author | Nick Mathewson <nickm@torproject.org> | 2018-08-23 10:13:32 -0400 |
committer | Nick Mathewson <nickm@torproject.org> | 2018-09-04 14:52:35 -0400 |
commit | 52d5f4da12cf4a9647a896395209121cbf9483c4 (patch) | |
tree | e51464ec07f43c6fe37ccf1aeb6cf25bf641892c /src/lib/tls | |
parent | dd04fc35c665976f9fc9ff586cbf7fe34d9cc241 (diff) | |
Avoid spurious error logs when using NSS
Under NSS, tls_log_errors() reports the last recorded error whether or not anything actually failed, unlike the OpenSSL version; so its callers must only invoke it after a real failure.
Diffstat (limited to 'src/lib/tls')
-rw-r--r-- | src/lib/tls/tortls.c | 13 | ||||
-rw-r--r-- | src/lib/tls/tortls_nss.c | 6 |
2 files changed, 15 insertions, 4 deletions
diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index cc9738599e..edf421b4db 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -189,6 +189,9 @@ tor_tls_context_init(unsigned flags,
       if (old_ctx != NULL) {
         tor_tls_context_decref(old_ctx);
       }
+    } else {
+      tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                     "constructing a TLS context");
     }
   } else {
     if (server_identity != NULL) {
@@ -197,6 +200,9 @@ tor_tls_context_init(unsigned flags,
                                          key_lifetime,
                                          flags,
                                          0);
+      if (rv1 < 0)
+        tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                       "constructing a server TLS context");
     } else {
       tor_tls_context_t *old_ctx = server_tls_context;
       server_tls_context = NULL;
@@ -211,9 +217,11 @@ tor_tls_context_init(unsigned flags,
                                        key_lifetime,
                                        flags,
                                        1);
+    if (rv2 < 0)
+      tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                     "constructing a client TLS context");
   }
-  tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
   return MIN(rv1, rv2);
 }
@@ -451,8 +459,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
   r = 0;
  done:
   tor_x509_cert_free(cert);
-  /* Not expected to get invoked */
+#ifdef ENABLE_OPENSSL
   tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
+#endif
   return r;
 }
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 671c018471..40a98dd87e 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -323,8 +323,10 @@ void
 tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
 {
-  /* XXXX This implementation isn't right for NSS -- it logs the last error
-     whether anything actually failed or not. */
+  /* This implementation is a little different for NSS than it is for OpenSSL
+     -- it logs the last error whether anything actually failed or not. So we
+     have to only call it when something has gone wrong and we have a real
+     error to report. */
   (void)tls;
   PRErrorCode code = PORT_GetError();
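Review bot: Removing the unconditional `tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");` after the if/else means the success path of tor_tls_context_init no longer touches the TLS library's error state at all; if the OpenSSL tls_log_errors() drains the ERR_get_error() queue (that implementation is not in this diff), any non-fatal errors left queued during context construction now survive until the next caller and get logged against the wrong `doing` string. Worth confirming the OpenSSL backend leaves the queue empty when rv1/rv2 are non-negative, or keeping an OpenSSL-only drain wrapped in `#ifdef ENABLE_OPENSSL` / `#endif`, mirroring what the tor_tls_check_lifetime hunk does. Separately, the new `if (rv2 < 0)` (and `if (rv1 < 0)` in the previous hunk) guards a two-line call without braces; `if (rv2 < 0) {` ... `}` would keep a later edit from silently unguarding the second line. tor_tls_context_init starts outside the hunk.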
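Review bot: The `#ifdef ENABLE_OPENSSL` in tor_tls_check_lifetime deletes the only comment on this call (`/* Not expected to get invoked */`) and gives no reason for the conditional, so a reader has to know from elsewhere that the NSS tls_log_errors() reports a stale error on every call. Suggest a comment on the #ifdef such as `/* OpenSSL only: under NSS, tls_log_errors() reports the last recorded error whether or not anything failed, so it must not be called on this path. */`, and closing with `#endif /* ENABLE_OPENSSL */` so the pairing is visible when the function grows. The body of tor_tls_check_lifetime starts outside the hunk.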
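Review bot: The rewritten comment in tls_log_errors establishes a calling contract ("only call it when something has gone wrong"), but it is buried in the NSS backend while the callers in tortls.c are backend-agnostic and the OpenSSL backend apparently tolerates unconditional calls; the next person adding a call in tortls.c will not see it. The contract belongs on the shared declaration of tls_log_errors (the header both backends implement, not in this diff), e.g. `/** Log any pending TLS-library error at <b>severity</b> in <b>domain</b>. Call only after a real failure: the NSS implementation reports the last recorded error whether or not anything failed. */`. Also, the visible body reads `PORT_GetError()` without resetting it; if the rest of the function (outside the hunk) does not clear it, a later call after a failure that sets no NSS error would re-report the previous code, so `PORT_SetError(0);` after the read may be worth considering.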