Logo Search packages:      
Sourcecode: xulrunner-1.9 version File versions

sslsock.c

/*
 * vtables (and methods that call through them) for the 4 types of 
 * SSLSockets supported.  Only one type is still supported.
 * Various other functions.
 *
 * ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is
 * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *   Dr Stephen Henson <stephen.henson@gemplus.com>
 *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
/* $Id: sslsock.c,v 1.55 2008/03/06 20:16:22 wtc%google.com Exp $ */
#include "seccomon.h"
#include "cert.h"
#include "keyhi.h"
#include "ssl.h"
#include "sslimpl.h"
#include "sslproto.h"
#include "nspr.h"
#include "private/pprio.h"
#include "blapi.h"
#include "nss.h"

#define SET_ERROR_CODE   /* reminder */

struct cipherPolicyStr {
      int         cipher;
      unsigned char     export;     /* policy value for export policy */
      unsigned char     france;     /* policy value for france policy */
};

typedef struct cipherPolicyStr cipherPolicy;

/* This table contains two preconfigured policies: Export and France.
** It is used only by the functions SSL_SetDomesticPolicy, 
** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
** Order of entries is not important.
*/
static cipherPolicy ssl_ciphers[] = {        /*   Export           France   */
 {  SSL_EN_RC4_128_WITH_MD5,            SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_EN_RC4_128_EXPORT40_WITH_MD5,         SSL_ALLOWED,     SSL_ALLOWED },
 {  SSL_EN_RC2_128_CBC_WITH_MD5,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,   SSL_ALLOWED,     SSL_ALLOWED },
 {  SSL_EN_DES_64_CBC_WITH_MD5,               SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_EN_DES_192_EDE3_CBC_WITH_MD5,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_RSA_WITH_RC4_128_MD5,           SSL_RESTRICTED,  SSL_NOT_ALLOWED },
 {  SSL_RSA_WITH_RC4_128_SHA,           SSL_RESTRICTED,  SSL_NOT_ALLOWED },
 {  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_RESTRICTED,  SSL_NOT_ALLOWED },
 {  SSL_RSA_FIPS_WITH_DES_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_RSA_EXPORT_WITH_RC4_40_MD5,     SSL_ALLOWED,     SSL_ALLOWED },
 {  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,       SSL_ALLOWED,     SSL_ALLOWED },
 {  SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  SSL_RSA_WITH_NULL_SHA,              SSL_ALLOWED,     SSL_ALLOWED },
 {  SSL_RSA_WITH_NULL_MD5,              SSL_ALLOWED,     SSL_ALLOWED },
 {  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_RSA_WITH_AES_128_CBC_SHA,             SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_RSA_WITH_AES_256_CBC_SHA,             SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_ALLOWED,     SSL_NOT_ALLOWED },
 {  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_ALLOWED,     SSL_NOT_ALLOWED },
#ifdef NSS_ENABLE_ECC
 {  TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED,     SSL_ALLOWED },
 {  TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_ALLOWED,     SSL_ALLOWED },
 {  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_ALLOWED,     SSL_ALLOWED },
 {  TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_ALLOWED,     SSL_ALLOWED },
 {  TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
 {  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
#endif /* NSS_ENABLE_ECC */
 {  0,                                  SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
};

static const sslSocketOps ssl_default_ops = {   /* No SSL. */
    ssl_DefConnect,
    NULL,
    ssl_DefBind,
    ssl_DefListen,
    ssl_DefShutdown,
    ssl_DefClose,
    ssl_DefRecv,
    ssl_DefSend,
    ssl_DefRead,
    ssl_DefWrite,
    ssl_DefGetpeername,
    ssl_DefGetsockname
};

static const sslSocketOps ssl_secure_ops = {    /* SSL. */
    ssl_SecureConnect,
    NULL,
    ssl_DefBind,
    ssl_DefListen,
    ssl_SecureShutdown,
    ssl_SecureClose,
    ssl_SecureRecv,
    ssl_SecureSend,
    ssl_SecureRead,
    ssl_SecureWrite,
    ssl_DefGetpeername,
    ssl_DefGetsockname
};

/*
** default settings for socket enables
*/
static sslOptions ssl_defaults = {
    PR_TRUE,      /* useSecurity        */
    PR_FALSE,     /* useSocks           */
    PR_FALSE,     /* requestCertificate */
    2,              /* requireCertificate */
    PR_FALSE,     /* handshakeAsClient  */
    PR_FALSE,     /* handshakeAsServer  */
    PR_TRUE,      /* enableSSL2         */
    PR_TRUE,      /* enableSSL3         */
    PR_TRUE,      /* enableTLS          */ /* now defaults to on in NSS 3.0 */
    PR_FALSE,     /* noCache            */
    PR_FALSE,     /* fdx                */
    PR_TRUE,      /* v2CompatibleHello  */
    PR_TRUE,      /* detectRollBack     */
    PR_FALSE,   /* noStepDown         */
    PR_FALSE,   /* bypassPKCS11       */
    PR_FALSE,   /* noLocks            */
    PR_FALSE,   /* enableSessionTickets */
};

sslSessionIDLookupFunc  ssl_sid_lookup;
sslSessionIDCacheFunc   ssl_sid_cache;
sslSessionIDUncacheFunc ssl_sid_uncache;

static PRBool ssl_inited = PR_FALSE;
static PRDescIdentity ssl_layer_id;

PRBool                  locksEverDisabled;      /* implicitly PR_FALSE */
PRBool                  ssl_force_locks;        /* implicitly PR_FALSE */
int                     ssl_lock_readers  = 1;  /* default true. */
char                    ssl_debug;
char                    ssl_trace;
FILE *                  ssl_trace_iob;
char lockStatus[] = "Locks are ENABLED.  ";
#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */

/* forward declarations. */
static sslSocket *ssl_NewSocket(PRBool makeLocks);
static SECStatus  ssl_MakeLocks(sslSocket *ss);
static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 
                                  PRDescIdentity id);

/************************************************************************/

/*
** Lookup a socket structure from a file descriptor.
** Only functions called through the PRIOMethods table should use this.
** Other app-callable functions should use ssl_FindSocket.
*/
static sslSocket *
ssl_GetPrivate(PRFileDesc *fd)
{
    sslSocket *ss;

    PORT_Assert(fd != NULL);
    PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
    PORT_Assert(fd->identity == ssl_layer_id);

    if (fd->methods->file_type != PR_DESC_LAYERED ||
        fd->identity != ssl_layer_id) {
      PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
      return NULL;
    }

    ss = (sslSocket *)fd->secret;
    ss->fd = fd;
    return ss;
}

/* This function tries to find the SSL layer in the stack. 
 * It searches for the first SSL layer at or below the argument fd,
 * and failing that, it searches for the nearest SSL layer above the 
 * argument fd.  It returns the private sslSocket from the found layer.
 */
sslSocket *
ssl_FindSocket(PRFileDesc *fd)
{
    PRFileDesc *layer;
    sslSocket *ss;

