static NSSSlot * nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) { NSSSlot *rvSlot; NSSArena *arena; arena = nssArena_Create(); if (!arena) { return NULL; } rvSlot = nss_ZNEW(arena, NSSSlot); if (!rvSlot) { nssArena_Destroy(arena); return NULL; } rvSlot->base.refCount = 1; rvSlot->base.lock = PZ_NewLock(nssILockOther); rvSlot->base.arena = arena; rvSlot->pk11slot = nss3slot; rvSlot->epv = nss3slot->functionList; rvSlot->slotID = nss3slot->slotID; /* Grab the slot name from the PKCS#11 fixed-length buffer */ rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena); rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; return rvSlot; }
SECStatus launch_threads( startFn *startFunc, PRFileDesc *a, PRFileDesc *b, int c, PRBool local) { int i; SECStatus rv = SECSuccess; /* create the thread management serialization structs */ qLock = PZ_NewLock(nssILockSelfServ); jobQNotEmptyCv = PZ_NewCondVar(qLock); freeListNotEmptyCv = PZ_NewCondVar(qLock); threadCountChangeCv = PZ_NewCondVar(qLock); /* create monitor for crl reload procedure */ lastLoadedCrlLock = PR_NewLock(); /* allocate the array of thread slots */ threads = PR_Calloc(maxThreads, sizeof(perThread)); if ( NULL == threads ) { fprintf(stderr, "Oh Drat! Can't allocate the perThread array\n"); return SECFailure; } /* 5 is a little extra, intended to keep the jobQ from underflowing. ** That is, from going empty while not stopping and clients are still ** trying to contact us. */ rv = setupJobs(maxThreads + 5); if (rv != SECSuccess) return rv; PZ_Lock(qLock); for (i = 0; i < maxThreads; ++i) { perThread * slot = threads + i; slot->state = rs_running; slot->a = a; slot->b = b; slot->c = c; slot->startFunc = startFunc; slot->prThread = PR_CreateThread(PR_USER_THREAD, thread_wrapper, slot, PR_PRIORITY_NORMAL, (PR_TRUE==local)?PR_LOCAL_THREAD:PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0); if (slot->prThread == NULL) { printf("selfserv: Failed to launch thread!\n"); slot->state = rs_idle; rv = SECFailure; break; } ++threadCount; } PZ_Unlock(qLock); return rv; }
/* InitSessionCacheLocks is called, protected by lockOnce, to create the * session cache locks. */ static PRStatus InitSessionCacheLocks(void) { SECStatus rv; cacheLock = PZ_NewLock(nssILockCache); if (cacheLock == NULL) { return PR_FAILURE; } rv = ssl_InitSymWrapKeysLock(); if (rv != SECSuccess) { PRErrorCode error = PORT_GetError(); PZ_DestroyLock(cacheLock); cacheLock = NULL; PORT_SetError(error); return PR_FAILURE; } rv = NSS_RegisterShutdown(FreeSessionCacheLocks, NULL); PORT_Assert(SECSuccess == rv); if (SECSuccess != rv) { return PR_FAILURE; } return PR_SUCCESS; }
/* build the PKCS #11 2.01 lock files */ CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) { *pmutex = (CK_VOID_PTR)PZ_NewLock(nssILockOther); if (*pmutex) return CKR_OK; return CKR_HOST_MEMORY; }
static PRStatus rng_init(void) { PRUint8 bytes[PRNG_SEEDLEN * 2]; /* entropy + nonce */ unsigned int numBytes; SECStatus rv = SECSuccess; if (globalrng == NULL) { /* bytes needs to have enough space to hold * a SHA256 hash value. Blow up at compile time if this isn't true */ PR_STATIC_ASSERT(sizeof(bytes) >= SHA256_LENGTH); /* create a new global RNG context */ globalrng = &theGlobalRng; PORT_Assert(NULL == globalrng->lock); /* create a lock for it */ globalrng->lock = PZ_NewLock(nssILockOther); if (globalrng->lock == NULL) { globalrng = NULL; PORT_SetError(PR_OUT_OF_MEMORY_ERROR); return PR_FAILURE; } /* Try to get some seed data for the RNG */ numBytes = (unsigned int)RNG_SystemRNG(bytes, sizeof bytes); PORT_Assert(numBytes == 0 || numBytes == sizeof bytes); if (numBytes != 0) { /* if this is our first call, instantiate, otherwise reseed * prng_instantiate gets a new clean state, we want to mix * any previous entropy we may have collected */ if (V(globalrng)[0] == 0) { rv = prng_instantiate(globalrng, bytes, numBytes); } else { rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0); } memset(bytes, 0, numBytes); } else { PZ_DestroyLock(globalrng->lock); globalrng->lock = NULL; globalrng = NULL; return PR_FAILURE; } if (rv != SECSuccess) { return PR_FAILURE; } /* the RNG is in a valid state */ globalrng->isValid = PR_TRUE; globalrng->isKatTest = PR_FALSE; /* fetch one random value so that we can populate rng->oldV for our * continous random number test. */ prng_generateNewBytes(globalrng, bytes, SHA256_LENGTH, NULL, 0); /* Fetch more entropy into the PRNG */ RNG_SystemInfoForRNG(); } return PR_SUCCESS; }
