net: lookup OCSP cache function with dlsym.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 30 matching lines @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "net/socket/ssl_client_socket_nss.h"
 
 #include <certdb.h>
+#include <dlfcn.h>

[wtc, 2011/01/18 19:57:01]

BUG: this #include needs to be protected with an ifdef
because ssl_client_socket_nss.cc is also used on Windows.

You can use #if defined(OS_LINUX) to match the ifdef at
line 117.

[agl, 2011/01/18 20:29:45]

Done, thanks.

 #include <hasht.h>
 #include <keyhi.h>
 #include <nspr.h>
 #include <nss.h>
 #include <ocsp.h>
 #include <pk11pub.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <ssl.h>
 #include <sslerr.h>
 #include <sslproto.h>
 
 #include <limits>
 
 #include "base/compiler_specific.h"
+#include "base/logging.h"
 #include "base/metrics/histogram.h"
-#include "base/logging.h"
 #include "base/nss_util.h"
+#include "base/singleton.h"
 #include "base/string_number_conversions.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "net/base/address_list.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
@@ skipping 29 matching lines @@
 
 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a
 // Write to an SSL socket which we're False Starting. Since corking stops the
 // Finished message from being sent, the server sees an incomplete handshake
 // and some will time out such sockets quite aggressively.
 static const int kCorkTimeoutMs = 200;
 
 #if defined(OS_LINUX)
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
-// declare CERT_CacheOCSPResponseFromSideChannel to be a weak symbol. If, at
-// run time, we find that the symbol didn't resolve then we can avoid calling
-// the function.
-extern SECStatus
-CERT_CacheOCSPResponseFromSideChannel(
+// lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
+typedef SECStatus
+(*CacheOCSPResponseFromSideChannelFunction)(
     CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg) __attribute__((weak));
+    SECItem *encodedResponse, void *pwArg);
 
-static bool HaveCacheOCSPResponseFromSideChannelFunction() {
-  return CERT_CacheOCSPResponseFromSideChannel != NULL;
+// RuntimeLIBNSSFunctionPointers is a singleton which caches the results of any

[wtc, 2011/01/18 19:57:01]

Nit: LIBNSS => LibNSS

[agl, 2011/01/18 20:29:45]

Done.

+// runtime symbol resolution that we need.
+class RuntimeLIBNSSFunctionPointers {
+ public:
+  CacheOCSPResponseFromSideChannelFunction
+  GetCacheOCSPResponseFromSideChannelFunction() {
+    return cache_ocsp_response_from_side_channel_;
+  }
+
+  static RuntimeLIBNSSFunctionPointers* GetInstance() {
+    return Singleton<RuntimeLIBNSSFunctionPointers>::get();
+  }
+
+ private:
+  friend struct DefaultSingletonTraits<RuntimeLIBNSSFunctionPointers>;
+
+  RuntimeLIBNSSFunctionPointers() {
+    cache_ocsp_response_from_side_channel_ =
+        (CacheOCSPResponseFromSideChannelFunction)
+        dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
+  }
+
+  CacheOCSPResponseFromSideChannelFunction
+      cache_ocsp_response_from_side_channel_;
+};
+
+static CacheOCSPResponseFromSideChannelFunction
+GetCacheOCSPResponseFromSideChannelFunction() {
+  return RuntimeLIBNSSFunctionPointers::GetInstance()
+    ->GetCacheOCSPResponseFromSideChannelFunction();
 }
 #else
 // On other platforms we use the system's certificate validation functions.
 // Thus we need, in the future, to plumb the OCSP response into those system
 // functions. Until then, we act as if we didn't support OCSP stapling.
-static bool HaveCacheOCSPResponseFromSideChannelFunction() {
-  return false;
+static CacheOCSPResponseFromSideChannelFunction
+GetCacheOCSPResponseFromSideChannelFunction() {
+  return NULL;
 }
 #endif
 
 namespace net {
 
 // State machines are easier to debug if you log state transitions.
 // Enable these if you want to see what's going on.
 #if 1
 #define EnterFunction(x)
 #define LeaveFunction(x)
@@ skipping 507 matching lines @@
     rv = SSL_SetNextProtoNego(
        nss_fd_,
        reinterpret_cast<const unsigned char *>(ssl_config_.next_protos.data()),
        ssl_config_.next_protos.size());
     if (rv != SECSuccess)
       LogFailedNSSFunction(net_log_, "SSL_SetNextProtoNego", "");
   }
 #endif
 
 #ifdef SSL_ENABLE_OCSP_STAPLING
-  if (HaveCacheOCSPResponseFromSideChannelFunction() &&
+  if (GetCacheOCSPResponseFromSideChannelFunction() &&
       !ssl_config_.snap_start_enabled) {
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
     if (rv != SECSuccess)
       LogFailedNSSFunction(net_log_, "SSL_OptionSet (OCSP stapling)", "");
   }
 #endif
 
   rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
@@ skipping 1311 matching lines @@
                          certs[i]->derCert.len) != 0) {
                 predicted_cert_chain_correct_ = false;
                 break;
               }
             }
           }
         }
 
 #if defined(SSL_ENABLE_OCSP_STAPLING)
         // TODO: we need to be able to plumb an OCSP response into the system
-        // libraries. When we do, HaveCacheOCSPResponseFromSideChannelFunction
+        // libraries. When we do, GetOCSPResponseFromSideChannelFunction
         // needs to be updated for those platforms.
         if (!predicted_cert_chain_correct_ &&
-            HaveCacheOCSPResponseFromSideChannelFunction()) {
+            GetCacheOCSPResponseFromSideChannelFunction()) {

[wtc, 2011/01/18 19:57:01]

Nit: it would be nice to save the return value of
GetCacheOCSPResponseFromSideChannelFunction() in a local
variable, so that we can avoid the singleton overhead.

[agl, 2011/01/18 20:29:45]

Done.

           unsigned int len = 0;
           SSL_GetStapledOCSPResponse(nss_fd_, NULL, &len);
           if (len) {
             const unsigned int orig_len = len;
             scoped_array<uint8> ocsp_response(new uint8[orig_len]);
             SSL_GetStapledOCSPResponse(nss_fd_, ocsp_response.get(), &len);
             DCHECK_EQ(orig_len, len);
 
             SECItem ocsp_response_item;
             ocsp_response_item.type = siBuffer;
             ocsp_response_item.data = ocsp_response.get();
             ocsp_response_item.len = len;
 
-            CERT_CacheOCSPResponseFromSideChannel(
+            GetCacheOCSPResponseFromSideChannelFunction()(
                 CERT_GetDefaultCertDB(), server_cert_nss_, PR_Now(),
                 &ocsp_response_item, NULL);
           }
         }
 #endif
 
         SaveSnapStartInfo();
         // SSL handshake is completed. It's possible that we mispredicted the
         // NPN agreed protocol. In this case, we've just sent a request in the
         // wrong protocol! The higher levels of this network stack aren't
@@ skipping 463 matching lines @@
     case SSL_CONNECTION_VERSION_TLS1_1:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
       break;
     case SSL_CONNECTION_VERSION_TLS1_2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
       break;
   };
 }
 
 }  // namespace net