    PORT_Assert(fd != NULL);
    PORT_Assert(ssl_layer_id != 0);

    layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
    if (layer == NULL) {
      PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
      return NULL;
    }

    ss = (sslSocket *)layer->secret;
    ss->fd = layer;
    return ss;
}

sslSocket *
ssl_DupSocket(sslSocket *os)
{
    sslSocket *ss;
    SECStatus rv;

    ss = ssl_NewSocket((PRBool)(!os->opt.noLocks));
    if (ss) {
      ss->opt                = os->opt;
      ss->opt.useSocks       = PR_FALSE;

      ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
      ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);

      ss->ops      = os->ops;
      ss->rTimeout = os->rTimeout;
      ss->wTimeout = os->wTimeout;
      ss->cTimeout = os->cTimeout;
      ss->dbHandle = os->dbHandle;

      /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
      ss->allowedByPolicy     = os->allowedByPolicy;
      ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
      ss->chosenPreference    = os->chosenPreference;
      PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);

      if (os->cipherSpecs) {
          ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
          if (ss->cipherSpecs) 
            PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 
                        os->sizeCipherSpecs);
          ss->sizeCipherSpecs    = os->sizeCipherSpecs;
          ss->preferredCipher    = os->preferredCipher;
      } else {
          ss->cipherSpecs        = NULL;  /* produced lazily */
          ss->sizeCipherSpecs    = 0;
          ss->preferredCipher    = NULL;
      }
      if (ss->opt.useSecurity) {
          /* This int should be SSLKEAType, but CC on Irix complains,
           * during the for loop.
           */
          int i;
          sslServerCerts * oc = os->serverCerts;
          sslServerCerts * sc = ss->serverCerts;

          for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
            if (oc->serverCert && oc->serverCertChain) {
                sc->serverCert      = CERT_DupCertificate(oc->serverCert);
                sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
                if (!sc->serverCertChain) 
                  goto loser;
            } else {
                sc->serverCert      = NULL;
                sc->serverCertChain = NULL;
            }
            sc->serverKeyPair = oc->serverKeyPair ?
                        ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
            if (oc->serverKeyPair && !sc->serverKeyPair)
                goto loser;
              sc->serverKeyBits = oc->serverKeyBits;
          }
          ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
                              ssl3_GetKeyPairRef(os->stepDownKeyPair);
          ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
                              ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
/*
 * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
 * XXX We should detect this, and not just march on with NULL pointers.
 */
          ss->authCertificate       = os->authCertificate;
          ss->authCertificateArg    = os->authCertificateArg;
          ss->getClientAuthData     = os->getClientAuthData;
          ss->getClientAuthDataArg  = os->getClientAuthDataArg;
          ss->handleBadCert         = os->handleBadCert;
          ss->badCertArg            = os->badCertArg;
          ss->handshakeCallback     = os->handshakeCallback;
          ss->handshakeCallbackData = os->handshakeCallbackData;
          ss->pkcs11PinArg          = os->pkcs11PinArg;
    
          /* Create security data */
          rv = ssl_CopySecurityInfo(ss, os);
          if (rv != SECSuccess) {
            goto loser;
          }
      }
    }
    return ss;

loser:
    ssl_FreeSocket(ss);
    return NULL;
}

static void
ssl_DestroyLocks(sslSocket *ss)
{
    /* Destroy locks. */
    if (ss->firstHandshakeLock) {
      PZ_DestroyMonitor(ss->firstHandshakeLock);
      ss->firstHandshakeLock = NULL;
    }
    if (ss->ssl3HandshakeLock) {
      PZ_DestroyMonitor(ss->ssl3HandshakeLock);
      ss->ssl3HandshakeLock = NULL;
    }
    if (ss->specLock) {
      NSSRWLock_Destroy(ss->specLock);
      ss->specLock = NULL;
    }

    if (ss->recvLock) {
      PZ_DestroyLock(ss->recvLock);
      ss->recvLock = NULL;
    }
    if (ss->sendLock) {
      PZ_DestroyLock(ss->sendLock);
      ss->sendLock = NULL;
    }
    if (ss->xmitBufLock) {
      PZ_DestroyMonitor(ss->xmitBufLock);
      ss->xmitBufLock = NULL;
    }
    if (ss->recvBufLock) {
      PZ_DestroyMonitor(ss->recvBufLock);
      ss->recvBufLock = NULL;
    }
}

/* Caller holds any relevant locks */
static void
ssl_DestroySocketContents(sslSocket *ss)
{
    /* "i" should be of type SSLKEAType, but CC on IRIX complains during
     * the for loop.
     */
    int        i;

    /* Free up socket */
    ssl_DestroySecurityInfo(&ss->sec);

    ssl3_DestroySSL3Info(ss);

    PORT_Free(ss->saveBuf.buf);
    PORT_Free(ss->pendingBuf.buf);
    ssl_DestroyGather(&ss->gs);

    if (ss->peerID != NULL)
      PORT_Free(ss->peerID);
    if (ss->url != NULL)
      PORT_Free((void *)ss->url);   /* CONST */
    if (ss->cipherSpecs) {
      PORT_Free(ss->cipherSpecs);
      ss->cipherSpecs     = NULL;
      ss->sizeCipherSpecs = 0;
    }

    /* Clean up server configuration */
    for (i=kt_null; i < kt_kea_size; i++) {
      sslServerCerts * sc = ss->serverCerts + i;
      if (sc->serverCert != NULL)
          CERT_DestroyCertificate(sc->serverCert);
      if (sc->serverCertChain != NULL)
          CERT_DestroyCertificateList(sc->serverCertChain);
      if (sc->serverKeyPair != NULL)
          ssl3_FreeKeyPair(sc->serverKeyPair);
    }
    if (ss->stepDownKeyPair) {
      ssl3_FreeKeyPair(ss->stepDownKeyPair);
      ss->stepDownKeyPair = NULL;
    }
    if (ss->ephemeralECDHKeyPair) {
      ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
      ss->ephemeralECDHKeyPair = NULL;
    }
}

/*
 * free an sslSocket struct, and all the stuff that hangs off of it
 */
void
ssl_FreeSocket(sslSocket *ss)
{
#ifdef DEBUG
    sslSocket *fs;
    sslSocket  lSock;
#endif

/* Get every lock you can imagine!
** Caller already holds these:
**  SSL_LOCK_READER(ss);
**  SSL_LOCK_WRITER(ss);
*/
    ssl_Get1stHandshakeLock(ss);
    ssl_GetRecvBufLock(ss);
    ssl_GetSSL3HandshakeLock(ss);
    ssl_GetXmitBufLock(ss);
    ssl_GetSpecWriteLock(ss);

#ifdef DEBUG
    fs = &lSock;
    *fs = *ss;                      /* Copy the old socket structure, */
    PORT_Memset(ss, 0x1f, sizeof *ss);  /* then blast the old struct ASAP. */
#else
#define fs ss
#endif

    ssl_DestroySocketContents(fs);

    /* Release all the locks acquired above.  */
    SSL_UNLOCK_READER(fs);
    SSL_UNLOCK_WRITER(fs);
    ssl_Release1stHandshakeLock(fs);
    ssl_ReleaseRecvBufLock(fs);
    ssl_ReleaseSSL3HandshakeLock(fs);
    ssl_ReleaseXmitBufLock(fs);
    ssl_ReleaseSpecWriteLock(fs);

    ssl_DestroyLocks(fs);

    PORT_Free(ss);      /* free the caller's copy, not ours. */
    return;
}
#undef fs

