[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Avoid spurious error logs when using NSS
commit 52d5f4da12cf4a9647a896395209121cbf9483c4
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Aug 23 10:13:32 2018 -0400
Avoid spurious error logs when using NSS
The tls_log_errors() function now behaves differently for NSS than
it did for OpenSSL, so we need to tweak it a bit.
---
src/lib/tls/tortls.c | 13 +++++++++++--
src/lib/tls/tortls_nss.c | 6 ++++--
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index cc9738599..edf421b4d 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -189,6 +189,9 @@ tor_tls_context_init(unsigned flags,
if (old_ctx != NULL) {
tor_tls_context_decref(old_ctx);
}
+ } else {
+ tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+ "constructing a TLS context");
}
} else {
if (server_identity != NULL) {
@@ -197,6 +200,9 @@ tor_tls_context_init(unsigned flags,
key_lifetime,
flags,
0);
+ if (rv1 < 0)
+ tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+ "constructing a server TLS context");
} else {
tor_tls_context_t *old_ctx = server_tls_context;
server_tls_context = NULL;
@@ -211,9 +217,11 @@ tor_tls_context_init(unsigned flags,
key_lifetime,
flags,
1);
+ if (rv2 < 0)
+ tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
+ "constructing a client TLS context");
}
- tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
return MIN(rv1, rv2);
}
@@ -451,8 +459,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
r = 0;
done:
tor_x509_cert_free(cert);
- /* Not expected to get invoked */
+#ifdef ENABLE_OPENSSL
tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
+#endif
return r;
}
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 671c01847..40a98dd87 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -323,8 +323,10 @@ void
tls_log_errors(tor_tls_t *tls, int severity, int domain,
const char *doing)
{
- /* XXXX This implementation isn't right for NSS -- it logs the last error
- whether anything actually failed or not. */
+ /* This implementation is a little different for NSS than it is for OpenSSL
+ -- it logs the last error whether anything actually failed or not. So we
+ have to only call it when something has gone wrong and we have a real
+ error to report. */
(void)tls;
PRErrorCode code = PORT_GetError();
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits