piros
/
tor


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
							/* Copyright (c) 2001, Matej Pfajfar.
 * Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
 * Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
 * \file crypto_nss_mgt.c
 *
 * \brief Manage the NSS library (if used)
 **/

#include "lib/crypt_ops/crypto_nss_mgt.h"

#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/string/printf.h"

DISABLE_GCC_WARNING(strict-prototypes)
#include <nss.h>
#include <pk11func.h>
#include <ssl.h>

#include <prerror.h>
#include <prtypes.h>
#include <prinit.h>
ENABLE_GCC_WARNING(strict-prototypes)

const char *
crypto_nss_get_version_str(void)
{
  return NSS_GetVersion();
}
const char *
crypto_nss_get_header_version_str(void)
{
  return NSS_VERSION;
}

/** A password function that always returns NULL. */
static char *
nss_password_func_always_fail(PK11SlotInfo *slot,
                              PRBool retry,
                              void *arg)
{
  (void) slot;
  (void) retry;
  (void) arg;
  return NULL;
}

void
crypto_nss_early_init(void)
{
  PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
  PK11_SetPasswordFunc(nss_password_func_always_fail);

  /* Eventually we should use NSS_Init() instead -- but that wants a
     directory. The documentation says that we can't use this if we want
     to use OpenSSL. */
  if (NSS_NoDB_Init(NULL) == SECFailure) {
    log_err(LD_CRYPTO, "Unable to initialize NSS.");
    crypto_nss_log_errors(LOG_ERR, "initializing NSS");
    tor_assert_unreached();
  }

  if (NSS_SetDomesticPolicy() == SECFailure) {
    log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
    crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
    tor_assert_unreached();
  }

  /* We need to override the default here, or NSS will reject all the
   * legacy Tor certificates. */
  SECStatus rv = NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
  if (rv != SECSuccess) {
    log_err(LD_CRYPTO, "Unable to set NSS min RSA key size");
    crypto_nss_log_errors(LOG_ERR, "setting cipher option.");
    tor_assert_unreached();
  }
}

void
crypto_nss_log_errors(int severity, const char *doing)
{
  PRErrorCode code = PR_GetError();
  const char *string = PORT_ErrorToString(code);
  const char *name = PORT_ErrorToName(code);
  char buf[16];
  if (!string)
    string = "<unrecognized>";
  if (!name) {
    tor_snprintf(buf, sizeof(buf), "%d", code);
    name = buf;
  }
  if (doing) {
    tor_log(severity, LD_CRYPTO, "NSS error %s while %s: %s",
            name, doing, string);
  } else {
    tor_log(severity, LD_CRYPTO, "NSS error %s: %s", name, string);
  }
}

int
crypto_nss_late_init(void)
{
  /* Possibly, SSL_OptionSetDefault? */

  return 0;
}

void
crypto_nss_global_cleanup(void)
{
  NSS_Shutdown();
}

void
crypto_nss_postfork(void)
{
  crypto_nss_global_cleanup();
  crypto_nss_early_init();
}