/************************************************************************/
SECStatus 
ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
{
    PRFileDesc *       osfd = ss->fd->lower;
    SECStatus         rv = SECFailure;
    PRSocketOptionData opt;

    opt.option         = PR_SockOpt_NoDelay;
    opt.value.no_delay = (PRBool)!enabled;

    if (osfd->methods->setsocketoption) {
        rv = (SECStatus) osfd->methods->setsocketoption(osfd, &opt);
    } else {
        PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    }

    return rv;
}

static void
ssl_ChooseOps(sslSocket *ss)
{
    ss->ops = ss->opt.useSecurity ? &ssl_secure_ops : &ssl_default_ops;
}

/* Called from SSL_Enable (immediately below) */
static SECStatus
PrepareSocket(sslSocket *ss)
{
    SECStatus     rv = SECSuccess;

    ssl_ChooseOps(ss);
    return rv;
}

SECStatus
SSL_Enable(PRFileDesc *fd, int which, PRBool on)
{
    return SSL_OptionSet(fd, which, on);
}

static const PRCallOnceType pristineCallOnce;
static PRCallOnceType setupBypassOnce;

static SECStatus SSL_BypassShutdown(void* appData, void* nssData)
{
    /* unload freeBL shared library from memory */
    BL_Unload();
    setupBypassOnce = pristineCallOnce;
    return SECSuccess;
}

static PRStatus SSL_BypassRegisterShutdown(void)
{
    SECStatus rv = NSS_RegisterShutdown(SSL_BypassShutdown, NULL);
    PORT_Assert(SECSuccess == rv);
    return SECSuccess == rv ? PR_SUCCESS : PR_FAILURE;
}

static PRStatus SSL_BypassSetup(void)
{
    return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
}

SECStatus
SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
{
    sslSocket *ss = ssl_FindSocket(fd);
    SECStatus  rv = SECSuccess;
    PRBool     holdingLocks;

    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
      return SECFailure;
    }

    holdingLocks = (!ss->opt.noLocks);
    ssl_Get1stHandshakeLock(ss);
    ssl_GetSSL3HandshakeLock(ss);

    switch (which) {
      case SSL_SOCKS:
      ss->opt.useSocks = PR_FALSE;
      rv = PrepareSocket(ss);
      if (on) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          rv = SECFailure;
      }
      break;

      case SSL_SECURITY:
      ss->opt.useSecurity = on;
      rv = PrepareSocket(ss);
      break;

      case SSL_REQUEST_CERTIFICATE:
      ss->opt.requestCertificate = on;
      break;

      case SSL_REQUIRE_CERTIFICATE:
      ss->opt.requireCertificate = on;
      break;

      case SSL_HANDSHAKE_AS_CLIENT:
      if ( ss->opt.handshakeAsServer && on ) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          rv = SECFailure;
          break;
      }
      ss->opt.handshakeAsClient = on;
      break;

      case SSL_HANDSHAKE_AS_SERVER:
      if ( ss->opt.handshakeAsClient && on ) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          rv = SECFailure;
          break;
      }
      ss->opt.handshakeAsServer = on;
      break;

      case SSL_ENABLE_TLS:
      ss->opt.enableTLS       = on;
      ss->preferredCipher     = NULL;
      if (ss->cipherSpecs) {
          PORT_Free(ss->cipherSpecs);
          ss->cipherSpecs     = NULL;
          ss->sizeCipherSpecs = 0;
      }
      break;

      case SSL_ENABLE_SSL3:
      ss->opt.enableSSL3      = on;
      ss->preferredCipher     = NULL;
      if (ss->cipherSpecs) {
          PORT_Free(ss->cipherSpecs);
          ss->cipherSpecs     = NULL;
          ss->sizeCipherSpecs = 0;
      }
      break;

      case SSL_ENABLE_SSL2:
      ss->opt.enableSSL2       = on;
      if (on) {
          ss->opt.v2CompatibleHello = on;
      }
      ss->preferredCipher     = NULL;
      if (ss->cipherSpecs) {
          PORT_Free(ss->cipherSpecs);
          ss->cipherSpecs     = NULL;
          ss->sizeCipherSpecs = 0;
      }
      break;

      case SSL_NO_CACHE:
      ss->opt.noCache = on;
      break;

      case SSL_ENABLE_FDX:
      if (on && ss->opt.noLocks) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          rv = SECFailure;
      }
            ss->opt.fdx = on;
      break;

      case SSL_V2_COMPATIBLE_HELLO:
            ss->opt.v2CompatibleHello = on;
      if (!on) {
          ss->opt.enableSSL2    = on;
      }
      break;

      case SSL_ROLLBACK_DETECTION:  
      ss->opt.detectRollBack = on;
        break;

      case SSL_NO_STEP_DOWN:        
      ss->opt.noStepDown     = on;         
      if (on) 
          SSL_DisableExportCipherSuites(fd);
      break;

      case SSL_BYPASS_PKCS11:
      if (ss->handshakeBegun) {
          PORT_SetError(PR_INVALID_STATE_ERROR);
          rv = SECFailure;
      } else {
            if (PR_FALSE != on) {
                if (PR_SUCCESS == SSL_BypassSetup() ) {
                    ss->opt.bypassPKCS11   = on;
                } else {
                    rv = SECFailure;
                }
            } else {
                ss->opt.bypassPKCS11   = PR_FALSE;
            }
      }
      break;

      case SSL_NO_LOCKS:
      if (on && ss->opt.fdx) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          rv = SECFailure;
      }
      if (on && ssl_force_locks) 
          on = PR_FALSE;      /* silent override */
      ss->opt.noLocks   = on;
      if (on) {
          locksEverDisabled = PR_TRUE;
          strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
      } else if (!holdingLocks) {
          rv = ssl_MakeLocks(ss);
          if (rv != SECSuccess) {
            ss->opt.noLocks   = PR_TRUE;
          }
      }
      break;

      case SSL_ENABLE_SESSION_TICKETS:
      ss->opt.enableSessionTickets = on;
      break;

      default:
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      rv = SECFailure;
    }

    /* We can't use the macros for releasing the locks here,
     * because ss->opt.noLocks might have changed just above.
     * We must release these locks (monitors) here, if we aquired them above,
     * regardless of the current value of ss->opt.noLocks.
     */
    if (holdingLocks) {
      PZ_ExitMonitor((ss)->ssl3HandshakeLock);
      PZ_ExitMonitor((ss)->firstHandshakeLock);
    }

    return rv;
}

SECStatus
SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
{
    sslSocket *ss = ssl_FindSocket(fd);
    SECStatus  rv = SECSuccess;
    PRBool     on = PR_FALSE;

    if (!pOn) {
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
      *pOn = PR_FALSE;
      return SECFailure;
    }

    ssl_Get1stHandshakeLock(ss);
    ssl_GetSSL3HandshakeLock(ss);

    switch (which) {
    case SSL_SOCKS:               on = PR_FALSE;               break;
    case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
    case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
    case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
    case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
    case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
    case SSL_ENABLE_TLS:          on = ss->opt.enableTLS;          break;
    case SSL_ENABLE_SSL3:         on = ss->opt.enableSSL3;         break;
    case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
    case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
    case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
    case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
    case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
    case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
    case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
    case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
    case SSL_ENABLE_SESSION_TICKETS:
      on = ss->opt.enableSessionTickets;
      break;

    default:
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      rv = SECFailure;
    }

    ssl_ReleaseSSL3HandshakeLock(ss);
    ssl_Release1stHandshakeLock(ss);

