Remove traces of USE_NSS_CERTS from crypto/

crypto/nss_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "crypto/nss_util.h"
 
 #include <nss.h>
 #include <pk11pub.h>
 #include <plarena.h>
 #include <prerror.h>
@@ skipping 26 matching lines @@
 #include "base/environment.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/message_loop/message_loop.h"
 #include "base/native_library.h"
 #include "base/path_service.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
+#include "base/synchronization/lock.h"
 #include "base/threading/thread_checker.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/threading/worker_pool.h"
 #include "build/build_config.h"
-
-// USE_NSS_CERTS means NSS is used for certificates and platform integration.
-// This requires additional support to manage the platform certificate and key
-// stores.
-#if defined(USE_NSS_CERTS)
-#include "base/synchronization/lock.h"
 #include "crypto/nss_crypto_module_delegate.h"
-#endif  // defined(USE_NSS_CERTS)
 
 namespace crypto {
 
 namespace {
 
 #if defined(OS_CHROMEOS)
 const char kUserNSSDatabaseName[] = "UserNSSDB";
 
 // Constants for loading the Chrome OS TPM-backed PKCS #11 library.
 const char kChapsModuleName[] = "Chaps";
 const char kChapsPath[] = "libchaps.so";
 
 // Fake certificate authority database used for testing.
 static const base::FilePath::CharType kReadOnlyCertDB[] =
     FILE_PATH_LITERAL("/etc/fake_root_ca/nssdb");
 #endif  // defined(OS_CHROMEOS)
 
 std::string GetNSSErrorMessage() {
   std::string result;
   if (PR_GetErrorTextLength()) {
     std::unique_ptr<char[]> error_text(new char[PR_GetErrorTextLength() + 1]);
     PRInt32 copied = PR_GetErrorText(error_text.get());
     result = std::string(error_text.get(), copied);
   } else {
     result = base::StringPrintf("NSS error code: %d", PR_GetError());
   }
   return result;
 }
 
-#if defined(USE_NSS_CERTS)
 #if !defined(OS_CHROMEOS)
 base::FilePath GetDefaultConfigDirectory() {
   base::FilePath dir;
   PathService::Get(base::DIR_HOME, &dir);
   if (dir.empty()) {
     LOG(ERROR) << "Failed to get home directory.";
     return dir;
   }
   dir = dir.AppendASCII(".pki").AppendASCII("nssdb");
   if (!base::CreateDirectory(dir)) {
@@ skipping 41 matching lines @@
   return NULL;
 }
 
 // NSS creates a local cache of the sqlite database if it detects that the
 // filesystem the database is on is much slower than the local disk.  The
 // detection doesn't work with the latest versions of sqlite, such as 3.6.22
 // (NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=578561).  So we set
 // the NSS environment variable NSS_SDB_USE_CACHE to "yes" to override NSS's
 // detection when database_dir is on NFS.  See http://crbug.com/48585.
 //
-// TODO(wtc): port this function to other USE_NSS_CERTS platforms.  It is
-// defined only for OS_LINUX and OS_OPENBSD simply because the statfs structure
-// is OS-specific.
-//
 // Because this function sets an environment variable it must be run before we
 // go multi-threaded.
 void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
   bool db_on_nfs = false;
 #if defined(OS_LINUX)
   base::FileSystemType fs_type = base::FILE_SYSTEM_UNKNOWN;
   if (base::GetFileSystemType(database_dir, &fs_type))
     db_on_nfs = (fs_type == base::FILE_SYSTEM_NFS);
 #elif defined(OS_OPENBSD)
   struct statfs buf;
   if (statfs(database_dir.value().c_str(), &buf) == 0)
     db_on_nfs = (strcmp(buf.f_fstypename, MOUNT_NFS) == 0);
 #else
   NOTIMPLEMENTED();
 #endif
 
   if (db_on_nfs) {
     std::unique_ptr<base::Environment> env(base::Environment::Create());
     static const char kUseCacheEnvVar[] = "NSS_SDB_USE_CACHE";
     if (!env->HasVar(kUseCacheEnvVar))
       env->SetVar(kUseCacheEnvVar, "yes");
   }
 }
 
-#endif  // defined(USE_NSS_CERTS)
-
 // A singleton to initialize/deinitialize NSPR.
 // Separate from the NSS singleton because we initialize NSPR on the UI thread.
 // Now that we're leaking the singleton, we could merge back with the NSS
 // singleton.
 class NSPRInitSingleton {
  private:
   friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
 
   NSPRInitSingleton() {
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
@@ skipping 473 matching lines @@
           base::Bind(&NSSInitSingleton::GetSystemNSSKeySlotCallback,
                      base::Unretained(this) /* singleton is leaky */,
                      callback);
     }
     if (IsTPMTokenReady(wrapped_callback))
       return ScopedPK11Slot(PK11_ReferenceSlot(tpm_slot_.get()));
     return ScopedPK11Slot();
   }
 #endif
 
