net/cert/nss_profile_filter_chromeos.cc - Issue 123633002: ChromeOS: Fix crash if login profile triggers client auth.

Side by Side Diff: net/cert/nss_profile_filter_chromeos.cc

Issue 123633002: ChromeOS: Fix crash if login profile triggers client auth. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: . Created 6 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/nss_profile_filter_chromeos.h"	5 #include "net/cert/nss_profile_filter_chromeos.h"

6	6

7 #include "base/bind.h"	7 #include "base/bind.h"

8 #include "base/callback.h"	8 #include "base/callback.h"

9 #include "base/strings/stringprintf.h"	9 #include "base/strings/stringprintf.h"

10	10

(...skipping 29 matching lines...) Expand all Loading...
40 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,	40 void NSSProfileFilterChromeOS::Init(crypto::ScopedPK11Slot public_slot,

41 crypto::ScopedPK11Slot private_slot) {	41 crypto::ScopedPK11Slot private_slot) {

42 public_slot_ = public_slot.Pass();	42 public_slot_ = public_slot.Pass();

43 private_slot_ = private_slot.Pass();	43 private_slot_ = private_slot.Pass();

44 }	44 }

45	45

46 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {	46 bool NSSProfileFilterChromeOS::IsModuleAllowed(PK11SlotInfo* slot) const {

47 // If this is one of the public/private slots for this profile, allow it.	47 // If this is one of the public/private slots for this profile, allow it.

48 if (slot == public_slot_.get() \|\| slot == private_slot_.get())	48 if (slot == public_slot_.get() \|\| slot == private_slot_.get())

49 return true;	49 return true;

50 // If it's from the read-only slot, allow it.	50 // If it's from the read-only slots, allow it.

51 if (PK11_IsInternalKeySlot(slot))	51 if (PK11_IsInternalKeySlot(slot) \|\|

	52 slot == crypto::ScopedPK11Slot(PK11_GetInternalSlot()))
	Ryan Sleevi 2014/01/11 02:56:13 Why not PK11_IsInternal? Why not PK11_IsInternal? mattm 2014/01/11 03:23:23 PK11_IsInternal matches any of the nss software sl Show quoted text On 2014/01/11 02:56:13, Ryan Sleevi wrote: > Why not PK11_IsInternal? PK11_IsInternal matches any of the nss software slots. Ryan Sleevi 2014/01/11 03:36:14 Yeah, but I thought they showed up as removable sl Show quoted text On 2014/01/11 03:23:23, mattm wrote: > On 2014/01/11 02:56:13, Ryan Sleevi wrote: > > Why not PK11_IsInternal? > > PK11_IsInternal matches any of the nss software slots. Yeah, but I thought they showed up as removable slots (PK11_IsRemovable) mattm 2014/01/14 02:29:06 Ok, changed to use PK11_IsInternal && !PK11_IsRemo Show quoted text On 2014/01/11 03:36:14, Ryan Sleevi wrote: > On 2014/01/11 03:23:23, mattm wrote: > > On 2014/01/11 02:56:13, Ryan Sleevi wrote: > > > Why not PK11_IsInternal? > > > > PK11_IsInternal matches any of the nss software slots. > > Yeah, but I thought they showed up as removable slots (PK11_IsRemovable) Ok, changed to use PK11_IsInternal && !PK11_IsRemovable
52 return true;	53 return true;

	54 // If \|public_slot_\| or \|private_slot_\| is null, there isn't a way to get the

	55 // modules to use in the final test.

	56 if (!public_slot_.get() \|\| !private_slot_.get()) {

	57 // Allow the root certs module which would normally be allowed by the final

	58 // test.

	59 if (PK11_HasRootCerts(slot))

	60 return true;
	Ryan Sleevi 2014/01/11 02:56:13 This is so that roots display in the UI, right? W This is so that roots display in the UI, right? Why not white list this first - PK11_IsInternalKeySlot(slot) mattm 2014/01/11 03:23:23 Yeah. Show quoted text On 2014/01/11 02:56:13, Ryan Sleevi wrote: > This is so that roots display in the UI, right? Yeah. Show quoted text > Why not white list this first - PK11_IsInternalKeySlot(slot) Just that it normally already gets handled by the final test, so this avoids a bit of redundancy. I could move it there if it seems cleaner. Ryan Sleevi 2014/01/11 03:36:14 I was going to suggest moving it before / outside Show quoted text On 2014/01/11 03:23:23, mattm wrote: > On 2014/01/11 02:56:13, Ryan Sleevi wrote: > > This is so that roots display in the UI, right? > > Yeah. > > > Why not white list this first - PK11_IsInternalKeySlot(slot) > > Just that it normally already gets handled by the final test, so this avoids a > bit of redundancy. I could move it there if it seems cleaner. I was going to suggest moving it before / outside of the if (eg: line 54). It's redundant to the check on 66/67, but it doesn't hurt to short-circuit and be explicit mattm 2014/01/14 02:29:06 Done. Show quoted text On 2014/01/11 03:36:14, Ryan Sleevi wrote: > On 2014/01/11 03:23:23, mattm wrote: > > On 2014/01/11 02:56:13, Ryan Sleevi wrote: > > > This is so that roots display in the UI, right? > > > > Yeah. > > > > > Why not white list this first - PK11_IsInternalKeySlot(slot) > > > > Just that it normally already gets handled by the final test, so this avoids a > > bit of redundancy. I could move it there if it seems cleaner. > > I was going to suggest moving it before / outside of the if (eg: line 54). It's > redundant to the check on 66/67, but it doesn't hurt to short-circuit and be > explicit Done.
	61 return false;

	62 }

53 // If this is not the internal (file-system) module or the TPM module, allow	63 // If this is not the internal (file-system) module or the TPM module, allow

54 // it.	64 // it.

55 SECMODModule* module_for_slot = PK11_GetModule(slot);	65 SECMODModule* module_for_slot = PK11_GetModule(slot);

56 if (module_for_slot != PK11_GetModule(public_slot_.get()) &&	66 if (module_for_slot != PK11_GetModule(public_slot_.get()) &&

57 module_for_slot != PK11_GetModule(private_slot_.get()))	67 module_for_slot != PK11_GetModule(private_slot_.get()))

58 return true;	68 return true;

59 return false;	69 return false;

60 }	70 }

61	71

62 bool NSSProfileFilterChromeOS::IsCertAllowed(	72 bool NSSProfileFilterChromeOS::IsCertAllowed(

(...skipping 35 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
98 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter)	108 ModuleNotAllowedForProfilePredicate(const NSSProfileFilterChromeOS& filter)

99 : filter_(filter) {}	109 : filter_(filter) {}

100	110

101 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()(	111 bool NSSProfileFilterChromeOS::ModuleNotAllowedForProfilePredicate::operator()(

102 const scoped_refptr<CryptoModule>& module) const {	112 const scoped_refptr<CryptoModule>& module) const {

103 return !filter_.IsModuleAllowed(module->os_module_handle());	113 return !filter_.IsModuleAllowed(module->os_module_handle());

104 }	114 }

105	115

106 } // namespace net	116 } // namespace net

107	117

OLD	NEW

« no previous file with comments | « crypto/nss_util_internal.h ('k') | net/cert/nss_profile_filter_chromeos_unittest.cc » ('j') | net/cert/nss_profile_filter_chromeos_unittest.cc » ('J')