    *pOn = on;
    return rv;
}

SECStatus
SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
{
    SECStatus  rv = SECSuccess;
    PRBool     on = PR_FALSE;

    if (!pOn) {
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }

    switch (which) {
    case SSL_SOCKS:               on = PR_FALSE;                        break;
    case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
    case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
    case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
    case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
    case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
    case SSL_ENABLE_TLS:          on = ssl_defaults.enableTLS;          break;
    case SSL_ENABLE_SSL3:         on = ssl_defaults.enableSSL3;         break;
    case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
    case SSL_NO_CACHE:            on = ssl_defaults.noCache;            break;
    case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
    case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
    case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
    case SSL_NO_STEP_DOWN:        on = ssl_defaults.noStepDown;         break;
    case SSL_BYPASS_PKCS11:       on = ssl_defaults.bypassPKCS11;       break;
    case SSL_NO_LOCKS:            on = ssl_defaults.noLocks;            break;
    case SSL_ENABLE_SESSION_TICKETS:
      on = ssl_defaults.enableSessionTickets;
      break;

    default:
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      rv = SECFailure;
    }

    *pOn = on;
    return rv;
}

/* XXX Use Global Lock to protect this stuff. */
SECStatus
SSL_EnableDefault(int which, PRBool on)
{
    return SSL_OptionSetDefault(which, on);
}

SECStatus
SSL_OptionSetDefault(PRInt32 which, PRBool on)
{
    switch (which) {
      case SSL_SOCKS:
      ssl_defaults.useSocks = PR_FALSE;
      if (on) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return SECFailure;
      }
      break;

      case SSL_SECURITY:
      ssl_defaults.useSecurity = on;
      break;

      case SSL_REQUEST_CERTIFICATE:
      ssl_defaults.requestCertificate = on;
      break;

      case SSL_REQUIRE_CERTIFICATE:
      ssl_defaults.requireCertificate = on;
      break;

      case SSL_HANDSHAKE_AS_CLIENT:
      if ( ssl_defaults.handshakeAsServer && on ) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return SECFailure;
      }
      ssl_defaults.handshakeAsClient = on;
      break;

      case SSL_HANDSHAKE_AS_SERVER:
      if ( ssl_defaults.handshakeAsClient && on ) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return SECFailure;
      }
      ssl_defaults.handshakeAsServer = on;
      break;

      case SSL_ENABLE_TLS:
      ssl_defaults.enableTLS = on;
      break;

      case SSL_ENABLE_SSL3:
      ssl_defaults.enableSSL3 = on;
      break;

      case SSL_ENABLE_SSL2:
      ssl_defaults.enableSSL2 = on;
      if (on) {
          ssl_defaults.v2CompatibleHello = on;
      }
      break;

      case SSL_NO_CACHE:
      ssl_defaults.noCache = on;
      break;

      case SSL_ENABLE_FDX:
      if (on && ssl_defaults.noLocks) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return SECFailure;
      }
            ssl_defaults.fdx = on;
      break;

      case SSL_V2_COMPATIBLE_HELLO:
            ssl_defaults.v2CompatibleHello = on;
      if (!on) {
          ssl_defaults.enableSSL2    = on;
      }
      break;

      case SSL_ROLLBACK_DETECTION:  
      ssl_defaults.detectRollBack = on;
      break;

      case SSL_NO_STEP_DOWN:        
      ssl_defaults.noStepDown     = on;         
      if (on)
          SSL_DisableDefaultExportCipherSuites();
      break;

      case SSL_BYPASS_PKCS11:
        if (PR_FALSE != on) {
            if (PR_SUCCESS == SSL_BypassSetup()) {
                ssl_defaults.bypassPKCS11   = on;
            } else {
                return SECFailure;
            }
        } else {
            ssl_defaults.bypassPKCS11   = PR_FALSE;
        }
      break;

      case SSL_NO_LOCKS:
      if (on && ssl_defaults.fdx) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return SECFailure;
      }
      if (on && ssl_force_locks) 
          on = PR_FALSE;            /* silent override */
      ssl_defaults.noLocks        = on;
      if (on) {
          locksEverDisabled = PR_TRUE;
          strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
      }
      break;

      case SSL_ENABLE_SESSION_TICKETS:
      ssl_defaults.enableSessionTickets = on;
      break;

      default:
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }
    return SECSuccess;
}

/* function tells us if the cipher suite is one that we no longer support. */
static PRBool 
ssl_IsRemovedCipherSuite(PRInt32 suite)
{
    switch (suite) {
    case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
    case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
    case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
      return PR_TRUE;
    default:
      return PR_FALSE;
    }
}

/* Part of the public NSS API.
 * Since this is a global (not per-socket) setting, we cannot use the
 * HandshakeLock to protect this.  Probably want a global lock.
 */
SECStatus
SSL_SetPolicy(long which, int policy)
{
    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
      /* one of the two old FIPS ciphers */
      if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
          which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
      else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
          which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
    }
    if (ssl_IsRemovedCipherSuite(which))
      return SECSuccess;
    return SSL_CipherPolicySet(which, policy);
}

SECStatus
SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
{
    SECStatus rv;

    if (ssl_IsRemovedCipherSuite(which)) {
      rv = SECSuccess;
    } else if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_SetPolicy(which, policy);
    } else {
      rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
    }
    return rv;
}

SECStatus
SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
{
    SECStatus rv;

    if (!oPolicy) {
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }
    if (ssl_IsRemovedCipherSuite(which)) {
      *oPolicy = SSL_NOT_ALLOWED;
      rv = SECSuccess;
    } else if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_GetPolicy(which, oPolicy);
    } else {
      rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
    }
    return rv;
}

/* Part of the public NSS API.
 * Since this is a global (not per-socket) setting, we cannot use the
 * HandshakeLock to protect this.  Probably want a global lock.
 * These changes have no effect on any sslSockets already created. 
 */
SECStatus
SSL_EnableCipher(long which, PRBool enabled)
{
    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
      /* one of the two old FIPS ciphers */
      if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
          which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
      else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
          which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
    }
    if (ssl_IsRemovedCipherSuite(which))
      return SECSuccess;
    return SSL_CipherPrefSetDefault(which, enabled);
}

SECStatus
SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
{
    SECStatus rv;

    if (ssl_IsRemovedCipherSuite(which))
      return SECSuccess;
    if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
      PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
      return SECFailure;
    }
    if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_CipherPrefSetDefault(which, enabled);
    } else {
      rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
    }
    return rv;
}

SECStatus 
SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
{
    SECStatus  rv;
    
    if (!enabled) {
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }
    if (ssl_IsRemovedCipherSuite(which)) {
      *enabled = PR_FALSE;
      rv = SECSuccess;
    } else if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_CipherPrefGetDefault(which, enabled);
    } else {
      rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
    }
    return rv;
}

SECStatus
SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
{
    SECStatus rv;
    sslSocket *ss = ssl_FindSocket(fd);
    