-#if defined(USE_NSS_CERTS)
   base::Lock* write_lock() {
     return &write_lock_;
   }
-#endif  // defined(USE_NSS_CERTS)
 
  private:
   friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
 
   NSSInitSingleton()
       : tpm_token_enabled_for_nss_(false),
         initializing_tpm_token_(false),
         chaps_module_(NULL),
         root_(NULL) {
     // It's safe to construct on any thread, since LazyInstance will prevent any
@@ skipping 11 matching lines @@
     // Also check the run-time NSS version.
     // NSS_VersionCheck is a >= check, not strict equality.
     if (!NSS_VersionCheck("3.14.3")) {
       LOG(FATAL) << "NSS_VersionCheck(\"3.14.3\") failed. NSS >= 3.14.3 is "
                     "required. Please upgrade to the latest NSS, and if you "
                     "still get this error, contact your distribution "
                     "maintainer.";
     }
 
     SECStatus status = SECFailure;
-    bool nodb_init = false;
+    base::FilePath database_dir = GetInitialConfigDirectory();
+    if (!database_dir.empty()) {
+      // This duplicates the work which should have been done in
+      // EarlySetupForNSSInit. However, this function is idempotent so
+      // there's no harm done.
+      UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
 
-#if !defined(USE_NSS_CERTS)
-    // Use the system certificate store, so initialize NSS without database.
-    nodb_init = true;
+      // Initialize with a persistent database (likely, ~/.pki/nssdb).
+      // Use "sql:" which can be shared by multiple processes safely.
+      std::string nss_config_dir =
+          base::StringPrintf("sql:%s", database_dir.value().c_str());
+#if defined(OS_CHROMEOS)
+      status = NSS_Init(nss_config_dir.c_str());
+#else
+      status = NSS_InitReadWrite(nss_config_dir.c_str());
 #endif
-
-    if (nodb_init) {
+      if (status != SECSuccess) {
+        LOG(ERROR) << "Error initializing NSS with a persistent "
+                      "database (" << nss_config_dir
+                   << "): " << GetNSSErrorMessage();
+      }
+    }
+    if (status != SECSuccess) {
+      VLOG(1) << "Initializing NSS without a persistent database.";
       status = NSS_NoDB_Init(NULL);
       if (status != SECSuccess) {
         CrashOnNSSInitFailure();
         return;
       }
-#if defined(OS_IOS)
-      root_ = InitDefaultRootCerts();
-#endif  // defined(OS_IOS)
-    } else {
-#if defined(USE_NSS_CERTS)
-      base::FilePath database_dir = GetInitialConfigDirectory();
-      if (!database_dir.empty()) {
-        // This duplicates the work which should have been done in
-        // EarlySetupForNSSInit. However, this function is idempotent so
-        // there's no harm done.
-        UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
+    }
 
-        // Initialize with a persistent database (likely, ~/.pki/nssdb).
-        // Use "sql:" which can be shared by multiple processes safely.
-        std::string nss_config_dir =
-            base::StringPrintf("sql:%s", database_dir.value().c_str());
-#if defined(OS_CHROMEOS)
-        status = NSS_Init(nss_config_dir.c_str());
-#else
-        status = NSS_InitReadWrite(nss_config_dir.c_str());
-#endif
-        if (status != SECSuccess) {
-          LOG(ERROR) << "Error initializing NSS with a persistent "
-                        "database (" << nss_config_dir
-                     << "): " << GetNSSErrorMessage();
-        }
-      }
-      if (status != SECSuccess) {
-        VLOG(1) << "Initializing NSS without a persistent database.";
-        status = NSS_NoDB_Init(NULL);
-        if (status != SECSuccess) {
-          CrashOnNSSInitFailure();
-          return;
-        }
-      }
+    PK11_SetPasswordFunc(PKCS11PasswordFunc);
 
-      PK11_SetPasswordFunc(PKCS11PasswordFunc);
+    // If we haven't initialized the password for the NSS databases,
+    // initialize an empty-string password so that we don't need to
+    // log in.
+    PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+    if (slot) {
+      // PK11_InitPin may write to the keyDB, but no other thread can use NSS
+      // yet, so we don't need to lock.
+      if (PK11_NeedUserInit(slot))
+        PK11_InitPin(slot, NULL, NULL);
+      PK11_FreeSlot(slot);
+    }
 
-      // If we haven't initialized the password for the NSS databases,
-      // initialize an empty-string password so that we don't need to
-      // log in.
-      PK11SlotInfo* slot = PK11_GetInternalKeySlot();
-      if (slot) {
-        // PK11_InitPin may write to the keyDB, but no other thread can use NSS
-        // yet, so we don't need to lock.
-        if (PK11_NeedUserInit(slot))
-          PK11_InitPin(slot, NULL, NULL);
-        PK11_FreeSlot(slot);
-      }
-
-      root_ = InitDefaultRootCerts();
-#endif  // defined(USE_NSS_CERTS)
-    }
+    root_ = InitDefaultRootCerts();
 
