/*

 * Various SSL functions.

 *

 * This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "cert.h"

#include "secitem.h"

#include "keyhi.h"

#include "ssl.h"

#include "sslimpl.h"

#include "sslproto.h"

#include "secoid.h"	/* for SECOID_GetALgorithmTag */

#include "pk11func.h"	/* for PK11_GenerateRandom */

#include "nss.h"        /* for NSS_RegisterShutdown */

#include "prinit.h"     /* for PR_CallOnceWithArg */

#define MAX_BLOCK_CYPHER_SIZE	32

#define TEST_FOR_FAILURE	/* reminder */

#define SET_ERROR_CODE		/* reminder */

/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock. 

 * 

 * Currently, the list of functions called through ss->handshake is:

 * 

 * In sslsocks.c:

 *  SocksGatherRecord

 *  SocksHandleReply	

 *  SocksStartGather

 *

 * In sslcon.c:

 *  ssl_GatherRecord1stHandshake

 *  ssl2_HandleClientSessionKeyMessage

 *  ssl2_HandleMessage

 *  ssl2_HandleVerifyMessage

 *  ssl2_BeginClientHandshake

 *  ssl2_BeginServerHandshake

 *  ssl2_HandleClientHelloMessage

 *  ssl2_HandleServerHelloMessage

 * 

 * The ss->handshake function returns SECWouldBlock under these conditions:

 * 1.	ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 

 *	the beginning of an SSL v3 hello message and returned SECWouldBlock 

 *	to switch to SSL v3 handshake processing.

 *

 * 2.	ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming

 *	v2 client hello msg, and called ssl3_HandleV2ClientHello which 

 *	returned SECWouldBlock.

 *

 * 3.   SECWouldBlock was returned by one of the callback functions, via

 *	one of these paths:

 * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() ->

 *	ss->getClientAuthData()

 *

 * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()

 *

 * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 

 *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 

 *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 

 *	ss->handleBadCert()

 *

 * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 

 *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 

 *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() -> 

 *	ss->getClientAuthData()

 *

 * Called from: SSL_ForceHandshake	(below), 

 *              ssl_SecureRecv 		(below) and

 *              ssl_SecureSend		(below)

 *	  from: WaitForResponse 	in sslsocks.c

 *	        ssl_SocksRecv   	in sslsocks.c

 *              ssl_SocksSend   	in sslsocks.c

 *

 * Caller must hold the (write) handshakeLock.

 */

int 

ssl_Do1stHandshake(sslSocket *ss)

{

    int rv        = SECSuccess;

    int loopCount = 0;

    do {

	PORT_Assert(ss->opt.noLocks ||  ssl_Have1stHandshakeLock(ss) );

	PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));

	PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));

	PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));

	if (ss->handshake == 0) {

	    /* Previous handshake finished. Switch to next one */

	    ss->handshake = ss->nextHandshake;

	    ss->nextHandshake = 0;

	}

	if (ss->handshake == 0) {

	    /* Previous handshake finished. Switch to security handshake */

	    ss->handshake = ss->securityHandshake;

	    ss->securityHandshake = 0;

	}

	if (ss->handshake == 0) {

	    /* for v3 this is done in ssl3_FinishHandshake */

	    if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {

		ssl_GetRecvBufLock(ss);

		ss->gs.recordLen = 0;

		ssl_FinishHandshake(ss);

		ssl_ReleaseRecvBufLock(ss);

	    }

	    break;

	}

	rv = (*ss->handshake)(ss);

	++loopCount;

    /* This code must continue to loop on SECWouldBlock, 

     * or any positive value.	See XXX_1 comments.

     */

    } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */

    PORT_Assert(ss->opt.noLocks || !ssl_HaveRecvBufLock(ss));

    PORT_Assert(ss->opt.noLocks || !ssl_HaveXmitBufLock(ss));

    PORT_Assert(ss->opt.noLocks || !ssl_HaveSSL3HandshakeLock(ss));

    if (rv == SECWouldBlock) {

	PORT_SetError(PR_WOULD_BLOCK_ERROR);

	rv = SECFailure;

    }

    return rv;

}

void

ssl_FinishHandshake(sslSocket *ss)

{

    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );

    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );

    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));

    ss->firstHsDone = PR_TRUE;

    ss->enoughFirstHsDone = PR_TRUE;

    ss->gs.writeOffset = 0;

    ss->gs.readOffset  = 0;

    if (ss->handshakeCallback) {

	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);

    }

}

/*

 * Handshake function that blocks.  Used to force a

 * retry on a connection on the next read/write.

