search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Simplify VolumeManager by removing 'ready' event.
[chromium-blink-merge.git] / crypto / nss_util.cc
blob80191b3366f4b4c29eb478560c759cdda3d92669
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "crypto/nss_util.h"
6 #include "crypto/nss_util_internal.h"
7
8 #include <nss.h>
9 #include <pk11pub.h>
10 #include <plarena.h>
11 #include <prerror.h>
12 #include <prinit.h>
13 #include <prtime.h>
14 #include <secmod.h>
15
16 #if defined(OS_LINUX)
17 #include <linux/nfs_fs.h>
18 #include <sys/vfs.h>
19 #elif defined(OS_OPENBSD)
20 #include <sys/mount.h>
21 #include <sys/param.h>
22 #endif
23
24 #include <vector>
25
26 #include "base/debug/alias.h"
27 #include "base/environment.h"
28 #include "base/file_util.h"
29 #include "base/files/file_path.h"
30 #include "base/files/scoped_temp_dir.h"
31 #include "base/lazy_instance.h"
32 #include "base/logging.h"
33 #include "base/memory/scoped_ptr.h"
34 #include "base/metrics/histogram.h"
35 #include "base/native_library.h"
36 #include "base/strings/stringprintf.h"
37 #include "base/threading/thread_restrictions.h"
38 #include "build/build_config.h"
39
40 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not
41 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
42 // use NSS for crypto or certificate verification, and we don't use the NSS
43 // certificate and key databases.
44 #if defined(USE_NSS)
45 #include "base/synchronization/lock.h"
46 #include "crypto/crypto_module_blocking_password_delegate.h"
47 #endif // defined(USE_NSS)
48
49 namespace crypto {
50
51 namespace {
52
53 #if defined(OS_CHROMEOS)
54 const char kNSSDatabaseName[] = "Real NSS database";
55
56 // Constants for loading the Chrome OS TPM-backed PKCS #11 library.
57 const char kChapsModuleName[] = "Chaps";
58 const char kChapsPath[] = "libchaps.so";
59
60 // Fake certificate authority database used for testing.
61 static const base::FilePath::CharType kReadOnlyCertDB[] =
62 FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
63 #endif // defined(OS_CHROMEOS)
64
65 std::string GetNSSErrorMessage() {
66 std::string result;
67 if (PR_GetErrorTextLength()) {
68 scoped_ptr<char[]> error_text(new char[PR_GetErrorTextLength() + 1]);
69 PRInt32 copied = PR_GetErrorText(error_text.get());
70 result = std::string(error_text.get(), copied);
71 } else {
72 result = base::StringPrintf("NSS error code: %d", PR_GetError());
73 }
74 return result;
75 }
76
77 #if defined(USE_NSS)
78 base::FilePath GetDefaultConfigDirectory() {
79 base::FilePath dir = file_util::GetHomeDir();
80 if (dir.empty()) {
81 LOG(ERROR) << "Failed to get home directory.";
82 return dir;
83 }
84 dir = dir.AppendASCII(".pki").AppendASCII("nssdb");
85 if (!file_util::CreateDirectory(dir)) {
86 LOG(ERROR) << "Failed to create " << dir.value() << " directory.";
87 dir.clear();
88 }
89 return dir;
90 }
91
92 // On non-Chrome OS platforms, return the default config directory. On Chrome OS
93 // test images, return a read-only directory with fake root CA certs (which are
94 // used by the local Google Accounts server mock we use when testing our login
95 // code). On Chrome OS non-test images (where the read-only directory doesn't
96 // exist), return an empty path.
97 base::FilePath GetInitialConfigDirectory() {
98 #if defined(OS_CHROMEOS)
99 base::FilePath database_dir = base::FilePath(kReadOnlyCertDB);
100 if (!base::PathExists(database_dir))
101 database_dir.clear();
102 return database_dir;
103 #else
104 return GetDefaultConfigDirectory();
105 #endif // defined(OS_CHROMEOS)
106 }
107
108 // This callback for NSS forwards all requests to a caller-specified
109 // CryptoModuleBlockingPasswordDelegate object.
