authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-15 22:44:30 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-03-15 22:44:30 +0000
commit526b3f20f632e243bc8145cb2f152d50841f9dc3 (patch)
treedd5a8957e1f417389b7e8776f1373118db03554b /net
parentf64da26e69609ca3a4a9250847d9b1c731171c6d (diff)
Add an SSLConfig option to explicit disable NSSHttpIO.
This appears to be the least-bad solution to the problem that remoting can't run SSL sockets on an IO MessageLoop. See linked bug for details. BUG=118247 TEST=remoting_unittests Review URL: http://codereview.chromium.org/9702075 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@127015 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/base/ssl_config_service.cc3
-rw-r--r--net/base/ssl_config_service.h7
-rw-r--r--net/base/x509_certificate.h1
-rw-r--r--net/base/x509_certificate_nss.cc22
-rw-r--r--net/socket/ssl_client_socket_mac.cc2
-rw-r--r--net/socket/ssl_client_socket_nss.cc12
-rw-r--r--net/socket/ssl_client_socket_openssl.cc2
-rw-r--r--net/socket/ssl_client_socket_win.cc2
8 files changed, 39 insertions, 12 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 9644041..c46b73b 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -26,7 +26,8 @@ SSLConfig::SSLConfig()
false_start_enabled(true),
send_client_cert(false),
verify_ev_cert(false),
- ssl3_fallback(false) {
+ ssl3_fallback(false),
+ cert_io_enabled(true) {
}
SSLConfig::~SSLConfig() {
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index a6e3a3b..0c5abc1 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -99,6 +99,13 @@ struct NET_EXPORT SSLConfig {
bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still
// needs to clear tls1_enabled).
+ // If cert_io_enabled is false, then certificate verification will not
+ // result in additional HTTP requests. (For example: to fetch missing
+ // intermediates or to perform OCSP/CRL fetches.) It also implies that online
+ // revocation checking is disabled.
+ // NOTE: currently only effective on Linux
+ bool cert_io_enabled;
+
// The list of application level protocols supported. If set, this will
// enable Next Protocol Negotiation (if supported). The order of the
// protocols doesn't matter expect for one case: if the server supports Next
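Review bot: The NOTE on the new cert_io_enabled field ("currently only effective on Linux") names a platform, but what this change actually shows is a backend boundary: only x509_certificate_nss.cc consults VERIFY_CERT_IO_ENABLED, while the Mac, Windows and OpenSSL sockets set the flag and their verifiers, untouched here, presumably ignore it. Suggest `// NOTE: currently only honoured by the NSS-based certificate verifier; other backends accept the flag but ignore it.` so a reader does not assume a Mac or Windows build gets the same guarantee. It is also worth stating the fail-closed consequence the NSS change introduces, since callers of this option will see it as a new verification error: `// A chain that is only completable by fetching a missing intermediate (AIA) will then fail to verify instead.`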
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 2b89c55..95dde89 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -93,6 +93,7 @@ class NET_EXPORT X509Certificate
enum VerifyFlags {
VERIFY_REV_CHECKING_ENABLED = 1 << 0,
VERIFY_EV_CERT = 1 << 1,
+ VERIFY_CERT_IO_ENABLED = 1 << 2,
};
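Review bot: VERIFY_CERT_IO_ENABLED is added without a comment, so the only place its meaning is written down is the SSLConfig field that feeds it, two headers away. A one-line pointer keeps the two in sync for readers of the verifier: `VERIFY_CERT_IO_ENABLED = 1 << 2,  // Allow network fetches (AIA/OCSP/CRL); see SSLConfig::cert_io_enabled.` The surrounding enum continues outside the hunk.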
enum Format {
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 835f9ee..1bf456ed5 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -396,7 +396,8 @@ void ParseDate(SECItem* der_date, base::Time* result) {
// Forward declarations.
SECStatus RetryPKIXVerifyCertWithWorkarounds(
X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
- std::vector<CERTValInParam>* cvin, CERTValOutParam* cvout);
+ bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
+ CERTValOutParam* cvout);
SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
// Call CERT_PKIXVerifyCert for the cert_handle.
@@ -406,6 +407,7 @@ SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
// Caller must initialize cvout before calling this function.
SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
bool check_revocation,
+ bool cert_io_enabled,
const SECOidTag* policy_oids,
int num_policy_oids,
CERTValOutParam* cvout) {
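Review bot: PKIXVerifyCert gains a cert_io_enabled parameter next to check_revocation, but the header comment above the signature still only documents cvout, and nothing visible here says how the two booleans interact when check_revocation is true and cert_io_enabled is false. The only use of cert_io_enabled shown in this commit is the AIA-retry gate in RetryPKIXVerifyCertWithWorkarounds; whether check_revocation alone can still trigger OCSP/CRL fetches inside this function's body (which lies between the hunks) cannot be confirmed from here. Suggest documenting the contract the caller must uphold, e.g. `// |cert_io_enabled| permits network fetches during verification (AIA, and any` / `// online revocation checks); callers must not pass check_revocation=true with` / `// cert_io_enabled=false unless the body is known to honour the latter.` The function body continues outside the hunk.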
@@ -517,7 +519,7 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
&cvin[0], cvout, NULL);
if (rv != SECSuccess) {
rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
- &cvin, cvout);
+ cert_io_enabled, &cvin, cvout);
}
return rv;
}
@@ -527,7 +529,8 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
// arguments or local variables of PKIXVerifyCert.
SECStatus RetryPKIXVerifyCertWithWorkarounds(
X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
- std::vector<CERTValInParam>* cvin, CERTValOutParam* cvout) {
+ bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
+ CERTValOutParam* cvout) {
// We call this function when the first CERT_PKIXVerifyCert call in
// PKIXVerifyCert failed, so we initialize |rv| to SECFailure.
SECStatus rv = SECFailure;
@@ -543,8 +546,9 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
// missing intermediate CA certificate, and fail with the
// SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
// cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
- if (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
- nss_error == SEC_ERROR_BAD_SIGNATURE) {
+ if (cert_io_enabled &&
+ (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
+ nss_error == SEC_ERROR_BAD_SIGNATURE)) {
DCHECK_EQ(cvin->back().type, cert_pi_end);
cvin->pop_back();
in_param.type = cert_pi_useAIACertFetch;
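Review bot: The comment block above the new condition still reads as though the cert_pi_useAIACertFetch retry is unconditional ("so we also retry with cert_pi_useAIACertFetch"), while the code now skips it when cert_io_enabled is false, which turns SEC_ERROR_UNKNOWN_ISSUER into a hard failure. A sentence at the end of that comment would keep the two in step: `// AIA fetching is network I/O, so the retry is only attempted when the caller permitted certificate I/O; otherwise the original error stands.` The if-body and the rest of RetryPKIXVerifyCertWithWorkarounds continue outside the hunk.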
@@ -902,12 +906,15 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
cvout[cvout_index].type = cert_po_end;
ScopedCERTValOutParam scoped_cvout(cvout);
- bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED);
+ bool cert_io_enabled = flags & VERIFY_CERT_IO_ENABLED;
+ bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED) &&
+ cert_io_enabled;
if (check_revocation) {
verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
}
- status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout);
+ status = PKIXVerifyCert(
+ cert_handle_, check_revocation, cert_io_enabled, NULL, 0, cvout);
if (crl_set) {
CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
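Review bot: `bool cert_io_enabled = flags & VERIFY_CERT_IO_ENABLED;` relies on an implicit int-to-bool conversion, whereas the line right after keeps the mask parenthesised; clang-tidy's readability-implicit-bool-conversion flags the former, and `bool cert_io_enabled = (flags & VERIFY_CERT_IO_ENABLED) != 0;` reads the same way as its neighbour. The more important thing to write down is the silent downgrade the next line performs: a caller that asked for revocation checking gets none when certificate I/O is off, and the only signal is that CERT_STATUS_REV_CHECKING_ENABLED is left clear. Suggest `// Online revocation checking needs network I/O, so it is dropped (and` / `// CERT_STATUS_REV_CHECKING_ENABLED left clear) when certificate I/O is disabled.` VerifyInternal continues on both sides of the hunk.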
@@ -982,6 +989,7 @@ bool X509Certificate::VerifyEV(int flags) const {
SECStatus status = PKIXVerifyCert(cert_handle_,
flags & VERIFY_REV_CHECKING_ENABLED,
+ flags & VERIFY_CERT_IO_ENABLED,
metadata->GetPolicyOIDs(),
metadata->NumPolicyOIDs(),
cvout);
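Review bot: VerifyEV forwards `flags & VERIFY_REV_CHECKING_ENABLED` as check_revocation without masking it by the new cert-I/O flag, so unlike VerifyInternal in this same commit it can call PKIXVerifyCert with check_revocation=true and cert_io_enabled=false. If the body of PKIXVerifyCert (not shown) enables OCSP/CRL fetching from check_revocation alone, an EV verification could still perform the NSS HTTP I/O this change is meant to switch off, which on the NSS socket path now runs without EnsureNSSHttpIOInit() having been called. Making the two call sites agree is a one-line change: `(flags & VERIFY_REV_CHECKING_ENABLED) && (flags & VERIFY_CERT_IO_ENABLED),`. Alternatively PKIXVerifyCert could apply the mask itself so the rule lives in one place. VerifyEV begins and ends outside the hunk.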
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 927da8c..a89d689 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
@@ -1158,6 +1158,8 @@ int SSLClientSocketMac::DoVerifyCert() {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(
server_cert_, host_and_port_.host(), flags,
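Review bot: The SSLConfig-to-VerifyFlags mapping is now repeated verbatim in four sockets (this hunk and the DoVerifyCert hunks in ssl_client_socket_nss.cc, ssl_client_socket_openssl.cc and ssl_client_socket_win.cc), and each new option grows all four by the same two lines; the next option added to only three of them is a silent divergence. A single helper that derives the flags from an SSLConfig (for instance an `int VerifyFlagsFromConfig(const SSLConfig& config)` beside SSLConfig; name illustrative) would keep the backends identical. Setting VERIFY_CERT_IO_ENABLED on the Mac and Windows sockets is harmless today since, per the new header NOTE, only the NSS verifier honours it, and doing so here means those backends need no socket change when they start to. DoVerifyCert continues outside the hunk.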
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 688b8e6..2b9c73d 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -821,10 +821,12 @@ int SSLClientSocketNSS::Init() {
if (!NSS_IsInitialized())
return ERR_UNEXPECTED;
#if !defined(OS_MACOSX) && !defined(OS_WIN)
- // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
- // loop by MessageLoopForIO::current().
- // X509Certificate::Verify() runs on a worker thread of CertVerifier.
- EnsureNSSHttpIOInit();
+ if (ssl_config_.cert_io_enabled) {
+ // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
+ // loop by MessageLoopForIO::current().
+ // X509Certificate::Verify() runs on a worker thread of CertVerifier.
+ EnsureNSSHttpIOInit();
+ }
#endif
LeaveFunction("");
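Review bot: Guarding EnsureNSSHttpIOInit() leaves NSS's HTTP I/O layer uninitialised whenever cert_io_enabled is false, and nothing in the block records what must hold for that to be safe. The companion DoVerifyCert change in this file only passes VERIFY_CERT_IO_ENABLED when the same flag is set, so the invariant is that a verification started without that flag must never reach NSS's HTTP client; whether every verifier path respects that cannot be confirmed from this hunk. Suggest a comment on the new if: `// When cert_io_enabled is false DoVerifyCert() omits VERIFY_CERT_IO_ENABLED, so` / `// verification must not issue NSS HTTP requests and the HTTP IO layer is` / `// deliberately left uninitialised (remoting cannot run it on its IO loop).` Init() continues outside the hunk.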
@@ -1702,6 +1704,8 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
server_cert_verify_result_ = &local_server_cert_verify_result_;
return verifier_->Verify(
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index f55c613..a29acf6 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -906,6 +906,8 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(
server_cert_, host_and_port_.host(), flags,
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 990faeb..4e61c6f 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -1180,6 +1180,8 @@ int SSLClientSocketWin::DoVerifyCert() {
flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
return verifier_->Verify(
server_cert_, host_and_port_.host(), flags,