| blob | 69d74f555cfe434b501f9abd3cce1de28ff3583c |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
8 #include <nss.h>
9 #include <pk11pub.h>
10 #include <plarena.h>
11 #include <prerror.h>
12 #include <prinit.h>
13 #include <prtime.h>
14 #include <secmod.h>
16 #if defined(OS_LINUX)
17 #include <linux/nfs_fs.h>
18 #include <sys/vfs.h>
19 #elif defined(OS_OPENBSD)
20 #include <sys/mount.h>
21 #include <sys/param.h>
22 #endif
24 #include <vector>
39 #if defined(OS_CHROMEOS)
41 #endif
43 // USE_NSS means we use NSS for everything crypto-related. If USE_NSS is not
44 // defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
45 // use NSS for crypto or certificate verification, and we don't use the NSS
46 // certificate and key databases.
47 #if defined(USE_NSS)
56 #if defined(OS_CHROMEOS)
59 // Constants for loading the Chrome OS TPM-backed PKCS #11 library.
63 // Fake certificate authority database used for testing.
76 }
78 }
80 #if defined(USE_NSS)
86 }
91 }
93 }
95 #if defined(OS_CHROMEOS)
96 // Supplemental user key id.
100 };
104 // On non-chromeos platforms, return the default config directory.
105 // On chromeos, return a read-only directory with fake root CA certs for testing
106 // (which will not exist on non-testing images). These root CA certs are used
107 // by the local Google Accounts server mock we use when testing our login code.
108 // If this directory is not present, NSS_Init() will fail. It is up to the
109 // caller to failover to NSS_NoDB_Init() at that point.
111 #if defined(OS_CHROMEOS)
113 #else
116 }
118 // This callback for NSS forwards all requests to a caller-specified
119 // CryptoModuleBlockingPasswordDelegate object.
121 #if defined(OS_CHROMEOS)
122 // If we get asked for a password for the TPM, then return the
123 // well known password we use, as long as the TPM slot has been
124 // initialized.
131 }
132 #endif
145 }
148 }
150 // NSS creates a local cache of the sqlite database if it detects that the
151 // filesystem the database is on is much slower than the local disk. The
152 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
153 // (NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=578561). So we set
154 // the NSS environment variable NSS_SDB_USE_CACHE to "yes" to override NSS's
155 // detection when database_dir is on NFS. See http://crbug.com/48585.
156 //
157 // TODO(wtc): port this function to other USE_NSS platforms. It is defined
158 // only for OS_LINUX and OS_OPENBSD simply because the statfs structure
159 // is OS-specific.
160 //
161 // Because this function sets an environment variable it must be run before we
162 // go multi-threaded.
164 #if defined(OS_LINUX) || defined(OS_OPENBSD)
167 #if defined(OS_LINUX)
169 #elif defined(OS_OPENBSD)
171 #endif
176 }
177 }
179 }
182 AutoSECMODListReadLock auto_lock;
190 }
191 }
193 }
197 // A singleton to initialize/deinitialize NSPR.
198 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
199 // Now that we're leaking the singleton, we could merge back with the NSS
200 // singleton.
207 }
209 // NOTE(willchan): We don't actually execute this code since we leak NSS to
210 // prevent non-joinable threads from using NSS after it's already been shut
211 // down.
217 }
218 };
223 // This is a LazyInstance so that it will be deleted automatically when the
224 // unittest exits. NSSInitSingleton is a LeakySingleton, so it would not be
225 // deleted if it were a regular member.
227 LAZY_INSTANCE_INITIALIZER;
229 // Force a crash with error info on NSS_NoDB_Init failure.
238 }
242 #if defined(OS_CHROMEOS)
245 // GetDefaultConfigDirectory causes us to do blocking IO on UI thread.
246 // Temporarily allow it until we fix http://crbug.com/70119
250 // This creates another DB slot in NSS that is read/write, unlike
251 // the fake root CA cert DB and the "default" crypto key
252 // provider, which are still read-only (because we initialized
253 // NSS before we had a cryptohome mounted).
255 kNSSDatabaseName);
256 }
257 }
261 }
265 // If EnableTPMTokenForNSS hasn't been called, return false.
269 // If everything is already initialized, then return true.
276 // This tries to load the Chaps module so NSS can talk to the hardware
277 // TPM.
280 kChapsModuleName,
281 kChapsPath,
282 // For more details on these parameters, see:
283 // https://developer.mozilla.org/en/PKCS11_Module_Specs
284 // slotFlags=[PublicCerts] -- Certificates and public keys can be
285 // read from this slot without requiring a call to C_Login.
286 // askpw=only -- Only authenticate to the token when necessary.
288 }
290 // If this gets set, then we'll use the TPM for certs with
291 // private keys, otherwise we'll fall back to the software
292 // implementation.
296 }
298 }
304 }
309 }
313 }
319 }
326 SECItem keyID;
340 // Find/generate AES key.
