Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ocsp/nss_ocsp.h" | 5 #include "net/ocsp/nss_ocsp.h" |
| 6 | 6 |
| 7 #include <certt.h> | 7 #include <certt.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <ocsp.h> | 9 #include <ocsp.h> |
| 10 #include <nspr.h> | 10 #include <nspr.h> |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 33 #include "net/base/load_flags.h" | 33 #include "net/base/load_flags.h" |
| 34 #include "net/http/http_request_headers.h" | 34 #include "net/http/http_request_headers.h" |
| 35 #include "net/http/http_response_headers.h" | 35 #include "net/http/http_response_headers.h" |
| 36 #include "net/url_request/url_request.h" | 36 #include "net/url_request/url_request.h" |
| 37 #include "net/url_request/url_request_context.h" | 37 #include "net/url_request/url_request_context.h" |
| 38 | 38 |
| 39 namespace { | 39 namespace { |
| 40 | 40 |
| 41 // Protects |g_request_context|. | 41 // Protects |g_request_context|. |
| 42 pthread_mutex_t g_request_context_lock = PTHREAD_MUTEX_INITIALIZER; | 42 pthread_mutex_t g_request_context_lock = PTHREAD_MUTEX_INITIALIZER; |
| 43 static net::URLRequestContext* g_request_context = NULL; | 43 net::URLRequestContext* g_request_context = NULL; |
| 44 | |
| 45 // The default timeout for OCSP in NSS is 60 seconds. Adjust this value to | |
| 46 // 15 seconds, which matches the default on Windows. | |
| 47 const int kOcspTimeoutInSecs = 15; | |
| 44 | 48 |
| 45 class OCSPRequestSession; | 49 class OCSPRequestSession; |
| 46 | 50 |
| 47 class OCSPIOLoop { | 51 class OCSPIOLoop { |
| 48 public: | 52 public: |
| 49 void StartUsing() { | 53 void StartUsing() { |
| 50 base::AutoLock autolock(lock_); | 54 base::AutoLock autolock(lock_); |
| 51 used_ = true; | 55 used_ = true; |
| 52 io_loop_ = MessageLoopForIO::current(); | 56 io_loop_ = MessageLoopForIO::current(); |
| 53 DCHECK(io_loop_); | 57 DCHECK(io_loop_); |
| (...skipping 484 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 538 ft->setPostDataFcn = OCSPSetPostData; | 542 ft->setPostDataFcn = OCSPSetPostData; |
| 539 ft->addHeaderFcn = OCSPAddHeader; | 543 ft->addHeaderFcn = OCSPAddHeader; |
| 540 ft->trySendAndReceiveFcn = OCSPTrySendAndReceive; | 544 ft->trySendAndReceiveFcn = OCSPTrySendAndReceive; |
| 541 ft->cancelFcn = NULL; | 545 ft->cancelFcn = NULL; |
| 542 ft->freeFcn = OCSPFree; | 546 ft->freeFcn = OCSPFree; |
| 543 SECStatus status = SEC_RegisterDefaultHttpClient(&client_fcn_); | 547 SECStatus status = SEC_RegisterDefaultHttpClient(&client_fcn_); |
| 544 if (status != SECSuccess) { | 548 if (status != SECSuccess) { |
| 545 NOTREACHED() << "Error initializing OCSP: " << PR_GetError(); | 549 NOTREACHED() << "Error initializing OCSP: " << PR_GetError(); |
| 546 } | 550 } |
| 547 | 551 |
| 552 // The default NSS value for OCSP timeouts is 60 seconds. Set this to be | |
|
wtc
2012/08/24 21:52:08
Nit: omit this comment because it is already in fr
Ryan Sleevi
2012/08/24 21:58:24
They suggest (no less than) 3 seconds, but I think
| |
| 553 // something more sane. | |
| 554 CERT_SetOCSPTimeout(kOcspTimeoutInSecs); | |
|
wtc
2012/08/24 21:52:08
I verified that this function always returns SECSu
Ryan Sleevi
2012/08/24 21:58:24
Yes, I checked this function, at least couldn't fi
| |
| 555 | |
| 548 // Work around NSS bugs 524013 and 564334. NSS incorrectly thinks the | 556 // Work around NSS bugs 524013 and 564334. NSS incorrectly thinks the |
| 549 // CRLs for Network Solutions Certificate Authority have bad signatures, | 557 // CRLs for Network Solutions Certificate Authority have bad signatures, |
| 550 // which causes certificates issued by that CA to be reported as revoked. | 558 // which causes certificates issued by that CA to be reported as revoked. |
| 551 // By using OCSP for those certificates, which don't have AIA extensions, | 559 // By using OCSP for those certificates, which don't have AIA extensions, |
| 552 // we can work around these bugs. See http://crbug.com/41730. | 560 // we can work around these bugs. See http://crbug.com/41730. |
| 553 CERT_StringFromCertFcn old_callback = NULL; | 561 CERT_StringFromCertFcn old_callback = NULL; |
| 554 status = CERT_RegisterAlternateOCSPAIAInfoCallBack( | 562 status = CERT_RegisterAlternateOCSPAIAInfoCallBack( |
| 555 GetAlternateOCSPAIAInfo, &old_callback); | 563 GetAlternateOCSPAIAInfo, &old_callback); |
| 556 if (status == SECSuccess) { | 564 if (status == SECSuccess) { |
| 557 DCHECK(!old_callback); | 565 DCHECK(!old_callback); |
| (...skipping 373 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 931 void SetURLRequestContextForNSSHttpIO(URLRequestContext* request_context) { | 939 void SetURLRequestContextForNSSHttpIO(URLRequestContext* request_context) { |
| 932 pthread_mutex_lock(&g_request_context_lock); | 940 pthread_mutex_lock(&g_request_context_lock); |
| 933 if (request_context) { | 941 if (request_context) { |
| 934 DCHECK(!g_request_context); | 942 DCHECK(!g_request_context); |
| 935 } | 943 } |
| 936 g_request_context = request_context; | 944 g_request_context = request_context; |
| 937 pthread_mutex_unlock(&g_request_context_lock); | 945 pthread_mutex_unlock(&g_request_context_lock); |
| 938 } | 946 } |
| 939 | 947 |
| 940 } // namespace net | 948 } // namespace net |
| OLD | NEW |