authordavidben <davidben@chromium.org>2015-08-11 11:18:58 -0700
committerCommit bot <commit-bot@chromium.org>2015-08-11 18:19:44 +0000
commit2e6b37998c8f65dced46b22d7b0abf96c602d1b2 (patch)
tree423a72eaaaf4f127e7af1d557b96febac46135f3 /crypto
parentf50ac9a7e506173b9db2d4d7c94a9534c284ba23 (diff)
Only prime NSS in the sandbox for NSS ports.
This code, if all goes well, can actually be deleted now. But leave it there as ifdefs for now in case we still need to revert the chimera. Now that no calls to InitNSSSafely and friends are built in USE_OPENSSL ports, the LoadNSSLibraries calls and /dev/urandom fopen override may be removed. They were only added to support NSS in the sandbox. BUG=506323 Review URL: https://codereview.chromium.org/1274483002 Cr-Commit-Position: refs/heads/master@{#342846}
Diffstat (limited to 'crypto')
-rw-r--r--crypto/nss_util.cc20
-rw-r--r--crypto/nss_util.h6
2 files changed, 25 insertions, 1 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 125591c..4e8aab4 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -670,11 +670,13 @@ class NSSInitSingleton {
}
#endif // defined(USE_NSS_CERTS)
+#if !defined(USE_OPENSSL)
// This method is used to force NSS to be initialized without a DB.
// Call this method before NSSInitSingleton() is constructed.
static void ForceNoDBInit() {
force_nodb_init_ = true;
}
+#endif
private:
friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
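Review bot: The `#endif` that closes the new guard around `ForceNoDBInit()` has no trailing comment, while the guards added around `InitNSSSafely()` and `LoadNSSLibraries()` later in this file use `#endif  // !defined(USE_OPENSSL)`. The same bare `#endif` appears in the hunks for `nodb_init`, the `force_nodb_init_` member and its static definition, and the closing guard before `CheckNSSVersion` in nss_util.h is spelled `// !USE_OPENSSL` instead. Writing `#endif  // !defined(USE_OPENSSL)` on all of them would make these temporary guards easy to find when they are deleted or reverted, which the commit message says is the plan. The class body starts and ends outside the hunk.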
@@ -708,7 +710,13 @@ class NSSInitSingleton {
}
SECStatus status = SECFailure;
- bool nodb_init = force_nodb_init_;
+ bool nodb_init = false;
+
+#if !defined(USE_OPENSSL)
+ // ForceNoDBInit was called.
+ if (force_nodb_init_)
+ nodb_init = true;
+#endif
#if !defined(USE_NSS_CERTS)
// Use the system certificate store, so initialize NSS without database.
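Review bot: The added `if (force_nodb_init_) nodb_init = true;` can be a single assignment inside the guard, `nodb_init = force_nodb_init_;`, because `nodb_init` is `false` at that point; USE_OPENSSL builds keep the `false` default either way. The comment `// ForceNoDBInit was called.` would help more if it explained the guard, for example `// force_nodb_init_ only exists in NSS ports; see ForceNoDBInit().`. The enclosing function starts and ends outside the hunk, so how `nodb_init` is used after the `USE_NSS_CERTS` block is not visible here.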
@@ -867,8 +875,10 @@ class NSSInitSingleton {
}
}
+#if !defined(USE_OPENSSL)
// If this is set to true NSS is forced to be initialized without a DB.
static bool force_nodb_init_;
+#endif
bool tpm_token_enabled_for_nss_;
bool initializing_tpm_token_;
@@ -891,8 +901,10 @@ class NSSInitSingleton {
base::ThreadChecker thread_checker_;
};
+#if !defined(USE_OPENSSL)
// static
bool NSSInitSingleton::force_nodb_init_ = false;
+#endif
base::LazyInstance<NSSInitSingleton>::Leaky
g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
@@ -927,6 +939,7 @@ void EnsureNSPRInit() {
g_nspr_singleton.Get();
}
+#if !defined(USE_OPENSSL)
void InitNSSSafely() {
// We might fork, but we haven't loaded any security modules.
DisableNSSForkCheck();
@@ -937,6 +950,7 @@ void InitNSSSafely() {
// Initialize NSS.
EnsureNSSInit();
}
+#endif // !defined(USE_OPENSSL)
void EnsureNSSInit() {
// Initializing SSL causes us to do blocking IO.
@@ -946,6 +960,8 @@ void EnsureNSSInit() {
g_nss_singleton.Get();
}
+#if !defined(USE_OPENSSL)
+
void ForceNSSNoDBInit() {
NSSInitSingleton::ForceNoDBInit();
}
@@ -1009,6 +1025,8 @@ void LoadNSSLibraries() {
#endif // defined(USE_NSS_CERTS)
}
+#endif // !defined(USE_OPENSSL)
+
bool CheckNSSVersion(const char* version) {
return !!NSS_VersionCheck(version);
}
diff --git a/crypto/nss_util.h b/crypto/nss_util.h
index 1ca0de3..98b0f72 100644
--- a/crypto/nss_util.h
+++ b/crypto/nss_util.h
@@ -33,6 +33,7 @@ CRYPTO_EXPORT void EarlySetupForNSSInit();
// thread-safe, and NSPR will only ever be initialized once.
CRYPTO_EXPORT void EnsureNSPRInit();
+#if !defined(USE_OPENSSL)
// Initialize NSS safely for strict sandboxing. This function tells NSS to not
// load user security modules, and makes sure NSS will have proper entropy in a
// restricted, sandboxed environment.
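Review bot: The doc comment on `InitNSSSafely()` does not say that the declaration is now absent in USE_OPENSSL builds, so a reader of the header cannot tell why a sandboxed caller fails to compile there. A line such as `// Only declared for NSS ports (!defined(USE_OPENSSL)).` at the top of the comment would cover it. The same applies to the group from `ForceNSSNoDBInit()` through `LoadNSSLibraries()` that is guarded further down in this file. The comment block continues outside this hunk.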
@@ -43,12 +44,15 @@ CRYPTO_EXPORT void EnsureNSPRInit();
//
// Make sure to get an LGTM from the Chrome Security Team if you use this.
CRYPTO_EXPORT void InitNSSSafely();
+#endif // !defined(USE_OPENSSL)
// Initialize NSS if it isn't already initialized. This must be called before
// any other NSS functions. This function is thread-safe, and NSS will only
// ever be initialized once.
CRYPTO_EXPORT void EnsureNSSInit();
+#if !defined(USE_OPENSSL)
+
// Call this before calling EnsureNSSInit() will force NSS to initialize
// without a persistent DB. This is used for the special case where access of
// persistent DB is prohibited.
@@ -86,6 +90,8 @@ CRYPTO_EXPORT void DisableNSSForkCheck();
// certificates.
CRYPTO_EXPORT void LoadNSSLibraries();
+#endif // !USE_OPENSSL
+
// Check if the current NSS version is greater than or equals to |version|.
// A sample version string is "3.12.3".
bool CheckNSSVersion(const char* version);