authorwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 17:27:15 +0000
committerwtc@google.com <wtc@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2010-12-16 17:27:15 +0000
commit822581d32a6836feae73b96a2ce494a058004423 (patch)
tree925796acd3c3aeaa357378c096c5d9efec31bf36 /net/socket
parentae89b8d559bfa6b3a2c1d404b21386bcc8995472 (diff)
downloadchromium_src-822581d32a6836feae73b96a2ce494a058004423.zip
chromium_src-822581d32a6836feae73b96a2ce494a058004423.tar.gz
chromium_src-822581d32a6836feae73b96a2ce494a058004423.tar.bz2
Cache certificate verification results in memory.
R=agl BUG=63357 TEST=none Review URL: http://codereview.chromium.org/5386001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@69414 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r--net/socket/client_socket_factory.cc18
-rw-r--r--net/socket/client_socket_factory.h6
-rw-r--r--net/socket/client_socket_pool_base_unittest.cc1
-rw-r--r--net/socket/client_socket_pool_manager.cc5
-rw-r--r--net/socket/client_socket_pool_manager.h11
-rw-r--r--net/socket/socket_test_util.cc4
-rw-r--r--net/socket/socket_test_util.h2
-rw-r--r--net/socket/ssl_client_socket_mac.cc6
-rw-r--r--net/socket/ssl_client_socket_mac.h7
-rw-r--r--net/socket/ssl_client_socket_mac_factory.cc4
-rw-r--r--net/socket/ssl_client_socket_mac_factory.h1
-rw-r--r--net/socket/ssl_client_socket_nss.cc4
-rw-r--r--net/socket/ssl_client_socket_nss.h5
-rw-r--r--net/socket/ssl_client_socket_nss_factory.cc3
-rw-r--r--net/socket/ssl_client_socket_nss_factory.h1
-rw-r--r--net/socket/ssl_client_socket_openssl.cc6
-rw-r--r--net/socket/ssl_client_socket_openssl.h7
-rw-r--r--net/socket/ssl_client_socket_pool.cc16
-rw-r--r--net/socket/ssl_client_socket_pool.h8
-rw-r--r--net/socket/ssl_client_socket_pool_unittest.cc7
-rw-r--r--net/socket/ssl_client_socket_snapstart_unittest.cc7
-rw-r--r--net/socket/ssl_client_socket_unittest.cc58
-rw-r--r--net/socket/ssl_client_socket_win.cc6
-rw-r--r--net/socket/ssl_client_socket_win.h7
-rw-r--r--net/socket/ssl_host_info.cc10
-rw-r--r--net/socket/ssl_host_info.h8
-rw-r--r--net/socket/tcp_client_socket_pool_unittest.cc3
27 files changed, 152 insertions, 69 deletions
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc
index 1c998c6..f4da066 100644
--- a/net/socket/client_socket_factory.cc
+++ b/net/socket/client_socket_factory.cc
@@ -30,19 +30,21 @@ SSLClientSocket* DefaultSSLClientSocketFactory(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
scoped_ptr<SSLHostInfo> shi(ssl_host_info);
#if defined(OS_WIN)
- return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config);
+ return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config,
+ cert_verifier);
#elif defined(USE_OPENSSL)
return new SSLClientSocketOpenSSL(transport_socket, host_and_port,
- ssl_config);
+ ssl_config, cert_verifier);
#elif defined(USE_NSS)
return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config,
- shi.release(), dns_cert_checker);
+ shi.release(), cert_verifier, dns_cert_checker);
#elif defined(OS_MACOSX)
return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config,
- shi.release(), dns_cert_checker);
+ shi.release(), cert_verifier, dns_cert_checker);
#else
NOTIMPLEMENTED();
return NULL;
@@ -65,9 +67,10 @@ class DefaultClientSocketFactory : public ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
return g_ssl_factory(transport_socket, host_and_port, ssl_config,
- ssl_host_info, dns_cert_checker);
+ ssl_host_info, cert_verifier, dns_cert_checker);
}
};
@@ -92,11 +95,12 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket(
ClientSocket* transport_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
- SSLHostInfo* ssl_host_info) {
+ SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier) {
ClientSocketHandle* socket_handle = new ClientSocketHandle();
socket_handle->set_socket(transport_socket);
return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config,
- ssl_host_info,
+ ssl_host_info, cert_verifier,
NULL /* DnsCertProvenanceChecker */);
}
diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h
index 0ab370a9..2a0cd7c 100644
--- a/net/socket/client_socket_factory.h
+++ b/net/socket/client_socket_factory.h
@@ -14,6 +14,7 @@
namespace net {
class AddressList;
+class CertVerifier;
class ClientSocket;
class ClientSocketHandle;
class DnsCertProvenanceChecker;
@@ -28,6 +29,7 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker);
// An interface used to instantiate ClientSocket objects. Used to facilitate
@@ -48,6 +50,7 @@ class ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) = 0;
// Deprecated function (http://crbug.com/37810) that takes a ClientSocket.
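Review bot: The new `cert_verifier` parameter is a raw pointer with no stated ownership, yet the sockets in this commit keep it as `CertVerifier* const cert_verifier_` and use it later in DoVerifyCert, so the declaration should say who owns it. A comment such as `// |cert_verifier| is not owned; it must outlive the returned socket.` above CreateSSLClientSocket would make the contract explicit, assuming that is the intent. The same wording fits the SSLClientSocketFactory typedef and the deprecated overload in the neighbouring hunks. The existing comment block for this method sits outside the hunk, so it may already describe ownership of the other pointers.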
@@ -55,7 +58,8 @@ class ClientSocketFactory {
ClientSocket* transport_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
- SSLHostInfo* ssl_host_info);
+ SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier);
// Returns the default ClientSocketFactory.
static ClientSocketFactory* GetDefaultFactory();
diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc
index 843b6be..7c0e2e1 100644
--- a/net/socket/client_socket_pool_base_unittest.cc
+++ b/net/socket/client_socket_pool_base_unittest.cc
@@ -110,6 +110,7 @@ class MockClientSocketFactory : public ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
NOTIMPLEMENTED();
delete ssl_host_info;
diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc
index 6c73c36..8516fbc 100644
--- a/net/socket/client_socket_pool_manager.cc
+++ b/net/socket/client_socket_pool_manager.cc
@@ -55,6 +55,7 @@ ClientSocketPoolManager::ClientSocketPoolManager(
NetLog* net_log,
ClientSocketFactory* socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -63,6 +64,7 @@ ClientSocketPoolManager::ClientSocketPoolManager(
: net_log_(net_log),
socket_factory_(socket_factory),
host_resolver_(host_resolver),
+ cert_verifier_(cert_verifier),
dnsrr_resolver_(dnsrr_resolver),
dns_cert_checker_(dns_cert_checker),
ssl_host_info_factory_(ssl_host_info_factory),
@@ -80,6 +82,7 @@ ClientSocketPoolManager::ClientSocketPoolManager(
g_max_sockets, g_max_sockets_per_group,
&ssl_pool_histograms_,
host_resolver,
+ cert_verifier,
dnsrr_resolver,
dns_cert_checker,
ssl_host_info_factory,
@@ -230,6 +233,7 @@ HttpProxyClientSocketPool* ClientSocketPoolManager::GetSocketPoolForHTTPProxy(
g_max_sockets_per_proxy_server, g_max_sockets_per_group,
&ssl_for_https_proxy_pool_histograms_,
host_resolver_,
+ cert_verifier_,
dnsrr_resolver_,
dns_cert_checker_,
ssl_host_info_factory_,
@@ -266,6 +270,7 @@ SSLClientSocketPool* ClientSocketPoolManager::GetSocketPoolForSSLWithProxy(
g_max_sockets_per_proxy_server, g_max_sockets_per_group,
&ssl_pool_histograms_,
host_resolver_,
+ cert_verifier_,
dnsrr_resolver_,
dns_cert_checker_,
ssl_host_info_factory_,
diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h
index 823213e..cfcb465 100644
--- a/net/socket/client_socket_pool_manager.h
+++ b/net/socket/client_socket_pool_manager.h
@@ -6,8 +6,8 @@
// simple container for all of them. Most importantly, it handles the lifetime
// and destruction order properly.
-#ifndef NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_
-#define NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_
+#ifndef NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_H_
+#define NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_H_
#pragma once
#include <map>
@@ -23,6 +23,7 @@ class Value;
namespace net {
+class CertVerifier;
class ClientSocketFactory;
class ClientSocketPoolHistograms;
class DnsCertProvenanceChecker;
@@ -54,13 +55,14 @@ class OwnedPoolMap : public std::map<Key, Value> {
}
};
-} // internal
+} // namespace internal
class ClientSocketPoolManager : public NonThreadSafe {
public:
ClientSocketPoolManager(NetLog* net_log,
ClientSocketFactory* socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -106,6 +108,7 @@ class ClientSocketPoolManager : public NonThreadSafe {
NetLog* const net_log_;
ClientSocketFactory* const socket_factory_;
HostResolver* const host_resolver_;
+ CertVerifier* const cert_verifier_;
DnsRRResolver* const dnsrr_resolver_;
DnsCertProvenanceChecker* const dns_cert_checker_;
SSLHostInfoFactory* const ssl_host_info_factory_;
@@ -146,4 +149,4 @@ class ClientSocketPoolManager : public NonThreadSafe {
} // namespace net
-#endif // NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_
+#endif // NET_SOCKET_CLIENT_SOCKET_POOL_MANAGER_H_
diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc
index b2e738a..d88399d 100644
--- a/net/socket/socket_test_util.cc
+++ b/net/socket/socket_test_util.cc
@@ -402,7 +402,7 @@ int DeterministicMockTCPClientSocket::Read(
return CompleteRead();
}
-void DeterministicMockTCPClientSocket::CompleteWrite(){
+void DeterministicMockTCPClientSocket::CompleteWrite() {
was_used_to_convey_data_ = true;
write_pending_ = false;
write_callback_->Run(write_result_);
@@ -1016,6 +1016,7 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
MockSSLClientSocket* socket =
new MockSSLClientSocket(transport_socket, host_and_port, ssl_config,
@@ -1066,6 +1067,7 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
MockSSLClientSocket* socket =
new MockSSLClientSocket(transport_socket, host_and_port, ssl_config,
diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h
index 0a01df3..73dd07c 100644
--- a/net/socket/socket_test_util.h
+++ b/net/socket/socket_test_util.h
@@ -537,6 +537,7 @@ class MockClientSocketFactory : public ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker);
SocketDataProviderArray<SocketDataProvider>& mock_data() {
return mock_data_;
@@ -882,6 +883,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker);
SocketDataProviderArray<DeterministicSocketData>& mock_data() {
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 488beeb..352b3b1 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -520,7 +520,8 @@ EnabledCipherSuites::EnabledCipherSuites() {
SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config)
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier)
: handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete),
transport_read_callback_(this,
&SSLClientSocketMac::OnTransportReadComplete),
@@ -535,6 +536,7 @@ SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket,
user_read_buf_len_(0),
user_write_buf_len_(0),
next_handshake_state_(STATE_NONE),
+ cert_verifier_(cert_verifier),
renegotiating_(false),
client_cert_requested_(false),
ssl_context_(NULL),
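Review bot: `cert_verifier_(cert_verifier)` stores the pointer unchecked, and DoVerifyCert later hands it to `new SingleRequestCertVerifier(cert_verifier_)`; what that class does with a null verifier is not visible in this diff. ssl_client_socket_pool_unittest.cc in this same commit passes `NULL /* cert_verifier */` into a pool, so a null can enter the plumbing, and a handshake should fail loudly instead of reaching verification without a verifier. Adding `DCHECK(cert_verifier_);` in the constructor body (outside this hunk) would catch it early. The SSLClientSocketNSS and SSLClientSocketOpenSSL constructors take the same pointer and would want the same check.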
@@ -1066,7 +1068,7 @@ int SSLClientSocketMac::DoVerifyCert() {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
- verifier_.reset(new CertVerifier);
+ verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
&server_cert_verify_result_,
&handshake_io_callback_);
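Review bot: Verification now goes through a shared `cert_verifier_` that, per the commit title, caches results, but the `flags` built just above (`VERIFY_REV_CHECKING_ENABLED`, `VERIFY_EV_CERT`) and the hostname vary per connection, so a cached result is only safe to reuse if the cache key covers certificate, hostname and flags. The cache itself lives outside net/socket and is not shown here, so this needs confirming there. On this side, a comment like `// May return a cached result; the cache must be keyed on cert, hostname and flags.` above the Verify call would record the dependency. The same applies to the DoVerifyCert hunks in ssl_client_socket_nss.cc and ssl_client_socket_openssl.cc. DoVerifyCert begins before this hunk.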
diff --git a/net/socket/ssl_client_socket_mac.h b/net/socket/ssl_client_socket_mac.h
index e84bee4..a94b2bd 100644
--- a/net/socket/ssl_client_socket_mac.h
+++ b/net/socket/ssl_client_socket_mac.h
@@ -23,6 +23,7 @@ namespace net {
class CertVerifier;
class ClientSocketHandle;
+class SingleRequestCertVerifier;
// An SSL client socket implemented with Secure Transport.
class SSLClientSocketMac : public SSLClientSocket {
@@ -35,7 +36,8 @@ class SSLClientSocketMac : public SSLClientSocket {
// the SSL settings.
SSLClientSocketMac(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config);
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier);
~SSLClientSocketMac();
// SSLClientSocket methods:
@@ -137,7 +139,8 @@ class SSLClientSocketMac : public SSLClientSocket {
State next_handshake_state_;
scoped_refptr<X509Certificate> server_cert_;
- scoped_ptr<CertVerifier> verifier_;
+ CertVerifier* const cert_verifier_;
+ scoped_ptr<SingleRequestCertVerifier> verifier_;
CertVerifyResult server_cert_verify_result_;
// The initial handshake has already completed, and the current handshake
diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc
index bf732e6..211e2a4 100644
--- a/net/socket/ssl_client_socket_mac_factory.cc
+++ b/net/socket/ssl_client_socket_mac_factory.cc
@@ -14,9 +14,11 @@ SSLClientSocket* SSLClientSocketMacFactory(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
delete ssl_host_info;
- return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config);
+ return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config,
+ cert_verifier);
}
} // namespace net
diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h
index 5539136..ebda9c3 100644
--- a/net/socket/ssl_client_socket_mac_factory.h
+++ b/net/socket/ssl_client_socket_mac_factory.h
@@ -19,6 +19,7 @@ SSLClientSocket* SSLClientSocketMacFactory(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker);
} // namespace net
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index bbfe12f..05cad27 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -408,6 +408,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_ctx)
: ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
this, &SSLClientSocketNSS::BufferSendComplete)),
@@ -430,6 +431,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
server_cert_verify_result_(NULL),
ssl_connection_status_(0),
client_auth_cert_needed_(false),
+ cert_verifier_(cert_verifier),
handshake_callback_called_(false),
completed_handshake_(false),
pseudo_connected_(false),
@@ -2464,7 +2466,7 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
- verifier_.reset(new CertVerifier);
+ verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
server_cert_verify_result_ = &local_server_cert_verify_result_;
return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
&local_server_cert_verify_result_,
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h
index 8798361..bca4166 100644
--- a/net/socket/ssl_client_socket_nss.h
+++ b/net/socket/ssl_client_socket_nss.h
@@ -32,6 +32,7 @@ class BoundNetLog;
class CertVerifier;
class ClientSocketHandle;
class DnsCertProvenanceChecker;
+class SingleRequestCertVerifier;
class SSLHostInfo;
class X509Certificate;
@@ -48,6 +49,7 @@ class SSLClientSocketNSS : public SSLClientSocket {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dnsrr_resolver);
~SSLClientSocketNSS();
@@ -193,7 +195,8 @@ class SSLClientSocketNSS : public SSLClientSocket {
std::vector<scoped_refptr<X509Certificate> > client_certs_;
bool client_auth_cert_needed_;
- scoped_ptr<CertVerifier> verifier_;
+ CertVerifier* const cert_verifier_;
+ scoped_ptr<SingleRequestCertVerifier> verifier_;
// True if NSS has called HandshakeCallback.
bool handshake_callback_called_;
diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc
index e4c01f0..435ddff 100644
--- a/net/socket/ssl_client_socket_nss_factory.cc
+++ b/net/socket/ssl_client_socket_nss_factory.cc
@@ -19,10 +19,11 @@ SSLClientSocket* SSLClientSocketNSSFactory(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
scoped_ptr<SSLHostInfo> shi(ssl_host_info);
return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config,
- shi.release(), dns_cert_checker);
+ shi.release(), cert_verifier, dns_cert_checker);
}
} // namespace net
diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h
index 15b05b2..ed5e588 100644
--- a/net/socket/ssl_client_socket_nss_factory.h
+++ b/net/socket/ssl_client_socket_nss_factory.h
@@ -19,6 +19,7 @@ SSLClientSocket* SSLClientSocketNSSFactory(
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker);
} // namespace net
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index ab4ba6c..e485c8a 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -380,7 +380,8 @@ struct SslSetClearMask {
SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config)
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier)
: ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
this, &SSLClientSocketOpenSSL::BufferSendComplete)),
ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
@@ -392,6 +393,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
user_write_callback_(NULL),
completed_handshake_(false),
client_auth_cert_needed_(false),
+ cert_verifier_(cert_verifier),
ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
this, &SSLClientSocketOpenSSL::OnHandshakeIOComplete)),
ssl_(NULL),
@@ -813,7 +815,7 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
- verifier_.reset(new CertVerifier);
+ verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
&server_cert_verify_result_,
&handshake_io_callback_);
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 62cc4d4..d59b507 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -24,6 +24,7 @@ typedef struct x509_st X509;
namespace net {
class CertVerifier;
+class SingleRequestCertVerifier;
class SSLCertRequestInfo;
class SSLConfig;
class SSLInfo;
@@ -37,7 +38,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
// settings.
SSLClientSocketOpenSSL(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config);
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier);
~SSLClientSocketOpenSSL();
const HostPortPair& host_and_port() const { return host_and_port_; }
@@ -131,7 +133,8 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
std::vector<scoped_refptr<X509Certificate> > client_certs_;
bool client_auth_cert_needed_;
- scoped_ptr<CertVerifier> verifier_;
+ CertVerifier* const cert_verifier_;
+ scoped_ptr<SingleRequestCertVerifier> verifier_;
CompletionCallbackImpl<SSLClientSocketOpenSSL> handshake_io_callback_;
// OpenSSL stuff
diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc
index 7124efa..deaf4f3 100644
--- a/net/socket/ssl_client_socket_pool.cc
+++ b/net/socket/ssl_client_socket_pool.cc
@@ -77,6 +77,7 @@ SSLConnectJob::SSLConnectJob(
HttpProxyClientSocketPool* http_proxy_pool,
ClientSocketFactory* client_socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -89,7 +90,8 @@ SSLConnectJob::SSLConnectJob(
socks_pool_(socks_pool),
http_proxy_pool_(http_proxy_pool),
client_socket_factory_(client_socket_factory),
- resolver_(host_resolver),
+ host_resolver_(host_resolver),
+ cert_verifier_(cert_verifier),
dnsrr_resolver_(dnsrr_resolver),
dns_cert_checker_(dns_cert_checker),
ssl_host_info_factory_(ssl_host_info_factory),
@@ -289,7 +291,8 @@ int SSLConnectJob::DoSSLConnect() {
ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket(
transport_socket_handle_.release(), params_->host_and_port(),
- params_->ssl_config(), ssl_host_info_.release(), dns_cert_checker_));
+ params_->ssl_config(), ssl_host_info_.release(), cert_verifier_,
+ dns_cert_checker_));
return ssl_socket_->Connect(&callback_);
}
@@ -360,7 +363,7 @@ ConnectJob* SSLClientSocketPool::SSLConnectJobFactory::NewConnectJob(
return new SSLConnectJob(group_name, request.params(), ConnectionTimeout(),
tcp_pool_, socks_pool_, http_proxy_pool_,
client_socket_factory_, host_resolver_,
- dnsrr_resolver_, dns_cert_checker_,
+ cert_verifier_, dnsrr_resolver_, dns_cert_checker_,
ssl_host_info_factory_, delegate, net_log_);
}
@@ -370,6 +373,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory(
HttpProxyClientSocketPool* http_proxy_pool,
ClientSocketFactory* client_socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -379,6 +383,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory(
http_proxy_pool_(http_proxy_pool),
client_socket_factory_(client_socket_factory),
host_resolver_(host_resolver),
+ cert_verifier_(cert_verifier),
dnsrr_resolver_(dnsrr_resolver),
dns_cert_checker_(dns_cert_checker),
ssl_host_info_factory_(ssl_host_info_factory),
@@ -406,6 +411,7 @@ SSLClientSocketPool::SSLClientSocketPool(
int max_sockets_per_group,
ClientSocketPoolHistograms* histograms,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -424,8 +430,8 @@ SSLClientSocketPool::SSLClientSocketPool(
base::TimeDelta::FromSeconds(kUsedIdleSocketTimeout),
new SSLConnectJobFactory(tcp_pool, socks_pool, http_proxy_pool,
client_socket_factory, host_resolver,
- dnsrr_resolver, dns_cert_checker,
- ssl_host_info_factory,
+ cert_verifier, dnsrr_resolver,
+ dns_cert_checker, ssl_host_info_factory,
net_log)),
ssl_config_service_(ssl_config_service) {
if (ssl_config_service_)
diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h
index 136516f..468d3ed1 100644
--- a/net/socket/ssl_client_socket_pool.h
+++ b/net/socket/ssl_client_socket_pool.h
@@ -22,6 +22,7 @@
namespace net {
+class CertVerifier;
class ClientSocketFactory;
class ConnectJobFactory;
class DnsCertProvenanceChecker;
@@ -95,6 +96,7 @@ class SSLConnectJob : public ConnectJob {
HttpProxyClientSocketPool* http_proxy_pool,
ClientSocketFactory* client_socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -144,7 +146,8 @@ class SSLConnectJob : public ConnectJob {
SOCKSClientSocketPool* const socks_pool_;
HttpProxyClientSocketPool* const http_proxy_pool_;
ClientSocketFactory* const client_socket_factory_;
- HostResolver* const resolver_;
+ HostResolver* const host_resolver_;
+ CertVerifier* const cert_verifier_;
DnsRRResolver* const dnsrr_resolver_;
DnsCertProvenanceChecker* dns_cert_checker_;
SSLHostInfoFactory* const ssl_host_info_factory_;
@@ -173,6 +176,7 @@ class SSLClientSocketPool : public ClientSocketPool,
int max_sockets_per_group,
ClientSocketPoolHistograms* histograms,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -241,6 +245,7 @@ class SSLClientSocketPool : public ClientSocketPool,
HttpProxyClientSocketPool* http_proxy_pool,
ClientSocketFactory* client_socket_factory,
HostResolver* host_resolver,
+ CertVerifier* cert_verifier,
DnsRRResolver* dnsrr_resolver,
DnsCertProvenanceChecker* dns_cert_checker,
SSLHostInfoFactory* ssl_host_info_factory,
@@ -262,6 +267,7 @@ class SSLClientSocketPool : public ClientSocketPool,
HttpProxyClientSocketPool* const http_proxy_pool_;
ClientSocketFactory* const client_socket_factory_;
HostResolver* const host_resolver_;
+ CertVerifier* const cert_verifier_;
DnsRRResolver* const dnsrr_resolver_;
DnsCertProvenanceChecker* const dns_cert_checker_;
SSLHostInfoFactory* const ssl_host_info_factory_;
diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc
index 247638b..37e21ca 100644
--- a/net/socket/ssl_client_socket_pool_unittest.cc
+++ b/net/socket/ssl_client_socket_pool_unittest.cc
@@ -10,6 +10,7 @@
#include "base/time.h"
#include "base/utf_string_conversions.h"
#include "net/base/auth.h"
+#include "net/base/cert_verifier.h"
#include "net/base/mock_host_resolver.h"
#include "net/base/net_errors.h"
#include "net/base/test_completion_callback.h"
@@ -36,9 +37,11 @@ class SSLClientSocketPoolTest : public testing::Test {
protected:
SSLClientSocketPoolTest()
: host_resolver_(new MockHostResolver),
+ cert_verifier_(new CertVerifier),
http_auth_handler_factory_(HttpAuthHandlerFactory::CreateDefault(
host_resolver_.get())),
session_(new HttpNetworkSession(host_resolver_.get(),
+ cert_verifier_.get(),
NULL /* dnsrr_resolver */,
NULL /* dns_cert_checker */,
NULL /* ssl_host_info_factory */,
@@ -96,7 +99,8 @@ class SSLClientSocketPoolTest : public testing::Test {
kMaxSockets,
kMaxSocketsPerGroup,
ssl_histograms_.get(),
- NULL,
+ NULL /* host_resolver */,
+ NULL /* cert_verifier */,
NULL /* dnsrr_resolver */,
NULL /* dns_cert_checker */,
NULL /* ssl_host_info_factory */,
@@ -131,6 +135,7 @@ class SSLClientSocketPoolTest : public testing::Test {
MockClientSocketFactory socket_factory_;
scoped_ptr<HostResolver> host_resolver_;
+ scoped_ptr<CertVerifier> cert_verifier_;
scoped_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
scoped_refptr<HttpNetworkSession> session_;
diff --git a/net/socket/ssl_client_socket_snapstart_unittest.cc b/net/socket/ssl_client_socket_snapstart_unittest.cc
index ecb9789..d782993 100644
--- a/net/socket/ssl_client_socket_snapstart_unittest.cc
+++ b/net/socket/ssl_client_socket_snapstart_unittest.cc
@@ -41,8 +41,8 @@ namespace net {
// pretends that certificate verification always succeeds.
class TestSSLHostInfo : public SSLHostInfo {
public:
- TestSSLHostInfo()
- : SSLHostInfo("example.com", kDefaultSSLConfig) {
+ explicit TestSSLHostInfo(CertVerifier* cert_verifier)
+ : SSLHostInfo("example.com", kDefaultSSLConfig, cert_verifier) {
if (!saved_.empty())
Parse(saved_);
cert_verification_complete_ = true;
@@ -194,7 +194,7 @@ class SSLClientSocketSnapStartTest : public PlatformTest {
scoped_ptr<SSLClientSocket> sock(
socket_factory_->CreateSSLClientSocket(
transport, HostPortPair("example.com", 443), ssl_config_,
- new TestSSLHostInfo()));
+ new TestSSLHostInfo(&cert_verifier_), &cert_verifier_));
TestCompletionCallback callback;
int rv = sock->Connect(&callback);
@@ -265,6 +265,7 @@ class SSLClientSocketSnapStartTest : public PlatformTest {
}
base::ProcessHandle child_;
+ CertVerifier cert_verifier_;
ClientSocketFactory* const socket_factory_;
struct sockaddr_in remote_;
int client_;
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 0410a06..9ba5cbf 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -5,6 +5,7 @@
#include "net/socket/ssl_client_socket.h"
#include "net/base/address_list.h"
+#include "net/base/cert_verifier.h"
#include "net/base/host_resolver.h"
#include "net/base/io_buffer.h"
#include "net/base/net_log.h"
@@ -26,11 +27,24 @@ const net::SSLConfig kDefaultSSLConfig;
class SSLClientSocketTest : public PlatformTest {
public:
SSLClientSocketTest()
- : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()) {
+ : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()),
+ cert_verifier_(new net::CertVerifier) {
}
protected:
+ net::SSLClientSocket* CreateSSLClientSocket(
+ net::ClientSocket* transport_socket,
+ const net::HostPortPair& host_and_port,
+ const net::SSLConfig& ssl_config) {
+ return socket_factory_->CreateSSLClientSocket(transport_socket,
+ host_and_port,
+ ssl_config,
+ NULL,
+ cert_verifier_.get());
+ }
+
net::ClientSocketFactory* socket_factory_;
+ scoped_ptr<net::CertVerifier> cert_verifier_;
};
//-----------------------------------------------------------------------------
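Review bot: The fixture creates `cert_verifier_(new net::CertVerifier)` in its constructor, so every TEST_F starts with a fresh verifier and ConnectExpired and ConnectMismatched only ever see a cold cache; nothing here checks that a second handshake served from the cache still reports the certificate error. A test that connects twice to the expired-certificate server with the same `cert_verifier_` and expects the same error both times would cover the path this commit introduces (the commit message says TEST=none). Separately, the bare `NULL` in the helper could read `NULL /* ssl_host_info */,` to match the annotated NULLs used elsewhere in this commit.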
@@ -67,7 +81,8 @@ TEST_F(SSLClientSocketTest, Connect) {
scoped_ptr<net::SSLClientSocket> sock(
socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ transport, test_server.host_port_pair(), kDefaultSSLConfig,
+ NULL, cert_verifier_.get()));
EXPECT_FALSE(sock->IsConnected());
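Review bot: This call still spells out `NULL, cert_verifier_.get()` although the fixture now has a CreateSSLClientSocket helper that most other tests were switched to. Unless the direct factory call is intentional here, `CreateSSLClientSocket(transport, test_server.host_port_pair(), kDefaultSSLConfig)` would keep the tests uniform. Read_FullDuplex has the same leftover. The test body continues outside the hunk.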
@@ -107,8 +122,8 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
EXPECT_FALSE(sock->IsConnected());
@@ -150,8 +165,8 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
EXPECT_FALSE(sock->IsConnected());
@@ -196,8 +211,8 @@ TEST_F(SSLClientSocketTest, FLAKY_ConnectClientAuthCertRequested) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
EXPECT_FALSE(sock->IsConnected());
@@ -243,8 +258,8 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
ssl_config.client_cert = NULL;
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), ssl_config, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ ssl_config));
EXPECT_FALSE(sock->IsConnected());
@@ -289,8 +304,8 @@ TEST_F(SSLClientSocketTest, Read) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(&callback);
if (rv == net::ERR_IO_PENDING)
@@ -345,7 +360,8 @@ TEST_F(SSLClientSocketTest, Read_FullDuplex) {
scoped_ptr<net::SSLClientSocket> sock(
socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ transport, test_server.host_port_pair(), kDefaultSSLConfig,
+ NULL, cert_verifier_.get()));
rv = sock->Connect(&callback);
if (rv == net::ERR_IO_PENDING)
@@ -398,8 +414,8 @@ TEST_F(SSLClientSocketTest, Read_SmallChunks) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(&callback);
if (rv == net::ERR_IO_PENDING)
@@ -448,8 +464,8 @@ TEST_F(SSLClientSocketTest, Read_Interrupted) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(&callback);
if (rv == net::ERR_IO_PENDING)
@@ -518,8 +534,8 @@ TEST_F(SSLClientSocketTest, PrematureApplicationData) {
EXPECT_EQ(net::OK, rv);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ kDefaultSSLConfig));
rv = sock->Connect(&callback);
EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv);
@@ -560,8 +576,8 @@ TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
ssl_config.disabled_cipher_suites.push_back(kCiphersToDisable[i]);
scoped_ptr<net::SSLClientSocket> sock(
- socket_factory_->CreateSSLClientSocket(
- transport, test_server.host_port_pair(), ssl_config, NULL));
+ CreateSSLClientSocket(transport, test_server.host_port_pair(),
+ ssl_config));
EXPECT_FALSE(sock->IsConnected());
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 19c3814..ae4d4b5 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -376,7 +376,8 @@ static const int kRecvBufferSize = (5 + 16*1024 + 64);
SSLClientSocketWin::SSLClientSocketWin(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config)
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier)
: ALLOW_THIS_IN_INITIALIZER_LIST(
handshake_io_callback_(this,
&SSLClientSocketWin::OnHandshakeIOComplete)),
@@ -393,6 +394,7 @@ SSLClientSocketWin::SSLClientSocketWin(ClientSocketHandle* transport_socket,
user_write_callback_(NULL),
user_write_buf_len_(0),
next_state_(STATE_NONE),
+ cert_verifier_(cert_verifier),
creds_(NULL),
isc_status_(SEC_E_OK),
payload_send_buffer_len_(0),
@@ -1124,7 +1126,7 @@ int SSLClientSocketWin::DoVerifyCert() {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
- verifier_.reset(new CertVerifier);
+ verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
&server_cert_verify_result_,
&handshake_io_callback_);
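Review bot: `cert_verifier_` is handed to `SingleRequestCertVerifier` here without any check that the caller supplied a non-null verifier, and the constructor hunks above store the pointer unchecked. How `SingleRequestCertVerifier` behaves with a null verifier is not visible in this diff, so a `DCHECK(cert_verifier_);` before the `verifier_.reset(...)` line (or in the constructor body) would make the requirement explicit and fail early in debug builds. The same applies to `verifier_(cert_verifier)` in the `SSLHostInfo` constructor. The body of `DoVerifyCert` extends beyond this hunk.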
diff --git a/net/socket/ssl_client_socket_win.h b/net/socket/ssl_client_socket_win.h
index 61c67f0..2bb1853 100644
--- a/net/socket/ssl_client_socket_win.h
+++ b/net/socket/ssl_client_socket_win.h
@@ -28,6 +28,7 @@ class BoundNetLog;
class CertVerifier;
class ClientSocketHandle;
class HostPortPair;
+class SingleRequestCertVerifier;
// An SSL client socket implemented with the Windows Schannel.
class SSLClientSocketWin : public SSLClientSocket {
@@ -40,7 +41,8 @@ class SSLClientSocketWin : public SSLClientSocket {
// the SSL settings.
SSLClientSocketWin(ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
- const SSLConfig& ssl_config);
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier);
~SSLClientSocketWin();
// SSLClientSocket methods:
@@ -145,7 +147,8 @@ class SSLClientSocketWin : public SSLClientSocket {
SecPkgContext_StreamSizes stream_sizes_;
scoped_refptr<X509Certificate> server_cert_;
- scoped_ptr<CertVerifier> verifier_;
+ CertVerifier* const cert_verifier_;
+ scoped_ptr<SingleRequestCertVerifier> verifier_;
CertVerifyResult server_cert_verify_result_;
CredHandle* creds_;
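Review bot: The new `CertVerifier* const cert_verifier_;` member has no comment saying who owns it, even though it replaces a `scoped_ptr<CertVerifier>` that the socket owned. The socket keeps the raw pointer and uses it later in `DoVerifyCert`, so the verifier presumably has to stay alive at least as long as the socket. A short comment such as `// Not owned. Must outlive this socket.` on the member would record that, and the constructor comment in the hunk above could mention the new parameter too. This matters more now that one verifier (and, going by the commit title, its cached results) is shared by several sockets.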
diff --git a/net/socket/ssl_host_info.cc b/net/socket/ssl_host_info.cc
index 8c1b79f..527c2db 100644
--- a/net/socket/ssl_host_info.cc
+++ b/net/socket/ssl_host_info.cc
@@ -7,7 +7,6 @@
#include "base/metrics/histogram.h"
#include "base/pickle.h"
#include "base/string_piece.h"
-#include "net/base/cert_verifier.h"
#include "net/base/ssl_config_service.h"
#include "net/base/x509_certificate.h"
#include "net/socket/ssl_client_socket.h"
@@ -29,7 +28,8 @@ void SSLHostInfo::State::Clear() {
SSLHostInfo::SSLHostInfo(
const std::string& hostname,
- const SSLConfig& ssl_config)
+ const SSLConfig& ssl_config,
+ CertVerifier* cert_verifier)
: cert_verification_complete_(false),
cert_verification_error_(ERR_CERT_INVALID),
hostname_(hostname),
@@ -37,6 +37,7 @@ SSLHostInfo::SSLHostInfo(
cert_verification_callback_(NULL),
rev_checking_enabled_(ssl_config.rev_checking_enabled),
verify_ev_cert_(ssl_config.verify_ev_cert),
+ verifier_(cert_verifier),
callback_(new CancelableCompletionCallback<SSLHostInfo>(
ALLOW_THIS_IN_INITIALIZER_LIST(this),
&SSLHostInfo::VerifyCallback)) {
@@ -110,12 +111,11 @@ bool SSLHostInfo::ParseInner(const std::string& data) {
flags |= X509Certificate::VERIFY_EV_CERT;
if (rev_checking_enabled_)
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
- verifier_.reset(new CertVerifier);
VLOG(1) << "Kicking off verification for " << hostname_;
verification_start_time_ = base::TimeTicks::Now();
verification_end_time_ = base::TimeTicks();
- if (verifier_->Verify(cert_.get(), hostname_, flags,
- &cert_verify_result_, callback_) == OK) {
+ if (verifier_.Verify(cert_.get(), hostname_, flags,
+ &cert_verify_result_, callback_) == OK) {
VerifyCallback(OK);
}
} else {
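Review bot: With `verifier_.reset(new CertVerifier)` removed, every call to `ParseInner` reuses the single `verifier_` member, and nothing here says what happens if a verification started by an earlier call is still pending. The old code created a fresh verifier object each time. Whether `SingleRequestCertVerifier` accepts a second `Verify` before the first completes is not visible in this diff. If `ParseInner` can only run once per `SSLHostInfo`, a comment above the call such as `// Only one verification is ever started per SSLHostInfo.` would document that; otherwise an explicit guard belongs here. The body of `ParseInner` extends beyond this hunk.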
diff --git a/net/socket/ssl_host_info.h b/net/socket/ssl_host_info.h
index 782293e..8f1502b 100644
--- a/net/socket/ssl_host_info.h
+++ b/net/socket/ssl_host_info.h
@@ -11,13 +11,13 @@
#include "base/ref_counted.h"
#include "base/scoped_ptr.h"
#include "base/time.h"
+#include "net/base/cert_verifier.h"
#include "net/base/cert_verify_result.h"
#include "net/base/completion_callback.h"
#include "net/socket/ssl_client_socket.h"
namespace net {
-class CertVerifier;
class X509Certificate;
struct SSLConfig;
@@ -27,7 +27,9 @@ struct SSLConfig;
// certificates.
class SSLHostInfo {
public:
- SSLHostInfo(const std::string& hostname, const SSLConfig& ssl_config);
+ SSLHostInfo(const std::string& hostname,
+ const SSLConfig& ssl_config,
+ CertVerifier *certVerifier);
virtual ~SSLHostInfo();
// Start will commence the lookup. This must be called before any other
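Review bot: The new constructor parameter is declared as `CertVerifier *certVerifier`, which does not match the definition in ssl_host_info.cc (`CertVerifier* cert_verifier`) or the naming used for every other parameter in this change. Write it as `CertVerifier* cert_verifier);` so that the declaration and definition agree. Since the pointer is stored inside `verifier_` for later use, the declaration is also a good place for a one-line comment stating that the verifier is not owned and must outlive the `SSLHostInfo`, if that is the intended contract.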
@@ -127,7 +129,7 @@ class SSLHostInfo {
base::TimeTicks verification_start_time_;
base::TimeTicks verification_end_time_;
CertVerifyResult cert_verify_result_;
- scoped_ptr<CertVerifier> verifier_;
+ SingleRequestCertVerifier verifier_;
scoped_refptr<X509Certificate> cert_;
scoped_refptr<CancelableCompletionCallback<SSLHostInfo> > callback_;
};
diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc
index c44815c..454f5b8 100644
--- a/net/socket/tcp_client_socket_pool_unittest.cc
+++ b/net/socket/tcp_client_socket_pool_unittest.cc
@@ -149,7 +149,7 @@ class MockPendingClientSocket : public ClientSocket {
virtual bool IsConnectedAndIdle() const {
return is_connected_;
}
- virtual int GetPeerAddress(AddressList* address) const{
+ virtual int GetPeerAddress(AddressList* address) const {
return ERR_UNEXPECTED;
}
virtual const BoundNetLog& NetLog() const {
@@ -251,6 +251,7 @@ class MockClientSocketFactory : public ClientSocketFactory {
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
SSLHostInfo* ssl_host_info,
+ CertVerifier* cert_verifier,
DnsCertProvenanceChecker* dns_cert_checker) {
NOTIMPLEMENTED();
delete ssl_host_info;