sslsnce.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 1,927 行 · 第 1/4 页

    do {
	(void) unlink(cfn);
	certCacheFD = open(cfn, O_EXCL|O_CREAT|O_RDWR, 0600);
    } while (certCacheFD < 0 && errno == EEXIST);
    if (certCacheFD < 0) {
	nss_MD_unix_map_open_error(errno);
	IOError(certCacheFD, "create");
	goto loser;
    }
    rv = unlink(cfn);
    if (rv < 0) {
	nss_MD_unix_map_unlink_error(errno);
	IOError(rv, "unlink");
	goto loser;
    }
#else  /* WIN32 */
    certCacheFDMAP = 
    	CreateFileMapping(INVALID_HANDLE_VALUE, /* allocate in swap file */
			  &certCacheFDMapAttributes, /* inheritable. */
			  PAGE_READWRITE,
			  0,                /* size, high word. */
			  certCacheFileSize, /* size, low word. */
			  NULL);           /* no map name in FS */
    if (! certCacheFDMAP) {
	nss_MD_win32_map_default_error(GetLastError());
	goto loser;
    }
    certCacheData = (char *) MapViewOfFile(certCacheFDMAP, 
                                           FILE_MAP_ALL_ACCESS, /* R/W    */
					   0, 0, 		/* offset */
					   certCacheFileSize);	/* size   */
    if (! certCacheData) {
	nss_MD_win32_map_default_error(GetLastError());
	goto loser;
    }
#endif /* XP_UNIX */

/*  GET_SERVER_CACHE_WRITE_LOCK(certCacheFD, 0, certCacheFileSize); */
#ifdef XP_UNIX
    /* Initialize the files */
    if (ZeroFile(certCacheFD, certCacheFileSize)) {
	/* Bummer */
	close(certCacheFD);
	certCacheFD = -1;
	goto loser;
    }
#else /* XP_WIN32 */
    ZeroMemory(certCacheData, certCacheFileSize);
#endif /* XP_UNIX */
/*  RELEASE_SERVER_CACHE_LOCK(certCacheFD, 0, certCacheFileSize);   */
    PORT_Free(cfn);
    return SECSuccess;

  loser:
    PORT_Free(cfn);
    return SECFailure;
}

int
SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
				PRUint32 timeout,
			       	PRUint32 ssl3_timeout, 
			  const char *   directory)
{
    SECStatus rv;

    PORT_Assert(sizeof(SIDCacheEntry) == 256);
    PORT_Assert(sizeof(CertCacheEntry) == 4096);

    myPid = SSL_GETPID();
    if (!directory) {
	directory = DEFAULT_CACHE_DIRECTORY;
    }
    rv = InitSessionIDCache(maxCacheEntries, timeout, ssl3_timeout, directory);
    if (rv) {
	SET_ERROR_CODE
    	return SECFailure;
    }
    rv = InitCertCache(directory);
    if (rv) {
	SET_ERROR_CODE
    	return SECFailure;
    }

    ssl_sid_lookup  = ServerSessionIDLookup;
    ssl_sid_cache   = ServerSessionIDCache;
    ssl_sid_uncache = ServerSessionIDUncache;
    return SECSuccess;
}

/* Use this function, instead of SSL_ConfigServerSessionIDCache,
 * if the cache will be shared by multiple processes.
 */
int
SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
				PRUint32 timeout,
			       	PRUint32 ssl3_timeout, 
		          const char *   directory)
{
    char *	envValue;
    int 	result;
    SECStatus	putEnvFailed;

    isMultiProcess = PR_TRUE;
    result = SSL_ConfigServerSessionIDCache(maxCacheEntries, timeout, 
                                            ssl3_timeout, directory);
    if (result == SECSuccess) {
#ifdef _WIN32
	winInheritance winherit;