 */

static SECStatus

ssl3_AlwaysBlock(sslSocket *ss)

{

    PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */

    return SECWouldBlock;

}

/*

 * set the initial handshake state machine to block

 */

void

ssl3_SetAlwaysBlock(sslSocket *ss)

{

    if (!ss->firstHsDone) {

	ss->handshake = ssl3_AlwaysBlock;

	ss->nextHandshake = 0;

    }

}

static SECStatus 

ssl_SetTimeout(PRFileDesc *fd, PRIntervalTime timeout)

{

    sslSocket *ss;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in SetTimeout", SSL_GETPID(), fd));

	return SECFailure;

    }

    SSL_LOCK_READER(ss);

    ss->rTimeout = timeout;

    if (ss->opt.fdx) {

        SSL_LOCK_WRITER(ss);

    }

    ss->wTimeout = timeout;

    if (ss->opt.fdx) {

        SSL_UNLOCK_WRITER(ss);

    }

    SSL_UNLOCK_READER(ss);

    return SECSuccess;

}

/* Acquires and releases HandshakeLock.

*/

SECStatus

SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)

{

    sslSocket *ss;

    SECStatus status;

    PRNetAddr addr;

    ss = ssl_FindSocket(s);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));

	return SECFailure;

    }

    /* Don't waste my time */

    if (!ss->opt.useSecurity)

	return SECSuccess;

    SSL_LOCK_READER(ss);

    SSL_LOCK_WRITER(ss);

    /* Reset handshake state */

    ssl_Get1stHandshakeLock(ss);

    ss->firstHsDone = PR_FALSE;

    ss->enoughFirstHsDone = PR_FALSE;

    if ( asServer ) {

	ss->handshake = ssl2_BeginServerHandshake;

	ss->handshaking = sslHandshakingAsServer;

    } else {

	ss->handshake = ssl2_BeginClientHandshake;

	ss->handshaking = sslHandshakingAsClient;

    }

    ss->nextHandshake       = 0;

    ss->securityHandshake   = 0;

    ssl_GetRecvBufLock(ss);

    status = ssl_InitGather(&ss->gs);

    ssl_ReleaseRecvBufLock(ss);

    ssl_GetSSL3HandshakeLock(ss);

    ss->ssl3.hs.canFalseStart = PR_FALSE;

    ss->ssl3.hs.restartTarget = NULL;

    /*

    ** Blow away old security state and get a fresh setup.

    */

    ssl_GetXmitBufLock(ss); 

    ssl_ResetSecurityInfo(&ss->sec, PR_TRUE);

    status = ssl_CreateSecurityInfo(ss);

    ssl_ReleaseXmitBufLock(ss); 

    ssl_ReleaseSSL3HandshakeLock(ss);

    ssl_Release1stHandshakeLock(ss);

    if (!ss->TCPconnected)

	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));

    SSL_UNLOCK_WRITER(ss);

    SSL_UNLOCK_READER(ss);

    return status;

}

/* For SSLv2, does nothing but return an error.

** For SSLv3, flushes SID cache entry (if requested),

** and then starts new client hello or hello request.

** Acquires and releases HandshakeLock.

*/

SECStatus

SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)

{

    sslSocket *ss;

    SECStatus  rv;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));

	return SECFailure;

    }

    if (!ss->opt.useSecurity)

	return SECSuccess;

    ssl_Get1stHandshakeLock(ss);

    /* SSL v2 protocol does not support subsequent handshakes. */

    if (ss->version < SSL_LIBRARY_VERSION_3_0) {

	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);

	rv = SECFailure;

    } else {

	ssl_GetSSL3HandshakeLock(ss);

	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */

	ssl_ReleaseSSL3HandshakeLock(ss);

    }

    ssl_Release1stHandshakeLock(ss);

    return rv;

}

/*

** Same as above, but with an I/O timeout.

 */

SSL_IMPORT SECStatus SSL_ReHandshakeWithTimeout(PRFileDesc *fd,

                                                PRBool flushCache,

                                                PRIntervalTime timeout)

{

    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {

        return SECFailure;

    }

    return SSL_ReHandshake(fd, flushCache);

}

SECStatus

SSL_RedoHandshake(PRFileDesc *fd)

{

    return SSL_ReHandshake(fd, PR_TRUE);

}

/* Register an application callback to be called when SSL handshake completes.

