diff options
Diffstat (limited to 'nss/lib/nss/nssinit.c')
| -rw-r--r-- | nss/lib/nss/nssinit.c | 1017 |
1 files changed, 546 insertions, 471 deletions
diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c index b22f915..5d62d47 100644 --- a/nss/lib/nss/nssinit.c +++ b/nss/lib/nss/nssinit.c @@ -20,9 +20,12 @@ #include "secerr.h" #include "nssbase.h" #include "nssutil.h" + +#ifndef NSS_DISABLE_LIBPKIX #include "pkixt.h" #include "pkix.h" #include "pkix_tools.h" +#endif /* NSS_DISABLE_LIBPKIX */ #include "pki3hack.h" #include "certi.h" @@ -49,141 +52,153 @@ nss_mktemp(char *path) } #endif -#define NSS_MAX_FLAG_SIZE sizeof("readOnly")+sizeof("noCertDB")+ \ - sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")+ \ - sizeof ("optimizeSpace") +#define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") + \ + sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \ + sizeof("optimizeSpace") #define NSS_DEFAULT_MOD_NAME "NSS Internal Module" static char * -nss_makeFlags(PRBool readOnly, PRBool noCertDB, - PRBool noModDB, PRBool forceOpen, - PRBool passwordRequired, PRBool optimizeSpace) +nss_makeFlags(PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, + PRBool passwordRequired, PRBool optimizeSpace) { char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE); PRBool first = PR_TRUE; - PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE); + PORT_Memset(flags, 0, NSS_MAX_FLAG_SIZE); if (readOnly) { - PORT_Strcat(flags,"readOnly"); + PORT_Strcat(flags, "readOnly"); first = PR_FALSE; } if (noCertDB) { - if (!first) PORT_Strcat(flags,","); - PORT_Strcat(flags,"noCertDB"); + if (!first) + PORT_Strcat(flags, ","); + PORT_Strcat(flags, "noCertDB"); first = PR_FALSE; } if (noModDB) { - if (!first) PORT_Strcat(flags,","); - PORT_Strcat(flags,"noModDB"); + if (!first) + PORT_Strcat(flags, ","); + PORT_Strcat(flags, "noModDB"); first = PR_FALSE; } if (forceOpen) { - if (!first) PORT_Strcat(flags,","); - PORT_Strcat(flags,"forceOpen"); + if (!first) + PORT_Strcat(flags, ","); + PORT_Strcat(flags, "forceOpen"); first = PR_FALSE; } if (passwordRequired) { - if (!first) PORT_Strcat(flags,","); - PORT_Strcat(flags,"passwordRequired"); + if (!first) + PORT_Strcat(flags, ","); + PORT_Strcat(flags, "passwordRequired"); first = PR_FALSE; } if (optimizeSpace) { - if (!first) PORT_Strcat(flags,","); - PORT_Strcat(flags,"optimizeSpace"); - first = PR_FALSE; + if (!first) + PORT_Strcat(flags, ","); + PORT_Strcat(flags, "optimizeSpace"); } return flags; } - /* * build config string from individual internationalized strings */ char * nss_MkConfigString(const char *man, const char *libdesc, const char *tokdesc, - const char *ptokdesc, const char *slotdesc, const char *pslotdesc, - const char *fslotdesc, const char *fpslotdesc, int minPwd) + const char *ptokdesc, const char *slotdesc, const char *pslotdesc, + const char *fslotdesc, const char *fpslotdesc, int minPwd) { char *strings = NULL; char *newStrings; /* make sure the internationalization was done correctly... */ strings = PR_smprintf(""); - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (man) { - newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s manufacturerID='%s'", strings, man); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (libdesc) { - newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdesc); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s libraryDescription='%s'", strings, libdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (tokdesc) { - newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings, - tokdesc); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s cryptoTokenDescription='%s'", strings, + tokdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (ptokdesc) { - newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdesc); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s dbTokenDescription='%s'", strings, ptokdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (slotdesc) { - newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings, - slotdesc); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s cryptoSlotDescription='%s'", strings, + slotdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (pslotdesc) { - newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdesc); - PR_smprintf_free(strings); - strings = newStrings; + newStrings = PR_smprintf("%s dbSlotDescription='%s'", strings, pslotdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (fslotdesc) { newStrings = PR_smprintf("%s FIPSSlotDescription='%s'", - strings,fslotdesc); - PR_smprintf_free(strings); - strings = newStrings; + strings, fslotdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; if (fpslotdesc) { newStrings = PR_smprintf("%s FIPSTokenDescription='%s'", - strings,fpslotdesc); - PR_smprintf_free(strings); - strings = newStrings; + strings, fpslotdesc); + PR_smprintf_free(strings); + strings = newStrings; } - if (strings == NULL) return NULL; + if (strings == NULL) + return NULL; newStrings = PR_smprintf("%s minPS=%d", strings, minPwd); PR_smprintf_free(strings); strings = newStrings; - return(strings); + return (strings); } /* * statics to remember the PK11_ConfigurePKCS11() * info. */ -static char * pk11_config_strings = NULL; -static char * pk11_config_name = NULL; +static char *pk11_config_strings = NULL; +static char *pk11_config_name = NULL; static PRBool pk11_password_required = PR_FALSE; /* @@ -192,27 +207,27 @@ static PRBool pk11_password_required = PR_FALSE; */ void PK11_ConfigurePKCS11(const char *man, const char *libdesc, const char *tokdesc, - const char *ptokdesc, const char *slotdesc, const char *pslotdesc, - const char *fslotdesc, const char *fpslotdesc, int minPwd, - int pwRequired) + const char *ptokdesc, const char *slotdesc, const char *pslotdesc, + const char *fslotdesc, const char *fpslotdesc, int minPwd, + int pwRequired) { - char * strings; + char *strings; - strings = nss_MkConfigString(man,libdesc,tokdesc,ptokdesc,slotdesc, - pslotdesc,fslotdesc,fpslotdesc,minPwd); + strings = nss_MkConfigString(man, libdesc, tokdesc, ptokdesc, slotdesc, + pslotdesc, fslotdesc, fpslotdesc, minPwd); if (strings == NULL) { - return; + return; } if (libdesc) { - if (pk11_config_name != NULL) { - PORT_Free(pk11_config_name); - } - pk11_config_name = PORT_Strdup(libdesc); + if (pk11_config_name != NULL) { + PORT_Free(pk11_config_name); + } + pk11_config_name = PORT_Strdup(libdesc); } if (pk11_config_strings != NULL) { - PR_smprintf_free(pk11_config_strings); + PR_smprintf_free(pk11_config_strings); } pk11_config_strings = strings; pk11_password_required = pwRequired; @@ -220,10 +235,11 @@ PK11_ConfigurePKCS11(const char *man, const char *libdesc, const char *tokdesc, return; } -void PK11_UnconfigurePKCS11(void) +void +PK11_UnconfigurePKCS11(void) { if (pk11_config_strings != NULL) { - PR_smprintf_free(pk11_config_strings); + PR_smprintf_free(pk11_config_strings); pk11_config_strings = NULL; } if (pk11_config_name) { @@ -240,23 +256,24 @@ void PK11_UnconfigurePKCS11(void) static const char *dllname = #if defined(XP_WIN32) || defined(XP_OS2) - "nssckbi.dll"; -#elif defined(HPUX) && !defined(__ia64) /* HP-UX PA-RISC */ - "libnssckbi.sl"; + "nssckbi.dll"; +#elif defined(HPUX) && !defined(__ia64) /* HP-UX PA-RISC */ + "libnssckbi.sl"; #elif defined(DARWIN) - "libnssckbi.dylib"; + "libnssckbi.dylib"; #elif defined(XP_UNIX) || defined(XP_BEOS) - "libnssckbi.so"; + "libnssckbi.so"; #else - #error "Uh! Oh! I don't know about this platform." +#error "Uh! Oh! I don't know about this platform." #endif /* Should we have platform ifdefs here??? */ #define FILE_SEP '/' -static void nss_FindExternalRootPaths(const char *dbpath, - const char* secmodprefix, - char** retoldpath, char** retnewpath) +static void +nss_FindExternalRootPaths(const char *dbpath, + const char *secmodprefix, + char **retoldpath, char **retnewpath) { char *path, *oldpath = NULL, *lastsep; int len, path_len, secmod_len, dll_len; @@ -267,26 +284,27 @@ static void nss_FindExternalRootPaths(const char *dbpath, len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */ path = PORT_Alloc(len); - if (path == NULL) return; + if (path == NULL) + return; /* back up to the top of the directory */ - PORT_Memcpy(path,dbpath,path_len); - if (path[path_len-1] != FILE_SEP) { + PORT_Memcpy(path, dbpath, path_len); + if (path[path_len - 1] != FILE_SEP) { path[path_len++] = FILE_SEP; } - PORT_Strcpy(&path[path_len],dllname); + PORT_Strcpy(&path[path_len], dllname); if (secmod_len > 0) { lastsep = PORT_Strrchr(secmodprefix, FILE_SEP); if (lastsep) { - int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */ + int secmoddir_len = lastsep - secmodprefix + 1; /* FILE_SEP */ oldpath = PORT_Alloc(len); if (oldpath == NULL) { PORT_Free(path); return; } - PORT_Memcpy(oldpath,path,path_len); - PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len); - PORT_Strcpy(&oldpath[path_len+secmoddir_len],dllname); + PORT_Memcpy(oldpath, path, path_len); + PORT_Memcpy(&oldpath[path_len], secmodprefix, secmoddir_len); + PORT_Strcpy(&oldpath[path_len + secmoddir_len], dllname); } } *retoldpath = oldpath; @@ -294,7 +312,8 @@ static void nss_FindExternalRootPaths(const char *dbpath, return; } -static void nss_FreeExternalRootPaths(char* oldpath, char* path) +static void +nss_FreeExternalRootPaths(char *oldpath, char *path) { if (path) { PORT_Free(path); @@ -305,27 +324,27 @@ static void nss_FreeExternalRootPaths(char* oldpath, char* path) } static void -nss_FindExternalRoot(const char *dbpath, const char* secmodprefix) +nss_FindExternalRoot(const char *dbpath, const char *secmodprefix) { - char *path = NULL; - char *oldpath = NULL; - PRBool hasrootcerts = PR_FALSE; + char *path = NULL; + char *oldpath = NULL; + PRBool hasrootcerts = PR_FALSE; - /* - * 'oldpath' is the external root path in NSS 3.3.x or older. - * For backward compatibility we try to load the root certs - * module with the old path first. - */ - nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path); - if (oldpath) { - (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0); - hasrootcerts = SECMOD_HasRootCerts(); - } - if (path && !hasrootcerts) { - (void) SECMOD_AddNewModule("Root Certs",path, 0, 0); - } - nss_FreeExternalRootPaths(oldpath, path); - return; + /* + * 'oldpath' is the external root path in NSS 3.3.x or older. + * For backward compatibility we try to load the root certs + * module with the old path first. + */ + nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path); + if (oldpath) { + (void)SECMOD_AddNewModule("Root Certs", oldpath, 0, 0); + hasrootcerts = SECMOD_HasRootCerts(); + } + if (path && !hasrootcerts) { + (void)SECMOD_AddNewModule("Root Certs", path, 0, 0); + } + nss_FreeExternalRootPaths(oldpath, path); + return; } /* @@ -335,17 +354,17 @@ nss_FindExternalRoot(const char *dbpath, const char* secmodprefix) * set statics (from PKCS11_Configure, for instance), and uses it to kick off * the loading of the various PKCS #11 modules. */ -static SECStatus -nss_InitModules(const char *configdir, const char *certPrefix, - const char *keyPrefix, const char *secmodName, - const char *updateDir, const char *updCertPrefix, - const char *updKeyPrefix, const char *updateID, - const char *updateName, char *configName, char *configStrings, - PRBool pwRequired, PRBool readOnly, PRBool noCertDB, - PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace, - PRBool isContextInit) +static SECMODModule * +nss_InitModules(const char *configdir, const char *certPrefix, + const char *keyPrefix, const char *secmodName, + const char *updateDir, const char *updCertPrefix, + const char *updKeyPrefix, const char *updateID, + const char *updateName, char *configName, char *configStrings, + PRBool pwRequired, PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace, + PRBool isContextInit) { - SECStatus rv = SECFailure; + SECMODModule *module = NULL; char *moduleSpec = NULL; char *flags = NULL; char *lconfigdir = NULL; @@ -359,13 +378,14 @@ nss_InitModules(const char *configdir, const char *certPrefix, char *lupdateName = NULL; if (NSS_InitializePRErrorTable() != SECSuccess) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return rv; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } - flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen, - pwRequired, optimizeSpace); - if (flags == NULL) return rv; + flags = nss_makeFlags(readOnly, noCertDB, noModDB, forceOpen, + pwRequired, optimizeSpace); + if (flags == NULL) + return NULL; /* * configdir is double nested, and Windows uses the same character @@ -373,73 +393,82 @@ nss_InitModules(const char *configdir, const char *certPrefix, */ lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"'); if (lconfigdir == NULL) { - goto loser; + goto loser; } lcertPrefix = NSSUTIL_DoubleEscape(certPrefix, '\'', '\"'); if (lcertPrefix == NULL) { - goto loser; + goto loser; } lkeyPrefix = NSSUTIL_DoubleEscape(keyPrefix, '\'', '\"'); if (lkeyPrefix == NULL) { - goto loser; + goto loser; } lsecmodName = NSSUTIL_DoubleEscape(secmodName, '\'', '\"'); if (lsecmodName == NULL) { - goto loser; + goto loser; } lupdateDir = NSSUTIL_DoubleEscape(updateDir, '\'', '\"'); if (lupdateDir == NULL) { - goto loser; + goto loser; } lupdCertPrefix = NSSUTIL_DoubleEscape(updCertPrefix, '\'', '\"'); if (lupdCertPrefix == NULL) { - goto loser; + goto loser; } lupdKeyPrefix = NSSUTIL_DoubleEscape(updKeyPrefix, '\'', '\"'); if (lupdKeyPrefix == NULL) { - goto loser; + goto loser; } lupdateID = NSSUTIL_DoubleEscape(updateID, '\'', '\"'); if (lupdateID == NULL) { - goto loser; + goto loser; } lupdateName = NSSUTIL_DoubleEscape(updateName, '\'', '\"'); if (lupdateName == NULL) { - goto loser; + goto loser; } moduleSpec = PR_smprintf( - "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' " - "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' " - "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" " - "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"", - configName ? configName : NSS_DEFAULT_MOD_NAME, - lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags, - lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID, - lupdateName, configStrings ? configStrings : "", - isContextInit ? "" : ",defaultModDB,internalKeySlot"); + "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' " + "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' " + "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" " + "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"", + configName ? configName : NSS_DEFAULT_MOD_NAME, + lconfigdir, lcertPrefix, lkeyPrefix, lsecmodName, flags, + lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID, + lupdateName, configStrings ? configStrings : "", + isContextInit ? "" : ",defaultModDB,internalKeySlot"); loser: PORT_Free(flags); - if (lconfigdir) PORT_Free(lconfigdir); - if (lcertPrefix) PORT_Free(lcertPrefix); - if (lkeyPrefix) PORT_Free(lkeyPrefix); - if (lsecmodName) PORT_Free(lsecmodName); - if (lupdateDir) PORT_Free(lupdateDir); - if (lupdCertPrefix) PORT_Free(lupdCertPrefix); - if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix); - if (lupdateID) PORT_Free(lupdateID); - if (lupdateName) PORT_Free(lupdateName); + if (lconfigdir) + PORT_Free(lconfigdir); + if (lcertPrefix) + PORT_Free(lcertPrefix); + if (lkeyPrefix) + PORT_Free(lkeyPrefix); + if (lsecmodName) + PORT_Free(lsecmodName); + if (lupdateDir) + PORT_Free(lupdateDir); + if (lupdCertPrefix) + PORT_Free(lupdCertPrefix); + if (lupdKeyPrefix) + PORT_Free(lupdKeyPrefix); + if (lupdateID) + PORT_Free(lupdateID); + if (lupdateName) + PORT_Free(lupdateName); if (moduleSpec) { - SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); - PR_smprintf_free(moduleSpec); - if (module) { - if (module->loaded) rv=SECSuccess; - SECMOD_DestroyModule(module); - } + module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); + PR_smprintf_free(moduleSpec); + if (module && !module->loaded) { + SECMOD_DestroyModule(module); + return NULL; + } } - return rv; + return module; } /* @@ -447,9 +476,9 @@ loser: * * configdir - base directory where all the cert, key, and module datbases live. * certPrefix - prefix added to the beginning of the cert database example: " - * "https-server1-" + * "https-server1-" * keyPrefix - prefix added to the beginning of the key database example: " - * "https-server1-" + * "https-server1-" * secmodName - name of the security module database (usually "secmod.db"). * updateDir - used in initMerge, old directory to update from. * updateID - used in initMerge, unique ID to represent the updated directory. @@ -457,12 +486,12 @@ loser: * initContextPtr - used in initContext, pointer to return a unique context * value. * readOnly - Boolean: true if the databases are to be opened read only. - * nocertdb - Don't open the cert DB and key DB's, just initialize the - * Volatile certdb. - * nomoddb - Don't open the security module DB, just initialize the - * PKCS #11 module. + * nocertdb - Don't open the cert DB and key DB's, just initialize the + * Volatile certdb. + * nomoddb - Don't open the security module DB, just initialize the + * PKCS #11 module. * forceOpen - Continue to force initializations even if the databases cannot - * be opened. + * be opened. * noRootInit - don't try to automatically load the root cert store if one is * not found. * optimizeSpace - tell NSS to use fewer hash table buckets. @@ -479,9 +508,12 @@ loser: * don'tFinalizeModules - dont shutdown modules we may have loaded. */ -static PRBool nssIsInitted = PR_FALSE; +static PRBool nssIsInitted = PR_FALSE; static NSSInitContext *nssInitContextList = NULL; -static void* plContext = NULL; + +#ifndef NSS_DISABLE_LIBPKIX +static void *plContext = NULL; +#endif /* NSS_DISABLE_LIBPKIX */ struct NSSInitContextStr { NSSInitContext *next; @@ -502,62 +534,66 @@ nss_doLockInit(void) { nssInitLock = PZ_NewLock(nssILockOther); if (nssInitLock == NULL) { - return PR_FAILURE; + return PR_FAILURE; } nssInitCondition = PZ_NewCondVar(nssInitLock); if (nssInitCondition == NULL) { - return PR_FAILURE; + return PR_FAILURE; } return PR_SUCCESS; } - static SECStatus nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, - const char *secmodName, const char *updateDir, - const char *updCertPrefix, const char *updKeyPrefix, - const char *updateID, const char *updateName, - NSSInitContext ** initContextPtr, - NSSInitParameters *initParams, - PRBool readOnly, PRBool noCertDB, - PRBool noModDB, PRBool forceOpen, PRBool noRootInit, - PRBool optimizeSpace, PRBool noSingleThreadedModules, - PRBool allowAlreadyInitializedModules, - PRBool dontFinalizeModules) + const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, + NSSInitContext **initContextPtr, + NSSInitParameters *initParams, + PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, PRBool noRootInit, + PRBool optimizeSpace, PRBool noSingleThreadedModules, + PRBool allowAlreadyInitializedModules, + PRBool dontFinalizeModules) { - SECStatus rv = SECFailure; + SECMODModule *parent = NULL; +#ifndef NSS_DISABLE_LIBPKIX PKIX_UInt32 actualMinorVersion = 0; PKIX_Error *pkixError = NULL; +#endif /* NSS_DISABLE_LIBPKIX */ PRBool isReallyInitted; char *configStrings = NULL; char *configName = NULL; PRBool passwordRequired = PR_FALSE; +#ifdef POLICY_FILE + char *ignoreVar; +#endif /* if we are trying to init with a traditional NSS_Init call, maintain * the traditional idempotent behavior. */ if (!initContextPtr && nssIsInitted) { - return SECSuccess; + return SECSuccess; } - + /* make sure our lock and condition variable are initialized one and only - * one time */ + * one time */ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; + return SECFailure; } /* - * if we haven't done basic initialization, single thread the + * if we haven't done basic initialization, single thread the * initializations. */ PZ_Lock(nssInitLock); isReallyInitted = NSS_IsInitialized(); if (!isReallyInitted) { - while (!isReallyInitted && nssIsInInit) { - PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT); - isReallyInitted = NSS_IsInitialized(); - } - /* once we've completed basic initialization, we can allow more than - * one process initialize NSS at a time. */ + while (!isReallyInitted && nssIsInInit) { + PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT); + isReallyInitted = NSS_IsInitialized(); + } + /* once we've completed basic initialization, we can allow more than + * one process initialize NSS at a time. */ } nssIsInInit++; PZ_Unlock(nssInitLock); @@ -569,21 +605,21 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, if (!isReallyInitted) { #ifdef DEBUG CERTCertificate dummyCert; - /* New option bits must not change the size of CERTCertificate. */ - PORT_Assert(sizeof(dummyCert.options) == sizeof(void *)); + /* New option bits must not change the size of CERTCertificate. */ + PORT_Assert(sizeof(dummyCert.options) == sizeof(void *)); #endif - if (SECSuccess != cert_InitLocks()) { - goto loser; - } + if (SECSuccess != cert_InitLocks()) { + goto loser; + } + + if (SECSuccess != InitCRLCache()) { + goto loser; + } - if (SECSuccess != InitCRLCache()) { - goto loser; - } - - if (SECSuccess != OCSP_InitGlobal()) { - goto loser; - } + if (SECSuccess != OCSP_InitGlobal()) { + goto loser; + } } if (noSingleThreadedModules || allowAlreadyInitializedModules || @@ -594,110 +630,146 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, } if (initContextPtr) { - *initContextPtr = PORT_ZNew(NSSInitContext); - if (*initContextPtr == NULL) { - goto loser; - } - /* - * For traditional NSS_Init, we used the PK11_Configure() call to set - * globals. with InitContext, we pass those strings in as parameters. - * - * This allows old NSS_Init calls to work as before, while at the same - * time new calls and old calls will not interfere with each other. - */ + *initContextPtr = PORT_ZNew(NSSInitContext); + if (*initContextPtr == NULL) { + goto loser; + } + /* + * For traditional NSS_Init, we used the PK11_Configure() call to set + * globals. with InitContext, we pass those strings in as parameters. + * + * This allows old NSS_Init calls to work as before, while at the same + * time new calls and old calls will not interfere with each other. + */ if (initParams) { - if (initParams->length < sizeof(NSSInitParameters)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto loser; - } - configStrings = nss_MkConfigString(initParams->manufactureID, - initParams->libraryDescription, - initParams->cryptoTokenDescription, - initParams->dbTokenDescription, - initParams->cryptoSlotDescription, - initParams->dbSlotDescription, - initParams->FIPSSlotDescription, - initParams->FIPSTokenDescription, - initParams->minPWLen); - if (configStrings == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } - configName = initParams->libraryDescription; - passwordRequired = initParams->passwordRequired; - } + if (initParams->length < sizeof(NSSInitParameters)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + configStrings = nss_MkConfigString(initParams->manufactureID, + initParams->libraryDescription, + initParams->cryptoTokenDescription, + initParams->dbTokenDescription, + initParams->cryptoSlotDescription, + initParams->dbSlotDescription, + initParams->FIPSSlotDescription, + initParams->FIPSTokenDescription, + initParams->minPWLen); + if (configStrings == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + configName = initParams->libraryDescription; + passwordRequired = initParams->passwordRequired; + } + + /* If we're NSS_ContextInit, we're probably a library. It could be + * possible that the application initialized NSS then forked(). The + * library would have no knowledge of that. If we call + * SECMOD_RestartModules() here, we will be able to continue on with + * NSS as normal. SECMOD_RestartModules() does have the side affect + * of losing all our PKCS #11 objects in the new process, but only if + * the module needs to be reinited. If it needs to be reinit those + * objects are inaccessible anyway, it's always save to call + * SECMOD_RestartModules(PR_FALSE). + */ + /* NOTE: We could call SECMOD_Init() here, but if we aren't already + * inited, then there's no modules to restart, so SECMOD_RestartModules + * will return immediately */ + SECMOD_RestartModules(PR_FALSE); } else { - configStrings = pk11_config_strings; - configName = pk11_config_name; - passwordRequired = pk11_password_required; + configStrings = pk11_config_strings; + configName = pk11_config_name; + passwordRequired = pk11_password_required; } /* Skip the module init if we are already initted and we are trying * to init with noCertDB and noModDB */ if (!