NSSToken * nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) { NSSToken *rvToken; NSSArena *arena; /* Don't create a token object for a disabled slot */ if (nss3slot->disabled) { PORT_SetError(SEC_ERROR_NO_TOKEN); return NULL; } arena = nssArena_Create(); if (!arena) { return NULL; } rvToken = nss_ZNEW(arena, NSSToken); if (!rvToken) { nssArena_Destroy(arena); return NULL; } rvToken->base.refCount = 1; rvToken->base.lock = PZ_NewLock(nssILockOther); if (!rvToken->base.lock) { nssArena_Destroy(arena); return NULL; } rvToken->base.arena = arena; rvToken->pk11slot = nss3slot; rvToken->epv = nss3slot->functionList; rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena, nss3slot->session, nss3slot->sessionLock, nss3slot->defRWSession); /* continue, even if rvToken->defaultSession is NULL */ if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) { rvToken->cache = nssTokenObjectCache_Create(rvToken, PR_TRUE, PR_TRUE, PR_TRUE); if (!rvToken->cache) goto loser; } rvToken->trustDomain = td; /* Grab the token name from the PKCS#11 fixed-length buffer */ rvToken->base.name = nssUTF8_Duplicate(nss3slot->token_name,td->arena); rvToken->slot = nssSlot_CreateFromPK11SlotInfo(td, nss3slot); if (!rvToken->slot) { goto loser; } rvToken->slot->token = rvToken; if (rvToken->defaultSession) rvToken->defaultSession->slot = rvToken->slot; return rvToken; loser: PZ_DestroyLock(rvToken->base.lock); nssArena_Destroy(arena); return NULL; }
/* * nssHash_create * */ NSS_IMPLEMENT nssHash * nssHash_Create ( NSSArena *arenaOpt, PRUint32 numBuckets, PLHashFunction keyHash, PLHashComparator keyCompare, PLHashComparator valueCompare ) { nssHash *rv; NSSArena *arena; PRBool i_alloced; #ifdef NSSDEBUG if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) { nss_SetError(NSS_ERROR_INVALID_POINTER); return (nssHash *)NULL; } #endif /* NSSDEBUG */ if (arenaOpt) { arena = arenaOpt; i_alloced = PR_FALSE; } else { arena = nssArena_Create(); i_alloced = PR_TRUE; } rv = nss_ZNEW(arena, nssHash); if( (nssHash *)NULL == rv ) { goto loser; } rv->mutex = PZ_NewLock(nssILockOther); if( (PZLock *)NULL == rv->mutex ) { goto loser; } rv->plHashTable = PL_NewHashTable(numBuckets, keyHash, keyCompare, valueCompare, &nssArenaHashAllocOps, arena); if( (PLHashTable *)NULL == rv->plHashTable ) { (void)PZ_DestroyLock(rv->mutex); goto loser; } rv->count = 0; rv->arena = arena; rv->i_alloced_arena = i_alloced; return rv; loser: (void)nss_ZFreeIf(rv); return (nssHash *)NULL; }
/* create a new module */ static SECMODModule * secmod_NewModule(void) { SECMODModule *newMod; PLArenaPool *arena; /* create an arena in which dllName and commonName can be * allocated. */ arena = PORT_NewArena(512); if (arena == NULL) { return NULL; } newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule)); if (newMod == NULL) { PORT_FreeArena(arena,PR_FALSE); return NULL; } /* * initialize of the fields of the module */ newMod->arena = arena; newMod->internal = PR_FALSE; newMod->loaded = PR_FALSE; newMod->isFIPS = PR_FALSE; newMod->dllName = NULL; newMod->commonName = NULL; newMod->library = NULL; newMod->functionList = NULL; newMod->slotCount = 0; newMod->slots = NULL; newMod->slotInfo = NULL; newMod->slotInfoCount = 0; newMod->refCount = 1; newMod->ssl[0] = 0; newMod->ssl[1] = 0; newMod->libraryParams = NULL; newMod->moduleDBFunc = NULL; newMod->parent = NULL; newMod->isCritical = PR_FALSE; newMod->isModuleDB = PR_FALSE; newMod->moduleDBOnly = PR_FALSE; newMod->trustOrder = 0; newMod->cipherOrder = 0; newMod->evControlMask = 0; newMod->refLock = PZ_NewLock(nssILockRefLock); if (newMod->refLock == NULL) { PORT_FreeArena(arena,PR_FALSE); return NULL; } return newMod; }
