| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/cert_verifier.h" | 5 #include "net/base/cert_verifier.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/compiler_specific.h" | 9 #include "base/compiler_specific.h" |
| 10 #include "base/message_loop.h" | 10 #include "base/message_loop.h" |
| 11 #include "base/metrics/histogram.h" | 11 #include "base/metrics/histogram.h" |
| 12 #include "base/stl_util.h" | 12 #include "base/stl_util.h" |
| 13 #include "base/synchronization/lock.h" | 13 #include "base/synchronization/lock.h" |
| 14 #include "base/time.h" | 14 #include "base/time.h" |
| 15 #include "base/threading/worker_pool.h" | 15 #include "base/threading/worker_pool.h" |
| 16 #include "net/base/crl_set.h" |
| 16 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 17 #include "net/base/net_log.h" | 18 #include "net/base/net_log.h" |
| 18 #include "net/base/x509_certificate.h" | 19 #include "net/base/x509_certificate.h" |
| 19 | 20 |
| 20 #if defined(USE_NSS) | 21 #if defined(USE_NSS) |
| 21 #include <private/pprthred.h> // PR_DetachThread | 22 #include <private/pprthred.h> // PR_DetachThread |
| 22 #endif | 23 #endif |
| 23 | 24 |
| 24 namespace net { | 25 namespace net { |
| 25 | 26 |
| (...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 135 | 136 |
| 136 | 137 |
| 137 // CertVerifierWorker runs on a worker thread and takes care of the blocking | 138 // CertVerifierWorker runs on a worker thread and takes care of the blocking |
| 138 // process of performing the certificate verification. Deletes itself | 139 // process of performing the certificate verification. Deletes itself |
| 139 // eventually if Start() succeeds. | 140 // eventually if Start() succeeds. |
| 140 class CertVerifierWorker { | 141 class CertVerifierWorker { |
| 141 public: | 142 public: |
| 142 CertVerifierWorker(X509Certificate* cert, | 143 CertVerifierWorker(X509Certificate* cert, |
| 143 const std::string& hostname, | 144 const std::string& hostname, |
| 144 int flags, | 145 int flags, |
| 146 CRLSet* crl_set, |
| 145 CertVerifier* cert_verifier) | 147 CertVerifier* cert_verifier) |
| 146 : cert_(cert), | 148 : cert_(cert), |
| 147 hostname_(hostname), | 149 hostname_(hostname), |
| 148 flags_(flags), | 150 flags_(flags), |
| 151 crl_set_(crl_set), |
| 149 origin_loop_(MessageLoop::current()), | 152 origin_loop_(MessageLoop::current()), |
| 150 cert_verifier_(cert_verifier), | 153 cert_verifier_(cert_verifier), |
| 151 canceled_(false), | 154 canceled_(false), |
| 152 error_(ERR_FAILED) { | 155 error_(ERR_FAILED) { |
| 153 } | 156 } |
| 154 | 157 |
| 155 bool Start() { | 158 bool Start() { |
| 156 DCHECK_EQ(MessageLoop::current(), origin_loop_); | 159 DCHECK_EQ(MessageLoop::current(), origin_loop_); |
| 157 | 160 |
| 158 return base::WorkerPool::PostTask( | 161 return base::WorkerPool::PostTask( |
| 159 FROM_HERE, base::Bind(&CertVerifierWorker::Run, base::Unretained(this)), | 162 FROM_HERE, base::Bind(&CertVerifierWorker::Run, base::Unretained(this)), |
| 160 true /* task is slow */); | 163 true /* task is slow */); |
| 161 } | 164 } |
| 162 | 165 |
| 163 // Cancel is called from the origin loop when the CertVerifier is getting | 166 // Cancel is called from the origin loop when the CertVerifier is getting |
| 164 // deleted. | 167 // deleted. |
| 165 void Cancel() { | 168 void Cancel() { |
| 166 DCHECK_EQ(MessageLoop::current(), origin_loop_); | 169 DCHECK_EQ(MessageLoop::current(), origin_loop_); |
| 167 base::AutoLock locked(lock_); | 170 base::AutoLock locked(lock_); |
| 168 canceled_ = true; | 171 canceled_ = true; |
| 169 } | 172 } |
| 170 | 173 |
| 171 private: | 174 private: |
| 172 void Run() { | 175 void Run() { |
| 173 // Runs on a worker thread. | 176 // Runs on a worker thread. |
| 174 error_ = cert_->Verify(hostname_, flags_, &verify_result_); | 177 error_ = cert_->Verify(hostname_, flags_, crl_set_, &verify_result_); |
| 175 #if defined(USE_NSS) | 178 #if defined(USE_NSS) |
| 176 // Detach the thread from NSPR. | 179 // Detach the thread from NSPR. |
| 177 // Calling NSS functions attaches the thread to NSPR, which stores | 180 // Calling NSS functions attaches the thread to NSPR, which stores |
| 178 // the NSPR thread ID in thread-specific data. | 181 // the NSPR thread ID in thread-specific data. |
