michael@0: /* This file implements the SERVER Session ID cache. michael@0: * NOTE: The contents of this file are NOT used by the client. michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server michael@0: * cache sids! michael@0: * michael@0: * About record locking among different server processes: michael@0: * michael@0: * All processes that are part of the same conceptual server (serving on michael@0: * the same address and port) MUST share a common SSL session cache. michael@0: * This code makes the content of the shared cache accessible to all michael@0: * processes on the same "server". This code works on Unix and Win32 only. michael@0: * michael@0: * We use NSPR anonymous shared memory and move data to & from shared memory. michael@0: * We must do explicit locking of the records for all reads and writes. michael@0: * The set of Cache entries are divided up into "sets" of 128 entries. michael@0: * Each set is protected by a lock. There may be one or more sets protected michael@0: * by each lock. That is, locks to sets are 1:N. michael@0: * There is one lock for the entire cert cache. michael@0: * There is one lock for the set of wrapped sym wrap keys. michael@0: * michael@0: * The anonymous shared memory is laid out as if it were declared like this: michael@0: * michael@0: * struct { michael@0: * cacheDescriptor desc; michael@0: * sidCacheLock sidCacheLocks[ numSIDCacheLocks]; michael@0: * sidCacheLock keyCacheLock; michael@0: * sidCacheLock certCacheLock; michael@0: * sidCacheSet sidCacheSets[ numSIDCacheSets ]; michael@0: * sidCacheEntry sidCacheData[ numSIDCacheEntries]; michael@0: * certCacheEntry certCacheData[numCertCacheEntries]; michael@0: * SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS]; michael@0: * PRUint8 keyNameSuffix[SESS_TICKET_KEY_VAR_NAME_LEN] michael@0: * encKeyCacheEntry ticketEncKey; // Wrapped in non-bypass mode michael@0: * encKeyCacheEntry ticketMacKey; // Wrapped in non-bypass mode michael@0: * PRBool ticketKeysValid; michael@0: * sidCacheLock srvNameCacheLock; michael@0: * srvNameCacheEntry srvNameData[ numSrvNameCacheEntries ]; michael@0: * } cacheMemCacheData; michael@0: */ michael@0: #include "seccomon.h" michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS) michael@0: michael@0: #include "cert.h" michael@0: #include "ssl.h" michael@0: #include "sslimpl.h" michael@0: #include "sslproto.h" michael@0: #include "pk11func.h" michael@0: #include "base64.h" michael@0: #include "keyhi.h" michael@0: #ifdef NO_PKCS11_BYPASS michael@0: #include "blapit.h" michael@0: #include "sechash.h" michael@0: #else michael@0: #include "blapi.h" michael@0: #endif michael@0: michael@0: #include michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: michael@0: #include michael@0: #include michael@0: #include michael@0: #include michael@0: #include michael@0: #include "unix_err.h" michael@0: michael@0: #else michael@0: michael@0: #ifdef XP_WIN32 michael@0: #include michael@0: #include "win32err.h" michael@0: #endif michael@0: michael@0: #endif michael@0: #include michael@0: michael@0: #define SET_ERROR_CODE /* reminder */ michael@0: michael@0: #include "nspr.h" michael@0: #include "sslmutex.h" michael@0: michael@0: /* michael@0: ** Format of a cache entry in the shared memory. michael@0: */ michael@0: struct sidCacheEntryStr { michael@0: /* 16 */ PRIPv6Addr addr; /* client's IP address */ michael@0: /* 4 */ PRUint32 creationTime; michael@0: /* 4 */ PRUint32 lastAccessTime; michael@0: /* 4 */ PRUint32 expirationTime; michael@0: /* 2 */ PRUint16 version; michael@0: /* 1 */ PRUint8 valid; michael@0: /* 1 */ PRUint8 sessionIDLength; michael@0: /* 32 */ PRUint8 sessionID[SSL3_SESSIONID_BYTES]; michael@0: /* 2 */ PRUint16 authAlgorithm; michael@0: /* 2 */ PRUint16 authKeyBits; michael@0: /* 2 */ PRUint16 keaType; michael@0: /* 2 */ PRUint16 keaKeyBits; michael@0: /* 72 - common header total */ michael@0: michael@0: union { michael@0: struct { michael@0: /* 64 */ PRUint8 masterKey[SSL_MAX_MASTER_KEY_BYTES]; michael@0: /* 32 */ PRUint8 cipherArg[SSL_MAX_CYPHER_ARG_BYTES]; michael@0: michael@0: /* 1 */ PRUint8 cipherType; michael@0: /* 1 */ PRUint8 masterKeyLen; michael@0: /* 1 */ PRUint8 keyBits; michael@0: /* 1 */ PRUint8 secretKeyBits; michael@0: /* 1 */ PRUint8 cipherArgLen; michael@0: /*101 */} ssl2; michael@0: michael@0: struct { michael@0: /* 2 */ ssl3CipherSuite cipherSuite; michael@0: /* 2 */ PRUint16 compression; /* SSLCompressionMethod */ michael@0: michael@0: /* 52 */ ssl3SidKeys keys; /* keys, wrapped as needed. */ michael@0: michael@0: /* 4 */ PRUint32 masterWrapMech; michael@0: /* 4 */ SSL3KEAType exchKeyType; michael@0: /* 4 */ PRInt32 certIndex; michael@0: /* 4 */ PRInt32 srvNameIndex; michael@0: /* 32 */ PRUint8 srvNameHash[SHA256_LENGTH]; /* SHA256 name hash */ michael@0: /*104 */} ssl3; michael@0: /* force sizeof(sidCacheEntry) to be a multiple of cache line size */ michael@0: struct { michael@0: /*120 */ PRUint8 filler[120]; /* 72+120==192, a multiple of 16 */ michael@0: } forceSize; michael@0: } u; michael@0: }; michael@0: typedef struct sidCacheEntryStr sidCacheEntry; michael@0: michael@0: /* The length of this struct is supposed to be a power of 2, e.g. 4KB */ michael@0: struct certCacheEntryStr { michael@0: PRUint16 certLength; /* 2 */ michael@0: PRUint16 sessionIDLength; /* 2 */ michael@0: PRUint8 sessionID[SSL3_SESSIONID_BYTES]; /* 32 */ michael@0: PRUint8 cert[SSL_MAX_CACHED_CERT_LEN]; /* 4060 */ michael@0: }; /* total 4096 */ michael@0: typedef struct certCacheEntryStr certCacheEntry; michael@0: michael@0: struct sidCacheLockStr { michael@0: PRUint32 timeStamp; michael@0: sslMutex mutex; michael@0: sslPID pid; michael@0: }; michael@0: typedef struct sidCacheLockStr sidCacheLock; michael@0: michael@0: struct sidCacheSetStr { michael@0: PRIntn next; michael@0: }; michael@0: typedef struct sidCacheSetStr sidCacheSet; michael@0: michael@0: struct encKeyCacheEntryStr { michael@0: PRUint8 bytes[512]; michael@0: PRInt32 length; michael@0: }; michael@0: typedef struct encKeyCacheEntryStr encKeyCacheEntry; michael@0: michael@0: #define SSL_MAX_DNS_HOST_NAME 1024 michael@0: michael@0: struct srvNameCacheEntryStr { michael@0: PRUint16 type; /* 2 */ michael@0: PRUint16 nameLen; /* 2 */ michael@0: PRUint8 name[SSL_MAX_DNS_HOST_NAME + 12]; /* 1034 */ michael@0: PRUint8 nameHash[SHA256_LENGTH]; /* 32 */ michael@0: /* 1072 */ michael@0: }; michael@0: typedef struct srvNameCacheEntryStr srvNameCacheEntry; michael@0: michael@0: michael@0: struct cacheDescStr { michael@0: michael@0: PRUint32 cacheMemSize; michael@0: michael@0: PRUint32 numSIDCacheLocks; michael@0: PRUint32 numSIDCacheSets; michael@0: PRUint32 numSIDCacheSetsPerLock; michael@0: michael@0: PRUint32 numSIDCacheEntries; michael@0: PRUint32 sidCacheSize; michael@0: michael@0: PRUint32 numCertCacheEntries; michael@0: PRUint32 certCacheSize; michael@0: michael@0: PRUint32 numKeyCacheEntries; michael@0: PRUint32 keyCacheSize; michael@0: michael@0: PRUint32 numSrvNameCacheEntries; michael@0: PRUint32 srvNameCacheSize; michael@0: michael@0: PRUint32 ssl2Timeout; michael@0: PRUint32 ssl3Timeout; michael@0: michael@0: PRUint32 numSIDCacheLocksInitialized; michael@0: michael@0: /* These values are volatile, and are accessed through sharedCache-> */ michael@0: PRUint32 nextCertCacheEntry; /* certCacheLock protects */ michael@0: PRBool stopPolling; michael@0: PRBool everInherited; michael@0: michael@0: /* The private copies of these values are pointers into shared mem */ michael@0: /* The copies of these values in shared memory are merely offsets */ michael@0: sidCacheLock * sidCacheLocks; michael@0: sidCacheLock * keyCacheLock; michael@0: sidCacheLock * certCacheLock; michael@0: sidCacheLock * srvNameCacheLock; michael@0: sidCacheSet * sidCacheSets; michael@0: sidCacheEntry * sidCacheData; michael@0: certCacheEntry * certCacheData; michael@0: SSLWrappedSymWrappingKey * keyCacheData; michael@0: PRUint8 * ticketKeyNameSuffix; michael@0: encKeyCacheEntry * ticketEncKey; michael@0: encKeyCacheEntry * ticketMacKey; michael@0: PRUint32 * ticketKeysValid; michael@0: srvNameCacheEntry * srvNameCacheData; michael@0: michael@0: /* Only the private copies of these pointers are valid */ michael@0: char * cacheMem; michael@0: struct cacheDescStr * sharedCache; /* shared copy of this struct */ michael@0: PRFileMap * cacheMemMap; michael@0: PRThread * poller; michael@0: PRUint32 mutexTimeout; michael@0: PRBool shared; michael@0: }; michael@0: typedef struct cacheDescStr cacheDesc; michael@0: michael@0: static cacheDesc globalCache; michael@0: michael@0: static const char envVarName[] = { SSL_ENV_VAR_NAME }; michael@0: michael@0: static PRBool isMultiProcess = PR_FALSE; michael@0: michael@0: michael@0: #define DEF_SID_CACHE_ENTRIES 10000 michael@0: #define DEF_CERT_CACHE_ENTRIES 250 michael@0: #define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */ michael@0: #define DEF_KEY_CACHE_ENTRIES 250 michael@0: #define DEF_NAME_CACHE_ENTRIES 1000 michael@0: michael@0: #define SID_CACHE_ENTRIES_PER_SET 128 michael@0: #define SID_ALIGNMENT 16 michael@0: michael@0: #define DEF_SSL2_TIMEOUT 100 /* seconds */ michael@0: #define MAX_SSL2_TIMEOUT 100 /* seconds */ michael@0: #define MIN_SSL2_TIMEOUT 5 /* seconds */ michael@0: michael@0: #define DEF_SSL3_TIMEOUT 86400L /* 24 hours */ michael@0: #define MAX_SSL3_TIMEOUT 86400L /* 24 hours */ michael@0: #define MIN_SSL3_TIMEOUT 5 /* seconds */ michael@0: michael@0: #if defined(AIX) || defined(LINUX) || defined(NETBSD) || defined(OPENBSD) michael@0: #define MAX_SID_CACHE_LOCKS 8 /* two FDs per lock */ michael@0: #elif defined(OSF1) michael@0: #define MAX_SID_CACHE_LOCKS 16 /* one FD per lock */ michael@0: #else michael@0: #define MAX_SID_CACHE_LOCKS 256 michael@0: #endif michael@0: michael@0: #define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size)) michael@0: #define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size))) michael@0: michael@0: michael@0: static sslPID myPid; michael@0: static PRUint32 ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS; michael@0: michael@0: /* forward static function declarations */ michael@0: static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, michael@0: unsigned nl); michael@0: static SECStatus LaunchLockPoller(cacheDesc *cache); michael@0: static SECStatus StopLockPoller(cacheDesc *cache); michael@0: michael@0: michael@0: struct inheritanceStr { michael@0: PRUint32 cacheMemSize; michael@0: PRUint32 fmStrLen; michael@0: }; michael@0: michael@0: typedef struct inheritanceStr inheritance; michael@0: michael@0: #if defined(_WIN32) || defined(XP_OS2) michael@0: michael@0: #define DEFAULT_CACHE_DIRECTORY "\\temp" michael@0: michael@0: #endif /* _win32 */ michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: michael@0: #define DEFAULT_CACHE_DIRECTORY "/tmp" michael@0: michael@0: #endif /* XP_UNIX || XP_BEOS */ michael@0: michael@0: michael@0: /************************************************************************/ michael@0: michael@0: static PRUint32 michael@0: LockSidCacheLock(sidCacheLock *lock, PRUint32 now) michael@0: { michael@0: SECStatus rv = sslMutex_Lock(&lock->mutex); michael@0: if (rv != SECSuccess) michael@0: return 0; michael@0: if (!now) michael@0: now = ssl_Time(); michael@0: lock->timeStamp = now; michael@0: lock->pid = myPid; michael@0: return now; michael@0: } michael@0: michael@0: static SECStatus michael@0: UnlockSidCacheLock(sidCacheLock *lock) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: lock->pid = 0; michael@0: rv = sslMutex_Unlock(&lock->mutex); michael@0: return rv; michael@0: } michael@0: michael@0: /* returns the value of ssl_Time on success, zero on failure. */ michael@0: static PRUint32 michael@0: LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now) michael@0: { michael@0: PRUint32 lockNum = set % cache->numSIDCacheLocks; michael@0: sidCacheLock * lock = cache->sidCacheLocks + lockNum; michael@0: michael@0: return LockSidCacheLock(lock, now); michael@0: } michael@0: michael@0: static SECStatus michael@0: UnlockSet(cacheDesc *cache, PRUint32 set) michael@0: { michael@0: PRUint32 lockNum = set % cache->numSIDCacheLocks; michael@0: sidCacheLock * lock = cache->sidCacheLocks + lockNum; michael@0: michael@0: return UnlockSidCacheLock(lock); michael@0: } michael@0: michael@0: /************************************************************************/ michael@0: michael@0: michael@0: /* Put a certificate in the cache. Update the cert index in the sce. michael@0: */ michael@0: static PRUint32 michael@0: CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce) michael@0: { michael@0: PRUint32 now; michael@0: certCacheEntry cce; michael@0: michael@0: if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) || michael@0: (cert->derCert.len <= 0) || michael@0: (cert->derCert.data == NULL)) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return 0; michael@0: } michael@0: michael@0: cce.sessionIDLength = sce->sessionIDLength; michael@0: PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength); michael@0: michael@0: cce.certLength = cert->derCert.len; michael@0: PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength); michael@0: michael@0: /* get lock on cert cache */ michael@0: now = LockSidCacheLock(cache->certCacheLock, 0); michael@0: if (now) { michael@0: michael@0: /* Find where to place the next cert cache entry. */ michael@0: cacheDesc * sharedCache = cache->sharedCache; michael@0: PRUint32 ndx = sharedCache->nextCertCacheEntry; michael@0: michael@0: /* write the entry */ michael@0: cache->certCacheData[ndx] = cce; michael@0: michael@0: /* remember where we put it. */ michael@0: sce->u.ssl3.certIndex = ndx; michael@0: michael@0: /* update the "next" cache entry index */ michael@0: sharedCache->nextCertCacheEntry = michael@0: (ndx + 1) % cache->numCertCacheEntries; michael@0: michael@0: UnlockSidCacheLock(cache->certCacheLock); michael@0: } michael@0: return now; michael@0: michael@0: } michael@0: michael@0: /* Server configuration hash tables need to account the SECITEM.type michael@0: * field as well. These functions accomplish that. */ michael@0: static PLHashNumber michael@0: Get32BitNameHash(const SECItem *name) michael@0: { michael@0: PLHashNumber rv = SECITEM_Hash(name); michael@0: michael@0: PRUint8 *rvc = (PRUint8 *)&rv; michael@0: rvc[ name->len % sizeof(rv) ] ^= name->type; michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* Put a name in the cache. Update the cert index in the sce. michael@0: */ michael@0: static PRUint32 michael@0: CacheSrvName(cacheDesc * cache, SECItem *name, sidCacheEntry *sce) michael@0: { michael@0: PRUint32 now; michael@0: PRUint32 ndx; michael@0: srvNameCacheEntry snce; michael@0: michael@0: if (!name || name->len <= 0 || michael@0: name->len > SSL_MAX_DNS_HOST_NAME) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return 0; michael@0: } michael@0: michael@0: snce.type = name->type; michael@0: snce.nameLen = name->len; michael@0: PORT_Memcpy(snce.name, name->data, snce.nameLen); michael@0: #ifdef NO_PKCS11_BYPASS michael@0: HASH_HashBuf(HASH_AlgSHA256, snce.nameHash, name->data, name->len); michael@0: #else michael@0: SHA256_HashBuf(snce.nameHash, (unsigned char*)name->data, michael@0: name->len); michael@0: #endif michael@0: /* get index of the next name */ michael@0: ndx = Get32BitNameHash(name); michael@0: /* get lock on cert cache */ michael@0: now = LockSidCacheLock(cache->srvNameCacheLock, 0); michael@0: if (now) { michael@0: if (cache->numSrvNameCacheEntries > 0) { michael@0: /* Fit the index into array */ michael@0: ndx %= cache->numSrvNameCacheEntries; michael@0: /* write the entry */ michael@0: cache->srvNameCacheData[ndx] = snce; michael@0: /* remember where we put it. */ michael@0: sce->u.ssl3.srvNameIndex = ndx; michael@0: /* Copy hash into sid hash */ michael@0: PORT_Memcpy(sce->u.ssl3.srvNameHash, snce.nameHash, SHA256_LENGTH); michael@0: } michael@0: UnlockSidCacheLock(cache->srvNameCacheLock); michael@0: } michael@0: return now; michael@0: } michael@0: michael@0: /* michael@0: ** Convert local SID to shared memory one michael@0: */ michael@0: static void michael@0: ConvertFromSID(sidCacheEntry *to, sslSessionID *from) michael@0: { michael@0: to->valid = 1; michael@0: to->version = from->version; michael@0: to->addr = from->addr; michael@0: to->creationTime = from->creationTime; michael@0: to->lastAccessTime = from->lastAccessTime; michael@0: to->expirationTime = from->expirationTime; michael@0: to->authAlgorithm = from->authAlgorithm; michael@0: to->authKeyBits = from->authKeyBits; michael@0: to->keaType = from->keaType; michael@0: to->keaKeyBits = from->keaKeyBits; michael@0: michael@0: if (from->version < SSL_LIBRARY_VERSION_3_0) { michael@0: if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) || michael@0: (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) { michael@0: SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d", michael@0: myPid, from->u.ssl2.masterKey.len, michael@0: from->u.ssl2.cipherArg.len)); michael@0: to->valid = 0; michael@0: return; michael@0: } michael@0: michael@0: to->u.ssl2.cipherType = from->u.ssl2.cipherType; michael@0: to->u.ssl2.masterKeyLen = from->u.ssl2.masterKey.len; michael@0: to->u.ssl2.cipherArgLen = from->u.ssl2.cipherArg.len; michael@0: to->u.ssl2.keyBits = from->u.ssl2.keyBits; michael@0: to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits; michael@0: to->sessionIDLength = SSL2_SESSIONID_BYTES; michael@0: PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES); michael@0: PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data, michael@0: from->u.ssl2.masterKey.len); michael@0: PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data, michael@0: from->u.ssl2.cipherArg.len); michael@0: #ifdef DEBUG michael@0: PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0, michael@0: sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len); michael@0: PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0, michael@0: sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len); michael@0: #endif michael@0: SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d " michael@0: "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid, michael@0: to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen, michael@0: to->creationTime, to->addr.pr_s6_addr32[0], michael@0: to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2], michael@0: to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType)); michael@0: } else { michael@0: /* This is an SSL v3 session */ michael@0: michael@0: to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; michael@0: to->u.ssl3.compression = (PRUint16)from->u.ssl3.compression; michael@0: to->u.ssl3.keys = from->u.ssl3.keys; michael@0: to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; michael@0: to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; michael@0: to->sessionIDLength = from->u.ssl3.sessionIDLength; michael@0: to->u.ssl3.certIndex = -1; michael@0: to->u.ssl3.srvNameIndex = -1; michael@0: michael@0: PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID, michael@0: to->sessionIDLength); michael@0: michael@0: SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x " michael@0: "cipherSuite=%d", michael@0: myPid, to->creationTime, to->addr.pr_s6_addr32[0], michael@0: to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2], michael@0: to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite)); michael@0: } michael@0: } michael@0: michael@0: /* michael@0: ** Convert shared memory cache-entry to local memory based one michael@0: ** This is only called from ServerSessionIDLookup(). michael@0: */ michael@0: static sslSessionID * michael@0: ConvertToSID(sidCacheEntry * from, michael@0: certCacheEntry * pcce, michael@0: srvNameCacheEntry *psnce, michael@0: CERTCertDBHandle * dbHandle) michael@0: { michael@0: sslSessionID *to; michael@0: PRUint16 version = from->version; michael@0: michael@0: to = PORT_ZNew(sslSessionID); michael@0: if (!to) { michael@0: return 0; michael@0: } michael@0: michael@0: if (version < SSL_LIBRARY_VERSION_3_0) { michael@0: /* This is an SSL v2 session */ michael@0: to->u.ssl2.masterKey.data = michael@0: (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen); michael@0: if (!to->u.ssl2.masterKey.data) { michael@0: goto loser; michael@0: } michael@0: if (from->u.ssl2.cipherArgLen) { michael@0: to->u.ssl2.cipherArg.data = michael@0: (unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen); michael@0: if (!to->u.ssl2.cipherArg.data) { michael@0: goto loser; michael@0: } michael@0: PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg, michael@0: from->u.ssl2.cipherArgLen); michael@0: } michael@0: michael@0: to->u.ssl2.cipherType = from->u.ssl2.cipherType; michael@0: to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen; michael@0: to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen; michael@0: to->u.ssl2.keyBits = from->u.ssl2.keyBits; michael@0: to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits; michael@0: /* to->sessionIDLength = SSL2_SESSIONID_BYTES; */ michael@0: PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES); michael@0: PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey, michael@0: from->u.ssl2.masterKeyLen); michael@0: michael@0: SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d " michael@0: "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", michael@0: myPid, to->u.ssl2.masterKey.len, michael@0: to->u.ssl2.cipherArg.len, to->creationTime, michael@0: to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1], michael@0: to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3], michael@0: to->u.ssl2.cipherType)); michael@0: } else { michael@0: /* This is an SSL v3 session */ michael@0: michael@0: to->u.ssl3.sessionIDLength = from->sessionIDLength; michael@0: to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; michael@0: to->u.ssl3.compression = (SSLCompressionMethod)from->u.ssl3.compression; michael@0: to->u.ssl3.keys = from->u.ssl3.keys; michael@0: to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; michael@0: to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; michael@0: if (from->u.ssl3.srvNameIndex != -1 && psnce) { michael@0: SECItem name; michael@0: SECStatus rv; michael@0: name.type = psnce->type; michael@0: name.len = psnce->nameLen; michael@0: name.data = psnce->name; michael@0: rv = SECITEM_CopyItem(NULL, &to->u.ssl3.srvName, &name); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: } michael@0: michael@0: PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength); michael@0: michael@0: /* the portions of the SID that are only restored on the client michael@0: * are set to invalid values on the server. michael@0: */ michael@0: to->u.ssl3.clientWriteKey = NULL; michael@0: to->u.ssl3.serverWriteKey = NULL; michael@0: michael@0: to->urlSvrName = NULL; michael@0: michael@0: to->u.ssl3.masterModuleID = (SECMODModuleID)-1; /* invalid value */ michael@0: to->u.ssl3.masterSlotID = (CK_SLOT_ID)-1; /* invalid value */ michael@0: to->u.ssl3.masterWrapIndex = 0; michael@0: to->u.ssl3.masterWrapSeries = 0; michael@0: to->u.ssl3.masterValid = PR_FALSE; michael@0: michael@0: to->u.ssl3.clAuthModuleID = (SECMODModuleID)-1; /* invalid value */ michael@0: to->u.ssl3.clAuthSlotID = (CK_SLOT_ID)-1; /* invalid value */ michael@0: to->u.ssl3.clAuthSeries = 0; michael@0: to->u.ssl3.clAuthValid = PR_FALSE; michael@0: michael@0: if (from->u.ssl3.certIndex != -1 && pcce) { michael@0: SECItem derCert; michael@0: michael@0: derCert.len = pcce->certLength; michael@0: derCert.data = pcce->cert; michael@0: michael@0: to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL, michael@0: PR_FALSE, PR_TRUE); michael@0: if (to->peerCert == NULL) michael@0: goto loser; michael@0: } michael@0: } michael@0: michael@0: to->version = from->version; michael@0: to->creationTime = from->creationTime; michael@0: to->lastAccessTime = from->lastAccessTime; michael@0: to->expirationTime = from->expirationTime; michael@0: to->cached = in_server_cache; michael@0: to->addr = from->addr; michael@0: to->references = 1; michael@0: to->authAlgorithm = from->authAlgorithm; michael@0: to->authKeyBits = from->authKeyBits; michael@0: to->keaType = from->keaType; michael@0: to->keaKeyBits = from->keaKeyBits; michael@0: michael@0: return to; michael@0: michael@0: loser: michael@0: if (to) { michael@0: if (version < SSL_LIBRARY_VERSION_3_0) { michael@0: if (to->u.ssl2.masterKey.data) michael@0: PORT_Free(to->u.ssl2.masterKey.data); michael@0: if (to->u.ssl2.cipherArg.data) michael@0: PORT_Free(to->u.ssl2.cipherArg.data); michael@0: } else { michael@0: SECITEM_FreeItem(&to->u.ssl3.srvName, PR_FALSE); michael@0: } michael@0: PORT_Free(to); michael@0: } michael@0: return NULL; michael@0: } michael@0: michael@0: michael@0: michael@0: /* michael@0: ** Perform some mumbo jumbo on the ip-address and the session-id value to michael@0: ** compute a hash value. michael@0: */ michael@0: static PRUint32 michael@0: SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl) michael@0: { michael@0: PRUint32 rv; michael@0: PRUint32 x[8]; michael@0: michael@0: memset(x, 0, sizeof x); michael@0: if (nl > sizeof x) michael@0: nl = sizeof x; michael@0: memcpy(x, s, nl); michael@0: michael@0: rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^ michael@0: addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^ michael@0: x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7]) michael@0: % cache->numSIDCacheSets; michael@0: return rv; michael@0: } michael@0: michael@0: michael@0: michael@0: /* michael@0: ** Look something up in the cache. This will invalidate old entries michael@0: ** in the process. Caller has locked the cache set! michael@0: ** Returns PR_TRUE if found a valid match. PR_FALSE otherwise. michael@0: */ michael@0: static sidCacheEntry * michael@0: FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now, michael@0: const PRIPv6Addr *addr, unsigned char *sessionID, michael@0: unsigned sessionIDLength) michael@0: { michael@0: PRUint32 ndx = cache->sidCacheSets[setNum].next; michael@0: int i; michael@0: michael@0: sidCacheEntry * set = cache->sidCacheData + michael@0: (setNum * SID_CACHE_ENTRIES_PER_SET); michael@0: michael@0: for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) { michael@0: sidCacheEntry * sce; michael@0: michael@0: ndx = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET; michael@0: sce = set + ndx; michael@0: michael@0: if (!sce->valid) michael@0: continue; michael@0: michael@0: if (now > sce->expirationTime) { michael@0: /* SessionID has timed out. Invalidate the entry. */ michael@0: SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x " michael@0: "time+=%x", michael@0: myPid, sce->addr.pr_s6_addr32[0], michael@0: sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2], michael@0: sce->addr.pr_s6_addr32[3], now, michael@0: sce->expirationTime )); michael@0: sce->valid = 0; michael@0: continue; michael@0: } michael@0: michael@0: /* michael@0: ** Next, examine specific session-id/addr data to see if the cache michael@0: ** entry matches our addr+session-id value michael@0: */ michael@0: if (sessionIDLength == sce->sessionIDLength && michael@0: !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) && michael@0: !memcmp(sce->sessionID, sessionID, sessionIDLength)) { michael@0: /* Found it */ michael@0: return sce; michael@0: } michael@0: } michael@0: michael@0: PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND); michael@0: return NULL; michael@0: } michael@0: michael@0: /************************************************************************/ michael@0: michael@0: /* This is the primary function for finding entries in the server's sid cache. michael@0: * Although it is static, this function is called via the global function michael@0: * pointer ssl_sid_lookup. michael@0: */ michael@0: static sslSessionID * michael@0: ServerSessionIDLookup(const PRIPv6Addr *addr, michael@0: unsigned char *sessionID, michael@0: unsigned int sessionIDLength, michael@0: CERTCertDBHandle * dbHandle) michael@0: { michael@0: sslSessionID * sid = 0; michael@0: sidCacheEntry * psce; michael@0: certCacheEntry *pcce = 0; michael@0: srvNameCacheEntry *psnce = 0; michael@0: cacheDesc * cache = &globalCache; michael@0: PRUint32 now; michael@0: PRUint32 set; michael@0: PRInt32 cndx; michael@0: sidCacheEntry sce; michael@0: certCacheEntry cce; michael@0: srvNameCacheEntry snce; michael@0: michael@0: set = SIDindex(cache, addr, sessionID, sessionIDLength); michael@0: now = LockSet(cache, set, 0); michael@0: if (!now) michael@0: return NULL; michael@0: michael@0: psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength); michael@0: if (psce) { michael@0: if (psce->version >= SSL_LIBRARY_VERSION_3_0) { michael@0: if ((cndx = psce->u.ssl3.certIndex) != -1) { michael@0: michael@0: PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now); michael@0: if (gotLock) { michael@0: pcce = &cache->certCacheData[cndx]; michael@0: michael@0: /* See if the cert's session ID matches the sce cache. */ michael@0: if ((pcce->sessionIDLength == psce->sessionIDLength) && michael@0: !PORT_Memcmp(pcce->sessionID, psce->sessionID, michael@0: pcce->sessionIDLength)) { michael@0: cce = *pcce; michael@0: } else { michael@0: /* The cert doesen't match the SID cache entry, michael@0: ** so invalidate the SID cache entry. michael@0: */ michael@0: psce->valid = 0; michael@0: psce = 0; michael@0: pcce = 0; michael@0: } michael@0: UnlockSidCacheLock(cache->certCacheLock); michael@0: } else { michael@0: /* what the ??. Didn't get the cert cache lock. michael@0: ** Don't invalidate the SID cache entry, but don't find it. michael@0: */ michael@0: PORT_Assert(!("Didn't get cert Cache Lock!")); michael@0: psce = 0; michael@0: pcce = 0; michael@0: } michael@0: } michael@0: if (psce && ((cndx = psce->u.ssl3.srvNameIndex) != -1)) { michael@0: PRUint32 gotLock = LockSidCacheLock(cache->srvNameCacheLock, michael@0: now); michael@0: if (gotLock) { michael@0: psnce = &cache->srvNameCacheData[cndx]; michael@0: michael@0: if (!PORT_Memcmp(psnce->nameHash, psce->u.ssl3.srvNameHash, michael@0: SHA256_LENGTH)) { michael@0: snce = *psnce; michael@0: } else { michael@0: /* The name doesen't match the SID cache entry, michael@0: ** so invalidate the SID cache entry. michael@0: */ michael@0: psce->valid = 0; michael@0: psce = 0; michael@0: psnce = 0; michael@0: } michael@0: UnlockSidCacheLock(cache->srvNameCacheLock); michael@0: } else { michael@0: /* what the ??. Didn't get the cert cache lock. michael@0: ** Don't invalidate the SID cache entry, but don't find it. michael@0: */ michael@0: PORT_Assert(!