110 char* PKCS11PasswordFunc(PK11SlotInfo* slot, PRBool retry, void* arg) {
111 #if defined(OS_CHROMEOS)
112 // If we get asked for a password for the TPM, then return the
113 // well known password we use, as long as the TPM slot has been
114 // initialized.
115 if (crypto::IsTPMTokenReady()) {
116 std::string token_name;
117 std::string user_pin;
118 crypto::GetTPMTokenInfo(&token_name, &user_pin);
119 if (PK11_GetTokenName(slot) == token_name)
120 return PORT_Strdup(user_pin.c_str());
121 }
122 #endif
123 crypto::CryptoModuleBlockingPasswordDelegate* delegate =
124 reinterpret_cast<crypto::CryptoModuleBlockingPasswordDelegate*>(arg);
125 if (delegate) {
126 bool cancelled = false;
127 std::string password = delegate->RequestPassword(PK11_GetTokenName(slot),
128 retry != PR_FALSE,
129 &cancelled);
130 if (cancelled)
131 return NULL;
132 char* result = PORT_Strdup(password.c_str());
133 password.replace(0, password.size(), password.size(), 0);
134 return result;
135 }
136 DLOG(ERROR) << "PK11 password requested with NULL arg";
137 return NULL;
138 }
139
140 // NSS creates a local cache of the sqlite database if it detects that the
141 // filesystem the database is on is much slower than the local disk. The
142 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
143 // (NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=578561). So we set
144 // the NSS environment variable NSS_SDB_USE_CACHE to "yes" to override NSS's
145 // detection when database_dir is on NFS. See http://crbug.com/48585.
146 //
147 // TODO(wtc): port this function to other USE_NSS platforms. It is defined
148 // only for OS_LINUX and OS_OPENBSD simply because the statfs structure
149 // is OS-specific.
150 //
151 // Because this function sets an environment variable it must be run before we
152 // go multi-threaded.
153 void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
154 #if defined(OS_LINUX) || defined(OS_OPENBSD)
155 struct statfs buf;
156 if (statfs(database_dir.value().c_str(), &buf) == 0) {
157 #if defined(OS_LINUX)
158 if (buf.f_type == NFS_SUPER_MAGIC) {
159 #elif defined(OS_OPENBSD)
160 if (strcmp(buf.f_fstypename, MOUNT_NFS) == 0) {
161 #endif
162 scoped_ptr<base::Environment> env(base::Environment::Create());
163 const char* use_cache_env_var = "NSS_SDB_USE_CACHE";
164 if (!env->HasVar(use_cache_env_var))
165 env->SetVar(use_cache_env_var, "yes");
166 }
167 }
168 #endif // defined(OS_LINUX) || defined(OS_OPENBSD)
169 }
170
171 PK11SlotInfo* FindSlotWithTokenName(const std::string& token_name) {
172 AutoSECMODListReadLock auto_lock;
173 SECMODModuleList* head = SECMOD_GetDefaultModuleList();
174 for (SECMODModuleList* item = head; item != NULL; item = item->next) {
175 int slot_count = item->module->loaded ? item->module->slotCount : 0;
176 for (int i = 0; i < slot_count; i++) {
177 PK11SlotInfo* slot = item->module->slots[i];
178 if (PK11_GetTokenName(slot) == token_name)
179 return PK11_ReferenceSlot(slot);
180 }
181 }
182 return NULL;
183 }
184
185 #endif // defined(USE_NSS)
186
187 // A singleton to initialize/deinitialize NSPR.
188 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
189 // Now that we're leaking the singleton, we could merge back with the NSS
190 // singleton.
191 class NSPRInitSingleton {
192 private:
193 friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
194
195 NSPRInitSingleton() {
196 PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
197 }
198
199 // NOTE(willchan): We don't actually execute this code since we leak NSS to
200 // prevent non-joinable threads from using NSS after it's already been shut
201 // down.
202 ~NSPRInitSingleton() {
203 PL_ArenaFinish();
204 PRStatus prstatus = PR_Cleanup();
205 if (prstatus != PR_SUCCESS)
206 LOG(ERROR) << "PR_Cleanup failed; was NSPR initialized on wrong thread?";
207 }
208 };
209
210 base::LazyInstance<NSPRInitSingleton>::Leaky
211 g_nspr_singleton = LAZY_INSTANCE_INITIALIZER;
212
213 // This is a LazyInstance so that it will be deleted automatically when the
214 // unittest exits. NSSInitSingleton is a LeakySingleton, so it would not be
215 // deleted if it were a regular member.
