this function. In that case, you should use SSL_SetPolicy()
* to explicitly allow those ciphers you may legally export.
*/
-extern SECStatus NSS_SetExportPolicy(void);
+SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
/* Set cipher policies to a predefined Policy that is exportable from the USA
* according to present U.S. policies as we understand them, and that the
* nation of France will permit to be imported into their country.
* See documentation for the list.
*/
-extern SECStatus NSS_SetFrancePolicy(void);
+SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
+
+SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
SEC_END_PROTOS
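Review bot: `SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);` is the only prototype in this header without a descriptive comment block, and it returns a writable pointer to library-owned state. Unless callers are meant to reset the counters, declaring the return as `const SSL3Statistics *` would state the read-only contract in the type; otherwise a comment such as `/* Returns the library's session-cache statistics. The struct is owned by libssl, is updated during handshakes, and must not be freed. */` should precede the declaration.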
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 8d607915b..cda2ba812 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -144,21 +144,7 @@ PRBool ssl3_global_policy_some_restricted = PR_FALSE;
** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
*/
CERTDistNames *ssl3_server_ca_list = NULL;
-
-/* statistics from ssl3_SendClientHello (sch) */
-long ssl3_sch_sid_cache_hits;
-long ssl3_sch_sid_cache_misses;
-long ssl3_sch_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleServerHello (hsh) */
-long ssl3_hsh_sid_cache_hits;
-long ssl3_hsh_sid_cache_misses;
-long ssl3_hsh_sid_cache_not_ok;
-
-/* statistics from ssl3_HandleClientHello (hch) */
-long ssl3_hch_sid_cache_hits;
-long ssl3_hch_sid_cache_misses;
-long ssl3_hch_sid_cache_not_ok;
+static SSL3Statistics ssl3stats;
/* indexed by SSL3BulkCipher */
static const ssl3BulkCipherDef bulk_cipher_defs[] = {
@@ -338,6 +324,12 @@ ssl3_DecodeContentType(int msgType)
#endif
+SSL3Statistics *
+SSL_GetStatistics(void)
+{
+ return &ssl3stats;
+}
+
/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
/* XXX This does a linear search. A binary search would be better. */
static const ssl3CipherSuiteDef *
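Review bot: SSL_GetStatistics hands out the address of `ssl3stats`, whose fields are bumped with plain `++` in the hunks below (e.g. `++ssl3stats.sch_sid_cache_not_ok;`) with no lock visible around the increments, so a caller reading through the returned pointer gets a racy snapshot; that was equally true of the old exported globals, but an accessor is the place where the contract gets written down. A comment above the definition, e.g. `/* Counters are updated without synchronization; treat the values as approximate. */`, makes that explicit. The function is complete within this hunk.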
@@ -2510,7 +2502,7 @@ ssl3_SendClientHello(sslSocket *ss)
}
if (!sidOK) {
- ++ssl3_sch_sid_cache_not_ok;
+ ++ssl3stats.sch_sid_cache_not_ok;
(*ss->sec->uncache)(sid);
ssl_FreeSID(sid);
sid = NULL;
@@ -2518,7 +2510,7 @@ ssl3_SendClientHello(sslSocket *ss)
}
if (sid) {
- ++ssl3_sch_sid_cache_hits;
+ ++ssl3stats.sch_sid_cache_hits;
rv = ssl3_NegotiateVersion(ss, sid->version);
if (rv != SECSuccess)
@@ -2528,7 +2520,7 @@ ssl3_SendClientHello(sslSocket *ss)
sid->u.ssl3.sessionIDLength));
ss->ssl3->policy = sid->u.ssl3.policy;
} else {
- ++ssl3_sch_sid_cache_misses;
+ ++ssl3stats.sch_sid_cache_misses;
rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
if (rv != SECSuccess)
@@ -3813,7 +3805,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
/* Got a Match */
- ++ssl3_hsh_sid_cache_hits;
+ ++ssl3stats.hsh_sid_cache_hits;
ss->ssl3->hs.ws = wait_change_cipher;
ss->ssl3->hs.isResuming = PR_TRUE;
@@ -3861,9 +3853,9 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
} while (0);
if (sid_match)
- ++ssl3_hsh_sid_cache_not_ok;
+ ++ssl3stats.hsh_sid_cache_not_ok;
else
- ++ssl3_hsh_sid_cache_misses;
+ ++ssl3stats.hsh_sid_cache_misses;
/* throw the old one away */
sid->u.ssl3.resumable = PR_FALSE;
@@ -4628,7 +4620,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
((ss->requireCertificate == 1) ||
((ss->requireCertificate == 2) && !ss->connected))) {
- ++ssl3_hch_sid_cache_not_ok;
+ ++ssl3stats.hch_sid_cache_not_ok;
ss->sec->uncache(sid);
ssl_FreeSID(sid);
sid = NULL;
@@ -4773,7 +4765,7 @@ compression_found:
*
* XXX make sure compression still matches
*/
- ++ssl3_hch_sid_cache_hits;
+ ++ssl3stats.hch_sid_cache_hits;
ssl3->hs.isResuming = PR_TRUE;
ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
@@ -4889,12 +4881,12 @@ compression_found:
}
if (sid) { /* we had a sid, but it's no longer valid, free it */
- ++ssl3_hch_sid_cache_not_ok;
+ ++ssl3stats.hch_sid_cache_not_ok;
ss->sec->uncache(sid);
ssl_FreeSID(sid);
sid = NULL;
}
- ++ssl3_hch_sid_cache_misses;
+ ++ssl3stats.hch_sid_cache_misses;
sid = ssl3_NewSessionID(ss, PR_TRUE);
if (sid == NULL) {
@@ -5063,7 +5055,7 @@ suite_found:
ss->sec->send = ssl3_SendApplicationData;
/* we don't even search for a cache hit here. It's just a miss. */
- ++ssl3_hch_sid_cache_misses;
+ ++ssl3stats.hch_sid_cache_misses;
sid = ssl3_NewSessionID(ss, PR_TRUE);
if (sid == NULL) {
errCode = PORT_GetError();
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 87d3896c4..550c49c18 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -466,7 +466,7 @@ ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey,
case SSL_CK_RC4_128_WITH_MD5:
case SSL_CK_DES_64_CBC_WITH_MD5:
case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
- sec->hash = &SECHashObjects[HASH_AlgMD5];
+ sec->hash = HASH_GetHashObject(HASH_AlgMD5);
SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
break;
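Review bot: The pointer from `HASH_GetHashObject(HASH_AlgMD5)` is stored into sec->hash without a NULL check; whether the helper can fail for an out-of-range algorithm is not visible here (its definition is in sechash.c, outside this hunk). With a fixed enum argument the lookup is presumably infallible, so at minimum that assumption should be pinned next to the call: `/* HASH_AlgMD5 is a fixed, valid constant, so the lookup cannot fail */`. If HASH_GetHashObject does range-check and can return NULL, any caller passing a negotiated rather than constant algorithm must check before sec->hash is dereferenced. ssl2_CreateMAC begins before and continues after this hunk.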
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index c2c06c26c..cdc8d3fce 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -247,7 +247,7 @@ struct sslSocketStr {
PRFileDesc * fd;
/* Pointer to operations vector for this socket */
- sslSocketOps * ops;
+ const sslSocketOps * ops;
/* State flags */
unsigned int useSocks : 1;
@@ -552,7 +552,7 @@ struct sslSecurityInfoStr {
uint32 rcvSequence; /*recvBufLock*/ /* ssl2 only */
/* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
- SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
+ const SECHashObject *hash; /* Spec Lock */ /* ssl2 only */
void *hashcx; /* Spec Lock */ /* ssl2 only */
SECItem sendSecret; /* Spec Lock */ /* ssl2 only */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 905b688de..a4d489e7d 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -78,8 +78,7 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */
{ 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
};
-static
-sslSocketOps ssl_default_ops = { /* No SSL, No Socks. */
+static const sslSocketOps ssl_default_ops = { /* No SSL, No Socks. */
ssl_DefConnect,
NULL,
ssl_DefBind,
@@ -94,8 +93,7 @@ sslSocketOps ssl_default_ops = { /* No SSL, No Socks. */
ssl_DefGetsockname
};
-static
-sslSocketOps ssl_socks_ops = { /* No SSL, has socks. */
+static const sslSocketOps ssl_socks_ops = { /* No SSL, has socks. */
ssl_SocksConnect,
ssl_SocksAccept,
ssl_SocksBind,
@@ -110,8 +108,7 @@ sslSocketOps ssl_socks_ops = { /* No SSL, has socks. */
ssl_SocksGetsockname
};
-static
-sslSocketOps ssl_secure_ops = { /* SSL, no socks. */
+static const sslSocketOps ssl_secure_ops = { /* SSL, no socks. */
ssl_SecureConnect,
NULL,
ssl_DefBind,
@@ -126,8 +123,7 @@ sslSocketOps ssl_secure_ops = { /* SSL, no socks. */
ssl_DefGetsockname
};
-static
-sslSocketOps ssl_secure_socks_ops = { /* Both SSL and Socks. */
+static const sslSocketOps ssl_secure_socks_ops = { /* Both SSL and Socks. */
ssl_SecureSocksConnect,
ssl_SecureSocksAccept,
ssl_SocksBind,
@@ -215,19 +211,6 @@ ssl_FindSocket(PRFileDesc *fd)
return ss;
}
-#if 0 /* dead code. */
-PRFileDesc *
-ssl_FindTop(sslSocket *ss)
-{
- PRFileDesc *fd = ss->fd;
-
- while (fd->higher != NULL)
- fd = fd->higher;
-
- return fd;
-}
-#endif
-
sslSocket *
ssl_DupSocket(sslSocket *os)
{