Avoid spurious error logs when using NSS

The tls_log_errors() function now behaves differently for NSS than
it did for OpenSSL, so we need to tweak its callers a bit.
Nick Mathewson 2018-08-23 10:13:32 -04:00
parent dd04fc35c6
commit 52d5f4da12
2 changed files with 15 additions and 4 deletions


@ -189,6 +189,9 @@ tor_tls_context_init(unsigned flags,
if (old_ctx != NULL) { if (old_ctx != NULL) {
tor_tls_context_decref(old_ctx); tor_tls_context_decref(old_ctx);
} }
} else {
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a TLS context");
} }
} else { } else {
if (server_identity != NULL) { if (server_identity != NULL) {
@ -197,6 +200,9 @@ tor_tls_context_init(unsigned flags,
key_lifetime, key_lifetime,
flags, flags,
0); 0);
if (rv1 < 0)
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a server TLS context");
} else { } else {
tor_tls_context_t *old_ctx = server_tls_context; tor_tls_context_t *old_ctx = server_tls_context;
server_tls_context = NULL; server_tls_context = NULL;
@ -211,9 +217,11 @@ tor_tls_context_init(unsigned flags,
key_lifetime, key_lifetime,
flags, flags,
1); 1);
if (rv2 < 0)
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a client TLS context");
} }
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
return MIN(rv1, rv2); return MIN(rv1, rv2);
} }
@ -451,8 +459,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
r = 0; r = 0;
done: done:
tor_x509_cert_free(cert); tor_x509_cert_free(cert);
/* Not expected to get invoked */ #ifdef ENABLE_OPENSSL
tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime"); tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
#endif
return r; return r;
} }
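Review bot: The `if (rv1 < 0)` / `if (rv2 < 0)` guards added in front of the `constructing a server TLS context` and `constructing a client TLS context` calls stop the NSS backend from logging on success, but they still report whatever PORT_GetError() happens to hold at that moment: if tor_tls_context_init_one() fails for a reason that never went through NSS (allocation, key handling), or runs NSS cleanup after the failing call, the code that gets logged is stale or misattributed, which is the same class of spurious log this commit is trying to remove. Since the `#ifdef ENABLE_OPENSSL` in the last hunk suggests this file is compiled against both backends, the remaining fix belongs in the NSS tls_log_errors() itself — treat a zero error code as nothing to report and clear the stored error once it has been logged — rather than in more call-site guards here. In the last hunk the old `/* Not expected to get invoked */` comment was dropped together with the reason the OpenSSL call survives; I would keep something like `/* OpenSSL only: presumably drains the error queue so a stale entry cannot surface later; under NSS this would log an unrelated error. */` above the `#ifdef`. The `} else {` added in the first hunk closes an `if` whose header lies outside the hunk, and tor_tls_context_init() itself begins before the first hunk.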


@ -323,8 +323,10 @@ void
tls_log_errors(tor_tls_t *tls, int severity, int domain, tls_log_errors(tor_tls_t *tls, int severity, int domain,
const char *doing) const char *doing)
{ {
/* XXXX This implementation isn't right for NSS -- it logs the last error /* This implementation is a little different for NSS than it is for OpenSSL
whether anything actually failed or not. */ -- it logs the last error whether anything actually failed or not. So we
have to only call it when something has gone wrong and we have a real
error to report. */
(void)tls; (void)tls;
PRErrorCode code = PORT_GetError(); PRErrorCode code = PORT_GetError();