Commit 52d5f4da authored by Nick Mathewson's avatar Nick Mathewson 🐕
Browse files

Avoid spurious error logs when using NSS

The tls_log_errors() function now behaves differently for NSS than
it did for OpenSSL, so we need to tweak it a bit.
parent dd04fc35
......@@ -189,6 +189,9 @@ tor_tls_context_init(unsigned flags,
if (old_ctx != NULL) {
tor_tls_context_decref(old_ctx);
}
} else {
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a TLS context");
}
} else {
if (server_identity != NULL) {
......@@ -197,6 +200,9 @@ tor_tls_context_init(unsigned flags,
key_lifetime,
flags,
0);
if (rv1 < 0)
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a server TLS context");
} else {
tor_tls_context_t *old_ctx = server_tls_context;
server_tls_context = NULL;
......@@ -211,9 +217,11 @@ tor_tls_context_init(unsigned flags,
key_lifetime,
flags,
1);
if (rv2 < 0)
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO,
"constructing a client TLS context");
}
tls_log_errors(NULL, LOG_WARN, LD_CRYPTO, "constructing a TLS context");
return MIN(rv1, rv2);
}
......@@ -451,8 +459,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
r = 0;
done:
tor_x509_cert_free(cert);
/* Not expected to get invoked */
#ifdef ENABLE_OPENSSL
tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
#endif
return r;
}
......@@ -323,8 +323,10 @@ void
tls_log_errors(tor_tls_t *tls, int severity, int domain,
const char *doing)
{
/* XXXX This implementation isn't right for NSS -- it logs the last error
whether anything actually failed or not. */
/* This implementation is a little different for NSS than it is for OpenSSL
-- it logs the last error whether anything actually failed or not. So we
have to only call it when something has gone wrong and we have a real
error to report. */
(void)tls;
PRErrorCode code = PORT_GetError();
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment