| OLD | NEW |
|---|
| 1 // Copyright (c) 2008 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2008 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/nss_init.h" | 5 #include "base/nss_init.h" |
| 6 | 6 |
| 7 #include <nss.h> | 7 #include <nss.h> |
| 8 | 8 |
| 9 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 | 9 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424 |
| 10 // until NSS 3.12.2 comes out and we update to it. | 10 // until NSS 3.12.2 comes out and we update to it. |
| 11 #define Lock FOO_NSS_Lock | 11 #define Lock FOO_NSS_Lock |
| 12 #include <secmod.h> |
| 12 #include <ssl.h> | 13 #include <ssl.h> |
| 13 #undef Lock | 14 #undef Lock |
| 14 | 15 |
| 16 #include "base/file_util.h" |
| 15 #include "base/logging.h" | 17 #include "base/logging.h" |
| 16 #include "base/singleton.h" | 18 #include "base/singleton.h" |
| 17 | 19 |
| 18 namespace { | 20 namespace { |
| 19 | 21 |
| 22 // Load nss's built-in root certs. |
| 23 SECMODModule *InitDefaultRootCerts() { |
| 24 const char* kModulePath = "libnssckbi.so"; |
| 25 char modparams[1024]; |
| 26 snprintf(modparams, sizeof(modparams), |
| 27 "name=\"Root Certs\" library=\"%s\"", kModulePath); |
| 28 SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE); |
| 29 if (root) |
| 30 return root; |
| 31 |
| 32 // Aw, snap. Can't find/load root cert shared library. |
| 33 // This will make it hard to talk to anybody via https. |
| 34 NOTREACHED(); |
| 35 return NULL; |
| 36 } |
| 37 |
| 20 class NSSInitSingleton { | 38 class NSSInitSingleton { |
| 21 public: | 39 public: |
| 22 NSSInitSingleton() { | 40 NSSInitSingleton() { |
| 41 |
| 42 // Initialize without using a persistant database (e.g. ~/.netscape) |
| 23 CHECK(NSS_NoDB_Init(".") == SECSuccess); | 43 CHECK(NSS_NoDB_Init(".") == SECSuccess); |
| 24 // Enable ciphers | 44 |
| 45 root_ = InitDefaultRootCerts(); |
| 46 |
| 25 NSS_SetDomesticPolicy(); | 47 NSS_SetDomesticPolicy(); |
| 48 |
| 49 // Explicitly enable exactly those ciphers with keys of at least 80 bits |
| 50 for (int i = 0; i < SSL_NumImplementedCiphers; i++) { |
| 51 SSLCipherSuiteInfo info; |
| 52 if (SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &info, |
| 53 sizeof(info)) == SECSuccess) { |
| 54 SSL_CipherPrefSetDefault(SSL_ImplementedCiphers[i], |
| 55 (info.effectiveKeyBits >= 80)); |
| 56 } |
| 57 } |
| 58 |
| 26 // Enable SSL | 59 // Enable SSL |
| 27 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); | 60 SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); |
| 61 |
| 62 // All other SSL options are set per-session by SSLClientSocket |
| 28 } | 63 } |
| 29 | 64 |
| 30 ~NSSInitSingleton() { | 65 ~NSSInitSingleton() { |
| 66 if (root_) { |
| 67 SECMOD_UnloadUserModule(root_); |
| 68 SECMOD_DestroyModule(root_); |
| 69 root_ = NULL; |
| 70 } |
| 71 |
| 31 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY | 72 // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY |
| 32 SSL_ClearSessionCache(); | 73 SSL_ClearSessionCache(); |
| 33 | 74 |
| 34 SECStatus status = NSS_Shutdown(); | 75 SECStatus status = NSS_Shutdown(); |
| 35 DCHECK(status == SECSuccess); | 76 if (status != SECSuccess) |
| 77 LOG(ERROR) << "NSS_Shutdown failed, leak? See " |
| 78 "http://code.google.com/p/chromium/issues/detail?id=4609"; |
| 36 } | 79 } |
| 80 private: |
| 81 SECMODModule *root_; |
| 37 }; | 82 }; |
| 38 | 83 |
| 39 } // namespace | 84 } // namespace |
| 40 | 85 |
| 41 namespace base { | 86 namespace base { |
| 42 | 87 |
| 43 void EnsureNSSInit() { | 88 void EnsureNSSInit() { |
| 44 Singleton<NSSInitSingleton>::get(); | 89 Singleton<NSSInitSingleton>::get(); |
| 45 } | 90 } |
| 46 | 91 |
| 47 } // namespace base | 92 } // namespace base |
| OLD | NEW |
|---|
Chromium Code Reviews