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
      return SECFailure;
    }
    if (ssl_IsRemovedCipherSuite(which))
      return SECSuccess;
    if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
      PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
      return SECFailure;
    }
    if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_CipherPrefSet(ss, which, enabled);
    } else {
      rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
    }
    return rv;
}

SECStatus 
SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
{
    SECStatus  rv;
    sslSocket *ss = ssl_FindSocket(fd);
    
    if (!enabled) {
      PORT_SetError(SEC_ERROR_INVALID_ARGS);
      return SECFailure;
    }
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
      *enabled = PR_FALSE;
      return SECFailure;
    }
    if (ssl_IsRemovedCipherSuite(which)) {
      *enabled = PR_FALSE;
      rv = SECSuccess;
    } else if (SSL_IS_SSL2_CIPHER(which)) {
      rv = ssl2_CipherPrefGet(ss, which, enabled);
    } else {
      rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
    }
    return rv;
}

SECStatus
NSS_SetDomesticPolicy(void)
{
#ifndef EXPORT_VERSION
    SECStatus      status = SECSuccess;
    cipherPolicy * policy;

    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
      status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
      if (status != SECSuccess)
          break;
    }
    return status;
#else
    return NSS_SetExportPolicy();
#endif
}

SECStatus
NSS_SetExportPolicy(void)
{
    SECStatus      status = SECSuccess;
    cipherPolicy * policy;

    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
      status = SSL_SetPolicy(policy->cipher, policy->export);
      if (status != SECSuccess)
          break;
    }
    return status;
}

SECStatus
NSS_SetFrancePolicy(void)
{
    SECStatus      status = SECSuccess;
    cipherPolicy * policy;

    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
      status = SSL_SetPolicy(policy->cipher, policy->france);
      if (status != SECSuccess)
          break;
    }
    return status;
}



/* LOCKS ??? XXX */
PRFileDesc *
SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
{
    sslSocket * ns = NULL;
    PRStatus    rv;
    PRNetAddr   addr;

    if (model == NULL) {
      /* Just create a default socket if we're given NULL for the model */
      ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks));
    } else {
      sslSocket * ss = ssl_FindSocket(model);
      if (ss == NULL) {
          SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 
                  SSL_GETPID(), model));
          return NULL;
      }
      ns = ssl_DupSocket(ss);
    }
    if (ns == NULL)
      return NULL;

    rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
    if (rv != PR_SUCCESS) {
      ssl_FreeSocket(ns);
      SET_ERROR_CODE
      return NULL;
    }
#ifdef _WIN32
    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
#endif
    ns = ssl_FindSocket(fd);
    PORT_Assert(ns);
    if (ns)
      ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
    return fd;
}

/************************************************************************/
/* The following functions are the TOP LEVEL SSL functions.
** They all get called through the NSPRIOMethods table below.
*/

static PRFileDesc * PR_CALLBACK
ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
{
    sslSocket  *ss;
    sslSocket  *ns      = NULL;
    PRFileDesc *newfd   = NULL;
    PRFileDesc *osfd;
    PRStatus    status;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
      return NULL;
    }

    /* IF this is a listen socket, there shouldn't be any I/O going on */
    SSL_LOCK_READER(ss);
    SSL_LOCK_WRITER(ss);
    ssl_Get1stHandshakeLock(ss);
    ssl_GetSSL3HandshakeLock(ss);

    ss->cTimeout = timeout;

    osfd = ss->fd->lower;

    /* First accept connection */
    newfd = osfd->methods->accept(osfd, sockaddr, timeout);
    if (newfd == NULL) {
      SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
             SSL_GETPID(), ss->fd, PORT_GetError()));
    } else {
      /* Create ssl module */
      ns = ssl_DupSocket(ss);
    }

    ssl_ReleaseSSL3HandshakeLock(ss);
    ssl_Release1stHandshakeLock(ss);
    SSL_UNLOCK_WRITER(ss);
    SSL_UNLOCK_READER(ss);                /* ss isn't used below here. */

    if (ns == NULL)
      goto loser;

    /* push ssl module onto the new socket */
    status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
    if (status != PR_SUCCESS)
      goto loser;

    /* Now start server connection handshake with client.
    ** Don't need locks here because nobody else has a reference to ns yet.
    */
    if ( ns->opt.useSecurity ) {
      if ( ns->opt.handshakeAsClient ) {
          ns->handshake = ssl2_BeginClientHandshake;
          ss->handshaking = sslHandshakingAsClient;
      } else {
          ns->handshake = ssl2_BeginServerHandshake;
          ss->handshaking = sslHandshakingAsServer;
      }
    }
    ns->TCPconnected = 1;
    return newfd;

loser:
    if (ns != NULL)
      ssl_FreeSocket(ns);
    if (newfd != NULL)
      PR_Close(newfd);
    return NULL;
}

static PRStatus PR_CALLBACK
ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
{
    sslSocket *ss;
    PRStatus   rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
      return PR_FAILURE;
    }

    /* IF this is a listen socket, there shouldn't be any I/O going on */
    SSL_LOCK_READER(ss);
    SSL_LOCK_WRITER(ss);

    ss->cTimeout = timeout;
    rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
#ifdef _WIN32
    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
#endif

    SSL_UNLOCK_WRITER(ss);
    SSL_UNLOCK_READER(ss);

    return rv;
}

static PRStatus PR_CALLBACK
ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
{
    sslSocket * ss = ssl_GetPrivate(fd);
    PRStatus    rv;

    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
      return PR_FAILURE;
    }
    SSL_LOCK_READER(ss);
    SSL_LOCK_WRITER(ss);

    rv = (PRStatus)(*ss->ops->bind)(ss, addr);

    SSL_UNLOCK_WRITER(ss);
    SSL_UNLOCK_READER(ss);
    return rv;
}

static PRStatus PR_CALLBACK
ssl_Listen(PRFileDesc *fd, PRIntn backlog)
{
    sslSocket * ss = ssl_GetPrivate(fd);
    PRStatus    rv;

    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
      return PR_FAILURE;
    }
    SSL_LOCK_READER(ss);
    SSL_LOCK_WRITER(ss);

    rv = (PRStatus)(*ss->ops->listen)(ss, backlog);

    SSL_UNLOCK_WRITER(ss);
    SSL_UNLOCK_READER(ss);
    return rv;
}

static PRStatus PR_CALLBACK
ssl_Shutdown(PRFileDesc *fd, PRIntn how)
{
    sslSocket * ss = ssl_GetPrivate(fd);
    PRStatus    rv;

    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
      return PR_FAILURE;
    }
    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
      SSL_LOCK_READER(ss);
    }
    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
      SSL_LOCK_WRITER(ss);
    }

    rv = (PRStatus)(*ss->ops->shutdown)(ss, how);

    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
      SSL_UNLOCK_WRITER(ss);
    }
    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
      SSL_UNLOCK_READER(ss);
    }
    return rv;
}

static PRStatus PR_CALLBACK
ssl_Close(PRFileDesc *fd)
{
    sslSocket *ss;
    PRStatus   rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
      return PR_FAILURE;
    }

    /* There must not be any I/O going on */
    SSL_LOCK_READER(ss);
    SSL_LOCK_WRITER(ss);