216 base::LazyInstance<base::ScopedTempDir> g_test_nss_db_dir =
217 LAZY_INSTANCE_INITIALIZER;
218
219 // Force a crash with error info on NSS_NoDB_Init failure.
220 void CrashOnNSSInitFailure() {
221 int nss_error = PR_GetError();
222 int os_error = PR_GetOSError();
223 base::debug::Alias(&nss_error);
224 base::debug::Alias(&os_error);
225 LOG(ERROR) << "Error initializing NSS without a persistent database: "
226 << GetNSSErrorMessage();
227 LOG(FATAL) << "nss_error=" << nss_error << ", os_error=" << os_error;
228 }
229
230 class NSSInitSingleton {
231 public:
232 #if defined(OS_CHROMEOS)
233 void OpenPersistentNSSDB() {
234 if (!chromeos_user_logged_in_) {
235 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread.
236 // Temporarily allow it until we fix http://crbug.com/70119
237 base::ThreadRestrictions::ScopedAllowIO allow_io;
238 chromeos_user_logged_in_ = true;
239
240 // This creates another DB slot in NSS that is read/write, unlike
241 // the fake root CA cert DB and the "default" crypto key
242 // provider, which are still read-only (because we initialized
243 // NSS before we had a cryptohome mounted).
244 software_slot_ = OpenUserDB(GetDefaultConfigDirectory(),
245 kNSSDatabaseName);
246 }
247 }
248
249 void EnableTPMTokenForNSS() {
250 tpm_token_enabled_for_nss_ = true;
251 }
252
253 bool InitializeTPMToken(const std::string& token_name,
254 const std::string& user_pin) {
255 // If EnableTPMTokenForNSS hasn't been called, return false.
256 if (!tpm_token_enabled_for_nss_)
257 return false;
258
259 // If everything is already initialized, then return true.
260 if (chaps_module_ && tpm_slot_)
261 return true;
262
263 tpm_token_name_ = token_name;
264 tpm_user_pin_ = user_pin;
265
266 // This tries to load the Chaps module so NSS can talk to the hardware
267 // TPM.
268 if (!chaps_module_) {
269 chaps_module_ = LoadModule(
270 kChapsModuleName,
271 kChapsPath,
272 // For more details on these parameters, see:
273 // https://developer.mozilla.org/en/PKCS11_Module_Specs
274 // slotFlags=[PublicCerts] -- Certificates and public keys can be
275 // read from this slot without requiring a call to C_Login.
276 // askpw=only -- Only authenticate to the token when necessary.
277 "NSS=\"slotParams=(0={slotFlags=[PublicCerts] askpw=only})\"");
278 }
279 if (chaps_module_){
280 // If this gets set, then we'll use the TPM for certs with
281 // private keys, otherwise we'll fall back to the software
282 // implementation.