(isReallyInitted && noCertDB && noModDB)) { - rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, - updateDir, updCertPrefix, updKeyPrefix, updateID, - updateName, configName, configStrings, passwordRequired, - readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, - (initContextPtr != NULL)); - - if (rv != SECSuccess) { - goto loser; - } + parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, + updateDir, updCertPrefix, updKeyPrefix, updateID, + updateName, configName, configStrings, passwordRequired, + readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, + (initContextPtr != NULL)); + + if (parent == NULL) { + goto loser; + } } - /* finish up initialization */ if (!isReallyInitted) { - if (SECOID_Init() != SECSuccess) { - goto loser; - } - if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) { - goto loser; - } - if (nss_InitShutdownList() != SECSuccess) { - goto loser; - } - CERT_SetDefaultCertDB((CERTCertDBHandle *) - STAN_GetDefaultTrustDomain()); - if ((!noModDB) && (!noCertDB) && (!noRootInit)) { - if (!SECMOD_HasRootCerts()) { - const char *dbpath = configdir; - /* handle supported database modifiers */ - if (strncmp(dbpath, "sql:", 4) == 0) { - dbpath += 4; - } else if(strncmp(dbpath, "dbm:", 4) == 0) { - dbpath += 4; - } else if(strncmp(dbpath, "extern:", 7) == 0) { - dbpath += 7; - } else if(strncmp(dbpath, "rdb:", 4) == 0) { - /* if rdb: is specified, the configdir isn't really a - * path. Skip it */ - dbpath = NULL; - } - if (dbpath) { - nss_FindExternalRoot(dbpath, secmodName); - } - } - } - - pk11sdr_Init(); - cert_CreateSubjectKeyIDHashTable(); - - pkixError = PKIX_Initialize - (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, - PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); - - if (pkixError != NULL) { - goto loser; - } else { - char *ev = getenv("NSS_ENABLE_PKIX_VERIFY"); - if (ev && ev[0]) { - CERT_SetUsePKIXForValidation(PR_TRUE); + if (SECOID_Init() != SECSuccess) { + goto loser; + } + if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) { + goto loser; + } + if (nss_InitShutdownList() != SECSuccess) { + goto loser; + } + CERT_SetDefaultCertDB((CERTCertDBHandle *) + STAN_GetDefaultTrustDomain()); + if ((!noModDB) && (!noCertDB) && (!noRootInit)) { + if (!SECMOD_HasRootCerts()) { + const char *dbpath = configdir; + /* handle supported database modifiers */ + if (strncmp(dbpath, "sql:", 4) == 0) { + dbpath += 4; + } else if (strncmp(dbpath, "dbm:", 4) == 0) { + dbpath += 4; + } else if (strncmp(dbpath, "extern:", 7) == 0) { + dbpath += 7; + } else if (strncmp(dbpath, "rdb:", 4) == 0) { + /* if rdb: is specified, the configdir isn't really a + * path. Skip it */ + dbpath = NULL; + } + if (dbpath) { + nss_FindExternalRoot(dbpath, secmodName); + } + } + } +#ifdef POLICY_FILE + /* Load the system crypto policy file if it exists, + * unless the NSS_IGNORE_SYSTEM_POLICY environment + * variable has been set to 1. */ + ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); + if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { + if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", + parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); + if (!isLoaded) { + goto loser; + } + } } } +#endif + pk11sdr_Init(); + cert_CreateSubjectKeyIDHashTable(); +#ifndef NSS_DISABLE_LIBPKIX + pkixError = PKIX_Initialize(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + if (pkixError != NULL) { + goto loser; + } else { + char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); + if (ev && ev[0]) { + CERT_SetUsePKIXForValidation(PR_TRUE); + } + } +#endif /* NSS_DISABLE_LIBPKIX */ } /* @@ -707,11 +779,11 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, */ PZ_Lock(nssInitLock); if (!initContextPtr) { - nssIsInitted = PR_TRUE; + nssIsInitted = PR_TRUE; } else { - (*initContextPtr)->magic = NSS_INIT_MAGIC; - (*initContextPtr)->next = nssInitContextList; - nssInitContextList = (*initContextPtr); + (*initContextPtr)->magic = NSS_INIT_MAGIC; + (*initContextPtr)->next = nssInitContextList; + nssInitContextList = (*initContextPtr); } nssIsInInit--; /* now that we are inited, all waiters can move forward */ @@ -719,42 +791,47 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, PZ_Unlock(nssInitLock); if (initContextPtr && configStrings) { - PR_smprintf_free(configStrings); + PR_smprintf_free(configStrings); + } + if (parent) { + SECMOD_DestroyModule(parent); } return SECSuccess; loser: if (initContextPtr && *initContextPtr) { - PORT_Free(*initContextPtr); - *initContextPtr = NULL; - if (configStrings) { - PR_smprintf_free(configStrings); - } + PORT_Free(*initContextPtr); + *initContextPtr = NULL; + if (configStrings) { + PR_smprintf_free(configStrings); + } } PZ_Lock(nssInitLock); nssIsInInit--; /* We failed to init, allow one to move forward */ PZ_NotifyCondVar(nssInitCondition); PZ_Unlock(nssInitLock); + if (parent) { + SECMOD_DestroyModule(parent); + } return SECFailure; } - SECStatus NSS_Init(const char *configdir) { return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL, - NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE); + NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE); } SECStatus