tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE
commit 52d5f4da12cf4a9647a896395209121cbf9483c4
parent dd04fc35c665976f9fc9ff586cbf7fe34d9cc241
Author: Nick Mathewson <nickm@torproject.org>
Date:   Thu, 23 Aug 2018 10:13:32 -0400

Avoid spurious error logs when using NSS

The tls_log_errors() function now behaves differently for NSS than
it did for OpenSSL, so we need to tweak it a bit.

Diffstat:

Msrc/lib/tls/tortls.c | 13+++++++++++--


Msrc/lib/tls/tortls_nss.c | 6++++--


2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
@@ -189,6 +189,9 @@ tor_tls_context_init(unsigned flags,
       if (old_ctx != NULL) {
         tor_tls_context_decref(old_ctx);
       }
+    } else {
+      tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                     "constructing a TLS context");
     }
   } else {
     if (server_identity != NULL) {
@@ -197,6 +200,9 @@ tor_tls_context_init(unsigned flags,
                                      key_lifetime,
                                      flags,
                                      0);
+      if (rv1 < 0)
+        tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                       "constructing a server TLS context");
     } else {
       tor_tls_context_t *old_ctx = server_tls_context;
       server_tls_context = NULL;
@@ -211,9 +217,11 @@ tor_tls_context_init(unsigned flags,
                                    key_lifetime,
                                    flags,
                                    1);
+    if (rv2 < 0)
+        tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+                       "constructing a client TLS context");
   }
 
-  tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
   return MIN(rv1, rv2);
 }
 
@@ -451,8 +459,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
   r = 0;
  done:
   tor_x509_cert_free(cert);
-  /* Not expected to get invoked */
+#ifdef ENABLE_OPENSSL
   tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
+#endif
 
   return r;
 }
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
@@ -323,8 +323,10 @@ void
 tls_log_errors(tor_tls_t *tls, int severity, int domain,
                const char *doing)
 {
-  /* XXXX This implementation isn't right for NSS -- it logs the last error
-     whether anything actually failed or not. */
+  /* This implementation is a little different for NSS than it is for OpenSSL
+     -- it logs the last error whether anything actually failed or not. So we
+     have to only call it when something has gone wrong and we have a real
+     error to report. */
 
   (void)tls;
   PRErrorCode code = PORT_GetError();