In addition to Nelson's reply, I have two comments that are
more related to NSPR than to NSS.
> Hi,
>
> I am trying to import a newly connected Unix socket fd using
> PR_ImportTCPSocket(), to then use NSS for SSL. I am using the following
> sequence:
>
> PR_Init

PR_Init() is no longer needed. NSPR is now automatically
initialized the first time an NSPR function is called.

> NSS_InitReadWrite
> NSS_SetDomesticPolicy
> ...
> socket
> connect
> ...
> PR_ImportTCPSocket

Ideally, you should do all of your socket I/O with NSPR
functions.

We cannot guarantee that PR_ImportTCPSocket works under
all situations. This is why it is declared in a "private"
header file.

On Unix, under the current NSPR implementation, a side
effect of the PR_ImportTCPSocket call is that it sets the
O_NONBLOCK flag of the Unix file descriptor. Also,
PR_Close() on the imported socket will close the Unix
file descriptor as well.

> SSL_ImportFD

In your code, you have:

    ssl_fdesc = SSL_ImportFD (NULL, fdesc);

In fact, if SSL_ImportFD succeeds, ssl_fdesc will be equal
to fdesc. That is, ssl_fdesc is either fdesc or NULL.
So you don't really need the ssl_fdesc local variable.

When NSPR pushes an I/O layer onto a stack of layers, it
does some magic copying to ensure that the top of the stack
is constant. This is not what some people expected.

> SSL_OptionSet (SSL_SECURITY)
> SSL_OptionSet (SSL_HANDSHAKE_AS_CLIENT)
> SSL_SetURL
> SSL_ForceHandshake
> ...
> PR_Write
>
> All of these succeed (SECSuccess is returned and PR_GetError returns
> 0).

You should only call PR_GetError() after a function returns a failure
status. The error code is undefined if a function returns successfully.

Wan-Teh
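As an added illustration of the two side effects described in the reply (not code from Wan-Teh or from NSPR itself), here is a self-contained C model: `model_import` and `model_close` are hypothetical stand-ins for PR_ImportTCPSocket() and PR_Close() that reproduce only the documented behaviour (the Unix fd is switched to O_NONBLOCK; closing the imported socket closes the fd), and `fd_is_nonblocking` / `fd_is_closed` are the fcntl() checks a caller can run against the real descriptor to confirm both effects and avoid a second close(). The socketpair is a constructed stand-in for the connected TCP socket.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for PR_ImportTCPSocket(): models only the side
 * effect the reply describes (fd switched to O_NONBLOCK). Not NSPR code. */
static int model_import(int fd) {
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Hypothetical stand-in for PR_Close() on the imported socket: the Unix fd
 * goes away too, so the caller must not close() it a second time. */
static int model_close(int fd) {
    return close(fd);
}

/* Check for the real fd after PR_ImportTCPSocket(): is it now non-blocking?
 * Raw read()/write() on such an fd can return EAGAIN from here on. */
int fd_is_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL);
    return flags >= 0 && (flags & O_NONBLOCK) != 0;
}

/* Check after PR_Close(): the fd number is no longer valid. A second close()
 * would fail with EBADF or, worse, hit a descriptor reused by another thread. */
int fd_is_closed(int fd) {
    return fcntl(fd, F_GETFD) < 0 && errno == EBADF;
}

/* Import -> verify -> close on a constructed socketpair (no network needed).
 * Returns 0 when both documented side effects are observed. */
int demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = 0;
    if (fd_is_nonblocking(sv[0]))        rc = -2;  /* fresh socket blocks */
    else if (model_import(sv[0]) < 0)    rc = -3;
    else if (!fd_is_nonblocking(sv[0]))  rc = -4;  /* side effect 1 missing */
    else if (model_close(sv[0]) < 0)     rc = -5;
    else if (!fd_is_closed(sv[0]))       rc = -6;  /* side effect 2 missing */
    if (rc != 0 && rc != -6) close(sv[0]);          /* sv[0] still open here */
    close(sv[1]);
    return rc;
}
```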