NSS_InitReadWrite(const char *configdir) { return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL, - NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, - PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE); + NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, + PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE); } /* @@ -762,18 +839,18 @@ NSS_InitReadWrite(const char *configdir) * * configdir - base directory where all the cert, key, and module datbases live. * certPrefix - prefix added to the beginning of the cert database example: " - * "https-server1-" + * "https-server1-" * keyPrefix - prefix added to the beginning of the key database example: " - * "https-server1-" + * "https-server1-" * secmodName - name of the security module database (usually "secmod.db"). * flags - change the open options of NSS_Initialize as follows: - * NSS_INIT_READONLY - Open the databases read only. - * NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just - * initialize the volatile certdb. - * NSS_INIT_NOMODDB - Don't open the security module DB, just - * initialize the PKCS #11 module. - * NSS_INIT_FORCEOPEN - Continue to force initializations even if the - * databases cannot be opened. + * NSS_INIT_READONLY - Open the databases read only. + * NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just + * initialize the volatile certdb. + * NSS_INIT_NOMODDB - Don't open the security module DB, just + * initialize the PKCS #11 module. + * NSS_INIT_FORCEOPEN - Continue to force initializations even if the + * databases cannot be opened. * NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are * thread-safe, ie. that support locking - either OS * locking or NSS-provided locks . If a PKCS#11 @@ -803,111 +880,110 @@ NSS_InitReadWrite(const char *configdir) * provider. This should occur after a new flag is defined * for C_Initialize by the PKCS#11 working group. * NSS_INIT_COOPERATE - Sets 4 recommended options for applications that - * use both NSS and the Java SunPKCS11 provider. + * use both NSS and the Java SunPKCS11 provider. */ SECStatus -NSS_Initialize(const char *configdir, const char *certPrefix, - const char *keyPrefix, const char *secmodName, PRUint32 flags) +NSS_Initialize(const char *configdir, const char *certPrefix, + const char *keyPrefix, const char *secmodName, PRUint32 flags) { return nss_Init(configdir, certPrefix, keyPrefix, secmodName, - "", "", "", "", "", NULL, NULL, - ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), - ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), - ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), - ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), - ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT), - ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), - ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), - ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), - ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); + "", "", "", "", "", NULL, NULL, + ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), + ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), + ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), + ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), + ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT), + ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), + ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), + ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), + ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); } NSSInitContext * -NSS_InitContext(const char *configdir, const char *certPrefix, - const char *keyPrefix, const char *secmodName, - NSSInitParameters *initParams, PRUint32 flags) +NSS_InitContext(const char *configdir, const char *certPrefix, + const char *keyPrefix, const char *secmodName, + NSSInitParameters *initParams, PRUint32 flags) { SECStatus rv; NSSInitContext *context; rv = nss_Init(configdir, certPrefix, keyPrefix, secmodName, - "", "", "", "", "", &context, initParams, - ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), - ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), - ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), - ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), PR_TRUE, - ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), - ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), - ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), - ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); + "", "", "", "", "", &context, initParams, + ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), + ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), + ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), + ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), PR_TRUE, + ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), + ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), + ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), + ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); return (rv == SECSuccess) ? context : NULL; } SECStatus -NSS_InitWithMerge(const char *configdir, const char *certPrefix, - const char *keyPrefix, const char *secmodName, - const char *updateDir, const char *updCertPrefix, - const char *updKeyPrefix, const char *updateID, - const char *updateName, PRUint32 flags) +NSS_InitWithMerge(const char *configdir, const char *certPrefix, + const char *keyPrefix, const char *secmodName, + const char *updateDir, const char *updCertPrefix, + const char *updKeyPrefix, const char *updateID, + const char *updateName, PRUint32 flags) { return nss_Init(configdir, certPrefix, keyPrefix, secmodName, - updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, - NULL, NULL, - ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), - ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), - ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), - ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), - ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT), - ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), - ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), - ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), - ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); + updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, + NULL, NULL, + ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY), + ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB), + ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB), + ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), + ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT), + ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE), + ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE), + ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD), + ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE)); } /* * initialize NSS without a creating cert db's, key db's, or secmod db's. */ SECStatus -NSS_NoDB_Init(const char * configdir) +NSS_NoDB_Init(const char *configdir) { - return nss_Init("","","","", "", "", "", "", "", NULL, NULL, - PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE, - PR_FALSE,PR_FALSE,PR_FALSE); + return nss_Init("", "", "", "", "", "", "", "", "", NULL, NULL, + PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE, + PR_FALSE, PR_FALSE, PR_FALSE); } - #define NSS_SHUTDOWN_STEP 10 struct NSSShutdownFuncPair { - NSS_ShutdownFunc func; - void *appData; + NSS_ShutdownFunc func; + void *appData; }; static struct NSSShutdownListStr { - PZLock *lock; - int allocatedFuncs; - int peakFuncs; - struct NSSShutdownFuncPair *funcs; + PZLock *lock; + int allocatedFuncs; + int peakFuncs; + struct NSSShutdownFuncPair *funcs; } nssShutdownList = { 0 }; /* * find and existing shutdown function */ -static int +static int nss_GetShutdownEntry(NSS_ShutdownFunc sFunc, void *appData) { int count, i; count = nssShutdownList.peakFuncs; - for (i=0; i < count; i++) { - if ((nssShutdownList.funcs[i].func == sFunc) && - (nssShutdownList.funcs[i].appData == appData)){ - return i; - } + for (i = 0; i < count; i++) { + if ((nssShutdownList.funcs[i].func == sFunc) && + (nssShutdownList.funcs[i].appData == appData)) { + return i; + } } return -1; } - + /* * register a callback to be called when NSS shuts down */ @@ -917,21 +993,21 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData) int i; /* make sure our lock and condition variable are initialized one and only - * one time */ + * one time */ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; + return SECFailure; } PZ_Lock(nssInitLock); if (!NSS_IsInitialized()) { - PZ_Unlock(nssInitLock); - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PZ_Unlock(nssInitLock); + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } PZ_Unlock(nssInitLock); if (sFunc == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } PORT_Assert(nssShutdownList.lock); @@ -940,30 +1016,28 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData) /* make sure we don't have a duplicate */ i = nss_GetShutdownEntry(sFunc, appData); if (i >= 0) { - PZ_Unlock(nssShutdownList.lock); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + PZ_Unlock(nssShutdownList.lock); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } /* find an empty slot */ i = nss_GetShutdownEntry(NULL, NULL); if (i >= 0) { - nssShutdownList.funcs[i].func = sFunc; - nssShutdownList.funcs[i].appData = appData; - PZ_Unlock(nssShutdownList.lock); - return SECSuccess; + nssShutdownList.funcs[i].func = sFunc; + nssShutdownList.funcs[i].appData = appData; + PZ_Unlock(nssShutdownList.lock); + return SECSuccess; } if (nssShutdownList.allocatedFuncs == nssShutdownList.peakFuncs) { - struct NSSShutdownFuncPair *funcs = - (struct NSSShutdownFuncPair *)PORT_Realloc - (nssShutdownList.funcs, - (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) - *sizeof(struct NSSShutdownFuncPair)); - if (!funcs) { - PZ_Unlock(nssShutdownList.lock); - return SECFailure; - } - nssShutdownList.funcs = funcs; - nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP; + struct NSSShutdownFuncPair *funcs = + (struct NSSShutdownFuncPair *)PORT_Realloc(nssShutdownList.funcs, + (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) * sizeof(struct NSSShutdownFuncPair)); + if (!funcs) { + PZ_Unlock(nssShutdownList.lock); + return SECFailure; + } + nssShutdownList.funcs = funcs; + nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP; } nssShutdownList.funcs[nssShutdownList.peakFuncs].func = sFunc; nssShutdownList.funcs[nssShutdownList.peakFuncs].appData = appData; @@ -981,15 +1055,15 @@ NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData) int i; /* make sure our lock and condition variable are initialized one and only - * one time */ + * one time */ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; + return SECFailure; } PZ_Lock(nssInitLock); if (!NSS_IsInitialized()) { - PZ_Unlock(nssInitLock); - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PZ_Unlock(nssInitLock); + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } PZ_Unlock(nssInitLock); @@ -997,14 +1071,14 @@ NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData) PZ_Lock(nssShutdownList.lock); i = nss_GetShutdownEntry(sFunc, appData); if (i >= 0) { - nssShutdownList.funcs[i].func = NULL; - nssShutdownList.funcs[i].appData = NULL; + nssShutdownList.funcs[i].func = NULL; + nssShutdownList.funcs[i].appData = NULL; } PZ_Unlock(nssShutdownList.lock); if (i < 0) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } return SECSuccess; } @@ -1016,18 +1090,18 @@ static SECStatus nss_InitShutdownList(void) { if (nssShutdownList.lock != NULL) { - return SECSuccess; + return SECSuccess; } nssShutdownList.lock = PZ_NewLock(nssILockOther); if (nssShutdownList.lock == NULL) { - return