svn rev #24348: branches/nss/src/ include/ lib/crypto/builtin/ lib/crypto/krb/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Sat Sep 25 11:09:08 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24348
Commit By: ghudson
Log Message:
In the NSS crypto back end, add mutex protection and fork protection
to the libnss context.
Changed Files:
U branches/nss/src/include/k5-int.h
U branches/nss/src/lib/crypto/builtin/Makefile.in
A branches/nss/src/lib/crypto/builtin/init.c
U branches/nss/src/lib/crypto/krb/crypto_libinit.c
U branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c
U branches/nss/src/lib/crypto/openssl/Makefile.in
A branches/nss/src/lib/crypto/openssl/init.c
Modified: branches/nss/src/include/k5-int.h
===================================================================
--- branches/nss/src/include/k5-int.h 2010-09-25 14:51:09 UTC (rev 24347)
+++ branches/nss/src/include/k5-int.h 2010-09-25 15:09:08 UTC (rev 24348)
@@ -816,6 +816,7 @@
* Internal - for cleanup.
*/
extern void krb5int_prng_cleanup(void);
+extern void krb5int_crypto_impl_cleanup(void);
#ifdef KRB5_OLD_CRYPTO
@@ -2533,6 +2534,7 @@
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
+extern int krb5int_crypto_impl_init(void);
/*
* Referral definitions, debugging hooks, and subfunctions.
Modified: branches/nss/src/lib/crypto/builtin/Makefile.in
===================================================================
--- branches/nss/src/lib/crypto/builtin/Makefile.in 2010-09-25 14:51:09 UTC (rev 24347)
+++ branches/nss/src/lib/crypto/builtin/Makefile.in 2010-09-25 15:09:08 UTC (rev 24348)
@@ -26,14 +26,17 @@
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
Added: branches/nss/src/lib/crypto/builtin/init.c
===================================================================
--- branches/nss/src/lib/crypto/builtin/init.c (rev 0)
+++ branches/nss/src/lib/crypto/builtin/init.c 2010-09-25 15:09:08 UTC (rev 24348)
@@ -0,0 +1,40 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/builtin/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Built-in back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}
Modified: branches/nss/src/lib/crypto/krb/crypto_libinit.c
===================================================================
--- branches/nss/src/lib/crypto/krb/crypto_libinit.c 2010-09-25 14:51:09 UTC (rev 24347)
+++ branches/nss/src/lib/crypto/krb/crypto_libinit.c 2010-09-25 15:09:08 UTC (rev 24348)
@@ -14,7 +14,11 @@
int cryptoint_initialize_library (void)
{
- return krb5int_prng_init();
+ int err;
+ err = krb5int_prng_init();
+ if (err)
+ return err;
+ return krb5int_crypto_impl_init();
}
int krb5int_crypto_init(void)
@@ -30,5 +34,6 @@
{
if (!INITIALIZER_RAN(cryptoint_initialize_library))
return;
- krb5int_prng_cleanup ();
+ krb5int_prng_cleanup();
+ krb5int_crypto_impl_cleanup();
}
Modified: branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c
===================================================================
--- branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c 2010-09-25 14:51:09 UTC (rev 24347)
+++ branches/nss/src/lib/crypto/nss/enc_provider/enc_gen.c 2010-09-25 15:09:08 UTC (rev 24348)
@@ -49,6 +49,9 @@
#define MAX_KEY_LENGTH 64
#define MAX_BLOCK_SIZE 64
+static NSSInitContext *k5_nss_ctx = NULL;
+static pid_t k5_nss_pid = 0;
+static k5_mutex_t k5_nss_lock = K5_MUTEX_PARTIAL_INITIALIZER;
krb5_error_code
k5_nss_map_error(int nss_error)
@@ -65,34 +68,64 @@
return k5_nss_map_error(PORT_GetError());
}
-static NSSInitContext *krb5_nss_init = NULL;
+int
+krb5int_crypto_impl_init(void)
+{
+ return k5_mutex_finish_init(&k5_nss_lock);
+}
+void
+krb5int_crypto_impl_cleanup(void)
+{
+ k5_mutex_destroy(&k5_nss_lock);
+}
+
/*
* krb5 doesn't have a call into the crypto engine to initialize it, so we do
* it here. This code will try to piggyback on any application initialization
* done to NSS. Otherwise get our one library init context.
