crypto_nss_mgt.c 2.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104
  1. /* Copyright (c) 2001, Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file crypto_nss_mgt.c
  8. *
  9. * \brief Manage the NSS library (if used)
  10. **/
  11. #include "lib/crypt_ops/crypto_nss_mgt.h"
  12. #include "lib/log/log.h"
  13. #include "lib/log/util_bug.h"
  14. DISABLE_GCC_WARNING(strict-prototypes)
  15. #include <nss.h>
  16. #include <pk11func.h>
  17. #include <ssl.h>
  18. #include <prerror.h>
  19. #include <prtypes.h>
  20. #include <prinit.h>
  21. ENABLE_GCC_WARNING(strict-prototypes)
  22. const char *
  23. crypto_nss_get_version_str(void)
  24. {
  25. return NSS_GetVersion();
  26. }
  27. const char *
  28. crypto_nss_get_header_version_str(void)
  29. {
  30. return NSS_VERSION;
  31. }
  32. /** A password function that always returns NULL. */
  33. static char *
  34. nss_password_func_always_fail(PK11SlotInfo *slot,
  35. PRBool retry,
  36. void *arg)
  37. {
  38. (void) slot;
  39. (void) retry;
  40. (void) arg;
  41. return NULL;
  42. }
  43. void
  44. crypto_nss_early_init(void)
  45. {
  46. PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
  47. PK11_SetPasswordFunc(nss_password_func_always_fail);
  48. /* Eventually we should use NSS_Init() instead -- but that wants a
  49. directory. The documentation says that we can't use this if we want
  50. to use OpenSSL. */
  51. if (NSS_NoDB_Init(NULL) == SECFailure) {
  52. log_err(LD_CRYPTO, "Unable to initialize NSS.");
  53. crypto_nss_log_errors(LOG_ERR, "initializing NSS");
  54. tor_assert_unreached();
  55. }
  56. if (NSS_SetDomesticPolicy() == SECFailure) {
  57. log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
  58. crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
  59. tor_assert_unreached();
  60. }
  61. }
  62. void
  63. crypto_nss_log_errors(int severity, const char *doing)
  64. {
  65. PRErrorCode code = PR_GetError();
  66. /* XXXX how do I convert errors to strings? */
  67. if (doing) {
  68. tor_log(severity, LD_CRYPTO, "NSS error %u while %s", code, doing);
  69. } else {
  70. tor_log(severity, LD_CRYPTO, "NSS error %u", code);
  71. }
  72. }
  73. int
  74. crypto_nss_late_init(void)
  75. {
  76. /* Possibly, SSL_OptionSetDefault? */
  77. return 0;
  78. }
  79. void
  80. crypto_nss_global_cleanup(void)
  81. {
  82. NSS_Shutdown();
  83. }
  84. void
  85. crypto_nss_postfork(void)
  86. {
  87. crypto_nss_global_cleanup();
  88. crypto_nss_early_init();
  89. }