	winherit.numSIDCacheEntries	= numSIDCacheEntries;
	winherit.sidCacheFileSize	= sidCacheFileSize;
	winherit.sidCacheWrapOffset	= sidCacheWrapOffset;
	winherit.numCertCacheEntries	= numCertCacheEntries;
	winherit.certCacheFileSize	= certCacheFileSize;
	winherit.SIDCacheFDMAP		= SIDCacheFDMAP;
	winherit.certCacheFDMAP		= certCacheFDMAP;
	winherit.svrCacheSem		= svrCacheSem;
	winherit.parentProcessID	= GetCurrentProcessId();
	winherit.parentProcessHandle	= 
	    OpenProcess(PROCESS_DUP_HANDLE, TRUE, winherit.parentProcessID);
        if (winherit.parentProcessHandle == NULL) {
	    SET_ERROR_CODE
	    return SECFailure;
	}
        envValue = BTOA_DataToAscii((unsigned char *)&winherit, 
	                             sizeof winherit);
    	if (!envValue) {
	    SET_ERROR_CODE
	    return SECFailure;
	}
#else
	unixInheritance uinherit;

	uinherit.numSIDCacheEntries	= numSIDCacheEntries;
	uinherit.sidCacheFileSize	= sidCacheFileSize;
	uinherit.sidCacheWrapOffset	= sidCacheWrapOffset;
	uinherit.numCertCacheEntries	= numCertCacheEntries;
	uinherit.certCacheFileSize	= certCacheFileSize;
	uinherit.SIDCacheFD		= SIDCacheFD;
	uinherit.certCacheFD		= certCacheFD;

        envValue = BTOA_DataToAscii((unsigned char *)&uinherit, 
	                             sizeof uinherit);
    	if (!envValue) {
	    SET_ERROR_CODE
	    return SECFailure;
	}
#endif
    }
    putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
    PORT_Free(envValue);
    if (putEnvFailed) {
        SET_ERROR_CODE
        result = SECFailure;
    }
    return result;
}

SECStatus
SSL_InheritMPServerSIDCache(const char * envString)
{
    unsigned char * decoString = NULL;
    unsigned int    decoLen;
#ifdef _WIN32
    winInheritance  inherit;
#else
    unixInheritance inherit;
#endif

    myPid = SSL_GETPID();
    if (isMultiProcess)
    	return SECSuccess;	/* already done. */

    ssl_sid_lookup  = ServerSessionIDLookup;
    ssl_sid_cache   = ServerSessionIDCache;
    ssl_sid_uncache = ServerSessionIDUncache;

    if (!envString) {
    	envString  = getenv(envVarName);
	if (!envString) {
	    SET_ERROR_CODE
	    return SECFailure;
	}
    }

    decoString = ATOB_AsciiToData(envString, &decoLen);
    if (!decoString) {
    	SET_ERROR_CODE
	return SECFailure;
    }
    if (decoLen != sizeof inherit) {
    	SET_ERROR_CODE
    	goto loser;
    }

    PORT_Memcpy(&inherit, decoString, sizeof inherit);
    PORT_Free(decoString);

    numSIDCacheEntries	= inherit.numSIDCacheEntries;
    sidCacheFileSize	= inherit.sidCacheFileSize;
    sidCacheWrapOffset	= inherit.sidCacheWrapOffset;
    numCertCacheEntries	= inherit.numCertCacheEntries;
    certCacheFileSize	= inherit.certCacheFileSize;

#ifdef _WIN32
    SIDCacheFDMAP	= inherit.SIDCacheFDMAP;
    certCacheFDMAP	= inherit.certCacheFDMAP;
    svrCacheSem		= inherit.svrCacheSem;

#if 0
    /* call DuplicateHandle ?? */
    inherit.parentProcessID;
    inherit.parentProcessHandle;
#endif

    if(!SIDCacheFDMAP) {
    	SET_ERROR_CODE
    	goto loser;
    }
    SIDCacheData = (char *)MapViewOfFile(SIDCacheFDMAP, 
                                         FILE_MAP_ALL_ACCESS, 	/* R/W    */
					 0, 0, 			/* offset */
				         sidCacheFileSize);	/* size   */
    if(!SIDCacheData) {
	nss_MD_win32_map_default_error(GetLastError());
    	goto loser;
    }

    if(!certCacheFDMAP) {
    	SET_ERROR_CODE
    	goto loser;
    }
    certCacheData = (char *) MapViewOfFile(certCacheFDMAP, 
                                           FILE_MAP_ALL_ACCESS, /* R/W    */
					   0, 0, 		/* offset */
					   certCacheFileSize);	/* size   */
    if(!certCacheData) {
	nss_MD_win32_map_default_error(GetLastError());
    	goto loser;
    }