    /* By the time this function returns, 
    ** ss is an invalid pointer, and the locks to which it points have 
    ** been unlocked and freed.  So, this is the ONE PLACE in all of SSL
    ** where the LOCK calls and the corresponding UNLOCK calls are not in
    ** the same function scope.  The unlock calls are in ssl_FreeSocket().
    */
    rv = (PRStatus)(*ss->ops->close)(ss);

    return rv;
}

static int PR_CALLBACK
ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
       PRIntervalTime timeout)
{
    sslSocket *ss;
    int        rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
      return SECFailure;
    }
    SSL_LOCK_READER(ss);
    ss->rTimeout = timeout;
    if (!ss->opt.fdx)
      ss->wTimeout = timeout;
    rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
    SSL_UNLOCK_READER(ss);
    return rv;
}

static int PR_CALLBACK
ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
       PRIntervalTime timeout)
{
    sslSocket *ss;
    int        rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
      return SECFailure;
    }
    SSL_LOCK_WRITER(ss);
    ss->wTimeout = timeout;
    if (!ss->opt.fdx)
      ss->rTimeout = timeout;
    rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
    SSL_UNLOCK_WRITER(ss);
    return rv;
}

static int PR_CALLBACK
ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
{
    sslSocket *ss;
    int        rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
      return SECFailure;
    }
    SSL_LOCK_READER(ss);
    ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
    if (!ss->opt.fdx)
      ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
    rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
    SSL_UNLOCK_READER(ss);
    return rv;
}

static int PR_CALLBACK
ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
{
    sslSocket *ss;
    int        rv;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
      return SECFailure;
    }
    SSL_LOCK_WRITER(ss);
    ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
    if (!ss->opt.fdx)
      ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
    rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
    SSL_UNLOCK_WRITER(ss);
    return rv;
}

static PRStatus PR_CALLBACK
ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
{
    sslSocket *ss;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
      return PR_FAILURE;
    }
    return (PRStatus)(*ss->ops->getpeername)(ss, addr);
}

/*
*/
SECStatus
ssl_GetPeerInfo(sslSocket *ss)
{
    PRFileDesc *      osfd;
    int               rv;
    PRNetAddr         sin;

    osfd = ss->fd->lower;

    PORT_Memset(&sin, 0, sizeof(sin));
    rv = osfd->methods->getpeername(osfd, &sin);
    if (rv < 0) {
      return SECFailure;
    }
    ss->TCPconnected = 1;
    if (sin.inet.family == PR_AF_INET) {
        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
      ss->sec.ci.port = sin.inet.port;
    } else if (sin.ipv6.family == PR_AF_INET6) {
      ss->sec.ci.peer = sin.ipv6.ip;
      ss->sec.ci.port = sin.ipv6.port;
    } else {
      PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
      return SECFailure;
    }
    return SECSuccess;
}

static PRStatus PR_CALLBACK
ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
{
    sslSocket *ss;

    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
      return PR_FAILURE;
    }
    return (PRStatus)(*ss->ops->getsockname)(ss, name);
}

SECStatus PR_CALLBACK
SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
{
    sslSocket *ss;

    ss = ssl_FindSocket(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
             SSL_GETPID(), fd));
      return SECFailure;
    }

    ss->peerID = PORT_Strdup(peerID);
    return SECSuccess;
}

#define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)

static PRInt16 PR_CALLBACK
ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
{
    sslSocket *ss;
    PRInt16    new_flags = how_flags;     /* should select on these flags. */
    PRNetAddr  addr;

    *p_out_flags = 0;
    ss = ssl_GetPrivate(fd);
    if (!ss) {
      SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
             SSL_GETPID(), fd));
      return 0;   /* don't poll on this socket */
    }

    if (ss->opt.useSecurity && 
      ss->handshaking != sslHandshakingUndetermined &&
        !ss->firstHsDone &&
      (how_flags & PR_POLL_RW)) {
      if (!ss->TCPconnected) {
          ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
      }
      /* If it's not connected, then presumably the application is polling
      ** on read or write appropriately, so don't change it. 
      */
      if (ss->TCPconnected) {
          if (!ss->handshakeBegun) {
            /* If the handshake has not begun, poll on read or write 
            ** based on the local application's role in the handshake,
            ** not based on what the application requested.
            */
            new_flags &= ~PR_POLL_RW;
            if (ss->handshaking == sslHandshakingAsClient) {
                new_flags |= PR_POLL_WRITE;
            } else { /* handshaking as server */
                new_flags |= PR_POLL_READ;
            }
          } else 
          /* First handshake is in progress */
          if (ss->lastWriteBlocked) {
            if (new_flags & PR_POLL_READ) {
                /* The caller is waiting for data to be received, 
                ** but the initial handshake is blocked on write, or the 
                ** client's first handshake record has not been written.
                ** The code should select on write, not read.
                */
                new_flags ^=  PR_POLL_READ;        /* don't select on read. */
                new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
            }
          } else if (new_flags & PR_POLL_WRITE) {
                /* The caller is trying to write, but the handshake is 
                ** blocked waiting for data to read, and the first 
                ** handshake has been sent.  so do NOT to poll on write.
                */
                new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
                new_flags |=  PR_POLL_READ;        /* do    select on read. */
          }
      }
    } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
      *p_out_flags = PR_POLL_READ;  /* it's ready already. */
      return new_flags;
    } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
             (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
      new_flags |=  PR_POLL_WRITE;   /* also select on write. */
    } 
    if (new_flags && (fd->lower->methods->poll != NULL)) {
      PRInt16    lower_out_flags = 0;
      PRInt16    lower_new_flags;
        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 
                                         &lower_out_flags);
      if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
          PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
          if (lower_out_flags & PR_POLL_READ) 
            out_flags |= PR_POLL_WRITE;
          if (lower_out_flags & PR_POLL_WRITE) 
            out_flags |= PR_POLL_READ;
          *p_out_flags = out_flags;
          new_flags = how_flags;
      } else {
          *p_out_flags = lower_out_flags;
          new_flags    = lower_new_flags;
      }
    }

    return new_flags;
}

static PRInt32 PR_CALLBACK
ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
             const void *headers, PRInt32 hlen,
             PRTransmitFileFlags flags, PRIntervalTime timeout)
{
    PRSendFileData sfd;

    sfd.fd = fd;
    sfd.file_offset = 0;
    sfd.file_nbytes = 0;
    sfd.header = headers;
    sfd.hlen = hlen;
    sfd.trailer = NULL;
    sfd.tlen = 0;

    return sd->methods->sendfile(sd, &sfd, flags, timeout);
}


PRBool
ssl_FdIsBlocking(PRFileDesc *fd)
{
    PRSocketOptionData opt;
    PRStatus           status;

    opt.option             = PR_SockOpt_Nonblocking;
    opt.value.non_blocking = PR_FALSE;
    status = PR_GetSocketOption(fd, &opt);
    if (status != PR_SUCCESS)
      return PR_FALSE;
    return (PRBool)!opt.value.non_blocking;
}

PRBool
ssl_SocketIsBlocking(sslSocket *ss)
{
    return ssl_FdIsBlocking(ss->fd);
}

