Refactor EnsureNSSInit. Move the NSS SSL library

initialization to SSLClientSocketNSS in src/net so that src/base does not depend on the NSS SSL library. Call PL_ArenaFinish in the NSPRInitSingleton destructor instead of the NSSInitSingleton destructor because PLArena is part of NSPR. R=agl,ukai BUG=28744 TEST=covered by existing tests. Review URL: http://codereview.chromium.org/554096 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@37223 0039d316-1c4b-4281-b951-d872f2087c98
author: wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-01-27 02:58:03 +0000
committer: wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-01-27 02:58:03 +0000
commit: 829296f90376786ffe556cd83540d404e988c36d (patch)
tree: 62d3d04a5e215129afa21eea78dcb179b07ca9db
parent: 7eb2110136de4cb6b31c76f489e6290b1ce8b6fd (diff)
download: chromium_src-829296f90376786ffe556cd83540d404e988c36d.zip
chromium_src-829296f90376786ffe556cd83540d404e988c36d.tar.gz
chromium_src-829296f90376786ffe556cd83540d404e988c36d.tar.bz2
2 files changed, 61 insertions, 42 deletions
diff --git a/base/nss_util.cc b/base/nss_util.cc
index 2f7ff7f..f440f70 100644
--- a/base/nss_util.cc
+++ b/base/nss_util.cc
@@ -4,7 +4,6 @@
 
 #include "base/nss_util.h"
 
-#include <dlfcn.h>
 #include <nss.h>
 #include <plarena.h>
 #include <prerror.h>
@@ -12,7 +11,6 @@
 #include <prtime.h>
 #include <pk11pub.h>
 #include <secmod.h>
-#include <ssl.h>
 
 #include "base/file_util.h"
 #include "base/logging.h"
@@ -41,7 +39,7 @@ SECMODModule *InitDefaultRootCerts() {
   const char* kModulePath = "libnssckbi.so";
   char modparams[1024];
   snprintf(modparams, sizeof(modparams),
-          "name=\"Root Certs\" library=\"%s\"", kModulePath);
+           "name=\"Root Certs\" library=\"%s\"", kModulePath);
   SECMODModule *root = SECMOD_LoadUserModule(modparams, NULL, PR_FALSE);
   if (root)
     return root;
@@ -61,6 +59,7 @@ class NSPRInitSingleton {
   }
 
   ~NSPRInitSingleton() {
+    PL_ArenaFinish();
     PRStatus prstatus = PR_Cleanup();
     if (prstatus != PR_SUCCESS) {
       LOG(ERROR) << "PR_Cleanup failed; was NSPR initialized on wrong thread?";
@@ -118,37 +117,6 @@ class NSSInitSingleton {
     }
 
     root_ = InitDefaultRootCerts();
-
-    NSS_SetDomesticPolicy();
-
-#if defined(USE_SYSTEM_SSL)
-    // Use late binding to avoid scary but benign warning
-    // "Symbol `SSL_ImplementedCiphers' has different size in shared object,
-    //  consider re-linking"
-    const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>(
-        dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers"));
-    if (pSSL_ImplementedCiphers == NULL) {
-      NOTREACHED() << "Can't get list of supported ciphers";
-      return;
-    }
-#else
-#define pSSL_ImplementedCiphers SSL_ImplementedCiphers
-#endif
-
-    // Explicitly enable exactly those ciphers with keys of at least 80 bits
-    for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
-      SSLCipherSuiteInfo info;
-      if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,
-                                 sizeof(info)) == SECSuccess) {
-        SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],
-                                 (info.effectiveKeyBits >= 80));
-      }
-    }
-
-    // Enable SSL
-    SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
-
-    // All other SSL options are set per-session by SSLClientSocket.
   }
 
   ~NSSInitSingleton() {
@@ -158,9 +126,6 @@ class NSSInitSingleton {
       root_ = NULL;
     }
 
-    // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY
-    SSL_ClearSessionCache();
-
     SECStatus status = NSS_Shutdown();
     if (status != SECSuccess) {
       // We LOG(INFO) because this failure is relatively harmless
@@ -168,8 +133,6 @@ class NSSInitSingleton {
       LOG(INFO) << "NSS_Shutdown failed; see "
                    "http://code.google.com/p/chromium/issues/detail?id=4609";
     }
-
-    PL_ArenaFinish();
   }
 
  private:
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 350a4c9..29af7f0 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -47,6 +47,9 @@
 
