Rename USE_NSS to USE_NSS_CERTS.

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
@@ skipping 25 matching lines @@
 #include "base/metrics/histogram.h"
 #include "base/native_library.h"
 #include "base/path_service.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_checker.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/threading/worker_pool.h"
 #include "build/build_config.h"
 
-// USE_NSS means we use NSS for everything crypto-related.  If USE_NSS is not
-// defined, such as on Mac and Windows, we use NSS for SSL only -- we don't
-// use NSS for crypto or certificate verification, and we don't use the NSS
-// certificate and key databases.
-#if defined(USE_NSS)
+// USE_NSS_CERTS means NSS is used for certificates and platform integration.
+// This requires additional support to manage the platform certificate and key
+// stores.
+#if defined(USE_NSS_CERTS)
 #include "base/synchronization/lock.h"
 #include "crypto/nss_crypto_module_delegate.h"
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 
 namespace crypto {
 
 namespace {
 
 #if defined(OS_CHROMEOS)
 const char kUserNSSDatabaseName[] = "UserNSSDB";
 
 // Constants for loading the Chrome OS TPM-backed PKCS #11 library.
 const char kChapsModuleName[] = "Chaps";
 const char kChapsPath[] = "libchaps.so";
 
 // Fake certificate authority database used for testing.
 static const base::FilePath::CharType kReadOnlyCertDB[] =
     FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
 #endif  // defined(OS_CHROMEOS)
 
 std::string GetNSSErrorMessage() {
   std::string result;
   if (PR_GetErrorTextLength()) {
     scoped_ptr<char[]> error_text(new char[PR_GetErrorTextLength() + 1]);
     PRInt32 copied = PR_GetErrorText(error_text.get());
     result = std::string(error_text.get(), copied);
   } else {
     result = base::StringPrintf("NSS error code: %d", PR_GetError());
   }
   return result;
 }
 
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
 #if !defined(OS_CHROMEOS)
 base::FilePath GetDefaultConfigDirectory() {
   base::FilePath dir;
   PathService::Get(base::DIR_HOME, &dir);
   if (dir.empty()) {
     LOG(ERROR) << "Failed to get home directory.";
     return dir;
   }
   dir = dir.AppendASCII(".pki").AppendASCII("nssdb");
   if (!base::CreateDirectory(dir)) {
@@ skipping 41 matching lines @@
   return NULL;
 }
 
 // NSS creates a local cache of the sqlite database if it detects that the
 // filesystem the database is on is much slower than the local disk.  The
 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
 // (NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=578561).  So we set
 // the NSS environment variable NSS_SDB_USE_CACHE to "yes" to override NSS's
 // detection when database_dir is on NFS.  See http://crbug.com/48585.
 //
-// TODO(wtc): port this function to other USE_NSS platforms.  It is defined
-// only for OS_LINUX and OS_OPENBSD simply because the statfs structure
+// TODO(wtc): port this function to other USE_NSS_CERTS platforms.  It is
+// defined only for OS_LINUX and OS_OPENBSD simply because the statfs structure
 // is OS-specific.
 //
 // Because this function sets an environment variable it must be run before we
 // go multi-threaded.
 void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
   bool db_on_nfs = false;
 #if defined(OS_LINUX)
   base::FileSystemType fs_type = base::FILE_SYSTEM_UNKNOWN;
   if (base::GetFileSystemType(database_dir, &fs_type))
     db_on_nfs = (fs_type == base::FILE_SYSTEM_NFS);
 #elif defined(OS_OPENBSD)
   struct statfs buf;
   if (statfs(database_dir.value().c_str(), &buf) == 0)
     db_on_nfs = (strcmp(buf.f_fstypename, MOUNT_NFS) == 0);
 #else
   NOTIMPLEMENTED();
 #endif
 
   if (db_on_nfs) {
     scoped_ptr<base::Environment> env(base::Environment::Create());
     static const char kUseCacheEnvVar[] = "NSS_SDB_USE_CACHE";
     if (!env->HasVar(kUseCacheEnvVar))
       env->SetVar(kUseCacheEnvVar, "yes");
   }
 }
 
