Tor 0.4.9.0-alpha-dev
crypto_nss_mgt.c
Go to the documentation of this file.
1/* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * \file crypto_nss_mgt.c
9 *
10 * \brief Manage the NSS library (if used)
11 **/
12
13#include "lib/crypt_ops/crypto_nss_mgt.h"
14
15#include "lib/log/log.h"
16#include "lib/log/util_bug.h"
17#include "lib/string/printf.h"
18
19DISABLE_GCC_WARNING("-Wstrict-prototypes")
20#include <nss.h>
21#include <pk11func.h>
22#include <ssl.h>
23
24#include <prerror.h>
25#include <prtypes.h>
26#include <prinit.h>
27ENABLE_GCC_WARNING("-Wstrict-prototypes")
28
29const char *
30crypto_nss_get_version_str(void)
31{
32 return NSS_GetVersion();
33}
34const char *
35crypto_nss_get_header_version_str(void)
36{
37 return NSS_VERSION;
38}
39
40/** A password function that always returns NULL. */
41static char *
42nss_password_func_always_fail(PK11SlotInfo *slot,
43 PRBool retry,
44 void *arg)
45{
46 (void) slot;
47 (void) retry;
48 (void) arg;
49 return NULL;
50}
51
52void
53crypto_nss_early_init(int nss_only)
54{
55 if (! nss_only) {
56 PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
57 PK11_SetPasswordFunc(nss_password_func_always_fail);
58 }
59
60 /* Eventually we should use NSS_Init() instead -- but that wants a
61 directory. The documentation says that we can't use this if we want
62 to use OpenSSL. */
63 if (NSS_NoDB_Init(NULL) == SECFailure) {
64 log_err(LD_CRYPTO, "Unable to initialize NSS.");
65 crypto_nss_log_errors(LOG_ERR, "initializing NSS");
66 tor_assert_unreached();
67 }
68
69 if (NSS_SetDomesticPolicy() == SECFailure) {
70 log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
71 crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
72 tor_assert_unreached();
73 }
74
75 /* We need to override the default here, or NSS will reject all the
76 * legacy Tor certificates. */
77 SECStatus rv = NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
78 if (rv != SECSuccess) {
79 log_err(LD_CRYPTO, "Unable to set NSS min RSA key size");
80 crypto_nss_log_errors(LOG_ERR, "setting cipher option.");
81 tor_assert_unreached();
82 }
83}
84
85void
86crypto_nss_log_errors(int severity, const char *doing)
87{
88 PRErrorCode code = PR_GetError();
89 const char *string = PORT_ErrorToString(code);
90 const char *name = PORT_ErrorToName(code);
91 char buf[16];
92 if (!string)
93 string = "<unrecognized>";
94 if (!name) {
95 tor_snprintf(buf, sizeof(buf), "%d", code);
96 name = buf;
97 }
98 if (doing) {
99 tor_log(severity, LD_CRYPTO, "NSS error %s while %s: %s",
100 name, doing, string);
101 } else {
102 tor_log(severity, LD_CRYPTO, "NSS error %s: %s", name, string);
103 }
104}
105
106int
107crypto_nss_late_init(void)
108{
109 /* Possibly, SSL_OptionSetDefault? */
110
111 return 0;
112}
113
114void
115crypto_nss_global_cleanup(void)
116{
117 NSS_Shutdown();
118 PL_ArenaFinish();
119 PR_Cleanup();
120}
121
122void
123crypto_nss_prefork(void)
124{
125 NSS_Shutdown();
126}
127
128void
129crypto_nss_postfork(void)
130{
131 crypto_nss_early_init(1);
132}
name
const char * name
Definition: config.c:2462
nss_password_func_always_fail
static char * nss_password_func_always_fail(PK11SlotInfo *slot, PRBool retry, void *arg)
Definition: crypto_nss_mgt.c:42
crypto_nss_mgt.h
Headers for crypto_nss_mgt.c.
tor_log
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:591
log.h
Headers for log.c.
LD_CRYPTO
#define LD_CRYPTO
Definition: log.h:64
LOG_ERR
#define LOG_ERR
Definition: log.h:56
tor_snprintf
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
printf.h
Header for printf.c.
util_bug.h
Macros to manage assertions, fatal and non-fatal.
Generated by doxygen 1.9.4