From a98f4c06288ffa848d1fe29ac26ec79cc0f01265 Mon Sep 17 00:00:00 2001 From: "wtc%netscape.com" Date: Wed, 26 Mar 2003 00:31:13 +0000 Subject: [PATCH] Bug 199082: checked in Nelson's patch, which a) changes selfserv to test the return value from NSS_Shutdown. b) changes SECMOD_Shutdown to set the error code SEC_ERROR_BUSY before returning SECFailure. c) Adds a new function SSL_ShutdownServerSessionIDCache to ssl.h. d) Changes selfserv to call SSL_ShutdownServerSessionIDCache before calling NSS_Shutdown. Modified Files: cmd/selfserv/selfserv.c lib/pk11wrap/pk11util.c lib/ssl/ssl.def lib/ssl/ssl.h lib/ssl/ssl3con.c lib/ssl/sslimpl.h lib/ssl/sslsnce.c --- security/nss/cmd/selfserv/selfserv.c | 8 ++++++- security/nss/lib/pk11wrap/pk11util.c | 6 +++++- security/nss/lib/ssl/ssl.def | 6 ++++++ security/nss/lib/ssl/ssl.h | 7 +++++- security/nss/lib/ssl/ssl3con.c | 32 ++++++++++++++++++++++++---- security/nss/lib/ssl/sslimpl.h | 5 ++++- security/nss/lib/ssl/sslsnce.c | 17 ++++++++++++++- 7 files changed, 72 insertions(+), 9 deletions(-) diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index 5a4dff262c95..41f1efe8b2d9 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -1739,7 +1739,13 @@ main(int argc, char **argv) free(nickName); free(passwd); - NSS_Shutdown(); + SSL_ShutdownServerSessionIDCache(); + + if (NSS_Shutdown() != SECSuccess) { + SECU_PrintError(progName, "NSS_Shutdown"); + PR_Cleanup(); + exit(1); + } PR_Cleanup(); printf("selfserv: normal termination\n"); return 0; diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index 9c66a6491a20..1a32d04b93f9 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -112,7 +112,11 @@ SECMOD_Shutdown() { PORT_Assert(secmod_PrivateModuleCount == 0); } #endif - return (secmod_PrivateModuleCount == 0) ? SECSuccess : SECFailure; + if (secmod_PrivateModuleCount) { + PORT_SetError(SEC_ERROR_BUSY); + return SECFailure; + } + return SECSuccess; } diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def index 7833ae741ea2..33083caeab90 100644 --- a/security/nss/lib/ssl/ssl.def +++ b/security/nss/lib/ssl/ssl.def @@ -115,3 +115,9 @@ SSL_SetMaxServerCacheLocks; ;+ local: ;+*; ;+}; +;+NSS_3.7.4 { # NSS 3.7.4 release +;+ global: +SSL_ShutdownServerSessionIDCache; +;+ local: +;+*; +;+}; diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h index 10eb931e941a..f9f3d93a3331 100644 --- a/security/nss/lib/ssl/ssl.h +++ b/security/nss/lib/ssl/ssl.h @@ -32,7 +32,7 @@ * may use your version of this file under either the MPL or the * GPL. * - * $Id: ssl.h,v 1.15 2002/09/18 22:32:19 wtc%netscape.com Exp $ + * $Id: ssl.h,v 1.16 2003/03/26 00:31:12 wtc%netscape.com Exp $ */ #ifndef __ssl_h_ @@ -364,6 +364,11 @@ SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd); */ SSL_IMPORT void SSL_ClearSessionCache(void); +/* +** Close the server's SSL session cache. +*/ +SSL_IMPORT SECStatus SSL_ShutdownServerSessionIDCache(void); + /* ** Set peer information so we can correctly look up SSL session later. ** You only have to do this if you're tunneling through a proxy. diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 3582321ac75e..1f3edb2cc613 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -37,7 +37,7 @@ * may use your version of this file under either the MPL or the * GPL. * - * $Id: ssl3con.c,v 1.51 2003/03/13 16:36:43 relyea%netscape.com Exp $ + * $Id: ssl3con.c,v 1.52 2003/03/26 00:31:12 wtc%netscape.com Exp $ */ #include "nssrenam.h" @@ -3320,6 +3320,33 @@ typedef struct { PK11SymKey * symWrapKey[kt_kea_size]; } ssl3SymWrapKey; +static PZLock * symWrapKeysLock; +static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; + +SECStatus +SSL3_ShutdownServerCache(void) +{ + int i, j; + + if (!symWrapKeysLock) + return SECSuccess; /* was never initialized */ + PZ_Lock(symWrapKeysLock); + /* get rid of all symWrapKeys */ + for (i = 0; i < SSL_NUM_WRAP_MECHS; ++i) { + for (j = 0; j < kt_kea_size; ++j) { + PK11SymKey ** pSymWrapKey; + pSymWrapKey = &symWrapKeys[i].symWrapKey[j]; + if (*pSymWrapKey) { + PK11_FreeSymKey(*pSymWrapKey); + *pSymWrapKey = NULL; + } + } + } + + PZ_Unlock(symWrapKeysLock); + return SECSuccess; +} + /* Try to get wrapping key for mechanism from in-memory array. * If that fails, look for one on disk. * If that fails, generate a new one, put the new one on disk, @@ -3344,9 +3371,6 @@ getWrappingKey( sslSocket * ss, SECItem wrappedKey; SSLWrappedSymWrappingKey wswk; - static PZLock * symWrapKeysLock; - static ssl3SymWrapKey symWrapKeys[SSL_NUM_WRAP_MECHS]; - svrPrivKey = ss->serverCerts[exchKeyType].serverKey; PORT_Assert(svrPrivKey != NULL); if (!svrPrivKey) { diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 6d64bfa3053e..84ab9868d147 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -38,7 +38,7 @@ * may use your version of this file under either the MPL or the * GPL. * - * $Id: sslimpl.h,v 1.30 2003/02/27 01:31:34 nelsonb%netscape.com Exp $ + * $Id: sslimpl.h,v 1.31 2003/03/26 00:31:13 wtc%netscape.com Exp $ */ #ifndef __sslimpl_h_ @@ -1261,6 +1261,9 @@ ssl_GetWrappingKey( PRInt32 symWrapMechIndex, extern PRBool ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk); +/* get rid of the symmetric wrapping key references. */ +extern SECStatus SSL3_ShutdownServerCache(void); + /********************** misc calls *********************/ extern int ssl_MapLowLevelError(int hiLevelError); diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index 88ca300df0e9..c197ae4fd420 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -32,7 +32,7 @@ * may use your version of this file under either the MPL or the * GPL. * - * $Id: sslsnce.c,v 1.23 2003/01/23 00:15:08 jpierre%netscape.com Exp $ + * $Id: sslsnce.c,v 1.24 2003/03/26 00:31:13 wtc%netscape.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server @@ -1158,6 +1158,21 @@ SSL_ConfigServerSessionIDCache( int maxCacheEntries, maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE); } +SECStatus +SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache) +{ + /* if single process, close down, clean up. + ** if multi-process, TBD. + */ +} + +SECStatus +SSL_ShutdownServerSessionIDCache(void) +{ + SSL3_ShutdownServerCache(); + return SSL_ShutdownServerSessionIDCacheInstance(&globalCache); +} + /* Use this function, instead of SSL_ConfigServerSessionIDCache, * if the cache will be shared by multiple processes. */