PRInt32  sslFirstBufSize = 8 * 1024;
PRInt32  sslCopyLimit    = 1024;

static PRInt32 PR_CALLBACK
ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
           PRIntervalTime timeout)
{
    PRInt32            bufLen;
    PRInt32            left;
    PRInt32            rv;
    PRInt32            sent      =  0;
    const PRInt32      first_len = sslFirstBufSize;
    const PRInt32      limit     = sslCopyLimit;
    PRBool             blocking;
    PRIOVec            myIov   = { 0, 0 };
    char               buf[MAX_FRAGMENT_LENGTH];

    if (vectors > PR_MAX_IOVECTOR_SIZE) {
      PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
      return -1;
    }
    blocking = ssl_FdIsBlocking(fd);

#define K16 sizeof(buf)
#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
#define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
#define HANDLE_ERR(rv, len) \
    if (rv != len) { \
      if (rv < 0) { \
          if (!blocking \
            && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
            && (sent > 0)) { \
            return sent; \
          } else { \
            return -1; \
          } \
      } \
      /* Only a nonblocking socket can have partial sends */ \
      PR_ASSERT(!blocking); \
      return sent + rv; \
    } 
#define SEND(bfr, len) \
    do { \
      rv = ssl_Send(fd, bfr, len, 0, timeout); \
      HANDLE_ERR(rv, len) \
      sent += len; \
    } while (0)

    /* Make sure the first write is at least 8 KB, if possible. */
    KILL_VECTORS
    if (!vectors)
      return ssl_Send(fd, 0, 0, 0, timeout);
    GET_VECTOR;
    if (!vectors) {
      return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
    }
    if (myIov.iov_len < first_len) {
      PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
      bufLen = myIov.iov_len;
      left = first_len - bufLen;
      while (vectors && left) {
          int toCopy;
          GET_VECTOR;
          toCopy = PR_MIN(left, myIov.iov_len);
          PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
          bufLen         += toCopy;
          left           -= toCopy;
          myIov.iov_base += toCopy;
          myIov.iov_len  -= toCopy;
      }
      SEND( buf, bufLen );
    }

    while (vectors || myIov.iov_len) {
      PRInt32   addLen;
      if (!myIov.iov_len) {
          GET_VECTOR;
      }
      while (myIov.iov_len >= K16) {
          SEND(myIov.iov_base, K16);
          myIov.iov_base += K16;
          myIov.iov_len  -= K16;
      }
      if (!myIov.iov_len)
          continue;

      if (!vectors || myIov.iov_len > limit) {
          addLen = 0;
      } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
          /* Addlen is already computed. */;
      } else if (vectors > 1 && 
           iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
           addLen = limit - myIov.iov_len;
      } else 
          addLen = 0;

      if (!addLen) {
          SEND( myIov.iov_base, myIov.iov_len );
          myIov.iov_len = 0;
          continue;
      }
      PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
      bufLen = myIov.iov_len;
      do {
          GET_VECTOR;
          PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
          myIov.iov_base += addLen;
          myIov.iov_len  -= addLen;
          bufLen         += addLen;

          left = PR_MIN( limit, K16 - bufLen);
          if (!vectors        /* no more left */
          ||  myIov.iov_len > 0     /* we didn't use that one all up */
          ||  bufLen >= K16         /* it's full. */
          ) {
            addLen = 0;
          } else if ((addLen = iov->iov_len % K16) <= left) {
            /* Addlen is already computed. */;
          } else if (vectors > 1 && 
             iov[1].iov_len % K16 + addLen <= left + limit) {
             addLen = left;
          } else 
            addLen = 0;

      } while (addLen);
      SEND( buf, bufLen );
    } 
    return sent;
}

/*
 * These functions aren't implemented.
 */

static PRInt32 PR_CALLBACK
ssl_Available(PRFileDesc *fd)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return SECFailure;
}

static PRInt64 PR_CALLBACK
ssl_Available64(PRFileDesc *fd)
{
    PRInt64 res;

    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    LL_I2L(res, -1L);
    return res;
}

static PRStatus PR_CALLBACK
ssl_FSync(PRFileDesc *fd)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return PR_FAILURE;
}

static PRInt32 PR_CALLBACK
ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return SECFailure;
}

static PRInt64 PR_CALLBACK
ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
    PRInt64 res;

    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    LL_I2L(res, -1L);
    return res;
}

static PRStatus PR_CALLBACK
ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return PR_FAILURE;
}

static PRStatus PR_CALLBACK
ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return PR_FAILURE;
}

static PRInt32 PR_CALLBACK
ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
           PRNetAddr *addr, PRIntervalTime timeout)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return SECFailure;
}

static PRInt32 PR_CALLBACK
ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
         const PRNetAddr *addr, PRIntervalTime timeout)
{
    PORT_Assert(0);
    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
    return SECFailure;
}

static const PRIOMethods ssl_methods = {
    PR_DESC_LAYERED,
    ssl_Close,                /* close        */
    ssl_Read,                 /* read         */
    ssl_Write,                /* write        */
    ssl_Available,            /* available    */
    ssl_Available64,          /* available64  */
    ssl_FSync,                /* fsync        */
    ssl_Seek,                 /* seek         */
    ssl_Seek64,               /* seek64       */
    ssl_FileInfo,             /* fileInfo     */
    ssl_FileInfo64,           /* fileInfo64   */
    ssl_WriteV,               /* writev       */
    ssl_Connect,              /* connect      */
    ssl_Accept,               /* accept       */
    ssl_Bind,                 /* bind         */
    ssl_Listen,               /* listen       */
    ssl_Shutdown,             /* shutdown     */
    ssl_Recv,                 /* recv         */
    ssl_Send,                 /* send         */
    ssl_RecvFrom,             /* recvfrom     */
    ssl_SendTo,               /* sendto       */
    ssl_Poll,                 /* poll         */
    PR_EmulateAcceptRead,       /* acceptread   */
    ssl_TransmitFile,           /* transmitfile */
    ssl_GetSockName,          /* getsockname  */
    ssl_GetPeerName,          /* getpeername  */
    NULL,                     /* getsockopt   OBSOLETE */
    NULL,                     /* setsockopt   OBSOLETE */
    NULL,                     /* getsocketoption   */
    NULL,                     /* setsocketoption   */
    PR_EmulateSendFile,       /* Send a (partial) file with header/trailer*/
    NULL,                     /* reserved for future use */
    NULL,                     /* reserved for future use */
    NULL,                     /* reserved for future use */
    NULL,                     /* reserved for future use */
    NULL                      /* reserved for future use */
};


static PRIOMethods combined_methods;

static void
ssl_SetupIOMethods(void)
{
          PRIOMethods *new_methods  = &combined_methods;
    const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
    const PRIOMethods *my_methods   = &ssl_methods;

    *new_methods = *nspr_methods;

    new_methods->file_type         = my_methods->file_type;
    new_methods->close             = my_methods->close;
    new_methods->read              = my_methods->read;
    new_methods->write             = my_methods->write;
    new_methods->available         = my_methods->available;
    new_methods->available64       = my_methods->available64;
    new_methods->fsync             = my_methods->fsync;
    new_methods->seek              = my_methods->seek;
    new_methods->seek64            = my_methods->seek64;
    new_methods->fileInfo          = my_methods->fileInfo;
    new_methods->fileInfo64        = my_methods->fileInfo64;
    new_methods->writev            = my_methods->writev;
    new_methods->connect           = my_methods->connect;
    new_methods->accept            = my_methods->accept;
    new_methods->bind              = my_methods->bind;
    new_methods->listen            = my_methods->listen;
    new_methods->shutdown          = my_methods->shutdown;
    new_methods->recv              = my_methods->recv;
    new_methods->send              = my_methods->send;
    new_methods->recvfrom          = my_methods->recvfrom;
    new_methods->sendto            = my_methods->sendto;
    new_methods->poll              = my_methods->poll;
    new_methods->acceptread        = my_methods->acceptread;
    new_methods->transmitfile      = my_methods->transmitfile;
    new_methods->getsockname       = my_methods->getsockname;
    new_methods->getpeername       = my_methods->getpeername;
/*  new_methods->getsocketoption   = my_methods->getsocketoption; */
/*  new_methods->setsocketoption   = my_methods->setsocketoption; */
    new_methods->sendfile          = my_methods->sendfile;