("Didn't get name Cache Lock!")); michael@0: psce = 0; michael@0: psnce = 0; michael@0: } michael@0: michael@0: } michael@0: } michael@0: if (psce) { michael@0: psce->lastAccessTime = now; michael@0: sce = *psce; /* grab a copy while holding the lock */ michael@0: } michael@0: } michael@0: UnlockSet(cache, set); michael@0: if (psce) { michael@0: /* sce conains a copy of the cache entry. michael@0: ** Convert shared memory format to local format michael@0: */ michael@0: sid = ConvertToSID(&sce, pcce ? &cce : 0, psnce ? &snce : 0, dbHandle); michael@0: } michael@0: return sid; michael@0: } michael@0: michael@0: /* michael@0: ** Place a sid into the cache, if it isn't already there. michael@0: */ michael@0: static void michael@0: ServerSessionIDCache(sslSessionID *sid) michael@0: { michael@0: sidCacheEntry sce; michael@0: PRUint32 now = 0; michael@0: PRUint16 version = sid->version; michael@0: cacheDesc * cache = &globalCache; michael@0: michael@0: if ((version >= SSL_LIBRARY_VERSION_3_0) && michael@0: (sid->u.ssl3.sessionIDLength == 0)) { michael@0: return; michael@0: } michael@0: michael@0: if (sid->cached == never_cached || sid->cached == invalid_cache) { michael@0: PRUint32 set; michael@0: michael@0: PORT_Assert(sid->creationTime != 0); michael@0: if (!sid->creationTime) michael@0: sid->lastAccessTime = sid->creationTime = ssl_Time(); michael@0: if (version < SSL_LIBRARY_VERSION_3_0) { michael@0: /* override caller's expiration time, which uses client timeout michael@0: * duration, not server timeout duration. michael@0: */ michael@0: sid->expirationTime = sid->creationTime + cache->ssl2Timeout; michael@0: SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x " michael@0: "cipher=%d", myPid, sid->cached, michael@0: sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], michael@0: sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], michael@0: sid->creationTime, sid->u.ssl2.cipherType)); michael@0: PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID, michael@0: SSL2_SESSIONID_BYTES)); michael@0: PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data, michael@0: sid->u.ssl2.masterKey.len)); michael@0: PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data, michael@0: sid->u.ssl2.cipherArg.len)); michael@0: michael@0: } else { michael@0: /* override caller's expiration time, which uses client timeout michael@0: * duration, not server timeout duration. michael@0: */ michael@0: sid->expirationTime = sid->creationTime + cache->ssl3Timeout; michael@0: SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x " michael@0: "cipherSuite=%d", myPid, sid->cached, michael@0: sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], michael@0: sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], michael@0: sid->creationTime, sid->u.ssl3.cipherSuite)); michael@0: PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID, michael@0: sid->u.ssl3.sessionIDLength)); michael@0: } michael@0: michael@0: ConvertFromSID(&sce, sid); michael@0: michael@0: if (version >= SSL_LIBRARY_VERSION_3_0) { michael@0: SECItem *name = &sid->u.ssl3.srvName; michael@0: if (name->len && name->data) { michael@0: now = CacheSrvName(cache, name, &sce); michael@0: } michael@0: if (sid->peerCert != NULL) { michael@0: now = CacheCert(cache, sid->peerCert, &sce); michael@0: } michael@0: } michael@0: michael@0: set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength); michael@0: now = LockSet(cache, set, now); michael@0: if (now) { michael@0: PRUint32 next = cache->sidCacheSets[set].next; michael@0: PRUint32 ndx = set * SID_CACHE_ENTRIES_PER_SET + next; michael@0: michael@0: /* Write out new cache entry */ michael@0: cache->sidCacheData[ndx] = sce; michael@0: michael@0: cache->sidCacheSets[set].next = michael@0: (next + 1) % SID_CACHE_ENTRIES_PER_SET; michael@0: michael@0: UnlockSet(cache, set); michael@0: sid->cached = in_server_cache; michael@0: } michael@0: } michael@0: } michael@0: michael@0: /* michael@0: ** Although this is static, it is called from ssl via global function pointer michael@0: ** ssl_sid_uncache. This invalidates the referenced cache entry. michael@0: */ michael@0: static void michael@0: ServerSessionIDUncache(sslSessionID *sid) michael@0: { michael@0: cacheDesc * cache = &globalCache; michael@0: PRUint8 * sessionID; michael@0: unsigned int sessionIDLength; michael@0: PRErrorCode err; michael@0: PRUint32 set; michael@0: PRUint32 now; michael@0: sidCacheEntry *psce; michael@0: michael@0: if (sid == NULL) michael@0: return; michael@0: michael@0: /* Uncaching a SID should never change the error code. michael@0: ** So save it here and restore it before exiting. michael@0: */ michael@0: err = PR_GetError(); michael@0: michael@0: if (sid->version < SSL_LIBRARY_VERSION_3_0) { michael@0: sessionID = sid->u.ssl2.sessionID; michael@0: sessionIDLength = SSL2_SESSIONID_BYTES; michael@0: SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x " michael@0: "cipher=%d", myPid, sid->cached, michael@0: sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], michael@0: sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], michael@0: sid->creationTime, sid->u.ssl2.cipherType)); michael@0: PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength)); michael@0: PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data, michael@0: sid->u.ssl2.masterKey.len)); michael@0: PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data, michael@0: sid->u.ssl2.cipherArg.len)); michael@0: } else { michael@0: sessionID = sid->u.ssl3.sessionID; michael@0: sessionIDLength = sid->u.ssl3.sessionIDLength; michael@0: SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x " michael@0: "cipherSuite=%d", myPid, sid->cached, michael@0: sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1], michael@0: sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3], michael@0: sid->creationTime, sid->u.ssl3.cipherSuite)); michael@0: PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength)); michael@0: } michael@0: set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength); michael@0: now = LockSet(cache, set, 0); michael@0: if (now) { michael@0: psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength); michael@0: if (psce) { michael@0: psce->valid = 0; michael@0: } michael@0: UnlockSet(cache, set); michael@0: } michael@0: sid->cached = invalid_cache; michael@0: PORT_SetError(err); michael@0: } michael@0: michael@0: #ifdef XP_OS2 michael@0: michael@0: #define INCL_DOSPROCESS michael@0: #include michael@0: michael@0: long gettid(void) michael@0: { michael@0: PTIB ptib; michael@0: PPIB ppib; michael@0: DosGetInfoBlocks(&ptib, &ppib); michael@0: return ((long)ptib->tib_ordinal); /* thread id */ michael@0: } michael@0: #endif michael@0: michael@0: static void michael@0: CloseCache(cacheDesc *cache) michael@0: { michael@0: int locks_initialized = cache->numSIDCacheLocksInitialized; michael@0: michael@0: if (cache->cacheMem) { michael@0: if (cache->sharedCache) { michael@0: sidCacheLock *pLock = cache->sidCacheLocks; michael@0: for (; locks_initialized > 0; --locks_initialized, ++pLock ) { michael@0: /* If everInherited is true, this shared cache was (and may michael@0: ** still be) in use by multiple processes. We do not wish to michael@0: ** destroy the mutexes while they are still in use, but we do michael@0: ** want to free mutex resources associated with this process. michael@0: */ michael@0: sslMutex_Destroy(&pLock->mutex, michael@0: cache->sharedCache->everInherited); michael@0: } michael@0: } michael@0: if (cache->shared) { michael@0: PR_MemUnmap(cache->cacheMem, cache->cacheMemSize); michael@0: } else { michael@0: PORT_Free(cache->cacheMem); michael@0: } michael@0: cache->cacheMem = NULL; michael@0: } michael@0: if (cache->cacheMemMap) { michael@0: PR_CloseFileMap(cache->cacheMemMap); michael@0: cache->cacheMemMap = NULL; michael@0: } michael@0: memset(cache, 0, sizeof *cache); michael@0: } michael@0: michael@0: static SECStatus michael@0: InitCache(cacheDesc *cache, int maxCacheEntries, int maxCertCacheEntries, michael@0: int maxSrvNameCacheEntries, PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, const char *directory, PRBool shared) michael@0: { michael@0: ptrdiff_t ptr; michael@0: sidCacheLock *pLock; michael@0: char * cacheMem; michael@0: PRFileMap * cacheMemMap; michael@0: char * cfn = NULL; /* cache file name */ michael@0: int locks_initialized = 0; michael@0: int locks_to_initialize = 0; michael@0: PRUint32 init_time; michael@0: michael@0: if ( (!cache) || (maxCacheEntries < 0) || (!directory) ) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: michael@0: if (cache->cacheMem) { michael@0: /* Already done */ michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* make sure loser can clean up properly */ michael@0: cache->shared = shared; michael@0: cache->cacheMem = cacheMem = NULL; michael@0: cache->cacheMemMap = cacheMemMap = NULL; michael@0: cache->sharedCache = (cacheDesc *)0; michael@0: michael@0: cache->numSIDCacheLocksInitialized = 0; michael@0: cache->nextCertCacheEntry = 0; michael@0: cache->stopPolling = PR_FALSE; michael@0: cache->everInherited = PR_FALSE; michael@0: cache->poller = NULL; michael@0: cache->mutexTimeout = 0; michael@0: michael@0: cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries michael@0: : DEF_SID_CACHE_ENTRIES; michael@0: cache->numSIDCacheSets = michael@0: SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET); michael@0: michael@0: cache->numSIDCacheEntries = michael@0: cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET; michael@0: michael@0: cache->numSIDCacheLocks = michael@0: PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks); michael@0: michael@0: cache->numSIDCacheSetsPerLock = michael@0: SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks); michael@0: michael@0: cache->numCertCacheEntries = (maxCertCacheEntries > 0) ? michael@0: maxCertCacheEntries : 0; michael@0: cache->numSrvNameCacheEntries = (maxSrvNameCacheEntries >= 0) ? michael@0: maxSrvNameCacheEntries : DEF_NAME_CACHE_ENTRIES; michael@0: michael@0: /* compute size of shared memory, and offsets of all pointers */ michael@0: ptr = 0; michael@0: cache->cacheMem = (char *)ptr; michael@0: ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT); michael@0: michael@0: cache->sidCacheLocks = (sidCacheLock *)ptr; michael@0: cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks; michael@0: cache->certCacheLock = cache->keyCacheLock + 1; michael@0: cache->srvNameCacheLock = cache->certCacheLock + 1; michael@0: ptr = (ptrdiff_t)(cache->srvNameCacheLock + 1); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->sidCacheSets = (sidCacheSet *)ptr; michael@0: ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->sidCacheData = (sidCacheEntry *)ptr; michael@0: ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->certCacheData = (certCacheEntry *)ptr; michael@0: cache->sidCacheSize = michael@0: (char *)cache->certCacheData - (char *)cache->sidCacheData; michael@0: michael@0: if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES) { michael@0: /* This is really a poor way to computer this! */ michael@0: cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry); michael@0: if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES) michael@0: cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES; michael@0: } michael@0: ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->keyCacheData = (SSLWrappedSymWrappingKey *)ptr; michael@0: cache->certCacheSize = michael@0: (char *)cache->keyCacheData - (char *)cache->certCacheData; michael@0: michael@0: cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS; michael@0: ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->keyCacheSize = (char *)ptr - (char *)cache->keyCacheData; michael@0: michael@0: cache->ticketKeyNameSuffix = (PRUint8 *)ptr; michael@0: ptr = (ptrdiff_t)(cache->ticketKeyNameSuffix + michael@0: SESS_TICKET_KEY_VAR_NAME_LEN); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->ticketEncKey = (encKeyCacheEntry *)ptr; michael@0: ptr = (ptrdiff_t)(cache->ticketEncKey + 1); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->ticketMacKey = (encKeyCacheEntry *)ptr; michael@0: ptr = (ptrdiff_t)(cache->ticketMacKey + 1); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->ticketKeysValid = (PRUint32 *)ptr; michael@0: ptr = (ptrdiff_t)(cache->ticketKeysValid + 1); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->srvNameCacheData = (srvNameCacheEntry *)ptr; michael@0: cache->srvNameCacheSize = michael@0: cache->numSrvNameCacheEntries * sizeof(srvNameCacheEntry); michael@0: ptr = (ptrdiff_t)(cache->srvNameCacheData + cache->numSrvNameCacheEntries); michael@0: ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT); michael@0: michael@0: cache->cacheMemSize = ptr; michael@0: michael@0: if (ssl2_timeout) { michael@0: if (ssl2_timeout > MAX_SSL2_TIMEOUT) { michael@0: ssl2_timeout = MAX_SSL2_TIMEOUT; michael@0: } michael@0: if (ssl2_timeout < MIN_SSL2_TIMEOUT) { michael@0: ssl2_timeout = MIN_SSL2_TIMEOUT; michael@0: } michael@0: cache->ssl2Timeout = ssl2_timeout; michael@0: } else { michael@0: cache->ssl2Timeout = DEF_SSL2_TIMEOUT; michael@0: } michael@0: michael@0: if (ssl3_timeout) { michael@0: if (ssl3_timeout > MAX_SSL3_TIMEOUT) { michael@0: ssl3_timeout = MAX_SSL3_TIMEOUT; michael@0: } michael@0: if (ssl3_timeout < MIN_SSL3_TIMEOUT) { michael@0: ssl3_timeout = MIN_SSL3_TIMEOUT; michael@0: } michael@0: cache->ssl3Timeout = ssl3_timeout; michael@0: } else { michael@0: cache->ssl3Timeout = DEF_SSL3_TIMEOUT; michael@0: } michael@0: michael@0: if (shared) { michael@0: /* Create file names */ michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: /* there's some confusion here about whether PR_OpenAnonFileMap wants michael@0: ** a directory name or a file name for its first argument. michael@0: cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid); michael@0: */ michael@0: cfn = PR_smprintf("%s", directory); michael@0: #elif defined(XP_WIN32) michael@0: cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, michael@0: GetCurrentThreadId()); michael@0: #elif defined(XP_OS2) michael@0: cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, michael@0: gettid()); michael@0: #else michael@0: #error "Don't know how to create file name for this platform!" michael@0: #endif michael@0: if (!cfn) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* Create cache */ michael@0: cacheMemMap = PR_OpenAnonFileMap(cfn, cache->cacheMemSize, michael@0: PR_PROT_READWRITE); michael@0: michael@0: PR_smprintf_free(cfn); michael@0: if(!cacheMemMap) { michael@0: goto loser; michael@0: } michael@0: michael@0: cacheMem = PR_MemMap(cacheMemMap, 0, cache->cacheMemSize); michael@0: } else { michael@0: cacheMem = PORT_Alloc(cache->cacheMemSize); michael@0: } michael@0: michael@0: if (! cacheMem) { michael@0: goto loser; michael@0: } michael@0: michael@0: /* Initialize shared memory. This may not be necessary on all platforms */ michael@0: memset(cacheMem, 0, cache->cacheMemSize); michael@0: michael@0: /* Copy cache descriptor header into shared memory */ michael@0: memcpy(cacheMem, cache, sizeof *cache); michael@0: michael@0: /* save private copies of these values */ michael@0: cache->cacheMemMap = cacheMemMap; michael@0: cache->cacheMem = cacheMem; michael@0: cache->sharedCache = (cacheDesc *)cacheMem; michael@0: michael@0: /* Fix pointers in our private copy of cache descriptor to point to michael@0: ** spaces in shared memory michael@0: */ michael@0: ptr = (ptrdiff_t)cache->cacheMem; michael@0: *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr; michael@0: *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr; michael@0: *(ptrdiff_t *)(&cache->certCacheLock) += ptr; michael@0: *(ptrdiff_t *)(&cache->srvNameCacheLock) += ptr; michael@0: *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr; michael@0: *(ptrdiff_t *)(&cache->sidCacheData ) += ptr; michael@0: *(ptrdiff_t *)(&cache->certCacheData) += ptr; michael@0: *(ptrdiff_t *)(&cache->keyCacheData ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketKeyNameSuffix) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketEncKey ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketMacKey ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketKeysValid) += ptr; michael@0: *(ptrdiff_t *)(&cache->srvNameCacheData) += ptr; michael@0: michael@0: /* initialize the locks */ michael@0: init_time = ssl_Time(); michael@0: pLock = cache->sidCacheLocks; michael@0: for (locks_to_initialize = cache->numSIDCacheLocks + 3; michael@0: locks_initialized < locks_to_initialize; michael@0: ++locks_initialized, ++pLock ) { michael@0: michael@0: SECStatus err = sslMutex_Init(&pLock->mutex, shared); michael@0: if (err) { michael@0: cache->numSIDCacheLocksInitialized = locks_initialized; michael@0: goto loser; michael@0: } michael@0: pLock->timeStamp = init_time; michael@0: pLock->pid = 0; michael@0: } michael@0: cache->numSIDCacheLocksInitialized = locks_initialized; michael@0: michael@0: return SECSuccess; michael@0: michael@0: loser: michael@0: CloseCache(cache); michael@0: return SECFailure; michael@0: } michael@0: michael@0: PRUint32 michael@0: SSL_GetMaxServerCacheLocks(void) michael@0: { michael@0: return ssl_max_sid_cache_locks + 2; michael@0: /* The extra two are the cert cache lock and the key cache lock. */ michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_SetMaxServerCacheLocks(PRUint32 maxLocks) michael@0: { michael@0: /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock. michael@0: ** We'd like to test for a maximum value, but not all platforms' header michael@0: ** files provide a symbol or function or other means of determining michael@0: ** the maximum, other than trial and error. michael@0: */ michael@0: if (maxLocks < 3) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: ssl_max_sid_cache_locks = maxLocks - 2; michael@0: /* The extra two are the cert cache lock and the key cache lock. */ michael@0: return SECSuccess; michael@0: } michael@0: michael@0: static SECStatus michael@0: ssl_ConfigServerSessionIDCacheInstanceWithOpt(cacheDesc *cache, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory, michael@0: PRBool shared, michael@0: int maxCacheEntries, michael@0: int maxCertCacheEntries, michael@0: int maxSrvNameCacheEntries) michael@0: { michael@0: SECStatus rv; michael@0: michael@0: PORT_Assert(sizeof(sidCacheEntry) == 192); michael@0: PORT_Assert(sizeof(certCacheEntry) == 4096); michael@0: PORT_Assert(sizeof(srvNameCacheEntry) == 1072); michael@0: michael@0: rv = ssl_Init(); michael@0: if (rv != SECSuccess) { michael@0: return rv; michael@0: } michael@0: michael@0: myPid = SSL_GETPID(); michael@0: if (!directory) { michael@0: directory = DEFAULT_CACHE_DIRECTORY; michael@0: } michael@0: rv = InitCache(cache, maxCacheEntries, maxCertCacheEntries, michael@0: maxSrvNameCacheEntries, ssl2_timeout, ssl3_timeout, michael@0: directory, shared); michael@0: if (rv) { michael@0: SET_ERROR_CODE michael@0: return SECFailure; michael@0: } michael@0: michael@0: ssl_sid_lookup = ServerSessionIDLookup; michael@0: ssl_sid_cache = ServerSessionIDCache; michael@0: ssl_sid_uncache = ServerSessionIDUncache; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ConfigServerSessionIDCacheInstance( cacheDesc *cache, michael@0: int maxCacheEntries, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory, PRBool shared) michael@0: { michael@0: return ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache, michael@0: ssl2_timeout, michael@0: ssl3_timeout, michael@0: directory, michael@0: shared, michael@0: maxCacheEntries, michael@0: -1, -1); michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ConfigServerSessionIDCache( int maxCacheEntries, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory) michael@0: { michael@0: ssl_InitSessionCacheLocks(PR_FALSE); michael@0: return SSL_ConfigServerSessionIDCacheInstance(&globalCache, michael@0: maxCacheEntries, ssl2_timeout, ssl3_timeout, directory, PR_FALSE); michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ShutdownServerSessionIDCacheInstance(cacheDesc *cache) michael@0: { michael@0: CloseCache(cache); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ShutdownServerSessionIDCache(void) michael@0: { michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: /* Stop the thread that polls cache for expired locks on Unix */ michael@0: StopLockPoller(&globalCache); michael@0: #endif michael@0: SSL3_ShutdownServerCache(); michael@0: return SSL_ShutdownServerSessionIDCacheInstance(&globalCache); michael@0: } michael@0: michael@0: /* Use this function, instead of SSL_ConfigServerSessionIDCache, michael@0: * if the cache will be shared by multiple processes. michael@0: */ michael@0: static SECStatus michael@0: