summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-07-02 18:07:13 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-07-02 18:07:13 +0000
commit3367c52a9ce0da75fa487f386b17df74b5fa44ed (patch)
treee93ec2298621a34d84f6c2d14c63dce8f27311c3 /net
parent2fb3e36cba45f937baadec58dca6e3dfb3a92519 (diff)
downloadchromium_src-3367c52a9ce0da75fa487f386b17df74b5fa44ed.zip
chromium_src-3367c52a9ce0da75fa487f386b17df74b5fa44ed.tar.gz
chromium_src-3367c52a9ce0da75fa487f386b17df74b5fa44ed.tar.bz2
net: Change how we detect OCSP vs CRL requests from NSS.
(Addresses wtc's comments in http://codereview.chromium.org/2834030/show) http://codereview.chromium.org/2827042/show git-svn-id: svn://svn.chromium.org/chrome/trunk/src@51543 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/ocsp/nss_ocsp.cc82
1 files changed, 58 insertions, 24 deletions
diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc
index 6f8f1c3..c020a71 100644
--- a/net/ocsp/nss_ocsp.cc
+++ b/net/ocsp/nss_ocsp.cc
@@ -599,7 +599,11 @@ SECStatus OCSPTrySendAndReceive(SEC_HTTP_REQUEST_SESSION request,
const char** http_response_headers,
const char** http_response_data,
PRUint32* http_response_data_len) {
- base::Time start_time, end_time;
+ if (http_response_data_len) {
+ // We must always set an output value, even on failure. The output value 0
+ // means the failure was unrelated to the acceptable response data length.
+ *http_response_data_len = 0;
+ }
LOG(INFO) << "OCSP try send and receive";
DCHECK(!MessageLoop::current());
@@ -612,24 +616,63 @@ SECStatus OCSPTrySendAndReceive(SEC_HTTP_REQUEST_SESSION request,
// We support blocking mode only, so this function shouldn't be called
// again when req has stareted or finished.
NOTREACHED();
- goto failed;
+ PORT_SetError(SEC_ERROR_BAD_HTTP_RESPONSE); // Simple approximation.
+ return SECFailure;
}
- start_time = base::Time::Now();
+ const base::Time start_time = base::Time::Now();
req->Start();
- if (!req->Wait())
- goto failed;
- end_time = base::Time::Now();
-
- if (req->http_request_method() == "POST") {
- UMA_HISTOGRAM_TIMES("Net.OCSPRequestTimeMs", end_time - start_time);
- } else if (req->http_request_method() == "GET") {
- UMA_HISTOGRAM_TIMES("Net.CRLRequestTimeMs", end_time - start_time);
+ if (!req->Wait() || req->http_response_code() == static_cast<PRUint16>(-1)) {
+ // If the response code is -1, the request failed and there is no response.
+ PORT_SetError(SEC_ERROR_BAD_HTTP_RESPONSE); // Simple approximation.
+ return SECFailure;
+ }
+ const base::TimeDelta duration = base::Time::Now() - start_time;
+
+ // We want to know if this was:
+ // 1) An OCSP request
+ // 2) A CRL request
+ // 3) A request for a missing intermediate certificate
+ // There's no sure way to do this, so we use heuristics like MIME type and
+ // URL.
+ const char* mime_type = req->http_response_content_type().c_str();
+ bool is_ocsp_resp =
+ strcasecmp(mime_type, "application/ocsp-response") == 0;
+ bool is_crl_resp = strcasecmp(mime_type, "application/x-pkcs7-crl") == 0 ||
+ strcasecmp(mime_type, "application/x-x509-crl") == 0 ||
+ strcasecmp(mime_type, "application/pkix-crl") == 0;
+ bool is_crt_resp =
+ strcasecmp(mime_type, "application/x-x509-ca-cert") == 0 ||
+ strcasecmp(mime_type, "application/x-x509-server-cert") == 0 ||
+ strcasecmp(mime_type, "application/pkix-cert") == 0 ||
+ strcasecmp(mime_type, "application/pkcs7-mime") == 0;
+ bool known_resp_type = is_crt_resp || is_crt_resp || is_ocsp_resp;
+
+ bool crl_in_url = false, crt_in_url = false, ocsp_in_url = false,
+ have_url_hint = false;
+ if (!known_resp_type) {
+ const char* path = req->url().path().c_str();
+ const char* host = req->url().host().c_str();
+ crl_in_url = strcasestr(path, ".crl") != NULL;
+ crt_in_url = strcasestr(path, ".crt") != NULL ||
+ strcasestr(path, ".p7c") != NULL ||
+ strcasestr(path, ".cer") != NULL;
+ ocsp_in_url = strcasestr(host, "ocsp") != NULL;
+ have_url_hint = crl_in_url || crt_in_url || ocsp_in_url;
+ }
+
+ if (is_ocsp_resp ||
+ (!known_resp_type && (ocsp_in_url ||
+ (!have_url_hint &&
+ req->http_request_method() == "POST")))) {
+ UMA_HISTOGRAM_TIMES("Net.OCSPRequestTimeMs", duration);
+ } else if (is_crl_resp || (!known_resp_type && crl_in_url)) {
+ UMA_HISTOGRAM_TIMES("Net.CRLRequestTimeMs", duration);
+ } else if (is_crt_resp || (!known_resp_type && crt_in_url)) {
+ UMA_HISTOGRAM_TIMES("Net.CRTRequestTimeMs", duration);
+ } else {
+ UMA_HISTOGRAM_TIMES("Net.UnknownTypeRequestTimeMs", duration);
}
-
- // If the response code is -1, the request failed and there is no response.
- if (req->http_response_code() == static_cast<PRUint16>(-1))
- goto failed;
return OCSPSetResponse(
req, http_response_code,
@@ -637,15 +680,6 @@ SECStatus OCSPTrySendAndReceive(SEC_HTTP_REQUEST_SESSION request,
http_response_headers,
http_response_data,
http_response_data_len);
-
- failed:
- if (http_response_data_len) {
- // We must always set an output value, even on failure. The output value 0
- // means the failure was unrelated to the acceptable response data length.
- *http_response_data_len = 0;
- }
- PORT_SetError(SEC_ERROR_BAD_HTTP_RESPONSE); // Simple approximation.
- return SECFailure;
}
SECStatus OCSPFree(SEC_HTTP_REQUEST_SESSION request) {