*/
+#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
krb5_error_code
k5_nss_init(void)
{
-#ifdef LINUX
- /* Default to the system NSS. */
-#define NSS_KRB5_CONFIGDIR "sql:/etc/pki/nssdb"
-#define NSS_KRB5_FLAGS 0
-#else
- /* Other platforms don't have a system NSS defined yet, do a nodb init. */
-#define NSS_KRB5_CONFIGDIR NULL
-#define NSS_KRB5_FLAGS NSS_INIT_NOMODDB|NSS_INIT_NOCERTDB
-#endif
- if (krb5_nss_init) /* We've already initialized NSS. */
- return 0;
- if (NSS_IsInitialized()) /* Someone else has initialized NSS. */
- return 0;
- krb5_nss_init = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL,
- NSS_INIT_READONLY | NSS_INIT_NOROOTINIT |
- NSS_KRB5_FLAGS);
- if (!krb5_nss_init)
- return k5_nss_map_last_error();
+ PRUint32 flags = NSS_INIT_READONLY | NSS_INIT_NOROOTINIT;
+ krb5_error_code ret;
+ SECStatus rv;
+ pid_t pid;
+
+ ret = k5_mutex_lock(&k5_nss_lock);
+ if (ret)
+ return ret;
+
+ pid = getpid();
+ if (k5_nss_ctx != NULL) {
+ /* Do nothing if the existing context is still good. */
+ if (k5_nss_pid == pid)
+ goto cleanup;
+
+ /* We've forked since the last init, and need to reinitialize. */
+ rv = NSS_ShutdownContext(k5_nss_ctx);
+ k5_nss_ctx = NULL;
+ if (rv != SECSuccess) {
+ ret = k5_nss_map_last_error();
+ goto cleanup;
+ }
+ }
+ k5_nss_ctx = NSS_InitContext(NSS_KRB5_CONFIGDIR, "", "", "", NULL, flags);
+ if (k5_nss_ctx == NULL) {
+ /* There may be no system database; try again without it. */
+ flags |= NSS_INIT_NOMODDB | NSS_INIT_NOCERTDB;
+ k5_nss_ctx = NSS_InitContext(NULL, "", "", "", NULL, flags);
+ if (k5_nss_ctx == NULL) {
+ ret = k5_nss_map_last_error();
+ goto cleanup;
+ }
+ }
+ k5_nss_pid = pid;
+
+cleanup:
+ k5_mutex_unlock(&k5_nss_lock);
return 0;
}
Modified: branches/nss/src/lib/crypto/openssl/Makefile.in
===================================================================
--- branches/nss/src/lib/crypto/openssl/Makefile.in 2010-09-25 14:51:09 UTC (rev 24347)
+++ branches/nss/src/lib/crypto/openssl/Makefile.in 2010-09-25 15:09:08 UTC (rev 24348)
@@ -22,14 +22,17 @@
STLIBOBJS=\
hmac.o \
- pbkdf2.o
+ init.o \
+ pbkdf2.o
OBJS=\
$(OUTPRE)hmac.$(OBJEXT) \
- $(OUTPRE)pbkdf2.$(OBJEXT)
+ $(OUTPRE)init.$(OBJEXT) \
+ $(OUTPRE)pbkdf2.$(OBJEXT)
SRCS=\
$(srcdir)/hmac.c \
+ $(srcdir)/init.c \
$(srcdir)/pbkdf2.c
STOBJLISTS= des/OBJS.ST md4/OBJS.ST \
Added: branches/nss/src/lib/crypto/openssl/init.c
===================================================================
--- branches/nss/src/lib/crypto/openssl/init.c (rev 0)
+++ branches/nss/src/lib/crypto/openssl/init.c 2010-09-25 15:09:08 UTC (rev 24348)
@@ -0,0 +1,40 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/openssl/init.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * OpenSSL back-end library init functions
+ */
+
+int
+krb5int_crypto_impl_init(void)
+{
+ return 0;
+}
+
+void
+krb5int_crypto_impl_cleanup(void)
+{
+}
More information about the cvs-krb5
mailing list