Route OCSP stapling through CertVerifier.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 51 matching lines @@
 
 #include <algorithm>
 #include <limits>
 #include <map>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
-#include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
@@ skipping 69 matching lines @@
 // entire SSL record.
 const int kRecvBufferSize = 17 * 1024;
 const int kSendBufferSize = 17 * 1024;
 
 // Used by SSLClientSocketNSS::Core to indicate there is no read result
 // obtained by a previous operation waiting to be returned to the caller.
 // This constant can be any non-negative/non-zero value (eg: it does not
 // overlap with any value of the net::Error range, including net::OK).
 const int kNoPendingReadResult = 1;
 
-#if defined(USE_NSS_CERTS)
-typedef SECStatus
-(*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg);
-
-// On Linux, we dynamically link against the system version of libnss3.so. In
-// order to continue working on systems without up-to-date versions of NSS we
-// lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
-
-// RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
-// runtime symbol resolution that we need.
-class RuntimeLibNSSFunctionPointers {
- public:
-  CacheOCSPResponseFromSideChannelFunction
-  GetCacheOCSPResponseFromSideChannelFunction() {
-    return cache_ocsp_response_from_side_channel_;
-  }
-
-  static RuntimeLibNSSFunctionPointers* GetInstance() {
-    return Singleton<RuntimeLibNSSFunctionPointers>::get();
-  }
-
- private:
-  friend struct DefaultSingletonTraits<RuntimeLibNSSFunctionPointers>;
-
-  RuntimeLibNSSFunctionPointers() {
-    cache_ocsp_response_from_side_channel_ =
-        (CacheOCSPResponseFromSideChannelFunction)
-        dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
-  }
-
-  CacheOCSPResponseFromSideChannelFunction
-      cache_ocsp_response_from_side_channel_;
-};
-
-CacheOCSPResponseFromSideChannelFunction
-GetCacheOCSPResponseFromSideChannelFunction() {
-  return RuntimeLibNSSFunctionPointers::GetInstance()
-    ->GetCacheOCSPResponseFromSideChannelFunction();
-}
-
-bool IsOCSPStaplingSupported() {
-  return GetCacheOCSPResponseFromSideChannelFunction() != NULL;
-}
-#else
-bool IsOCSPStaplingSupported() {
-  return false;
-}
-#endif
-
 // Helper functions to make it possible to log events from within the
 // SSLClientSocketNSS::Core.
 void AddLogEvent(const base::WeakPtr<BoundNetLog>& net_log,
                  NetLog::EventType event_type) {
   if (!net_log)
     return;
   net_log->AddEvent(event_type);
 }
 
 // Helper function to make it possible to log events from within the
@@ skipping 1839 matching lines @@
       SSL_PeerStapledOCSPResponses(nss_fd_);
   bool ocsp_responses_present = ocsp_responses && ocsp_responses->len;
   if (ocsp_requested)
     UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_responses_present);
   if (!ocsp_responses_present)
     return;
 
   nss_handshake_state_.stapled_ocsp_response = std::string(
       reinterpret_cast<char*>(ocsp_responses->items[0].data),
       ocsp_responses->items[0].len);
-
-  if (IsOCSPStaplingSupported()) {
-#if defined(USE_NSS_CERTS)
-    CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
-        GetCacheOCSPResponseFromSideChannelFunction();
-
-    cache_ocsp_response(
-        CERT_GetDefaultCertDB(),
-        nss_handshake_state_.server_cert_chain[0], PR_Now(),
-        &ocsp_responses->items[0], NULL);
-#endif
-  }
 }
 
 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
   // Note: This function may be called multiple times for a single connection
   // if renegotiations occur.
   nss_handshake_state_.ssl_connection_status = 0;
 
   SSLChannelInfo channel_info;
   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
                                     &channel_info, sizeof(channel_info));
@@ skipping 773 matching lines @@
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
   // Request OCSP stapling even on platforms that don't support it, in
   // order to extract Certificate Transparency information.
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
-                     (IsOCSPStaplingSupported() ||
-                      ssl_config_.signed_cert_timestamps_enabled));
+  bool supports_ocsp_stapling =
+      cert_verifier_ && cert_verifier_->SupportsOCSPStapling();
+  rv = SSL_OptionSet(
+      nss_fd_, SSL_ENABLE_OCSP_STAPLING,
+      supports_ocsp_stapling || ssl_config_.signed_cert_timestamps_enabled);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet",
                          "SSL_ENABLE_OCSP_STAPLING");
   }
 #endif
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
                      ssl_config_.signed_cert_timestamps_enabled);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet",
@@ skipping 213 matching lines @@
   if (ssl_config_.rev_checking_enabled)
     flags |= CertVerifier::VERIFY_REV_CHECKING_ENABLED;
   if (ssl_config_.verify_ev_cert)
     flags |= CertVerifier::VERIFY_EV_CERT;
   if (ssl_config_.cert_io_enabled)
     flags |= CertVerifier::VERIFY_CERT_IO_ENABLED;
   if (ssl_config_.rev_checking_required_local_anchors)
     flags |= CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
   verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
   return verifier_->Verify(
-      core_->state().server_cert.get(),
-      host_and_port_.host(),
-      flags,
-      SSLConfigService::GetCRLSet().get(),
-      &server_cert_verify_result_,
+      core_->state().server_cert.get(), host_and_port_.host(),
+      core_->state().stapled_ocsp_response, flags,
+      SSLConfigService::GetCRLSet().get(), &server_cert_verify_result_,
       base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
                  base::Unretained(this)),
       net_log_);
 }
 
 // Derived from AuthCertificateCallback() in
 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   verifier_.reset();
 
@@ skipping 116 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net