283 tpm_slot_ = GetTPMSlot();
284
285 return tpm_slot_ != NULL;
286 }
287 return false;
288 }
289
290 void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
291 if (!tpm_token_enabled_for_nss_) {
292 LOG(ERROR) << "GetTPMTokenInfo called before TPM Token is ready.";
293 return;
294 }
295 if (token_name)
296 *token_name = tpm_token_name_;
297 if (user_pin)
298 *user_pin = tpm_user_pin_;
299 }
300
301 bool IsTPMTokenReady() {
302 return tpm_slot_ != NULL;
303 }
304
305 PK11SlotInfo* GetTPMSlot() {
306 std::string token_name;
307 GetTPMTokenInfo(&token_name, NULL);
308 return FindSlotWithTokenName(token_name);
309 }
310 #endif // defined(OS_CHROMEOS)
311
312
313 bool OpenTestNSSDB() {
314 if (test_slot_)
315 return true;
316 if (!g_test_nss_db_dir.Get().CreateUniqueTempDir())
317 return false;
318 test_slot_ = OpenUserDB(g_test_nss_db_dir.Get().path(), kTestTPMTokenName);
319 return !!test_slot_;
320 }
321
322 void CloseTestNSSDB() {
323 if (!test_slot_)
324 return;
325 SECStatus status = SECMOD_CloseUserDB(test_slot_);
326 if (status != SECSuccess)
327 PLOG(ERROR) << "SECMOD_CloseUserDB failed: " << PORT_GetError();
328 PK11_FreeSlot(test_slot_);
329 test_slot_ = NULL;
330 ignore_result(g_test_nss_db_dir.Get().Delete());
331 }
332
333 PK11SlotInfo* GetPublicNSSKeySlot() {
334 if (test_slot_)
335 return PK11_ReferenceSlot(test_slot_);
336 if (software_slot_)
337 return PK11_ReferenceSlot(software_slot_);
338 return PK11_GetInternalKeySlot();
339 }
340
341 PK11SlotInfo* GetPrivateNSSKeySlot() {
342 if (test_slot_)
343 return PK11_ReferenceSlot(test_slot_);
344
345 #if defined(OS_CHROMEOS)
346 if (tpm_token_enabled_for_nss_) {
347 if (IsTPMTokenReady()) {
348 return PK11_ReferenceSlot(tpm_slot_);
349 } else {
350 // If we were supposed to get the hardware token, but were
351 // unable to, return NULL rather than fall back to sofware.
352 return NULL;
353 }
354 }
355 #endif
356 // If we weren't supposed to enable the TPM for NSS, then return
357 // the software slot.
358 if (software_slot_)
359 return PK11_ReferenceSlot(software_slot_);
360 return PK11_GetInternalKeySlot();
361 }
362
363 #if defined(USE_NSS)
364 base::Lock* write_lock() {
365 return &write_lock_;
366 }
367 #endif // defined(USE_NSS)
368
369 // This method is used to force NSS to be initialized without a DB.
370 // Call this method before NSSInitSingleton() is constructed.
371 static void ForceNoDBInit() {
372 force_nodb_init_ = true;
373 }
374
375 private:
376 friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
377
378 NSSInitSingleton()
379 : tpm_token_enabled_for_nss_(false),
380 chaps_module_(NULL),
381 software_slot_(NULL),
382 test_slot_(NULL),
383 tpm_slot_(NULL),
384 root_(NULL),
385 chromeos_user_logged_in_(false) {
386 base::TimeTicks start_time = base::TimeTicks::Now();
387 EnsureNSPRInit();
388
389 // We *must* have NSS >= 3.14.3.
390 COMPILE_ASSERT(
391 (NSS_VMAJOR == 3 && NSS_VMINOR == 14 && NSS_VPATCH >= 3) ||
392 (NSS_VMAJOR == 3 && NSS_VMINOR > 14) ||
393 (NSS_VMAJOR > 3),
394 nss_version_check_failed);
395 // Also check the run-time NSS version.
396 // NSS_VersionCheck is a >= check, not strict equality.
397 if (!NSS_VersionCheck("3.14.3")) {
398 LOG(FATAL) << "NSS_VersionCheck(\"3.14.3\") failed. NSS >= 3.14.3 is "
399 "required. Please upgrade to the latest NSS, and if you "
400 "still get this error, contact your distribution "
401 "maintainer.";
402 }
403
404 SECStatus status = SECFailure;
405 bool nodb_init = force_nodb_init_;
406
407 #if !defined(USE_NSS)
408 // Use the system certificate store, so initialize NSS without database.
409 nodb_init = true;
410 #endif
411
412 if (nodb_init) {
413 status = NSS_NoDB_Init(NULL);
414 if (status != SECSuccess) {
415 CrashOnNSSInitFailure();
416 return;
417 }
418 #if defined(OS_IOS)
419 root_ = InitDefaultRootCerts();
420 #endif // defined(OS_IOS)
421 } else {
422 #if defined(USE_NSS)
423 base::FilePath database_dir = GetInitialConfigDirectory();
424 if (!database_dir.empty()) {
425 // This duplicates the work which should have been done in
426 // EarlySetupForNSSInit. However, this function is idempotent so
427 // there's no harm done.
428 UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
429
430 // Initialize with a persistent database (likely, ~/.pki/nssdb).
431 // Use "sql:" which can be shared by multiple processes safely.
432 std::string nss_config_dir =
433 base::StringPrintf("sql:%s", database_dir.value().c_str());
434 #if defined(OS_CHROMEOS)
435 status = NSS_Init(nss_config_dir.c_str());
436 #else
437 status = NSS_InitReadWrite(nss_config_dir.c_str());
438 #endif
439 if (status != SECSuccess) {
440 LOG(ERROR) << "Error initializing NSS with a persistent "
441 "database (" << nss_config_dir
442 << "): " << GetNSSErrorMessage();
443 }
444 }
445 if (status != SECSuccess) {
446 VLOG(1) << "Initializing NSS without a persistent database.";
447 status = NSS_NoDB_Init(NULL);
448 if (status != SECSuccess) {
449 CrashOnNSSInitFailure();
450 return;
451 }
452 }
453
454 PK11_SetPasswordFunc(PKCS11PasswordFunc);
455
456 // If we haven't initialized the password for the NSS databases,
457 // initialize an empty-string password so that we don't need to
458 // log in.
459 PK11SlotInfo* slot = PK11_GetInternalKeySlot();
460 if (slot) {
461 // PK11_InitPin may write to the keyDB, but no other thread can use NSS
462 // yet, so we don't need to lock.
463 if (PK11_NeedUserInit(slot))
464 PK11_InitPin(slot, NULL, NULL);
465 PK11_FreeSlot(slot);
466 }
467
468 root_ = InitDefaultRootCerts();
469 #endif // defined(USE_NSS)
470 }
471
472 // Disable MD5 certificate signatures. (They are disabled by default in
473 // NSS 3.14.)
474 NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
475 NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
476 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
477
478 // The UMA bit is conditionally set for this histogram in
479 // chrome/common/startup_metric_utils.cc .
480 HISTOGRAM_CUSTOM_TIMES("Startup.SlowStartupNSSInit",
481 base::TimeTicks::Now() - start_time,
482 base::TimeDelta::FromMilliseconds(10),
483 base::TimeDelta::FromHours(1),
484 50);
485 }
486
487 // NOTE(willchan): We don't actually execute this code since we leak NSS to
488 // prevent non-joinable threads from using NSS after it's already been shut
489 // down.
490 ~NSSInitSingleton() {
491 if (tpm_slot_) {
492 PK11_FreeSlot(tpm_slot_);
493 tpm_slot_ = NULL;
494 }
495 if (software_slot_) {
496 SECMOD_CloseUserDB(software_slot_);
497 PK11_FreeSlot(software_slot_);
498 software_slot_ = NULL;
499 }
500 CloseTestNSSDB();
501 if (root_) {
502 SECMOD_UnloadUserModule(root_);
503 SECMOD_DestroyModule(root_);
504 root_ = NULL;
505 }
506 if (chaps_module_) {
507 SECMOD_UnloadUserModule(chaps_module_);
508 SECMOD_DestroyModule(chaps_module_);
509 chaps_module_ = NULL;
510 }
511
512 SECStatus status = NSS_Shutdown();
513 if (status != SECSuccess) {
514 // We VLOG(1) because this failure is relatively harmless (leaking, but
515 // we're shutting down anyway).
516 VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609";
517 }
518 }
519
520 #if defined(USE_NSS) || defined(OS_IOS)
521 // Load nss's built-in root certs.
522 SECMODModule* InitDefaultRootCerts() {
523 SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL);
524 if (root)
525 return root;
526
527 // Aw, snap. Can't find/load root cert shared library.
528 // This will make it hard to talk to anybody via https.
529 NOTREACHED();
530 return NULL;
531 }
532
533 // Load the given module for this NSS session.
534 SECMODModule* LoadModule(const char* name,
535 const char* library_path,
536 const char* params) {
537 std::string modparams = base::StringPrintf(
538 "name=\"%s\" library=\"%s\" %s",
539 name, library_path, params ? params : "");
540
541 // Shouldn't need to const_cast here, but SECMOD doesn't properly
542 // declare input string arguments as const. Bug
543 // https://bugzilla.mozilla.org/show_bug.cgi?id=642546 was filed
544 // on NSS codebase to address this.