NSS_IMPLEMENT nssCertificateStore * nssCertificateStore_Create ( NSSArena *arenaOpt ) { NSSArena *arena; nssCertificateStore *store; PRBool i_alloced_arena; if (arenaOpt) { arena = arenaOpt; i_alloced_arena = PR_FALSE; } else { arena = nssArena_Create(); if (!arena) { return NULL; } i_alloced_arena = PR_TRUE; } store = nss_ZNEW(arena, nssCertificateStore); if (!store) { goto loser; } store->lock = PZ_NewLock(nssILockOther); if (!store->lock) { goto loser; } /* Create the issuer/serial --> {cert, trust, S/MIME profile } hash */ store->issuer_and_serial = nssHash_CreateCertificate(arena, 0); if (!store->issuer_and_serial) { goto loser; } /* Create the subject DER --> subject list hash */ store->subject = nssHash_CreateItem(arena, 0); if (!store->subject) { goto loser; } store->arena = arena; store->i_alloced_arena = i_alloced_arena; return store; loser: if (store) { if (store->lock) { PZ_DestroyLock(store->lock); } if (store->issuer_and_serial) { nssHash_Destroy(store->issuer_and_serial); } if (store->subject) { nssHash_Destroy(store->subject); } } if (i_alloced_arena) { nssArena_Destroy(arena); } return NULL; }
static PRStatus init_blinding_params_list(void) { blindingParamsList.lock = PZ_NewLock(nssILockOther); if (!blindingParamsList.lock) { PORT_SetError(SEC_ERROR_NO_MEMORY); return PR_FAILURE; } PR_INIT_CLIST(&blindingParamsList.head); return PR_SUCCESS; }
PLArenaPool * PORT_NewArena(unsigned long chunksize) { PORTArenaPool *pool; pool = PORT_ZNew(PORTArenaPool); if (!pool) { return NULL; } pool->magic = ARENAPOOL_MAGIC; pool->lock = PZ_NewLock(nssILockArena); if (!pool->lock) { ++port_allocFailures; PORT_Free(pool); return NULL; } PL_InitArenaPool(&pool->arena, "security", chunksize, sizeof(double)); return(&pool->arena); }
/********************* Arena code follows ***************************** * ArenaPools are like heaps. The memory in them consists of large blocks, * called arenas, which are allocated from the/a system heap. Inside an * ArenaPool, the arenas are organized as if they were in a stack. Newly * allocated arenas are "pushed" on that stack. When you attempt to * allocate memory from an ArenaPool, the code first looks to see if there * is enough unused space in the top arena on the stack to satisfy your * request, and if so, your request is satisfied from that arena. * Otherwise, a new arena is allocated (or taken from NSPR's list of freed * arenas) and pushed on to the stack. The new arena is always big enough * to satisfy the request, and is also at least a minimum size that is * established at the time that the ArenaPool is created. * * The ArenaMark function returns the address of a marker in the arena at * the top of the arena stack. It is the address of the place in the arena * on the top of the arena stack from which the next block of memory will * be allocated. Each ArenaPool has its own separate stack, and hence * marks are only relevant to the ArenaPool from which they are gotten. * Marks may be nested. That is, a thread can get a mark, and then get * another mark. * * It is intended that all the marks in an ArenaPool may only be owned by a * single thread. In DEBUG builds, this is enforced. In non-DEBUG builds, * it is not. In DEBUG builds, when a thread gets a mark from an * ArenaPool, no other thread may acquire a mark in that ArenaPool while * that mark exists, that is, until that mark is unmarked or released. * Therefore, it is important that every mark be unmarked or released when * the creating thread has no further need for exclusive ownership of the * right to manage the ArenaPool. * * The ArenaUnmark function discards the ArenaMark at the address given, * and all marks nested inside that mark (that is, acquired from that same * ArenaPool while that mark existed). It is an error for a thread other * than the mark's creator to try to unmark it. When a thread has unmarked * all its marks from an ArenaPool, then another thread is able to set * marks in that ArenaPool. ArenaUnmark does not deallocate (or "pop") any * memory allocated from the ArenaPool since the mark was created. * * ArenaRelease "pops" the stack back to the mark, deallocating all the * memory allocated from the arenas in the ArenaPool since that mark was * created, and removing any arenas from the ArenaPool that have no * remaining active allocations when that is done. It implicitly releases * any marks nested inside the mark being explicitly released. It is the * only operation, other than destroying the arenapool, that potentially * reduces the number of arenas on the stack. Otherwise, the stack grows * until the arenapool is destroyed, at which point all the arenas are * freed or returned to a "free arena list", depending on their sizes. */ PLArenaPool * PORT_NewArena(unsigned long chunksize) { PORTArenaPool *pool; if (chunksize > MAX_SIZE) { PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } pool = PORT_ZNew(PORTArenaPool); if (!pool) { return NULL; } pool->magic = ARENAPOOL_MAGIC; pool->lock = PZ_NewLock(nssILockArena); if (!pool->lock) { PORT_Free(pool); return NULL; } PL_InitArenaPool(&pool->arena, "security", chunksize, sizeof(double)); return (&pool->arena); }
