1 /* Copyright (c) 2001, Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file crypto_nss_mgt.c
10 * \brief Manage the NSS library (if used)
11 **/
13 #include "lib/crypt_ops/crypto_nss_mgt.h"
15 #include "lib/log/log.h"
16 #include "lib/log/util_bug.h"
17 #include "lib/string/printf.h"
19 DISABLE_GCC_WARNING("-Wstrict-prototypes")
20 #include <nss.h>
21 #include <pk11func.h>
22 #include <ssl.h>
24 #include <prerror.h>
25 #include <prtypes.h>
26 #include <prinit.h>
27 ENABLE_GCC_WARNING("-Wstrict-prototypes")
/** Return the version string reported by the NSS library that is loaded at
 * run time (the result of NSS_GetVersion()). This can differ from the
 * version of the headers the binary was compiled against; compare it with
 * crypto_nss_get_header_version_str() when diagnosing a mismatch. */
const char *
crypto_nss_get_version_str(void)
{
  const char *runtime_version = NSS_GetVersion();
  return runtime_version;
}
/** Return the NSS version string taken from the headers this file was
 * compiled with (the NSS_VERSION macro), not from the library that is in
 * use at run time. */
const char *
crypto_nss_get_header_version_str(void)
{
  const char *compiled_version = NSS_VERSION;
  return compiled_version;
}
/** A password function that always returns NULL.
 *
 * Installed with PK11_SetPasswordFunc() so that NSS never obtains a token
 * password from this process: a NULL return tells NSS that no password is
 * available. All three arguments are ignored. */
static char *
nss_password_func_always_fail(PK11SlotInfo *slot,
                              PRBool retry,
                              void *arg)
{
  char *no_password = NULL;

  /* The callback signature is fixed by NSS; mark the arguments as unused. */
  (void) arg;
  (void) retry;
  (void) slot;

  return no_password;
}
/** Initialize NSS for use without a certificate/key database.
 *
 * When nss_only is zero, NSPR is initialized first and a password callback
 * that always fails is installed. When it is nonzero those two steps are
 * skipped and only the NSS-level setup below is performed;
 * crypto_nss_postfork() calls it that way.
 *
 * Any failure is logged at error severity and then reaches
 * tor_assert_unreached(); no status is returned to the caller.
 *
 * NOTE(review): NSS_RSA_MIN_KEY_SIZE is set through the library-wide
 * NSS_OptionSet(), so the 1024-bit floor presumably applies to every NSS
 * user in this process, not only to legacy Tor certificates -- code that
 * needs a stronger minimum has to enforce it itself. Confirm. */
void
crypto_nss_early_init(int nss_only)
{
  if (nss_only == 0) {
    PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
    PK11_SetPasswordFunc(nss_password_func_always_fail);
  }

  /* Eventually we should use NSS_Init() instead -- but that wants a
     directory. The documentation says that we can't use this if we want
     to use OpenSSL. */
  const SECStatus init_status = NSS_NoDB_Init(NULL);
  if (init_status == SECFailure) {
    log_err(LD_CRYPTO, "Unable to initialize NSS.");
    crypto_nss_log_errors(LOG_ERR, "initializing NSS");
    tor_assert_unreached();
  }

  const SECStatus policy_status = NSS_SetDomesticPolicy();
  if (policy_status == SECFailure) {
    log_err(LD_CRYPTO, "Unable to set NSS cipher policy.");
    crypto_nss_log_errors(LOG_ERR, "setting cipher policy");
    tor_assert_unreached();
  }

  /* We need to override the default here, or NSS will reject all the
   * legacy Tor certificates. */
  if (NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024) != SECSuccess) {
    log_err(LD_CRYPTO, "Unable to set NSS min RSA key size");
    crypto_nss_log_errors(LOG_ERR, "setting cipher option.");
    tor_assert_unreached();
  }
}
/** Log the error code currently returned by PR_GetError() at the given
 * severity, in the LD_CRYPTO domain.
 *
 * The message carries the error's symbolic name and its description. If no
 * name is known, the numeric code is printed instead; if no description is
 * known, "<unrecognized>" is used. When doing is non-NULL it is included
 * as a description of the operation that failed.
 *
 * Only one error code is read, so call this right after the failing NSS
 * call.
 * NOTE(review): an intervening NSPR/NSS call could presumably replace the
 * stored code before it is read here -- confirm for callers that log
 * first. */
void
crypto_nss_log_errors(int severity, const char *doing)
{
  const PRErrorCode code = PR_GetError();
  const char *description = PORT_ErrorToString(code);
  const char *symbol = PORT_ErrorToName(code);
  char numeric[16];

  if (description == NULL) {
    description = "<unrecognized>";
  }
  if (symbol == NULL) {
    /* No symbolic name: fall back to the decimal error code. */
    tor_snprintf(numeric, sizeof(numeric), "%d", code);
    symbol = numeric;
  }

  if (doing == NULL) {
    tor_log(severity, LD_CRYPTO, "NSS error %s: %s", symbol, description);
    return;
  }

  tor_log(severity, LD_CRYPTO, "NSS error %s while %s: %s",
          symbol, doing, description);
}
/** Late-stage NSS initialization hook. It currently performs no work and
 * always returns 0. */
int
crypto_nss_late_init(void)
{
  /* Possibly, SSL_OptionSetDefault? */

  /* Nothing to configure yet, so report success unconditionally. */
  return 0;
}
/** Tear down NSS and NSPR for the whole process: shut NSS down, release
 * the arena free lists, then clean up NSPR, in that order.
 *
 * NOTE(review): the results of NSS_Shutdown() and PR_Cleanup() are
 * discarded. NSS_Shutdown() can fail when NSS objects are still referenced,
 * which for a crypto library may mean key material is still live at exit;
 * consider surfacing that in debug builds. */
void
crypto_nss_global_cleanup(void)
{
  /* NSS goes first: it is layered on top of NSPR. */
  NSS_Shutdown();

  /* Free the arena free lists kept by NSPR's plarena code. */
  PL_ArenaFinish();

  /* NSPR itself is cleaned up last. */
  PR_Cleanup();
}
/** Shut NSS down ahead of a fork(). crypto_nss_postfork() initializes it
 * again afterwards.
 *
 * NOTE(review): the result of NSS_Shutdown() is ignored. If the shutdown
 * fails, the process presumably forks with NSS still initialized, and the
 * child would inherit that state -- confirm whether this needs a log line
 * or a hard failure. */
void
crypto_nss_prefork(void)
{
  /* Drop NSS state so that it is not carried across the fork. */
  NSS_Shutdown();
}
/** Re-initialize NSS after a fork(), undoing crypto_nss_prefork().
 *
 * Calls crypto_nss_early_init() with nss_only set, so NSPR initialization
 * and the password-callback registration are not repeated; only the
 * NSS-level setup runs again. */
void
crypto_nss_postfork(void)
{
  const int nss_only = 1;

  crypto_nss_early_init(nss_only);
}