545 SECMODModule* module = SECMOD_LoadUserModule(
546 const_cast<char*>(modparams.c_str()), NULL, PR_FALSE);
547 if (!module) {
548 LOG(ERROR) << "Error loading " << name << " module into NSS: "
549 << GetNSSErrorMessage();
550 return NULL;
551 }
552 return module;
553 }
554 #endif
555
556 static PK11SlotInfo* OpenUserDB(const base::FilePath& path,
557 const char* description) {
558 const std::string modspec =
559 base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
560 path.value().c_str(), description);
561 PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
562 if (db_slot) {
563 if (PK11_NeedUserInit(db_slot))
564 PK11_InitPin(db_slot, NULL, NULL);
565 }
566 else {
567 LOG(ERROR) << "Error opening persistent database (" << modspec
568 << "): " << GetNSSErrorMessage();
569 }
570 return db_slot;
571 }
572
573 // If this is set to true NSS is forced to be initialized without a DB.
574 static bool force_nodb_init_;
575
576 bool tpm_token_enabled_for_nss_;
577 std::string tpm_token_name_;
578 std::string tpm_user_pin_;
579 SECMODModule* chaps_module_;
580 PK11SlotInfo* software_slot_;
581 PK11SlotInfo* test_slot_;
582 PK11SlotInfo* tpm_slot_;
583 SECMODModule* root_;
584 bool chromeos_user_logged_in_;
585 #if defined(USE_NSS)
586 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
587 // is fixed, we will no longer need the lock.
588 base::Lock write_lock_;
589 #endif // defined(USE_NSS)
590 };
591
592 // static
593 bool NSSInitSingleton::force_nodb_init_ = false;
594
595 base::LazyInstance<NSSInitSingleton>::Leaky
596 g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
597 } // namespace
598
599 const char kTestTPMTokenName[] = "Test DB";
600
601 #if defined(USE_NSS)
602 void EarlySetupForNSSInit() {
603 base::FilePath database_dir = GetInitialConfigDirectory();
604 if (!database_dir.empty())
605 UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
606 }
607 #endif
608
609 void EnsureNSPRInit() {
610 g_nspr_singleton.Get();
611 }
612
613 void InitNSSSafely() {
614 // We might fork, but we haven't loaded any security modules.
615 DisableNSSForkCheck();
616 // If we're sandboxed, we shouldn't be able to open user security modules,
617 // but it's more correct to tell NSS to not even try.
618 // Loading user security modules would have security implications.
619 ForceNSSNoDBInit();
620 // Initialize NSS.
621 EnsureNSSInit();
622 }
623
624 void EnsureNSSInit() {
625 // Initializing SSL causes us to do blocking IO.
626 // Temporarily allow it until we fix
627 // http://code.google.com/p/chromium/issues/detail?id=59847
628 base::ThreadRestrictions::ScopedAllowIO allow_io;
629 g_nss_singleton.Get();
630 }
631
632 void ForceNSSNoDBInit() {
633 NSSInitSingleton::ForceNoDBInit();
634 }
635
636 void DisableNSSForkCheck() {
637 scoped_ptr<base::Environment> env(base::Environment::Create());
638 env->SetVar("NSS_STRICT_NOFORK", "DISABLED");
639 }
640
641 void LoadNSSLibraries() {
642 // Some NSS libraries are linked dynamically so load them here.
643 #if defined(USE_NSS)
644 // Try to search for multiple directories to load the libraries.
645 std::vector<base::FilePath> paths;
646
647 // Use relative path to Search PATH for the library files.
648 paths.push_back(base::FilePath());
649
650 // For Debian derivatives NSS libraries are located here.
651 paths.push_back(base::FilePath("/usr/lib/nss"));
652
653 // Ubuntu 11.10 (Oneiric) and Debian Wheezy place the libraries here.
654 #if defined(ARCH_CPU_X86_64)
655 paths.push_back(base::FilePath("/usr/lib/x86_64-linux-gnu/nss"));
656 #elif defined(ARCH_CPU_X86)
657 paths.push_back(base::FilePath("/usr/lib/i386-linux-gnu/nss"));
658 #elif defined(ARCH_CPU_ARMEL)
659 paths.push_back(base::FilePath("/usr/lib/arm-linux-gnueabi/nss"));
660 #elif defined(ARCH_CPU_MIPSEL)
661 paths.push_back(base::FilePath("/usr/lib/mipsel-linux-gnu/nss"));
662 #endif
663
664 // A list of library files to load.