** Acquires and releases HandshakeLock.

*/

SECStatus

SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,

		      void *client_data)

{

    sslSocket *ss;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",

		 SSL_GETPID(), fd));

	return SECFailure;

    }

    if (!ss->opt.useSecurity) {

	PORT_SetError(SEC_ERROR_INVALID_ARGS);

	return SECFailure;

    }

    ssl_Get1stHandshakeLock(ss);

    ssl_GetSSL3HandshakeLock(ss);

    ss->handshakeCallback     = cb;

    ss->handshakeCallbackData = client_data;

    ssl_ReleaseSSL3HandshakeLock(ss);

    ssl_Release1stHandshakeLock(ss);

    return SECSuccess;

}

/* Register an application callback to be called when false start may happen.

** Acquires and releases HandshakeLock.

*/

SECStatus

SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,

			     void *arg)

{

    sslSocket *ss;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",

		 SSL_GETPID(), fd));

	return SECFailure;

    }

    if (!ss->opt.useSecurity) {

	PORT_SetError(SEC_ERROR_INVALID_ARGS);

	return SECFailure;

    }

    ssl_Get1stHandshakeLock(ss);

    ssl_GetSSL3HandshakeLock(ss);

    ss->canFalseStartCallback     = cb;

    ss->canFalseStartCallbackData = arg;

    ssl_ReleaseSSL3HandshakeLock(ss);

    ssl_Release1stHandshakeLock(ss);

    return SECSuccess;

}

SECStatus

SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)

{

    sslSocket *ss;

    *canFalseStart = PR_FALSE;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",

		 SSL_GETPID(), fd));

	return SECFailure;

    }

    if (!ss->ssl3.initialized) {

	PORT_SetError(SEC_ERROR_INVALID_ARGS);

	return SECFailure;

    }

    if (ss->version < SSL_LIBRARY_VERSION_3_0) {

	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);

	return SECFailure;

    }

    /* Require a forward-secret key exchange. */

    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||

		     ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||

		     ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||

		     ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;

    return SECSuccess;

}

/* Try to make progress on an SSL handshake by attempting to read the 

** next handshake from the peer, and sending any responses.

** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 

** read the next handshake from the underlying socket.

** For SSLv2, returns when handshake is complete or fatal error occurs.

** For SSLv3, returns when handshake is complete, or application data has

** arrived that must be taken by application before handshake can continue, 

** or a fatal error occurs.

** Application should use handshake completion callback to tell which. 

*/

SECStatus

SSL_ForceHandshake(PRFileDesc *fd)

{

    sslSocket *ss;

    SECStatus  rv = SECFailure;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",

		 SSL_GETPID(), fd));

	return rv;

    }

    /* Don't waste my time */

    if (!ss->opt.useSecurity) 

    	return SECSuccess;

    if (!ssl_SocketIsBlocking(ss)) {

	ssl_GetXmitBufLock(ss);

	if (ss->pendingBuf.len != 0) {

	    int sent = ssl_SendSavedWriteData(ss);

	    if ((sent < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {

		ssl_ReleaseXmitBufLock(ss);

		return SECFailure;

	    }

	}

	ssl_ReleaseXmitBufLock(ss);

    }

    ssl_Get1stHandshakeLock(ss);

    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {

	int gatherResult;

    	ssl_GetRecvBufLock(ss);

	gatherResult = ssl3_GatherCompleteHandshake(ss, 0);

	ssl_ReleaseRecvBufLock(ss);

	if (gatherResult > 0) {

	    rv = SECSuccess;

	} else if (gatherResult == 0) {

	    PORT_SetError(PR_END_OF_FILE_ERROR);

	} else if (gatherResult == SECWouldBlock) {

	    PORT_SetError(PR_WOULD_BLOCK_ERROR);

	}

    } else if (!ss->firstHsDone) {

	rv = ssl_Do1stHandshake(ss);

    } else {

	/* tried to force handshake on an SSL 2 socket that has 

	** already completed the handshake. */

    	rv = SECSuccess;	/* just pretend we did it. */

    }

    ssl_Release1stHandshakeLock(ss);

    return rv;

}

/*

 ** Same as above, but with an I/O timeout.

 */

SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,

                                                   PRIntervalTime timeout)

{

    if (SECSuccess != ssl_SetTimeout(fd, timeout)) {

        return SECFailure;

    }

    return SSL_ForceHandshake(fd);

}

/************************************************************************/

/*

** Grow a buffer to hold newLen bytes of data.

** Called for both recv buffers and xmit buffers.

** Caller must hold xmitBufLock or recvBufLock, as appropriate.

*/

SECStatus

sslBuffer_Grow(sslBuffer *b, unsigned int newLen)

{

    newLen = PR_MAX(newLen, MAX_FRAGMENT_LENGTH + 2048);

    if (newLen > b->space) {

	unsigned char *newBuf;

	if (b->buf) {

	    newBuf = (unsigned char *) PORT_Realloc(b->buf, newLen);

	} else {

	    newBuf = (unsigned char *) PORT_Alloc(newLen);

	}

	if (!newBuf) {

	    return SECFailure;

	}

	SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",

		     SSL_GETPID(), b->space, newLen));

	b->buf = newBuf;

	b->space = newLen;

    }

    return SECSuccess;

}

SECStatus 

sslBuffer_Append(sslBuffer *b, const void * data, unsigned int len)

{

    unsigned int newLen = b->len + len;

    SECStatus rv;

    rv = sslBuffer_Grow(b, newLen);

    if (rv != SECSuccess)

    	return rv;

    PORT_Memcpy(b->buf + b->len, data, len);

    b->len += len;

    return SECSuccess;

}

/*

** Save away write data that is trying to be written before the security

** handshake has been completed. When the handshake is completed, we will

** flush this data out.

** Caller must hold xmitBufLock

*/

SECStatus 

ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len)

{

    SECStatus    rv;

    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );

    rv = sslBuffer_Append(&ss->pendingBuf, data, len);

    SSL_TRC(5, ("%d: SSL[%d]: saving %u bytes of data (%u total saved so far)",

		 SSL_GETPID(), ss->fd, len, ss->pendingBuf.len));

    return rv;

}

/*

** Send saved write data. This will flush out data sent prior to a

** complete security handshake. Hopefully there won't be too much of it.

** Returns count of the bytes sent, NOT a SECStatus.

** Caller must hold xmitBufLock

*/

int 

ssl_SendSavedWriteData(sslSocket *ss)

{

    int rv	= 0;

    PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );

    if (ss->pendingBuf.len != 0) {

	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",

		     SSL_GETPID(), ss->fd, ss->pendingBuf.len));

	rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0);

	if (rv < 0) {

	    return rv;

	} 

	ss->pendingBuf.len -= rv;

	if (ss->pendingBuf.len > 0 && rv > 0) {

	    /* UGH !! This shifts the whole buffer down by copying it */

	    PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, 

	                 ss->pendingBuf.len);

    	}

    }

    return rv;

}

/************************************************************************/

/*

** Receive some application data on a socket.  Reads SSL records from the input

** stream, decrypts them and then copies them to the output buffer.

** Called from ssl_SecureRecv() below.

**

** Caller does NOT hold 1stHandshakeLock because that handshake is over.

** Caller doesn't call this until initial handshake is complete.

** For SSLv2, there is no subsequent handshake.

** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake

** messages from a subsequent handshake.

**

** This code is similar to, and easily confused with, 

**   ssl_GatherRecord1stHandshake() in sslcon.c

*/

static int 

DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)

{

    int              rv;

    int              amount;

    int              available;

    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the

     * 1stHandshakeLock. */

    ssl_Get1stHandshakeLock(ss);

    ssl_GetRecvBufLock(ss);

    available = ss->gs.writeOffset - ss->gs.readOffset;

    if (available == 0) {

	/* Get some more data */

	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {

	    /* Wait for application data to arrive.  */

	    rv = ssl3_GatherAppDataRecord(ss, 0);

	} else {

	    /* See if we have a complete record */

	    rv = ssl2_GatherRecord(ss, 0);