SECFailure; + return SECFailure; } - nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair, - NSS_SHUTDOWN_STEP); + nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair, + NSS_SHUTDOWN_STEP); if (nssShutdownList.funcs == NULL) { - PZ_DestroyLock(nssShutdownList.lock); - nssShutdownList.lock = NULL; - return SECFailure; + PZ_DestroyLock(nssShutdownList.lock); + nssShutdownList.lock = NULL; + return SECFailure; } nssShutdownList.allocatedFuncs = NSS_SHUTDOWN_STEP; nssShutdownList.peakFuncs = 0; @@ -1042,13 +1116,13 @@ nss_ShutdownShutdownList(void) int i; /* call all the registerd functions first */ - for (i=0; i < nssShutdownList.peakFuncs; i++) { - struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i]; - if (funcPair->func) { - if ((*funcPair->func)(funcPair->appData,NULL) != SECSuccess) { - rv = SECFailure; - } - } + for (i = 0; i < nssShutdownList.peakFuncs; i++) { + struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i]; + if (funcPair->func) { + if ((*funcPair->func)(funcPair->appData, NULL) != SECSuccess) { + rv = SECFailure; + } + } } nssShutdownList.peakFuncs = 0; @@ -1056,13 +1130,12 @@ nss_ShutdownShutdownList(void) PORT_Free(nssShutdownList.funcs); nssShutdownList.funcs = NULL; if (nssShutdownList.lock) { - PZ_DestroyLock(nssShutdownList.lock); + PZ_DestroyLock(nssShutdownList.lock); } nssShutdownList.lock = NULL; return rv; } - extern const NSSError NSS_ERROR_BUSY; SECStatus @@ -1075,27 +1148,29 @@ nss_Shutdown(void) rv = nss_ShutdownShutdownList(); if (rv != SECSuccess) { - shutdownRV = SECFailure; + shutdownRV = SECFailure; } cert_DestroyLocks(); ShutdownCRLCache(); OCSP_ShutdownGlobal(); +#ifndef NSS_DISABLE_LIBPKIX PKIX_Shutdown(plContext); +#endif /* NSS_DISABLE_LIBPKIX */ SECOID_Shutdown(); status = STAN_Shutdown(); cert_DestroySubjectKeyIDHashTable(); pk11_SetInternalKeySlot(NULL); rv = SECMOD_Shutdown(); if (rv != SECSuccess) { - shutdownRV = SECFailure; + shutdownRV = SECFailure; } pk11sdr_Shutdown(); nssArena_Shutdown(); if (status == PR_FAILURE) { - if (NSS_GetError() == NSS_ERROR_BUSY) { - PORT_SetError(SEC_ERROR_BUSY); - } - shutdownRV = SECFailure; + if (NSS_GetError() == NSS_ERROR_BUSY) { + PORT_SetError(SEC_ERROR_BUSY); + } + shutdownRV = SECFailure; } /* * A thread's error stack is automatically destroyed when the thread @@ -1113,10 +1188,10 @@ nss_Shutdown(void) /* free the old list. This is necessary when we are called from * NSS_Shutdown(). */ while (temp) { - NSSInitContext *next = temp->next; - temp->magic = 0; - PORT_Free(temp); - temp = next; + NSSInitContext *next = temp->next; + temp->magic = 0; + PORT_Free(temp); + temp = next; } return shutdownRV; } @@ -1126,22 +1201,22 @@ NSS_Shutdown(void) { SECStatus rv; /* make sure our lock and condition variable are initialized one and only - * one time */ + * one time */ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; + return SECFailure; } PZ_Lock(nssInitLock); if (!nssIsInitted) { - PZ_Unlock(nssInitLock); - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PZ_Unlock(nssInitLock); + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } /* If one or more threads are in the middle of init, wait for them * to complete */ while (nssIsInInit) { - PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT); + PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT); } rv = nss_Shutdown(); PZ_Unlock(nssInitLock); @@ -1152,25 +1227,26 @@ NSS_Shutdown(void) * remove the context from a list. return true if found, false if not */ PRBool -nss_RemoveList(NSSInitContext *context) { +nss_RemoveList(NSSInitContext *context) +{ NSSInitContext *this = nssInitContextList; NSSInitContext **last = &nssInitContextList; while (this) { - if (this == context) { - *last = this->next; - this->magic = 0; - PORT_Free(this); - return PR_TRUE; - } - last = &this->next; - this=this->next; + if (this == context) { + *last = this->next; + this->magic = 0; + PORT_Free(this); + return PR_TRUE; + } + last = &this->next; + this = this->next; } return PR_FALSE; } /* - * This form of shutdown is safe in the case where we may have multiple + * This form of shutdown is safe in the case where we may have multiple * entities using NSS in a single process. Each entity calls shutdown with * it's own context. The application (which doesn't get a context), calls * shutdown with NULL. Once all users have 'checked in' NSS will shutdown. @@ -1183,34 +1259,34 @@ NSS_ShutdownContext(NSSInitContext *context) SECStatus rv = SECSuccess; /* make sure our lock and condition variable are initialized one and only - * one time */ + * one time */ if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; + return SECFailure; } PZ_Lock(nssInitLock); /* If one or more threads are in the middle of init, wait for them * to complete */ while (nssIsInInit) { - PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT); + PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT); } /* OK, we are the only thread now either initializing or shutting down */ - + if (!context) { - if (!nssIsInitted) { - PZ_Unlock(nssInitLock); - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; - } - nssIsInitted = 0; - } else if (! nss_RemoveList(context)) { - PZ_Unlock(nssInitLock); - /* context was already freed or wasn't valid */ - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + if (!nssIsInitted) { + PZ_Unlock(nssInitLock); + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; + } + nssIsInitted = 0; + } else if (!nss_RemoveList(context)) { + PZ_Unlock(nssInitLock); + /* context was already freed or wasn't valid */ + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } if ((nssIsInitted == 0) && (nssInitContextList == NULL)) { - rv = nss_Shutdown(); + rv = nss_Shutdown(); } /* NOTE: we don't try to free the nssInitLocks to prevent races against @@ -1227,7 +1303,6 @@ NSS_IsInitialized(void) { return (nssIsInitted) || (nssInitContextList != NULL); } - extern const char __nss_base_version[]; |