#else /* must be unix */
    SIDCacheFD		= inherit.SIDCacheFD;
    certCacheFD		= inherit.certCacheFD;
    if (SIDCacheFD < 0 || certCacheFD < 0) {
    	SET_ERROR_CODE
    	goto loser;
    }
#endif

    if (!cacheLock) {
	nss_InitLock(&cacheLock);
	if (!cacheLock) 
	    goto loser;
    }
    isMultiProcess = PR_TRUE;
    return SECSuccess;

loser:
    if (decoString) 
	PORT_Free(decoString);
#if _WIN32
    if (SIDCacheFDMAP) {
	CloseHandle(SIDCacheFDMAP);
	SIDCacheFDMAP = NULL;
    }
    if (certCacheFDMAP) {
	CloseHandle(certCacheFDMAP);
	certCacheFDMAP = NULL;
    }
#else
    if (SIDCacheFD >= 0) {
	close(SIDCacheFD);
	SIDCacheFD = -1;
    }
    if (certCacheFD >= 0) {
	close(certCacheFD);
	certCacheFD = -1;
    }
#endif
    return SECFailure;

}

/************************************************************************
 *  Code dealing with shared wrapped symmetric wrapping keys below      *
 ************************************************************************/


static PRBool
getWrappingKey(PRInt32                   symWrapMechIndex,
               SSL3KEAType               exchKeyType, 
               SSLWrappedSymWrappingKey *wswk, 
               PRBool                    grabSharedLock)
{
    PRUint32      offset = sidCacheWrapOffset + 
	       ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
		   sizeof(SSLWrappedSymWrappingKey));
    PRBool        rv     = PR_TRUE;
#ifdef XP_UNIX
    off_t         lrv;
    ssize_t       rrv;
#endif

    if (grabSharedLock) {
	GET_SERVER_CACHE_READ_LOCK(SIDCacheFD, offset, sizeof *wswk);
    }

#ifdef XP_UNIX
    lrv = lseek(SIDCacheFD, offset, SEEK_SET);
    if (lrv != offset) {
	if (lrv == -1) 
	    nss_MD_unix_map_lseek_error(errno);
	else
	    PORT_SetError(PR_IO_ERROR);
	    IOError(rv, "wrapping-read");
	rv = PR_FALSE;
    } else {
	rrv = read(SIDCacheFD, wswk, sizeof *wswk);
	if (rrv != sizeof *wswk) {
	    if (rrv == -1) 
		nss_MD_unix_map_read_error(errno);
	    else 
		PORT_SetError(PR_IO_ERROR);
	    IOError(rv, "wrapping-read");
	    rv = PR_FALSE;
	}
    }
#else /* XP_WIN32 */
    /* Use memory mapped I/O and just memcpy() the data */
    CopyMemory(wswk, &SIDCacheData[offset], sizeof *wswk);
#endif /* XP_WIN32 */
    if (grabSharedLock) {
	RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
    }
    if (rv) {
    	if (wswk->exchKeyType      != exchKeyType || 
	    wswk->symWrapMechIndex != symWrapMechIndex ||
	    wswk->wrappedSymKeyLen == 0) {
	    memset(wswk, 0, sizeof *wswk);
	    rv = PR_FALSE;
	}
    }
    return rv;
}

PRBool
ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
                    SSL3KEAType               exchKeyType, 
		    SSLWrappedSymWrappingKey *wswk)
{
    PRBool rv;

    lock_cache();

    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
    if ((unsigned)exchKeyType < kt_kea_size &&
        (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
	rv = getWrappingKey(symWrapMechIndex, exchKeyType, wswk, PR_TRUE);
    } else {
    	rv = PR_FALSE;
    }
    unlock_cache();
    return rv;
}