/* * Common Helper Function do come up with a new context. */ static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param) { CK_MECHANISM mech_info; PK11Context *context; SECStatus rv; PORT_Assert(slot != NULL); if (!slot || (!symKey && operation != CKA_DIGEST)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } context = (PK11Context *) PORT_Alloc(sizeof(PK11Context)); if (context == NULL) { return NULL; } /* now deal with the fortezza hack... the fortezza hack is an attempt * to get around the issue of the card not allowing you to do a FORTEZZA * LoadIV/Encrypt, which was added because such a combination could be * use to circumvent the key escrow system. Unfortunately SSL needs to * do this kind of operation, so in SSL we do a loadIV (to verify it), * Then GenerateIV, and through away the first 8 bytes on either side * of the connection.*/ context->fortezzaHack = PR_FALSE; if (type == CKM_SKIPJACK_CBC64) { if (symKey->origin == PK11_OriginFortezzaHack) { context->fortezzaHack = PR_TRUE; } } /* initialize the critical fields of the context */ context->operation = operation; context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; context->slot = PK11_ReferenceSlot(slot); context->session = pk11_GetNewSession(slot,&context->ownSession); context->cx = symKey ? symKey->cx : NULL; /* get our session */ context->savedData = NULL; /* save the parameters so that some digesting stuff can do multiple * begins on a single context */ context->type = type; if (param) { if (param->len > 0) { context->param = SECITEM_DupItem(param); } else { context->param = (SECItem *)&pk11_null_params; } } else { context->param = NULL; } context->init = PR_FALSE; context->sessionLock = PZ_NewLock(nssILockPK11cxt); if ((context->param == NULL) || (context->sessionLock == NULL)) { PK11_DestroyContext(context,PR_TRUE); return NULL; } mech_info.mechanism = type; mech_info.pParameter = param->data; mech_info.ulParameterLen = param->len; PK11_EnterContextMonitor(context); rv = pk11_context_init(context,&mech_info); PK11_ExitContextMonitor(context); if (rv != SECSuccess) { PK11_DestroyContext(context,PR_TRUE); return NULL; } context->init = PR_TRUE; return context; }
/* this should not be exposed in a header, but is here to keep the above * types/functions static */ NSS_IMPLEMENT PRStatus nssTrustDomain_InitializeCache ( NSSTrustDomain *td, PRUint32 cacheSize ) { NSSArena *arena; nssTDCertificateCache *cache = td->cache; #ifdef DEBUG_CACHE s_log = PR_NewLogModule("nss_cache"); PR_ASSERT(s_log); #endif PR_ASSERT(!cache); arena = nssArena_Create(); if (!arena) { return PR_FAILURE; } cache = nss_ZNEW(arena, nssTDCertificateCache); if (!cache) { nssArena_Destroy(arena); return PR_FAILURE; } cache->lock = PZ_NewLock(nssILockCache); if (!cache->lock) { nssArena_Destroy(arena); return PR_FAILURE; } /* Create the issuer and serial DER --> certificate hash */ cache->issuerAndSN = nssHash_CreateCertificate(arena, cacheSize); if (!cache->issuerAndSN) { goto loser; } /* Create the subject DER --> subject list hash */ cache->subject = nssHash_CreateItem(arena, cacheSize); if (!cache->subject) { goto loser; } /* Create the nickname --> subject list hash */ cache->nickname = nssHash_CreateString(arena, cacheSize); if (!cache->nickname) { goto loser; } /* Create the email --> list of subject lists hash */ cache->email = nssHash_CreateString(arena, cacheSize); if (!cache->email) { goto loser; } cache->arena = arena; td->cache = cache; #ifdef DEBUG_CACHE PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialized.")); #endif return PR_SUCCESS; loser: PZ_DestroyLock(cache->lock); nssArena_Destroy(arena); td->cache = NULL; #ifdef DEBUG_CACHE PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialization failed.")); #endif return PR_FAILURE; }
static SECStatus ssl_InitClientSessionCacheLock(void) { cacheLock = PZ_NewLock(nssILockCache); return cacheLock ? SECSuccess : SECFailure; }