 #include "net/socket/ssl_client_socket_nss.h"
 
+#if defined(USE_SYSTEM_SSL)
+#include <dlfcn.h>
+#endif
 #include <certdb.h>
 #include <keyhi.h>
 #include <nspr.h>
@@ -59,6 +62,7 @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/nss_util.h"
+#include "base/singleton.h"
 #include "base/string_util.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/io_buffer.h"
@@ -96,6 +100,57 @@ namespace net {
 
 namespace {
 
+class NSSSSLInitSingleton {
+ public:
+  NSSSSLInitSingleton() {
+    base::EnsureNSSInit();
+
+    NSS_SetDomesticPolicy();
+
+#if defined(USE_SYSTEM_SSL)
+    // Use late binding to avoid scary but benign warning
+    // "Symbol `SSL_ImplementedCiphers' has different size in shared object,
+    //  consider re-linking"
+    const PRUint16* pSSL_ImplementedCiphers = static_cast<const PRUint16*>(
+        dlsym(RTLD_DEFAULT, "SSL_ImplementedCiphers"));
+    if (pSSL_ImplementedCiphers == NULL) {
+      NOTREACHED() << "Can't get list of supported ciphers";
+      return;
+    }
+#else
+#define pSSL_ImplementedCiphers SSL_ImplementedCiphers
+#endif
+
+    // Explicitly enable exactly those ciphers with keys of at least 80 bits
+    for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
+      SSLCipherSuiteInfo info;
+      if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,
+                                 sizeof(info)) == SECSuccess) {
+        SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],
+                                 (info.effectiveKeyBits >= 80));
+      }
+    }
+
+    // Enable SSL.
+    SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+
+    // All other SSL options are set per-session by SSLClientSocket.
+  }
+
+  ~NSSSSLInitSingleton() {
+    // Have to clear the cache, or NSS_Shutdown fails with SEC_ERROR_BUSY.
+    SSL_ClearSessionCache();
+  }
+};
+
+// Initialize the NSS SSL library if it isn't already initialized.  This must
+// be called before any other NSS SSL functions.  This function is
+// thread-safe, and the NSS SSL library will only ever be initialized once.
+// The NSS SSL library will be properly shut down on program exit.
+void EnsureNSSSSLInit() {
+  Singleton<NSSSSLInitSingleton>::get();
+}
+
 // The default error mapping function.
 // Maps an NSPR error code to a network error code.
 int MapNSPRError(PRErrorCode err) {
@@ -193,8 +248,9 @@ SSLClientSocketNSS::~SSLClientSocketNSS() {
 
 int SSLClientSocketNSS::Init() {
   EnterFunction("");
-  // Initialize NSS in a threadsafe way.
-  base::EnsureNSSInit();
+  // Initialize the NSS SSL library in a threadsafe way.  This also
+  // initializes the NSS base library.
+  EnsureNSSSSLInit();
   // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop
   // by MessageLoopForIO::current().
   // X509Certificate::Verify() runs on a worker thread of CertVerifier.
@@ -576,7 +632,7 @@ SSLClientSocketNSS::GetNextProto(std::string* proto) {
   }
   // We don't check for truncation because sizeof(buf) is large enough to hold
   // the maximum protocol size.
-  switch(state) {
+  switch (state) {
     case SSL_NEXT_PROTO_NO_SUPPORT:
       proto->clear();
       return kNextProtoUnsupported;
author	wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-01-27 02:58:03 +0000
committer	wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-01-27 02:58:03 +0000
commit	829296f90376786ffe556cd83540d404e988c36d (patch)
tree	62d3d04a5e215129afa21eea78dcb179b07ca9db
parent	7eb2110136de4cb6b31c76f489e6290b1ce8b6fd (diff)
download	chromium_src-829296f90376786ffe556cd83540d404e988c36d.zip chromium_src-829296f90376786ffe556cd83540d404e988c36d.tar.gz chromium_src-829296f90376786ffe556cd83540d404e988c36d.tar.bz2