| 179 // The threads in our thread pool terminate after we have called | 182 // The threads in our thread pool terminate after we have called |
| 180 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets | 183 // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets |
| 181 // segfaults on shutdown when the threads' thread-specific data | 184 // segfaults on shutdown when the threads' thread-specific data |
| 182 // destructors run. | 185 // destructors run. |
| 183 PR_DetachThread(); | 186 PR_DetachThread(); |
| 184 #endif | 187 #endif |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 224 } | 227 } |
| 225 } | 228 } |
| 226 | 229 |
| 227 if (canceled) | 230 if (canceled) |
| 228 delete this; | 231 delete this; |
| 229 } | 232 } |
| 230 | 233 |
| 231 scoped_refptr<X509Certificate> cert_; | 234 scoped_refptr<X509Certificate> cert_; |
| 232 const std::string hostname_; | 235 const std::string hostname_; |
| 233 const int flags_; | 236 const int flags_; |
| 237 scoped_refptr<CRLSet> crl_set_; |
| 234 MessageLoop* const origin_loop_; | 238 MessageLoop* const origin_loop_; |
| 235 CertVerifier* const cert_verifier_; | 239 CertVerifier* const cert_verifier_; |
| 236 | 240 |
| 237 // lock_ protects canceled_. | 241 // lock_ protects canceled_. |
| 238 base::Lock lock_; | 242 base::Lock lock_; |
| 239 | 243 |
| 240 // If canceled_ is true, | 244 // If canceled_ is true, |
| 241 // * origin_loop_ cannot be accessed by the worker thread, | 245 // * origin_loop_ cannot be accessed by the worker thread, |
| 242 // * cert_verifier_ cannot be accessed by any thread. | 246 // * cert_verifier_ cannot be accessed by any thread. |
| 243 bool canceled_; | 247 bool canceled_; |
| (...skipping 95 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 339 | 343 |
| 340 CertVerifier::~CertVerifier() { | 344 CertVerifier::~CertVerifier() { |
| 341 STLDeleteValues(&inflight_); | 345 STLDeleteValues(&inflight_); |
| 342 | 346 |
| 343 CertDatabase::RemoveObserver(this); | 347 CertDatabase::RemoveObserver(this); |
| 344 } | 348 } |
| 345 | 349 |
| 346 int CertVerifier::Verify(X509Certificate* cert, | 350 int CertVerifier::Verify(X509Certificate* cert, |
| 347 const std::string& hostname, | 351 const std::string& hostname, |
| 348 int flags, | 352 int flags, |
| 353 CRLSet* crl_set, |
| 349 CertVerifyResult* verify_result, | 354 CertVerifyResult* verify_result, |
| 350 const CompletionCallback& callback, | 355 const CompletionCallback& callback, |
| 351 RequestHandle* out_req, | 356 RequestHandle* out_req, |
| 352 const BoundNetLog& net_log) { | 357 const BoundNetLog& net_log) { |
| 353 DCHECK(CalledOnValidThread()); | 358 DCHECK(CalledOnValidThread()); |
| 354 | 359 |
| 355 if (callback.is_null() || !verify_result || hostname.empty()) { | 360 if (callback.is_null() || !verify_result || hostname.empty()) { |
| 356 *out_req = NULL; | 361 *out_req = NULL; |
| 357 return ERR_INVALID_ARGUMENT; | 362 return ERR_INVALID_ARGUMENT; |
| 358 } | 363 } |
| (...skipping 20 matching lines...) Expand all Loading... |
| 379 std::map<RequestParams, CertVerifierJob*>::const_iterator j; | 384 std::map<RequestParams, CertVerifierJob*>::const_iterator j; |
| 380 j = inflight_.find(key); | 385 j = inflight_.find(key); |
| 381 if (j != inflight_.end()) { | 386 if (j != inflight_.end()) { |
| 382 // An identical request is in flight already. We'll just attach our | 387 // An identical request is in flight already. We'll just attach our |
| 383 // callback. | 388 // callback. |
| 384 inflight_joins_++; | 389 inflight_joins_++; |
| 385 job = j->second; | 390 job = j->second; |
| 386 } else { | 391 } else { |
| 387 // Need to make a new request. | 392 // Need to make a new request. |
| 388 CertVerifierWorker* worker = new CertVerifierWorker(cert, hostname, flags, | 393 CertVerifierWorker* worker = new CertVerifierWorker(cert, hostname, flags, |
| 389 this); | 394 crl_set, this); |
| 390 job = new CertVerifierJob( | 395 job = new CertVerifierJob( |
| 391 worker, | 396 worker, |
| 392 BoundNetLog::Make(net_log.net_log(), NetLog::SOURCE_CERT_VERIFIER_JOB)); | 397 BoundNetLog::Make(net_log.net_log(), NetLog::SOURCE_CERT_VERIFIER_JOB)); |