}

static PRCallOnceType initIoLayerOnce;

static PRStatus  
ssl_InitIOLayer(void)
{
    ssl_layer_id = PR_GetUniqueIdentity("SSL");
    ssl_SetupIOMethods();
    ssl_inited = PR_TRUE;
    return PR_SUCCESS;
}

static PRStatus
ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
{
    PRFileDesc *layer   = NULL;
    PRStatus    status;

    if (!ssl_inited) {
      PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
    }

    if (ns == NULL)
      goto loser;

    layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
    if (layer == NULL)
      goto loser;
    layer->secret = (PRFilePrivate *)ns;

    /* Here, "stack" points to the PRFileDesc on the top of the stack.
    ** "layer" points to a new FD that is to be inserted into the stack.
    ** If layer is being pushed onto the top of the stack, then 
    ** PR_PushIOLayer switches the contents of stack and layer, and then
    ** puts stack on top of layer, so that after it is done, the top of 
    ** stack is the same "stack" as it was before, and layer is now the 
    ** FD for the former top of stack.
    ** After this call, stack always points to the top PRFD on the stack.
    ** If this function fails, the contents of stack and layer are as 
    ** they were before the call.
    */
    status = PR_PushIOLayer(stack, id, layer);
    if (status != PR_SUCCESS)
      goto loser;

    ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
    return PR_SUCCESS;

loser:
    if (layer) {
      layer->dtor(layer); /* free layer */
    }
    return PR_FAILURE;
}

/* if this fails, caller must destroy socket. */
static SECStatus
ssl_MakeLocks(sslSocket *ss)
{
    ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
    if (!ss->firstHandshakeLock) 
      goto loser;
    ss->ssl3HandshakeLock  = PZ_NewMonitor(nssILockSSL);
    if (!ss->ssl3HandshakeLock) 
      goto loser;
    ss->specLock           = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
    if (!ss->specLock) 
      goto loser;
    ss->recvBufLock        = PZ_NewMonitor(nssILockSSL);
    if (!ss->recvBufLock) 
      goto loser;
    ss->xmitBufLock        = PZ_NewMonitor(nssILockSSL);
    if (!ss->xmitBufLock) 
      goto loser;
    ss->writerThread       = NULL;
    if (ssl_lock_readers) {
      ss->recvLock       = PZ_NewLock(nssILockSSL);
      if (!ss->recvLock) 
          goto loser;
      ss->sendLock       = PZ_NewLock(nssILockSSL);
      if (!ss->sendLock) 
          goto loser;
    }
    return SECSuccess;
loser:
    ssl_DestroyLocks(ss);
    return SECFailure;
}

#if (defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)) && !defined(_WIN32_WCE)
#define NSS_HAVE_GETENV 1
#endif

/*
** Create a newsocket structure for a file descriptor.
*/
static sslSocket *
ssl_NewSocket(PRBool makeLocks)
{
    sslSocket *ss;
#if defined( NSS_HAVE_GETENV )
    static int firsttime = 1;

    if (firsttime) {
      char * ev;
      firsttime = 0;
#ifdef DEBUG
      ev = getenv("SSLDEBUGFILE");
      if (ev && ev[0]) {
          ssl_trace_iob = fopen(ev, "w");
      }
      if (!ssl_trace_iob) {
          ssl_trace_iob = stderr;
      }
#ifdef TRACE
      ev = getenv("SSLTRACE");
      if (ev && ev[0]) {
          ssl_trace = atoi(ev);
          SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
      }
#endif /* TRACE */
      ev = getenv("SSLDEBUG");
      if (ev && ev[0]) {
          ssl_debug = atoi(ev);
          SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
      }
#endif /* DEBUG */
      ev = getenv("SSLBYPASS");
      if (ev && ev[0]) {
          ssl_defaults.bypassPKCS11 = (ev[0] == '1');
          SSL_TRACE(("SSL: bypass default set to %d", \
                  ssl_defaults.bypassPKCS11));
      }
      ev = getenv("SSLFORCELOCKS");
      if (ev && ev[0] == '1') {
          ssl_force_locks = PR_TRUE;
          ssl_defaults.noLocks = 0;
          strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
          SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
      }
    }
#endif /* NSS_HAVE_GETENV */
    if (ssl_force_locks)
      makeLocks = PR_TRUE;

    /* Make a new socket and get it ready */
    ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
    if (ss) {
        /* This should be of type SSLKEAType, but CC on IRIX
       * complains during the for loop.
       */
      int i;
      SECStatus status;
 
      ss->opt                = ssl_defaults;
      ss->opt.useSocks       = PR_FALSE;
      ss->opt.noLocks        = !makeLocks;

      ss->peerID             = NULL;
      ss->rTimeout             = PR_INTERVAL_NO_TIMEOUT;
      ss->wTimeout             = PR_INTERVAL_NO_TIMEOUT;
      ss->cTimeout             = PR_INTERVAL_NO_TIMEOUT;
      ss->cipherSpecs        = NULL;
        ss->sizeCipherSpecs    = 0;  /* produced lazily */
        ss->preferredCipher    = NULL;
        ss->url                = NULL;

      for (i=kt_null; i < kt_kea_size; i++) {
          sslServerCerts * sc = ss->serverCerts + i;
          sc->serverCert      = NULL;
          sc->serverCertChain = NULL;
          sc->serverKeyPair   = NULL;
          sc->serverKeyBits   = 0;
      }
      ss->stepDownKeyPair    = NULL;
      ss->dbHandle           = CERT_GetDefaultCertDB();

      /* Provide default implementation of hooks */
      ss->authCertificate    = SSL_AuthCertificate;
      ss->authCertificateArg = (void *)ss->dbHandle;
      ss->getClientAuthData  = NULL;
      ss->handleBadCert      = NULL;
      ss->badCertArg         = NULL;
      ss->pkcs11PinArg       = NULL;

      ssl_ChooseOps(ss);
      ssl2_InitSocketPolicy(ss);
      ssl3_InitSocketPolicy(ss);

      if (makeLocks) {
          status = ssl_MakeLocks(ss);
          if (status != SECSuccess)
            goto loser;
      }
      status = ssl_CreateSecurityInfo(ss);
      if (status != SECSuccess) 
          goto loser;
      status = ssl_InitGather(&ss->gs);
      if (status != SECSuccess) {
loser:
          ssl_DestroySocketContents(ss);
          ssl_DestroyLocks(ss);
          PORT_Free(ss);
          ss = NULL;
      }
    }
    return ss;
}


Generated by  Doxygen 1.6.0   Back to index