Tor  0.4.7.0-alpha-dev
crypto_nss_mgt.c
Go to the documentation of this file.
1 /* Copyright (c) 2001, Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file crypto_nss_mgt.c
9  *
10  * \brief Manage the NSS library (if used)
11  **/
12 
14 
15 #include "lib/log/log.h"
16 #include "lib/log/util_bug.h"
17 #include "lib/string/printf.h"
18 
19 DISABLE_GCC_WARNING("-Wstrict-prototypes")
20 #include <nss.h>
21 #include <pk11func.h>
22 #include <ssl.h>
23 
24 #include <prerror.h>
25 #include <prtypes.h>
26 #include <prinit.h>
27 ENABLE_GCC_WARNING("-Wstrict-prototypes")
28 
29 const char *
30 crypto_nss_get_version_str(void)
31 {
32  return NSS_GetVersion();
33 }
34 const char *
35 crypto_nss_get_header_version_str(void)
36 {
37  return NSS_VERSION;
38 }
39 
40 /** A password function that always returns NULL. */
41 static char *
42 nss_password_func_always_fail(PK11SlotInfo *slot,
43  PRBool retry,
44  void *arg)
45 {
46  (void) slot;
47  (void) retry;
48  (void) arg;
49  return NULL;
50 }
51 
52 void
53 crypto_nss_early_init(int nss_only)
54 {
55  if (! nss_only) {
56  PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
57  PK11_SetPasswordFunc(nss_password_func_always_fail);
58  }
59 
60  /* Eventually we should use NSS_Init() instead -- but that wants a
61  directory. The documentation says that we can't use this if we want
62  to use OpenSSL. */
63  if (NSS_NoDB_Init(NULL) == SECFailure) {
64  log_err(LD_CRYPTO, "Unable to initialize NSS.");
65  crypto_nss_log_errors(LOG_ERR, "initializing NSS");
66  tor_assert_unreached();
67  }
68 
69  if (NSS_SetDomesticPolicy() == SECFailure) {
70  log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
71  crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
72  tor_assert_unreached();
73  }
74 
75  /* We need to override the default here, or NSS will reject all the
76  * legacy Tor certificates. */
77  SECStatus rv = NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024);
78  if (rv != SECSuccess) {
79  log_err(LD_CRYPTO, "Unable to set NSS min RSA key size");
80  crypto_nss_log_errors(LOG_ERR, "setting cipher option.");
81  tor_assert_unreached();
82  }
83 }
84 
85 void
86 crypto_nss_log_errors(int severity, const char *doing)
87 {
88  PRErrorCode code = PR_GetError();
89  const char *string = PORT_ErrorToString(code);
90  const char *name = PORT_ErrorToName(code);
91  char buf[16];
92  if (!string)
93  string = "<unrecognized>";
94  if (!name) {
95  tor_snprintf(buf, sizeof(buf), "%d", code);
96  name = buf;
97  }
98  if (doing) {
99  tor_log(severity, LD_CRYPTO, "NSS error %s while %s: %s",
100  name, doing, string);
101  } else {
102  tor_log(severity, LD_CRYPTO, "NSS error %s: %s", name, string);
103  }
104 }
105 
106 int
107 crypto_nss_late_init(void)
108 {
109  /* Possibly, SSL_OptionSetDefault? */
110 
111  return 0;
112 }
113 
114 void
115 crypto_nss_global_cleanup(void)
116 {
117  NSS_Shutdown();
118  PL_ArenaFinish();
119  PR_Cleanup();
120 }
121 
122 void
123 crypto_nss_prefork(void)
124 {
125  NSS_Shutdown();
126 }
127 
128 void
129 crypto_nss_postfork(void)
130 {
131  crypto_nss_early_init(1);
132 }
const char * name
Definition: config.c:2434
static char * nss_password_func_always_fail(PK11SlotInfo *slot, PRBool retry, void *arg)
Headers for crypto_nss_mgt.c.
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:590
Headers for log.c.
#define LD_CRYPTO
Definition: log.h:64
#define LOG_ERR
Definition: log.h:56
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
Header for printf.c.
Macros to manage assertions, fatal and non-fatal.