	}

	if (rv <= 0) {

	    if (rv == 0) {

		/* EOF */

		SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",

			     SSL_GETPID(), ss->fd));

		goto done;

	    }

	    if ((rv != SECWouldBlock) && 

	        (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {

		/* Some random error */

		goto done;

	    }

	    /*

	    ** Gather record is blocked waiting for more record data to

	    ** arrive. Try to process what we have already received

	    */

	} else {

	    /* Gather record has finished getting a complete record */

	}

	/* See if any clear data is now available */

	available = ss->gs.writeOffset - ss->gs.readOffset;

	if (available == 0) {

	    /*

	    ** No partial data is available. Force error code to

	    ** EWOULDBLOCK so that caller will try again later. Note

	    ** that the error code is probably EWOULDBLOCK already,

	    ** but if it isn't (for example, if we received a zero

	    ** length record) then this will force it to be correct.

	    */

	    PORT_SetError(PR_WOULD_BLOCK_ERROR);

	    rv = SECFailure;

	    goto done;

	}

	SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",

		     SSL_GETPID(), ss->fd, available));

    }

    /* Dole out clear data to reader */

    amount = PR_MIN(len, available);

    PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);

    if (!(flags & PR_MSG_PEEK)) {

	ss->gs.readOffset += amount;

    }

    PORT_Assert(ss->gs.readOffset <= ss->gs.writeOffset);

    rv = amount;

    SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",

		 SSL_GETPID(), ss->fd, amount, available));

    PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));

done:

    ssl_ReleaseRecvBufLock(ss);

    ssl_Release1stHandshakeLock(ss);

    return rv;

}

/************************************************************************/

/*

** Return SSLKEAType derived from cert's Public Key algorithm info.

*/

SSLKEAType

NSS_FindCertKEAType(CERTCertificate * cert)

{

  SSLKEAType keaType = kt_null; 

  int tag;

  if (!cert) goto loser;

  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));

  switch (tag) {

  case SEC_OID_X500_RSA_ENCRYPTION:

  case SEC_OID_PKCS1_RSA_ENCRYPTION:

    keaType = kt_rsa;

    break;

  case SEC_OID_ANSIX9_DSA_SIGNATURE: /* hah, signature, not a key? */

  case SEC_OID_X942_DIFFIE_HELMAN_KEY:

    keaType = kt_dh;

    break;

#ifndef NSS_DISABLE_ECC

  case SEC_OID_ANSIX962_EC_PUBLIC_KEY:

    keaType = kt_ecdh;

    break;

#endif /* NSS_DISABLE_ECC */

  default:

    keaType = kt_null;

  }

 loser:

  return keaType;

}

static const PRCallOnceType pristineCallOnce;

static       PRCallOnceType setupServerCAListOnce;

static SECStatus serverCAListShutdown(void* appData, void* nssData)

{

    PORT_Assert(ssl3_server_ca_list);

    if (ssl3_server_ca_list) {

	CERT_FreeDistNames(ssl3_server_ca_list);

	ssl3_server_ca_list = NULL;

    }

    setupServerCAListOnce = pristineCallOnce;

    return SECSuccess;

}

static PRStatus serverCAListSetup(void *arg)

{

    CERTCertDBHandle *dbHandle = (CERTCertDBHandle *)arg;

    SECStatus rv = NSS_RegisterShutdown(serverCAListShutdown, NULL);

    PORT_Assert(SECSuccess == rv);

    if (SECSuccess == rv) {

	ssl3_server_ca_list = CERT_GetSSLCACerts(dbHandle);

	return PR_SUCCESS;

    }

    return PR_FAILURE;

}

SECStatus

ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,

                       const CERTCertificateList *certChain,

                       ssl3KeyPair *keyPair, SSLKEAType kea)

{

    CERTCertificateList *localCertChain = NULL;

    sslServerCerts  *sc = ss->serverCerts + kea;

    /* load the server certificate */

    if (sc->serverCert != NULL) {

	CERT_DestroyCertificate(sc->serverCert);

    	sc->serverCert = NULL;

        sc->serverKeyBits = 0;

    }

    /* load the server cert chain */

    if (sc->serverCertChain != NULL) {

	CERT_DestroyCertificateList(sc->serverCertChain);

    	sc->serverCertChain = NULL;