ssl_ConfigMPServerSIDCacheWithOpt( PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory, michael@0: int maxCacheEntries, michael@0: int maxCertCacheEntries, michael@0: int maxSrvNameCacheEntries) michael@0: { michael@0: char * envValue; michael@0: char * inhValue; michael@0: cacheDesc * cache = &globalCache; michael@0: PRUint32 fmStrLen; michael@0: SECStatus result; michael@0: PRStatus prStatus; michael@0: SECStatus putEnvFailed; michael@0: inheritance inherit; michael@0: char fmString[PR_FILEMAP_STRING_BUFSIZE]; michael@0: michael@0: isMultiProcess = PR_TRUE; michael@0: result = ssl_ConfigServerSessionIDCacheInstanceWithOpt(cache, michael@0: ssl2_timeout, ssl3_timeout, directory, PR_TRUE, michael@0: maxCacheEntries, maxCacheEntries, maxSrvNameCacheEntries); michael@0: if (result != SECSuccess) michael@0: return result; michael@0: michael@0: prStatus = PR_ExportFileMapAsString(cache->cacheMemMap, michael@0: sizeof fmString, fmString); michael@0: if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) { michael@0: SET_ERROR_CODE michael@0: return SECFailure; michael@0: } michael@0: michael@0: inherit.cacheMemSize = cache->cacheMemSize; michael@0: inherit.fmStrLen = fmStrLen; michael@0: michael@0: inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit); michael@0: if (!inhValue || !strlen(inhValue)) { michael@0: SET_ERROR_CODE michael@0: return SECFailure; michael@0: } michael@0: envValue = PR_smprintf("%s,%s", inhValue, fmString); michael@0: if (!envValue || !strlen(envValue)) { michael@0: SET_ERROR_CODE michael@0: return SECFailure; michael@0: } michael@0: PORT_Free(inhValue); michael@0: michael@0: putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue); michael@0: PR_smprintf_free(envValue); michael@0: if (putEnvFailed) { michael@0: SET_ERROR_CODE michael@0: result = SECFailure; michael@0: } michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: /* Launch thread to poll cache for expired locks on Unix */ michael@0: LaunchLockPoller(cache); michael@0: #endif michael@0: return result; michael@0: } michael@0: michael@0: /* Use this function, instead of SSL_ConfigServerSessionIDCache, michael@0: * if the cache will be shared by multiple processes. michael@0: */ michael@0: SECStatus michael@0: SSL_ConfigMPServerSIDCache( int maxCacheEntries, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory) michael@0: { michael@0: return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, michael@0: ssl3_timeout, michael@0: directory, michael@0: maxCacheEntries, michael@0: -1, -1); michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ConfigServerSessionIDCacheWithOpt( michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory, michael@0: int maxCacheEntries, michael@0: int maxCertCacheEntries, michael@0: int maxSrvNameCacheEntries, michael@0: PRBool enableMPCache) michael@0: { michael@0: if (!enableMPCache) { michael@0: ssl_InitSessionCacheLocks(PR_FALSE); michael@0: return ssl_ConfigServerSessionIDCacheInstanceWithOpt(&globalCache, michael@0: ssl2_timeout, ssl3_timeout, directory, PR_FALSE, michael@0: maxCacheEntries, maxCertCacheEntries, maxSrvNameCacheEntries); michael@0: } else { michael@0: return ssl_ConfigMPServerSIDCacheWithOpt(ssl2_timeout, ssl3_timeout, michael@0: directory, maxCacheEntries, maxCertCacheEntries, michael@0: maxSrvNameCacheEntries); michael@0: } michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString) michael@0: { michael@0: unsigned char * decoString = NULL; michael@0: char * fmString = NULL; michael@0: char * myEnvString = NULL; michael@0: unsigned int decoLen; michael@0: ptrdiff_t ptr; michael@0: inheritance inherit; michael@0: cacheDesc my; michael@0: #ifdef WINNT michael@0: sidCacheLock* newLocks; michael@0: int locks_initialized = 0; michael@0: int locks_to_initialize = 0; michael@0: #endif michael@0: SECStatus status = ssl_Init(); michael@0: michael@0: if (status != SECSuccess) { michael@0: return status; michael@0: } michael@0: michael@0: myPid = SSL_GETPID(); michael@0: michael@0: /* If this child was created by fork(), and not by exec() on unix, michael@0: ** then isMultiProcess will already be set. michael@0: ** If not, we'll set it below. michael@0: */ michael@0: if (isMultiProcess) { michael@0: if (cache && cache->sharedCache) { michael@0: cache->sharedCache->everInherited = PR_TRUE; michael@0: } michael@0: return SECSuccess; /* already done. */ michael@0: } michael@0: michael@0: ssl_InitSessionCacheLocks(PR_FALSE); michael@0: michael@0: ssl_sid_lookup = ServerSessionIDLookup; michael@0: ssl_sid_cache = ServerSessionIDCache; michael@0: ssl_sid_uncache = ServerSessionIDUncache; michael@0: michael@0: if (!envString) { michael@0: envString = getenv(envVarName); michael@0: if (!envString) { michael@0: SET_ERROR_CODE michael@0: return SECFailure; michael@0: } michael@0: } michael@0: myEnvString = PORT_Strdup(envString); michael@0: if (!myEnvString) michael@0: return SECFailure; michael@0: fmString = strchr(myEnvString, ','); michael@0: if (!fmString) michael@0: goto loser; michael@0: *fmString++ = 0; michael@0: michael@0: decoString = ATOB_AsciiToData(myEnvString, &decoLen); michael@0: if (!decoString) { michael@0: SET_ERROR_CODE michael@0: goto loser; michael@0: } michael@0: if (decoLen != sizeof inherit) { michael@0: SET_ERROR_CODE michael@0: goto loser; michael@0: } michael@0: michael@0: PORT_Memcpy(&inherit, decoString, sizeof inherit); michael@0: michael@0: if (strlen(fmString) != inherit.fmStrLen ) { michael@0: goto loser; michael@0: } michael@0: michael@0: memset(cache, 0, sizeof *cache); michael@0: cache->cacheMemSize = inherit.cacheMemSize; michael@0: michael@0: /* Create cache */ michael@0: cache->cacheMemMap = PR_ImportFileMapFromString(fmString); michael@0: if(! cache->cacheMemMap) { michael@0: goto loser; michael@0: } michael@0: cache->cacheMem = PR_MemMap(cache->cacheMemMap, 0, cache->cacheMemSize); michael@0: if (! cache->cacheMem) { michael@0: goto loser; michael@0: } michael@0: cache->sharedCache = (cacheDesc *)cache->cacheMem; michael@0: michael@0: if (cache->sharedCache->cacheMemSize != cache->cacheMemSize) { michael@0: SET_ERROR_CODE michael@0: goto loser; michael@0: } michael@0: michael@0: /* We're now going to overwrite the local cache instance with the michael@0: ** shared copy of the cache struct, then update several values in michael@0: ** the local cache using the values for cache->cacheMemMap and michael@0: ** cache->cacheMem computed just above. So, we copy cache into michael@0: ** the automatic variable "my", to preserve the variables while michael@0: ** cache is overwritten. michael@0: */ michael@0: my = *cache; /* save values computed above. */ michael@0: memcpy(cache, cache->sharedCache, sizeof *cache); /* overwrite */ michael@0: michael@0: /* Fix pointers in our private copy of cache descriptor to point to michael@0: ** spaces in shared memory, whose address is now in "my". michael@0: */ michael@0: ptr = (ptrdiff_t)my.cacheMem; michael@0: *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr; michael@0: *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr; michael@0: *(ptrdiff_t *)(&cache->certCacheLock) += ptr; michael@0: *(ptrdiff_t *)(&cache->srvNameCacheLock) += ptr; michael@0: *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr; michael@0: *(ptrdiff_t *)(&cache->sidCacheData ) += ptr; michael@0: *(ptrdiff_t *)(&cache->certCacheData) += ptr; michael@0: *(ptrdiff_t *)(&cache->keyCacheData ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketKeyNameSuffix) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketEncKey ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketMacKey ) += ptr; michael@0: *(ptrdiff_t *)(&cache->ticketKeysValid) += ptr; michael@0: *(ptrdiff_t *)(&cache->srvNameCacheData) += ptr; michael@0: michael@0: cache->cacheMemMap = my.cacheMemMap; michael@0: cache->cacheMem = my.cacheMem; michael@0: cache->sharedCache = (cacheDesc *)cache->cacheMem; michael@0: michael@0: #ifdef WINNT michael@0: /* On Windows NT we need to "fix" the sidCacheLocks here to support fibers michael@0: ** When NT fibers are used in a multi-process server, a second level of michael@0: ** locking is needed to prevent a deadlock, in case a fiber acquires the michael@0: ** cross-process mutex, yields, and another fiber is later scheduled on michael@0: ** the same native thread and tries to acquire the cross-process mutex. michael@0: ** We do this by using a PRLock in the sslMutex. However, it is stored in michael@0: ** shared memory as part of sidCacheLocks, and we don't want to overwrite michael@0: ** the PRLock of the parent process. So we need to make new, private michael@0: ** copies of sidCacheLocks before modifying the sslMutex with our own michael@0: ** PRLock michael@0: */ michael@0: michael@0: /* note from jpierre : this should be free'd in child processes when michael@0: ** a function is added to delete the SSL session cache in the future. michael@0: */ michael@0: locks_to_initialize = cache->numSIDCacheLocks + 3; michael@0: newLocks = PORT_NewArray(sidCacheLock, locks_to_initialize); michael@0: if (!newLocks) michael@0: goto loser; michael@0: /* copy the old locks */ michael@0: memcpy(newLocks, cache->sidCacheLocks, michael@0: locks_to_initialize * sizeof(sidCacheLock)); michael@0: cache->sidCacheLocks = newLocks; michael@0: /* fix the locks */ michael@0: for (; locks_initialized < locks_to_initialize; ++locks_initialized) { michael@0: /* now, make a local PRLock in this sslMutex for this child process */ michael@0: SECStatus err; michael@0: err = sslMutex_2LevelInit(&newLocks[locks_initialized].mutex); michael@0: if (err != SECSuccess) { michael@0: cache->numSIDCacheLocksInitialized = locks_initialized; michael@0: goto loser; michael@0: } michael@0: } michael@0: cache->numSIDCacheLocksInitialized = locks_initialized; michael@0: michael@0: /* also fix the key and cert cache which use the last 2 lock entries */ michael@0: cache->keyCacheLock = cache->sidCacheLocks + cache->numSIDCacheLocks; michael@0: cache->certCacheLock = cache->keyCacheLock + 1; michael@0: cache->srvNameCacheLock = cache->certCacheLock + 1; michael@0: #endif michael@0: michael@0: PORT_Free(myEnvString); michael@0: PORT_Free(decoString); michael@0: michael@0: /* mark that we have inherited this. */ michael@0: cache->sharedCache->everInherited = PR_TRUE; michael@0: isMultiProcess = PR_TRUE; michael@0: michael@0: return SECSuccess; michael@0: michael@0: loser: michael@0: PORT_Free(myEnvString); michael@0: if (decoString) michael@0: PORT_Free(decoString); michael@0: CloseCache(cache); michael@0: return SECFailure; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_InheritMPServerSIDCache(const char * envString) michael@0: { michael@0: return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString); michael@0: } michael@0: michael@0: #if defined(XP_UNIX) || defined(XP_BEOS) michael@0: michael@0: #define SID_LOCK_EXPIRATION_TIMEOUT 30 /* seconds */ michael@0: michael@0: static void michael@0: LockPoller(void * arg) michael@0: { michael@0: cacheDesc * cache = (cacheDesc *)arg; michael@0: cacheDesc * sharedCache = cache->sharedCache; michael@0: sidCacheLock * pLock; michael@0: PRIntervalTime timeout; michael@0: PRUint32 now; michael@0: PRUint32 then; michael@0: int locks_polled = 0; michael@0: int locks_to_poll = cache->numSIDCacheLocks + 2; michael@0: PRUint32 expiration = cache->mutexTimeout; michael@0: michael@0: timeout = PR_SecondsToInterval(expiration); michael@0: while(!sharedCache->stopPolling) { michael@0: PR_Sleep(timeout); michael@0: if (sharedCache->stopPolling) michael@0: break; michael@0: michael@0: now = ssl_Time(); michael@0: then = now - expiration; michael@0: for (pLock = cache->sidCacheLocks, locks_polled = 0; michael@0: locks_to_poll > locks_polled && !sharedCache->stopPolling; michael@0: ++locks_polled, ++pLock ) { michael@0: pid_t pid; michael@0: michael@0: if (pLock->timeStamp < then && michael@0: pLock->timeStamp != 0 && michael@0: (pid = pLock->pid) != 0) { michael@0: michael@0: /* maybe we should try the lock? */ michael@0: int result = kill(pid, 0); michael@0: if (result < 0 && errno == ESRCH) { michael@0: SECStatus rv; michael@0: /* No process exists by that pid any more. michael@0: ** Treat this mutex as abandoned. michael@0: */ michael@0: pLock->timeStamp = now; michael@0: pLock->pid = 0; michael@0: rv = sslMutex_Unlock(&pLock->mutex); michael@0: if (rv != SECSuccess) { michael@0: /* Now what? */ michael@0: } michael@0: } michael@0: } michael@0: } /* end of loop over locks */ michael@0: } /* end of entire polling loop */ michael@0: } michael@0: michael@0: /* Launch thread to poll cache for expired locks */ michael@0: static SECStatus michael@0: LaunchLockPoller(cacheDesc *cache) michael@0: { michael@0: const char * timeoutString; michael@0: PRThread * pollerThread; michael@0: michael@0: cache->mutexTimeout = SID_LOCK_EXPIRATION_TIMEOUT; michael@0: timeoutString = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT"); michael@0: if (timeoutString) { michael@0: long newTime = strtol(timeoutString, 0, 0); michael@0: if (newTime == 0) michael@0: return SECSuccess; /* application doesn't want poller thread */ michael@0: if (newTime > 0) michael@0: cache->mutexTimeout = (PRUint32)newTime; michael@0: /* if error (newTime < 0) ignore it and use default */ michael@0: } michael@0: michael@0: pollerThread = michael@0: PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL, michael@0: PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0); michael@0: if (!pollerThread) { michael@0: return SECFailure; michael@0: } michael@0: cache->poller = pollerThread; michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* Stop the thread that polls cache for expired locks */ michael@0: static SECStatus michael@0: StopLockPoller(cacheDesc *cache) michael@0: { michael@0: if (!cache->poller) { michael@0: return SECSuccess; michael@0: } michael@0: cache->sharedCache->stopPolling = PR_TRUE; michael@0: if (PR_Interrupt(cache->poller) != PR_SUCCESS) { michael@0: return SECFailure; michael@0: } michael@0: if (PR_JoinThread(cache->poller) != PR_SUCCESS) { michael@0: return SECFailure; michael@0: } michael@0: cache->poller = NULL; michael@0: return SECSuccess; michael@0: } michael@0: #endif michael@0: michael@0: /************************************************************************ michael@0: * Code dealing with shared wrapped symmetric wrapping keys below * michael@0: ************************************************************************/ michael@0: michael@0: /* If now is zero, it implies that the lock is not held, and must be michael@0: ** aquired here. michael@0: */ michael@0: static PRBool michael@0: getSvrWrappingKey(PRInt32 symWrapMechIndex, michael@0: SSL3KEAType exchKeyType, michael@0: SSLWrappedSymWrappingKey *wswk, michael@0: cacheDesc * cache, michael@0: PRUint32 lockTime) michael@0: { michael@0: PRUint32 ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; michael@0: SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx; michael@0: PRUint32 now = 0; michael@0: PRBool rv = PR_FALSE; michael@0: michael@0: if (!cache->cacheMem) { /* cache is uninitialized */ michael@0: PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED); michael@0: return rv; michael@0: } michael@0: if (!lockTime) { michael@0: lockTime = now = LockSidCacheLock(cache->keyCacheLock, now); michael@0: if (!lockTime) { michael@0: return rv; michael@0: } michael@0: } michael@0: if (pwswk->exchKeyType == exchKeyType && michael@0: pwswk->symWrapMechIndex == symWrapMechIndex && michael@0: pwswk->wrappedSymKeyLen != 0) { michael@0: *wswk = *pwswk; michael@0: rv = PR_TRUE; michael@0: } michael@0: if (now) { michael@0: UnlockSidCacheLock(cache->keyCacheLock); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: PRBool michael@0: ssl_GetWrappingKey( PRInt32 symWrapMechIndex, michael@0: SSL3KEAType exchKeyType, michael@0: SSLWrappedSymWrappingKey *wswk) michael@0: { michael@0: PRBool rv; michael@0: michael@0: PORT_Assert( (unsigned)exchKeyType < kt_kea_size); michael@0: PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS); michael@0: if ((unsigned)exchKeyType < kt_kea_size && michael@0: (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) { michael@0: rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk, michael@0: &globalCache, 0); michael@0: } else { michael@0: rv = PR_FALSE; michael@0: } michael@0: michael@0: return rv; michael@0: } michael@0: michael@0: /* Wrap and cache a session ticket key. */ michael@0: static PRBool michael@0: WrapTicketKey(SECKEYPublicKey *svrPubKey, PK11SymKey *symKey, michael@0: const char *keyName, encKeyCacheEntry* cacheEntry) michael@0: { michael@0: SECItem wrappedKey = {siBuffer, NULL, 0}; michael@0: michael@0: wrappedKey.len = SECKEY_PublicKeyStrength(svrPubKey); michael@0: PORT_Assert(wrappedKey.len <= sizeof(cacheEntry->bytes)); michael@0: if (wrappedKey.len > sizeof(cacheEntry->bytes)) michael@0: return PR_FALSE; michael@0: wrappedKey.data = cacheEntry->bytes; michael@0: michael@0: if (PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, symKey, &wrappedKey) michael@0: != SECSuccess) { michael@0: SSL_DBG(("%d: SSL[%s]: Unable to wrap session ticket %s.", michael@0: SSL_GETPID(), "unknown", keyName)); michael@0: return PR_FALSE; michael@0: } michael@0: cacheEntry->length = wrappedKey.len; michael@0: return PR_TRUE; michael@0: } michael@0: michael@0: static PRBool michael@0: GenerateTicketKeys(void *pwArg, unsigned char *keyName, PK11SymKey **aesKey, michael@0: PK11SymKey **macKey) michael@0: { michael@0: PK11SlotInfo *slot; michael@0: CK_MECHANISM_TYPE mechanismArray[2]; michael@0: PK11SymKey *aesKeyTmp = NULL; michael@0: PK11SymKey *macKeyTmp = NULL; michael@0: cacheDesc *cache = &globalCache; michael@0: PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN]; michael@0: PRUint8 *ticketKeyNameSuffix; michael@0: michael@0: if (!cache->cacheMem) { michael@0: /* cache is not initalized. Use stack buffer */ michael@0: ticketKeyNameSuffix = ticketKeyNameSuffixLocal; michael@0: } else { michael@0: ticketKeyNameSuffix = cache->ticketKeyNameSuffix; michael@0: } michael@0: michael@0: if (PK11_GenerateRandom(ticketKeyNameSuffix, michael@0: SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) { michael@0: SSL_DBG(("%d: SSL[%s]: Unable to generate random key name bytes.", michael@0: SSL_GETPID(), "unknown")); michael@0: goto loser; michael@0: } michael@0: michael@0: mechanismArray[0] = CKM_AES_CBC; michael@0: mechanismArray[1] = CKM_SHA256_HMAC; michael@0: michael@0: slot = PK11_GetBestSlotMultiple(mechanismArray, 2, pwArg); michael@0: if (slot) { michael@0: aesKeyTmp = PK11_KeyGen(slot, mechanismArray[0], NULL, michael@0: AES_256_KEY_LENGTH, pwArg); michael@0: macKeyTmp = PK11_KeyGen(slot, mechanismArray[1], NULL, michael@0: SHA256_LENGTH, pwArg); michael@0: PK11_FreeSlot(slot); michael@0: } michael@0: michael@0: if (aesKeyTmp == NULL || macKeyTmp == NULL) { michael@0: SSL_DBG(("%d: SSL[%s]: Unable to generate session ticket keys.", michael@0: SSL_GETPID(), "unknown")); michael@0: goto loser; michael@0: } michael@0: PORT_Memcpy(keyName, ticketKeyNameSuffix, SESS_TICKET_KEY_VAR_NAME_LEN); michael@0: *aesKey = aesKeyTmp; michael@0: *macKey = macKeyTmp; michael@0: return PR_TRUE; michael@0: michael@0: loser: michael@0: if (aesKeyTmp) michael@0: PK11_FreeSymKey(aesKeyTmp); michael@0: if (macKeyTmp) michael@0: PK11_FreeSymKey(macKeyTmp); michael@0: return PR_FALSE; michael@0: } michael@0: michael@0: static PRBool michael@0: GenerateAndWrapTicketKeys(SECKEYPublicKey *svrPubKey, void *pwArg, michael@0: unsigned char *keyName, PK11SymKey **aesKey, michael@0: PK11SymKey **macKey) michael@0: { michael@0: PK11SymKey *aesKeyTmp = NULL; michael@0: PK11SymKey *macKeyTmp = NULL; michael@0: cacheDesc *cache = &globalCache; michael@0: michael@0: if (!GenerateTicketKeys(pwArg, keyName, &aesKeyTmp, &macKeyTmp)) { michael@0: goto loser; michael@0: } michael@0: michael@0: if (cache->cacheMem) { michael@0: /* Export the keys to the shared cache in wrapped form. */ michael@0: if (!WrapTicketKey(svrPubKey, aesKeyTmp, "enc key", cache->ticketEncKey)) michael@0: goto loser; michael@0: if (!WrapTicketKey(svrPubKey, macKeyTmp, "mac key", cache->ticketMacKey)) michael@0: goto loser; michael@0: } michael@0: *aesKey = aesKeyTmp; michael@0: *macKey = macKeyTmp; michael@0: return PR_TRUE; michael@0: michael@0: loser: michael@0: if (aesKeyTmp) michael@0: PK11_FreeSymKey(aesKeyTmp); michael@0: if (macKeyTmp) michael@0: PK11_FreeSymKey(macKeyTmp); michael@0: return PR_FALSE; michael@0: } michael@0: michael@0: static PRBool michael@0: UnwrapCachedTicketKeys(SECKEYPrivateKey *svrPrivKey, unsigned char *keyName, michael@0: PK11SymKey **aesKey, PK11SymKey **macKey) michael@0: { michael@0: SECItem wrappedKey = {siBuffer, NULL, 0}; michael@0: PK11SymKey *aesKeyTmp = NULL; michael@0: PK11SymKey *macKeyTmp = NULL; michael@0: cacheDesc *cache = &globalCache; michael@0: michael@0: wrappedKey.data = cache->ticketEncKey->bytes; michael@0: wrappedKey.len = cache->ticketEncKey->length; michael@0: PORT_Assert(wrappedKey.len <= sizeof(cache->ticketEncKey->bytes)); michael@0: aesKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, michael@0: CKM_AES_CBC, CKA_DECRYPT, 0); michael@0: michael@0: wrappedKey.data = cache->ticketMacKey->bytes; michael@0: wrappedKey.len = cache->ticketMacKey->length; michael@0: PORT_Assert(wrappedKey.len <= sizeof(cache->ticketMacKey->bytes)); michael@0: macKeyTmp = PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey, michael@0: CKM_SHA256_HMAC, CKA_SIGN, 0); michael@0: michael@0: if (aesKeyTmp == NULL || macKeyTmp == NULL) { michael@0: SSL_DBG(("%d: SSL[%s]: Unable to unwrap session ticket keys.", michael@0: SSL_GETPID(), "unknown")); michael@0: goto loser; michael@0: } michael@0: SSL_DBG(("%d: SSL[%s]: Successfully unwrapped session ticket keys.", michael@0: SSL_GETPID(), "unknown")); michael@0: michael@0: PORT_Memcpy(keyName, cache->ticketKeyNameSuffix, michael@0: SESS_TICKET_KEY_VAR_NAME_LEN); michael@0: *aesKey = aesKeyTmp; michael@0: *macKey = macKeyTmp; michael@0: return PR_TRUE; michael@0: michael@0: loser: michael@0: if (aesKeyTmp) michael@0: PK11_FreeSymKey(aesKeyTmp); michael@0: if (macKeyTmp) michael@0: PK11_FreeSymKey(macKeyTmp); michael@0: return PR_FALSE; michael@0: } michael@0: michael@0: PRBool michael@0: ssl_GetSessionTicketKeysPKCS11(SECKEYPrivateKey *svrPrivKey, michael@0: SECKEYPublicKey *svrPubKey, void *pwArg, michael@0: unsigned char *keyName, PK11SymKey **aesKey, michael@0: PK11SymKey **macKey) michael@0: { michael@0: PRUint32 now = 0; michael@0: PRBool rv = PR_FALSE; michael@0: PRBool keysGenerated = PR_FALSE; michael@0: cacheDesc *cache = &globalCache; michael@0: michael@0: if (!cache->cacheMem) { michael@0: /* cache is uninitialized. Generate keys and return them michael@0: * without caching. */ michael@0: return GenerateTicketKeys(pwArg, keyName, aesKey, macKey); michael@0: } michael@0: michael@0: now = LockSidCacheLock(cache->keyCacheLock, now); michael@0: if (!now) michael@0: return rv; michael@0: michael@0: if (!*(cache->ticketKeysValid)) { michael@0: /* Keys do not exist, create them. */ michael@0: if (!GenerateAndWrapTicketKeys(svrPubKey, pwArg, keyName, michael@0: aesKey, macKey)) michael@0: goto loser; michael@0: keysGenerated = PR_TRUE; michael@0: *(cache->ticketKeysValid) = 1; michael@0: } michael@0: michael@0: rv = PR_TRUE; michael@0: michael@0: loser: michael@0: UnlockSidCacheLock(cache->keyCacheLock); michael@0: if (rv && !keysGenerated) michael@0: rv = UnwrapCachedTicketKeys(svrPrivKey, keyName, aesKey, macKey); michael@0: return rv; michael@0: } michael@0: michael@0: PRBool michael@0: ssl_GetSessionTicketKeys(unsigned char *keyName, unsigned char *encKey, michael@0: unsigned char *macKey) michael@0: { michael@0: PRBool rv = PR_FALSE; michael@0: PRUint32 now = 0; michael@0: cacheDesc *cache = &globalCache; michael@0: PRUint8 ticketMacKey[SHA256_LENGTH], ticketEncKey[AES_256_KEY_LENGTH]; michael@0: PRUint8 ticketKeyNameSuffixLocal[SESS_TICKET_KEY_VAR_NAME_LEN]; michael@0: PRUint8 *ticketMacKeyPtr, *ticketEncKeyPtr, *ticketKeyNameSuffix; michael@0: PRBool cacheIsEnabled = PR_TRUE; michael@0: michael@0: if (!cache->cacheMem) { /* cache is uninitialized */ michael@0: cacheIsEnabled = PR_FALSE; michael@0: ticketKeyNameSuffix = ticketKeyNameSuffixLocal; michael@0: ticketEncKeyPtr = ticketEncKey; michael@0: ticketMacKeyPtr = ticketMacKey; michael@0: } else { michael@0: /* these values have constant memory locations in the cache. michael@0: * Ok to reference them without holding the lock. */ michael@0: ticketKeyNameSuffix = cache->ticketKeyNameSuffix; michael@0: ticketEncKeyPtr = cache->ticketEncKey->bytes; michael@0: ticketMacKeyPtr = cache->ticketMacKey->bytes; michael@0: } michael@0: michael@0: if (cacheIsEnabled) { michael@0: /* Grab lock if initialized. */ michael@0: now = LockSidCacheLock(cache->keyCacheLock, now); michael@0: if (!now) michael@0: return rv; michael@0: } michael@0: /* Going to regenerate keys on every call if cache was not michael@0: * initialized. */ michael@0: if (!cacheIsEnabled || !*(cache->ticketKeysValid)) { michael@0: if (PK11_GenerateRandom(ticketKeyNameSuffix, michael@0: SESS_TICKET_KEY_VAR_NAME_LEN) != SECSuccess) michael@0: goto loser; michael@0: if (PK11_GenerateRandom(ticketEncKeyPtr, michael@0: AES_256_KEY_LENGTH) != SECSuccess) michael@0: goto loser; michael@0: if (PK11_GenerateRandom(ticketMacKeyPtr, michael@0: SHA256_LENGTH) != SECSuccess) michael@0: goto loser; michael@0: if (cacheIsEnabled) { michael@0: *(cache->ticketKeysValid) = 1; michael@0: } michael@0: } michael@0: michael@0: rv = PR_TRUE; michael@0: michael@0: loser: michael@0: if (cacheIsEnabled) { michael@0: UnlockSidCacheLock(cache->keyCacheLock); michael@0: } michael@0: if (rv) { michael@0: PORT_Memcpy(keyName, ticketKeyNameSuffix, michael@0: SESS_TICKET_KEY_VAR_NAME_LEN); michael@0: PORT_Memcpy(encKey, ticketEncKeyPtr, AES_256_KEY_LENGTH); michael@0: PORT_Memcpy(macKey, ticketMacKeyPtr, SHA256_LENGTH); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /* The caller passes in the new value it wants michael@0: * to set. This code tests the wrapped sym key entry in the shared memory. michael@0: * If it is uninitialized, this function writes the caller's value into michael@0: * the disk entry, and returns false. michael@0: * Otherwise, it overwrites the caller's wswk with the value obtained from michael@0: * the disk, and returns PR_TRUE. michael@0: * This is all done while holding the locks/mutexes necessary to make michael@0: * the operation atomic. michael@0: */ michael@0: PRBool michael@0: ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk) michael@0: { michael@0: cacheDesc * cache = &globalCache; michael@0: PRBool rv = PR_FALSE; michael@0: SSL3KEAType exchKeyType = wswk->exchKeyType; michael@0: /* type of keys used to wrap SymWrapKey*/ michael@0: PRInt32 symWrapMechIndex = wswk->symWrapMechIndex; michael@0: PRUint32 ndx; michael@0: PRUint32 now = 0; michael@0: SSLWrappedSymWrappingKey myWswk; michael@0: michael@0: if (!cache->cacheMem) { /* cache is uninitialized */ michael@0: PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED); michael@0: return 0; michael@0: } michael@0: michael@0: PORT_Assert( (unsigned)exchKeyType < kt_kea_size); michael@0: if ((unsigned)exchKeyType >= kt_kea_size) michael@0: return 0; michael@0: michael@0: PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS); michael@0: if ((unsigned)symWrapMechIndex >= SSL_NUM_WRAP_MECHS) michael@0: return 0; michael@0: michael@0: ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; michael@0: PORT_Memset(&myWswk, 0, sizeof myWswk); /* eliminate UMRs. */ michael@0: michael@0: now = LockSidCacheLock(cache->keyCacheLock, now); michael@0: if (now) { michael@0: rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, michael@0: &myWswk, cache, now); michael@0: if (rv) { michael@0: /* we found it on disk, copy it out to the caller. */ michael@0: PORT_Memcpy(wswk, &myWswk, sizeof *wswk); michael@0: } else { michael@0: /* Wasn't on disk, and we're still holding the lock, so write it. */ michael@0: cache->keyCacheData[ndx] = *wswk; michael@0: } michael@0: UnlockSidCacheLock(cache->keyCacheLock); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: #else /* MAC version or other platform */ michael@0: michael@0: #include "seccomon.h" michael@0: #include "cert.h" michael@0: #include "ssl.h" michael@0: #include "sslimpl.h" michael@0: michael@0: SECStatus michael@0: SSL_ConfigServerSessionIDCache( int maxCacheEntries, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory) michael@0: { michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServerSessionIDCache)"); michael@0: return SECFailure; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_ConfigMPServerSIDCache( int maxCacheEntries, michael@0: PRUint32 ssl2_timeout, michael@0: PRUint32 ssl3_timeout, michael@0: const char * directory) michael@0: { michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPServerSIDCache)"); michael@0: return SECFailure; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_InheritMPServerSIDCache(const char * envString) michael@0: { michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPServerSIDCache)"); michael@0: return SECFailure; michael@0: } michael@0: michael@0: PRBool michael@0: ssl_GetWrappingKey( PRInt32 symWrapMechIndex, michael@0: SSL3KEAType exchKeyType, michael@0: SSLWrappedSymWrappingKey *wswk) michael@0: { michael@0: PRBool rv = PR_FALSE; michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)"); michael@0: return rv; michael@0: } michael@0: michael@0: /* This is a kind of test-and-set. The caller passes in the new value it wants michael@0: * to set. This code tests the wrapped sym key entry in the shared memory. michael@0: * If it is uninitialized, this function writes the caller's value into michael@0: * the disk entry, and returns false. michael@0: * Otherwise, it overwrites the caller's wswk with the value obtained from michael@0: * the disk, and returns PR_TRUE. michael@0: * This is all done while holding the locks/mutexes necessary to make michael@0: * the operation atomic. michael@0: */ michael@0: PRBool michael@0: ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk) michael@0: { michael@0: PRBool rv = PR_FALSE; michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)"); michael@0: return rv; michael@0: } michael@0: michael@0: PRUint32 michael@0: SSL_GetMaxServerCacheLocks(void) michael@0: { michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServerCacheLocks)"); michael@0: return -1; michael@0: } michael@0: michael@0: SECStatus michael@0: SSL_SetMaxServerCacheLocks(PRUint32 maxLocks) michael@0: { michael@0: PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServerCacheLocks)"); michael@0: return SECFailure; michael@0: } michael@0: michael@0: #endif /* XP_UNIX || XP_WIN32 */