     // Disable MD5 certificate signatures. (They are disabled by default in
     // NSS 3.14.)
     NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
     NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
                            0, NSS_USE_ALG_IN_CERT_SIGNATURE);
   }
 
   // NOTE(willchan): We don't actually execute this code since we leak NSS to
   // prevent non-joinable threads from using NSS after it's already been shut
@@ skipping 67 matching lines @@
   typedef std::vector<base::Closure> TPMReadyCallbackList;
   TPMReadyCallbackList tpm_ready_callback_list_;
   SECMODModule* chaps_module_;
   crypto::ScopedPK11Slot tpm_slot_;
   SECMODModule* root_;
 #if defined(OS_CHROMEOS)
   typedef std::map<std::string, ChromeOSUserData*> ChromeOSUserMap;
   ChromeOSUserMap chromeos_user_map_;
   ScopedPK11Slot test_system_slot_;
 #endif
-#if defined(USE_NSS_CERTS)
   // TODO(davidben): When https://bugzilla.mozilla.org/show_bug.cgi?id=564011
   // is fixed, we will no longer need the lock.
   base::Lock write_lock_;
-#endif  // defined(USE_NSS_CERTS)
 
   base::ThreadChecker thread_checker_;
 };
 
 base::LazyInstance<NSSInitSingleton>::Leaky
     g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
 }  // namespace
 
-#if defined(USE_NSS_CERTS)
 ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
                                  const std::string& description) {
   const std::string modspec =
       base::StringPrintf("configDir='sql:%s' tokenDescription='%s'",
                          path.value().c_str(),
                          description.c_str());
   PK11SlotInfo* db_slot = SECMOD_OpenUserDB(modspec.c_str());
   if (db_slot) {
     if (PK11_NeedUserInit(db_slot))
       PK11_InitPin(db_slot, NULL, NULL);
   } else {
     LOG(ERROR) << "Error opening persistent database (" << modspec
                << "): " << GetNSSErrorMessage();
   }
   return ScopedPK11Slot(db_slot);
 }
 
 void EarlySetupForNSSInit() {
   base::FilePath database_dir = GetInitialConfigDirectory();
   if (!database_dir.empty())
     UseLocalCacheOfNSSDatabaseIfNFS(database_dir);
 }
-#endif
 
 void EnsureNSPRInit() {
   g_nspr_singleton.Get();
 }
 
 void EnsureNSSInit() {
   // Initializing SSL causes us to do blocking IO.
   // Temporarily allow it until we fix
   //   http://code.google.com/p/chromium/issues/detail?id=59847
   base::ThreadRestrictions::ScopedAllowIO allow_io;
   g_nss_singleton.Get();
 }
 
 bool CheckNSSVersion(const char* version) {
   return !!NSS_VersionCheck(version);
 }
 
-#if defined(USE_NSS_CERTS)
 base::Lock* GetNSSWriteLock() {
   return g_nss_singleton.Get().write_lock();
 }
 
 AutoNSSWriteLock::AutoNSSWriteLock() : lock_(GetNSSWriteLock()) {
   // May be NULL if the lock is not needed in our version of NSS.
   if (lock_)
     lock_->Acquire();
 }
 
 AutoNSSWriteLock::~AutoNSSWriteLock() {
   if (lock_) {
     lock_->AssertAcquired();
     lock_->Release();
   }
 }
 
 AutoSECMODListReadLock::AutoSECMODListReadLock()
       : lock_(SECMOD_GetDefaultModuleListLock()) {
     SECMOD_GetReadLock(lock_);
   }
 
 AutoSECMODListReadLock::~AutoSECMODListReadLock() {
   SECMOD_ReleaseReadLock(lock_);
 }
-#endif  // defined(USE_NSS_CERTS)
 
 #if defined(OS_CHROMEOS)
 ScopedPK11Slot GetSystemNSSKeySlot(
     const base::Callback<void(ScopedPK11Slot)>& callback) {
   return g_nss_singleton.Get().GetSystemNSSKeySlot(callback);
 }
 
 void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
   g_nss_singleton.Get().SetSystemKeySlotForTesting(std::move(slot));
 }
@@ skipping 69 matching lines @@
   return time.ToInternalValue() - base::Time::UnixEpoch().ToInternalValue();
 }
 
 #if !defined(OS_CHROMEOS)
 PK11SlotInfo* GetPersistentNSSKeySlot() {
   return g_nss_singleton.Get().GetPersistentNSSKeySlot();
 }
 #endif
 
 }  // namespace crypto