| 393 if (!worker->Start()) { | 398 if (!worker->Start()) { |
| 394 delete job; | 399 delete job; |
| 395 delete worker; | 400 delete worker; |
| 396 *out_req = NULL; | 401 *out_req = NULL; |
| 397 // TODO(wtc): log to the NetLog. | 402 // TODO(wtc): log to the NetLog. |
| 398 LOG(ERROR) << "CertVerifierWorker couldn't be started."; | 403 LOG(ERROR) << "CertVerifierWorker couldn't be started."; |
| 399 return ERR_INSUFFICIENT_RESOURCES; // Just a guess. | 404 return ERR_INSUFFICIENT_RESOURCES; // Just a guess. |
| (...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 496 SingleRequestCertVerifier::~SingleRequestCertVerifier() { | 501 SingleRequestCertVerifier::~SingleRequestCertVerifier() { |
| 497 if (cur_request_) { | 502 if (cur_request_) { |
| 498 cert_verifier_->CancelRequest(cur_request_); | 503 cert_verifier_->CancelRequest(cur_request_); |
| 499 cur_request_ = NULL; | 504 cur_request_ = NULL; |
| 500 } | 505 } |
| 501 } | 506 } |
| 502 | 507 |
| 503 int SingleRequestCertVerifier::Verify(X509Certificate* cert, | 508 int SingleRequestCertVerifier::Verify(X509Certificate* cert, |
| 504 const std::string& hostname, | 509 const std::string& hostname, |
| 505 int flags, | 510 int flags, |
| 511 CRLSet* crl_set, |
| 506 CertVerifyResult* verify_result, | 512 CertVerifyResult* verify_result, |
| 507 const CompletionCallback& callback, | 513 const CompletionCallback& callback, |
| 508 const BoundNetLog& net_log) { | 514 const BoundNetLog& net_log) { |
| 509 // Should not be already in use. | 515 // Should not be already in use. |
| 510 DCHECK(!cur_request_ && cur_request_callback_.is_null()); | 516 DCHECK(!cur_request_ && cur_request_callback_.is_null()); |
| 511 | 517 |
| 512 // Do a synchronous verification. | 518 // Do a synchronous verification. |
| 513 if (callback.is_null()) | 519 if (callback.is_null()) |
| 514 return cert->Verify(hostname, flags, verify_result); | 520 return cert->Verify(hostname, flags, crl_set, verify_result); |
| 515 | 521 |
| 516 CertVerifier::RequestHandle request = NULL; | 522 CertVerifier::RequestHandle request = NULL; |
| 517 | 523 |
| 518 // We need to be notified of completion before |callback| is called, so that | 524 // We need to be notified of completion before |callback| is called, so that |
| 519 // we can clear out |cur_request_*|. | 525 // we can clear out |cur_request_*|. |
| 520 int rv = cert_verifier_->Verify( | 526 int rv = cert_verifier_->Verify( |
| 521 cert, hostname, flags, verify_result, | 527 cert, hostname, flags, crl_set, verify_result, |
| 522 base::Bind(&SingleRequestCertVerifier::OnVerifyCompletion, | 528 base::Bind(&SingleRequestCertVerifier::OnVerifyCompletion, |
| 523 base::Unretained(this)), | 529 base::Unretained(this)), |
| 524 &request, net_log); | 530 &request, net_log); |
| 525 | 531 |
| 526 if (rv == ERR_IO_PENDING) { | 532 if (rv == ERR_IO_PENDING) { |
| 527 // Cleared in OnVerifyCompletion(). | 533 // Cleared in OnVerifyCompletion(). |
| 528 cur_request_ = request; | 534 cur_request_ = request; |
| 529 cur_request_callback_ = callback; | 535 cur_request_callback_ = callback; |
| 530 } | 536 } |
| 531 | 537 |
| 532 return rv; | 538 return rv; |
| 533 } | 539 } |
| 534 | 540 |
| 535 void SingleRequestCertVerifier::OnVerifyCompletion(int result) { | 541 void SingleRequestCertVerifier::OnVerifyCompletion(int result) { |
| 536 DCHECK(cur_request_ && !cur_request_callback_.is_null()); | 542 DCHECK(cur_request_ && !cur_request_callback_.is_null()); |
| 537 | 543 |
| 538 CompletionCallback callback = cur_request_callback_; | 544 CompletionCallback callback = cur_request_callback_; |
| 539 | 545 |
| 540 // Clear the outstanding request information. | 546 // Clear the outstanding request information. |
| 541 cur_request_ = NULL; | 547 cur_request_ = NULL; |
| 542 cur_request_callback_.Reset(); | 548 cur_request_callback_.Reset(); |
| 543 | 549 |
| 544 // Call the user's original callback. | 550 // Call the user's original callback. |
| 545 callback.Run(result); | 551 callback.Run(result); |
| 546 } | 552 } |
| 547 | 553 |
| 548 } // namespace net | 554 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8342054:
net: enable CRL sets behind a command line flag. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src