345 kKeySizeInBytes,
347 }
349 done:
354 }
365 }
375 }
376 }
384 }
390 #if defined(OS_CHROMEOS)
395 // If we were supposed to get the hardware token, but were
396 // unable to, return NULL rather than fall back to sofware.
398 }
399 }
400 #endif
401 // If we weren't supposed to enable the TPM for NSS, then return
402 // the software slot.
406 }
408 #if defined(USE_NSS)
411 }
414 // This method is used to force NSS to be initialized without a DB.
415 // Call this method before NSSInitSingleton() is constructed.
418 }
433 // We *must* have NSS >= 3.12.3. See bug 26448.
438 nss_version_check_failed);
439 // Also check the run-time NSS version.
440 // NSS_VersionCheck is a >= check, not strict equality.
442 // It turns out many people have misconfigured NSS setups, where
443 // their run-time NSPR doesn't match the one their NSS was compiled
444 // against. So rather than aborting, complain loudly.
446 "We depend on NSS >= 3.12.3, and this error is not fatal "
447 "only because many people have busted NSS setups (for "
448 "example, using the wrong version of NSPR). "
449 "Please upgrade to the latest NSS and NSPR, and if you "
450 "still get this error, contact your distribution "
452 }
457 #if !defined(USE_NSS)
458 // Use the system certificate store, so initialize NSS without database.
460 #endif
467 }
468 #if defined(OS_IOS)
472 #if defined(USE_NSS)
475 // This duplicates the work which should have been done in
476 // EarlySetupForNSSInit. However, this function is idempotent so
477 // there's no harm done.
480 // Initialize with a persistent database (likely, ~/.pki/nssdb).
481 // Use "sql:" which can be shared by multiple processes safely.
484 #if defined(OS_CHROMEOS)
486 #else
488 #endif
493 }
494 }
501 }
502 }
506 // If we haven't initialized the password for the NSS databases,
507 // initialize an empty-string password so that we don't need to
508 // log in.
511 // PK11_InitPin may write to the keyDB, but no other thread can use NSS
512 // yet, so we don't need to lock.
516 }
520 }
522 // Disable MD5 certificate signatures. (They are disabled by default in
523 // NSS 3.14.)
527 }
529 // NOTE(willchan): We don't actually execute this code since we leak NSS to
530 // prevent non-joinable threads from using NSS after it's already been shut
531 // down.
536 }
541 }
547 }
552 }
556 // We VLOG(1) because this failure is relatively harmless (leaking, but
557 // we're shutting down anyway).
559 }
560 }
562 #if defined(USE_NSS) || defined(OS_IOS)
563 // Load nss's built-in root certs.
569 // Aw, snap. Can't find/load root cert shared library.
570 // This will make it hard to talk to anybody via https.
573 }
575 // Load the given module for this NSS session.
583 // Shouldn't need to const_cast here, but SECMOD doesn't properly
584 // declare input string arguments as const. Bug
585 // https://bugzilla.mozilla.org/show_bug.cgi?id=642546 was filed
586 // on NSS codebase to address this.
593 }
595 }
596 #endif
607 }
611 }
613 }
615 // If this is set to true NSS is forced to be initialized without a DB.
627 #if defined(USE_NSS)
628 // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
629 // is fixed, we will no longer need the lock.
632 };
634 // static
641 #if defined(USE_NSS)
646 }
647 #endif
651 }
654 // We might fork, but we haven't loaded any security modules.
656 // If we're sandboxed, we shouldn't be able to open user security modules,
657 // but it's more correct to tell NSS to not even try.
658 // Loading user security modules would have security implications.
660 // Initialize NSS.
662 }
665 // Initializing SSL causes us to do blocking IO.
666 // Temporarily allow it until we fix
667 // http://code.google.com/p/chromium/issues/detail?id=59847
670 }
674 }
679 }
682 // Some NSS libraries are linked dynamically so load them here.
683 #if defined(USE_NSS)
684 // Try to search for multiple directories to load the libraries.
687 // Use relative path to Search PATH for the library files.
690 // For Debian derivatives NSS libraries are located here.
693 // Ubuntu 11.10 (Oneiric) places the libraries here.
694 #if defined(ARCH_CPU_X86_64)
696 #elif defined(ARCH_CPU_X86)
698 #elif defined(ARCH_CPU_ARMEL)
700 #endif
702 // A list of library files to load.
707 // For each combination of library file and path, check for existence and
708 // then load.
717 }
718 }
719 }
725 }
726 #endif
727 }
731 }
733 #if defined(USE_NSS)
736 }
739 // TODO(mattm): Close the dababase once NSS 3.14 is required,
740 // which fixes https://bugzilla.mozilla.org/show_bug.cgi?id=588269
741 // Resource leaks are suppressed. http://crbug.com/156433 .
742 }
746 }
749 // May be NULL if the lock is not needed in our version of NSS.
752 }
758 }
759 }
764 }
768 }
772 #if defined(OS_CHROMEOS)
775 }
779 }
783 }
787 }
792 }
796 }
802 }
806 }
810 }
814 }