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
 // singleton.
 class NSPRInitSingleton {
  private:
   friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
 
   NSPRInitSingleton() {
@@ skipping 437 matching lines @@
           base::Bind(&NSSInitSingleton::GetSystemNSSKeySlotCallback,
                      base::Unretained(this) /* singleton is leaky */,
                      callback);
     }
     if (IsTPMTokenReady(wrapped_callback))
       return ScopedPK11Slot(PK11_ReferenceSlot(tpm_slot_.get()));
     return ScopedPK11Slot();
   }
 #endif
 
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
   base::Lock* write_lock() {
     return &write_lock_;
   }
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 
   // This method is used to force NSS to be initialized without a DB.
   // Call this method before NSSInitSingleton() is constructed.
   static void ForceNoDBInit() {
     force_nodb_init_ = true;
   }
 
  private:
   friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
 
@@ skipping 23 matching lines @@
     if (!NSS_VersionCheck("3.14.3")) {
       LOG(FATAL) << "NSS_VersionCheck(\"3.14.3\") failed. NSS >= 3.14.3 is "
                     "required. Please upgrade to the latest NSS, and if you "
                     "still get this error, contact your distribution "
                     "maintainer.";
     }
 
     SECStatus status = SECFailure;
     bool nodb_init = force_nodb_init_;
 
-#if !defined(USE_NSS)
+#if !defined(USE_NSS_CERTS)
     // Use the system certificate store, so initialize NSS without database.
     nodb_init = true;
 #endif
 
     if (nodb_init) {
       status = NSS_NoDB_Init(NULL);
       if (status != SECSuccess) {
         CrashOnNSSInitFailure();
         return;
       }
 #if defined(OS_IOS)
       root_ = InitDefaultRootCerts();
 #endif  // defined(OS_IOS)
     } else {
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
       base::FilePath database_dir = GetInitialConfigDirectory();
       if (!database_dir.empty()) {
         // This duplicates the work which should have been done in
         // EarlySetupForNSSInit. However, this function is idempotent so
         // there's no harm done.
         UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
 
         // Initialize with a persistent database (likely, ~/.pki/nssdb).
         // Use "sql:" which can be shared by multiple processes safely.
         std::string nss_config_dir =
@@ skipping 26 matching lines @@
       PK11SlotInfo* slot = PK11_GetInternalKeySlot();
       if (slot) {
         // PK11_InitPin may write to the keyDB, but no other thread can use NSS
         // yet, so we don't need to lock.
         if (PK11_NeedUserInit(slot))
           PK11_InitPin(slot, NULL, NULL);
         PK11_FreeSlot(slot);
       }
 
       root_ = InitDefaultRootCerts();
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
     }
 
     // Disable MD5 certificate signatures. (They are disabled by default in
     // NSS 3.14.)
     NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
     NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                            0, NSS_USE_ALG_IN_CERT_SIGNATURE);
 
     // The UMA bit is conditionally set for this histogram in
     // components/startup_metric_utils.cc .
@@ skipping 24 matching lines @@
     }
 
     SECStatus status = NSS_Shutdown();
     if (status != SECSuccess) {
       // We VLOG(1) because this failure is relatively harmless (leaking, but
       // we're shutting down anyway).
       VLOG(1) << "NSS_Shutdown failed; see http://crbug.com/4609";
     }
   }
 
-#if defined(USE_NSS) || defined(OS_IOS)
+#if defined(USE_NSS_CERTS) || defined(OS_IOS)
   // Load nss's built-in root certs.
   SECMODModule* InitDefaultRootCerts() {
     SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL);
     if (root)
       return root;
 