/* The caller passes in the new value it wants
 * to set.  This code tests the wrapped sym key entry in the file on disk.  
 * If it is uninitialized, this function writes the caller's value into 
 * the disk entry, and returns false.  
 * Otherwise, it overwrites the caller's wswk with the value obtained from 
 * the disk, and returns PR_TRUE.  
 * This is all done while holding the locks/semaphores necessary to make 
 * the operation atomic.
 */
PRBool
ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
{
    PRBool        rv;
    SSL3KEAType   exchKeyType      = wswk->exchKeyType;   
                                /* type of keys used to wrap SymWrapKey*/
    PRInt32       symWrapMechIndex = wswk->symWrapMechIndex;
    PRUint32      offset;
    SSLWrappedSymWrappingKey myWswk;

    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
    if ((unsigned)exchKeyType >= kt_kea_size)
    	return 0;

    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
    if ((unsigned)symWrapMechIndex >=  SSL_NUM_WRAP_MECHS)
    	return 0;

    offset = sidCacheWrapOffset + 
	       ((exchKeyType * SSL_NUM_WRAP_MECHS + symWrapMechIndex) *
		   sizeof(SSLWrappedSymWrappingKey));
    PORT_Memset(&myWswk, 0, sizeof myWswk);	/* eliminate UMRs. */
    lock_cache();
    GET_SERVER_CACHE_WRITE_LOCK(SIDCacheFD, offset, sizeof *wswk);

    rv = getWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, &myWswk, 
                        PR_FALSE);
    if (rv) {
	/* we found it on disk, copy it out to the caller. */
	PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
    } else {
	/* Wasn't on disk, and we're still holding the lock, so write it. */

#ifdef XP_UNIX
	off_t         lrv;
	ssize_t       rrv;

	lrv = lseek(SIDCacheFD, offset, SEEK_SET);
	if (lrv != offset) {
	    if (lrv == -1) 
		nss_MD_unix_map_lseek_error(errno);
	    else
		PORT_SetError(PR_IO_ERROR);
	    IOError(rv, "wrapping-read");
	    rv = PR_FALSE;
	} else {
	    rrv = write(SIDCacheFD, wswk, sizeof *wswk);
	    if (rrv != sizeof *wswk) {
		if (rrv == -1) 
		    nss_MD_unix_map_read_error(errno);
		else 
		    PORT_SetError(PR_IO_ERROR);
		IOError(rv, "wrapping-read");
		rv = PR_FALSE;
	    }
	}
#else /* XP_WIN32 */
	/* Use memory mapped I/O and just memcpy() the data */
	CopyMemory(&SIDCacheData[offset], wswk, sizeof *wswk);
#endif /* XP_WIN32 */
    }
    RELEASE_SERVER_CACHE_LOCK(SIDCacheFD, offset, sizeof *wswk);
    unlock_cache();
    return rv;
}


#endif /* NADA_VERISON */
#else

#include "seccomon.h"
#include "cert.h"
#include "ssl.h"
#include "sslimpl.h"

PRBool
ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
                    SSL3KEAType               exchKeyType, 
		    SSLWrappedSymWrappingKey *wswk)
{
    PRBool rv = PR_FALSE;
    PR_ASSERT(!"SSL servers are not supported on the Mac. (ssl_GetWrappingKey)");    
    return rv;
}

/* This is a kind of test-and-set.  The caller passes in the new value it wants
 * to set.  This code tests the wrapped sym key entry in the file on disk.  
 * If it is uninitialized, this function writes the caller's value into 
 * the disk entry, and returns false.  
 * Otherwise, it overwrites the caller's wswk with the value obtained from 
 * the disk, and returns PR_TRUE.  
 * This is all done while holding the locks/semaphores necessary to make 
 * the operation atomic.
 */
PRBool
ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
{
    PRBool        rv = PR_FALSE;
    PR_ASSERT(!"SSL servers are not supported on the Mac. (ssl_SetWrappingKey)");
    return rv;
}

#endif /* XP_UNIX || XP_WIN32 */