665 std::vector<std::string> libs;
666 libs.push_back("libsoftokn3.so");
667 libs.push_back("libfreebl3.so");
668
669 // For each combination of library file and path, check for existence and
670 // then load.
671 size_t loaded = 0;
672 for (size_t i = 0; i < libs.size(); ++i) {
673 for (size_t j = 0; j < paths.size(); ++j) {
674 base::FilePath path = paths[j].Append(libs[i]);
675 base::NativeLibrary lib = base::LoadNativeLibrary(path, NULL);
676 if (lib) {
677 ++loaded;
678 break;
679 }
680 }
681 }
682
683 if (loaded == libs.size()) {
684 VLOG(3) << "NSS libraries loaded.";
685 } else {
686 LOG(ERROR) << "Failed to load NSS libraries.";
687 }
688 #endif
689 }
690
691 bool CheckNSSVersion(const char* version) {
692 return !!NSS_VersionCheck(version);
693 }
694
695 #if defined(USE_NSS)
696 ScopedTestNSSDB::ScopedTestNSSDB()
697 : is_open_(g_nss_singleton.Get().OpenTestNSSDB()) {
698 }
699
700 ScopedTestNSSDB::~ScopedTestNSSDB() {
701 // Don't close when NSS is < 3.15.1, because it would require an additional
702 // sleep for 1 second after closing the database, due to
703 // http://bugzil.la/875601.
704 if (NSS_VersionCheck("3.15.1")) {
705 g_nss_singleton.Get().CloseTestNSSDB();
706 }
707 }
708
709 base::Lock* GetNSSWriteLock() {
710 return g_nss_singleton.Get().write_lock();
711 }
712
713 AutoNSSWriteLock::AutoNSSWriteLock() : lock_(GetNSSWriteLock()) {
714 // May be NULL if the lock is not needed in our version of NSS.
715 if (lock_)
716 lock_->Acquire();
717 }
718
719 AutoNSSWriteLock::~AutoNSSWriteLock() {
720 if (lock_) {
721 lock_->AssertAcquired();
722 lock_->Release();
723 }
724 }
725
726 AutoSECMODListReadLock::AutoSECMODListReadLock()
727 : lock_(SECMOD_GetDefaultModuleListLock()) {
728 SECMOD_GetReadLock(lock_);
729 }
730
731 AutoSECMODListReadLock::~AutoSECMODListReadLock() {
732 SECMOD_ReleaseReadLock(lock_);
733 }
734
735 #endif // defined(USE_NSS)
736
737 #if defined(OS_CHROMEOS)
738 void OpenPersistentNSSDB() {
739 g_nss_singleton.Get().OpenPersistentNSSDB();
740 }
741
742 void EnableTPMTokenForNSS() {
743 g_nss_singleton.Get().EnableTPMTokenForNSS();
744 }
745
746 void GetTPMTokenInfo(std::string* token_name, std::string* user_pin) {
747 g_nss_singleton.Get().GetTPMTokenInfo(token_name, user_pin);
748 }
749
750 bool IsTPMTokenReady() {
751 return g_nss_singleton.Get().IsTPMTokenReady();
752 }
753
754 bool InitializeTPMToken(const std::string& token_name,
755 const std::string& user_pin) {
756 return g_nss_singleton.Get().InitializeTPMToken(token_name, user_pin);
757 }
758 #endif // defined(OS_CHROMEOS)
759
760 base::Time PRTimeToBaseTime(PRTime prtime) {
761 return base::Time::FromInternalValue(
762 prtime + base::Time::UnixEpoch().ToInternalValue());
763 }
764
765 PRTime BaseTimeToPRTime(base::Time time) {
766 return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
767 }
768
769 PK11SlotInfo* GetPublicNSSKeySlot() {
770 return g_nss_singleton.Get().GetPublicNSSKeySlot();
771 }
772
773 PK11SlotInfo* GetPrivateNSSKeySlot() {
774 return g_nss_singleton.Get().GetPrivateNSSKeySlot();
775 }
776
777 } // namespace crypto