    }

    if (cert) {

        sc->serverCert = CERT_DupCertificate(cert);

        /* get the size of the cert's public key, and remember it */

        sc->serverKeyBits = SECKEY_PublicKeyStrengthInBits(keyPair->pubKey);

        if (!certChain) {

            localCertChain =

                CERT_CertChainFromCert(sc->serverCert, certUsageSSLServer,

                                       PR_TRUE);

            if (!localCertChain)

                goto loser;

        }

        sc->serverCertChain = (certChain) ? CERT_DupCertList(certChain) :

                                            localCertChain;

        if (!sc->serverCertChain) {

            goto loser;

        }

        localCertChain = NULL;      /* consumed */

    }

    /* get keyPair */

    if (sc->serverKeyPair != NULL) {

        ssl3_FreeKeyPair(sc->serverKeyPair);

        sc->serverKeyPair = NULL;

    }

    if (keyPair) {

        SECKEY_CacheStaticFlags(keyPair->privKey);

        sc->serverKeyPair = ssl3_GetKeyPairRef(keyPair);

    }

    if (kea == kt_rsa && cert && sc->serverKeyBits > 512 &&

        !ss->opt.noStepDown && !ss->stepDownKeyPair) { 

        if (ssl3_CreateRSAStepDownKeys(ss) != SECSuccess) {

            goto loser;

        }

    }

    if (kea == ssl_kea_dh || kea == ssl_kea_rsa) {

        if (ssl3_SelectDHParams(ss) != SECSuccess) {

            goto loser;

        }

     }

    return SECSuccess;

loser:

    if (localCertChain) {

        CERT_DestroyCertificateList(localCertChain);

    }

    if (sc->serverCert != NULL) {

	CERT_DestroyCertificate(sc->serverCert);

	sc->serverCert = NULL;

    }

    if (sc->serverCertChain != NULL) {

	CERT_DestroyCertificateList(sc->serverCertChain);

	sc->serverCertChain = NULL;

    }

    if (sc->serverKeyPair != NULL) {

	ssl3_FreeKeyPair(sc->serverKeyPair);

	sc->serverKeyPair = NULL;

    }

    return SECFailure;

}

/* XXX need to protect the data that gets changed here.!! */

SECStatus

SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,

		       SECKEYPrivateKey *key, SSL3KEAType kea)

{

    return SSL_ConfigSecureServerWithCertChain(fd, cert, NULL, key, kea);

}

SECStatus

SSL_ConfigSecureServerWithCertChain(PRFileDesc *fd, CERTCertificate *cert,

                                    const CERTCertificateList *certChainOpt,

                                    SECKEYPrivateKey *key, SSL3KEAType kea)

{

    sslSocket *ss;

    SECKEYPublicKey *pubKey = NULL;

    ssl3KeyPair *keyPair = NULL;

    SECStatus rv = SECFailure;

    ss = ssl_FindSocket(fd);

    if (!ss) {

	return SECFailure;

    }

    /* Both key and cert must have a value or be NULL */

    /* Passing a value of NULL will turn off key exchange algorithms that were

     * previously turned on */

    if (!cert != !key) {

	PORT_SetError(SEC_ERROR_INVALID_ARGS);

	return SECFailure;

    }

    /* make sure the key exchange is recognized */

    if ((kea >= kt_kea_size) || (kea < kt_null)) {

	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);

	return SECFailure;

    }

    if (kea != NSS_FindCertKEAType(cert)) {

    	PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);

	return SECFailure;

    }

    if (cert) {

    	/* get the size of the cert's public key, and remember it */

	pubKey = CERT_ExtractPublicKey(cert);

	if (!pubKey) 

            return SECFailure;

    }

    if (key) {

	SECKEYPrivateKey * keyCopy	= NULL;

	CK_MECHANISM_TYPE  keyMech	= CKM_INVALID_MECHANISM;

	if (key->pkcs11Slot) {

	    PK11SlotInfo * bestSlot;

	    bestSlot = PK11_ReferenceSlot(key->pkcs11Slot);

	    if (bestSlot) {

		keyCopy = PK11_CopyTokenPrivKeyToSessionPrivKey(bestSlot, key);

		PK11_FreeSlot(bestSlot);