     // Aw, snap.  Can't find/load root cert shared library.
     // This will make it hard to talk to anybody via https.
     // TODO(mattm): Re-add the NOTREACHED here when crbug.com/310972 is fixed.
     return NULL;
@@ skipping 52 matching lines @@
   typedef std::vector<base::Closure> TPMReadyCallbackList;
   TPMReadyCallbackList tpm_ready_callback_list_;
   SECMODModule* chaps_module_;
   crypto::ScopedPK11Slot tpm_slot_;
   SECMODModule* root_;
 #if defined(OS_CHROMEOS)
   typedef std::map<std::string, ChromeOSUserData*> ChromeOSUserMap;
   ChromeOSUserMap chromeos_user_map_;
   ScopedPK11Slot test_system_slot_;
 #endif
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
   // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 
   base::ThreadChecker thread_checker_;
 };
 
 // static
 bool NSSInitSingleton::force_nodb_init_ = false;
 
 base::LazyInstance<NSSInitSingleton>::Leaky
     g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
 }  // namespace
 
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
 ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
                                  const std::string& description) {
   const std::string modspec =
       base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
                          path.value().c_str(),
                          description.c_str());
   PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
   if (db_slot) {
     if (PK11_NeedUserInit(db_slot))
       PK11_InitPin(db_slot, NULL, NULL);
@@ skipping 38 matching lines @@
   NSSInitSingleton::ForceNoDBInit();
 }
 
 void DisableNSSForkCheck() {
   scoped_ptr<base::Environment> env(base::Environment::Create());
   env->SetVar("NSS_STRICT_NOFORK", "DISABLED");
 }
 
 void LoadNSSLibraries() {
   // Some NSS libraries are linked dynamically so load them here.
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
   // Try to search for multiple directories to load the libraries.
   std::vector<base::FilePath> paths;
 
   // Use relative path to Search PATH for the library files.
   paths.push_back(base::FilePath());
 
   // For Debian derivatives NSS libraries are located here.
   paths.push_back(base::FilePath("/usr/lib/nss"));
 
   // Ubuntu 11.10 (Oneiric) and Debian Wheezy place the libraries here.
@@ skipping 28 matching lines @@
         break;
       }
     }
   }
 
   if (loaded == libs.size()) {
     VLOG(3) << "NSS libraries loaded.";
   } else {
     LOG(ERROR) << "Failed to load NSS libraries.";
   }
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 }
 
 bool CheckNSSVersion(const char* version) {
   return !!NSS_VersionCheck(version);
 }
 
-#if defined(USE_NSS)
+#if defined(USE_NSS_CERTS)
 base::Lock* GetNSSWriteLock() {
   return g_nss_singleton.Get().write_lock();
 }
 
 AutoNSSWriteLock::AutoNSSWriteLock() : lock_(GetNSSWriteLock()) {
   // May be NULL if the lock is not needed in our version of NSS.
   if (lock_)
     lock_->Acquire();
 }
 
 AutoNSSWriteLock::~AutoNSSWriteLock() {
   if (lock_) {
     lock_->AssertAcquired();
     lock_->Release();
   }
 }
 
 AutoSECMODListReadLock::AutoSECMODListReadLock()
       : lock_(SECMOD_GetDefaultModuleListLock()) {
     SECMOD_GetReadLock(lock_);
   }
 
 AutoSECMODListReadLock::~AutoSECMODListReadLock() {
   SECMOD_ReleaseReadLock(lock_);
 }
-#endif  // defined(USE_NSS)
+#endif  // defined(USE_NSS_CERTS)
 
 #if defined(OS_CHROMEOS)
 ScopedPK11Slot GetSystemNSSKeySlot(
     const base::Callback<void(ScopedPK11Slot)>& callback) {
   return g_nss_singleton.Get().GetSystemNSSKeySlot(callback);
 }
 
 void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
   g_nss_singleton.Get().SetSystemKeySlotForTesting(slot.Pass());
 }
@@ skipping 69 matching lines @@
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 #if !defined(OS_CHROMEOS)
 PK11SlotInfo* GetPersistentNSSKeySlot() {
   return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 #endif
 
 }  // namespace crypto