1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
/* Copyright (c) 2001, Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file crypto_nss_mgt.c
*
* \brief Manage the NSS library (if used)
**/
#include "lib/crypt_ops/crypto_nss_mgt.h"
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/string/printf.h"
DISABLE_GCC_WARNING(strict-prototypes)
#include <nss.h>
#include <pk11func.h>
#include <ssl.h>
#include <prerror.h>
#include <prtypes.h>
#include <prinit.h>
ENABLE_GCC_WARNING(strict-prototypes)
const char *
crypto_nss_get_version_str(void)
{
return NSS_GetVersion();
}
const char *
crypto_nss_get_header_version_str(void)
{
return NSS_VERSION;
}
/** A password function that always returns NULL. */
static char *
nss_password_func_always_fail(PK11SlotInfo *slot,
PRBool retry,
void *arg)
{
(void) slot;
(void) retry;
(void) arg;
return NULL;
}
void
crypto_nss_early_init(void)
{
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
PK11_SetPasswordFunc(nss_password_func_always_fail);
/* Eventually we should use NSS_Init() instead -- but that wants a
directory. The documentation says that we can't use this if we want
to use OpenSSL. */
if (NSS_NoDB_Init(NULL) == SECFailure) {
log_err(LD_CRYPTO, "Unable to initialize NSS.");
crypto_nss_log_errors(LOG_ERR, "initializing NSS");
tor_assert_unreached();
}
if (NSS_SetDomesticPolicy() == SECFailure) {
log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
tor_assert_unreached();
}
/* We need to override the default here, or NSS will reject all the
* legacy Tor certificates. */
SECStatus rv = NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
if (rv != SECSuccess) {
log_err(LD_CRYPTO, "Unable to set NSS min RSA key size");
crypto_nss_log_errors(LOG_ERR, "setting cipher option.");
tor_assert_unreached();
}
}
void
crypto_nss_log_errors(int severity, const char *doing)
{
PRErrorCode code = PR_GetError();
const char *string = PORT_ErrorToString(code);
const char *name = PORT_ErrorToName(code);
char buf[16];
if (!string)
string = "<unrecognized>";
if (!name) {
tor_snprintf(buf, sizeof(buf), "%d", code);
name = buf;
}
if (doing) {
tor_log(severity, LD_CRYPTO, "NSS error %s while %s: %s",
name, doing, string);
} else {
tor_log(severity, LD_CRYPTO, "NSS error %s: %s", name, string);
}
}
int
crypto_nss_late_init(void)
{
/* Possibly, SSL_OptionSetDefault? */
return 0;
}
void
crypto_nss_global_cleanup(void)
{
NSS_Shutdown();
}
void
crypto_nss_postfork(void)
{
crypto_nss_global_cleanup();
crypto_nss_early_init();
}
|
