-rw-r--r-- | net/base/ssl_config_service.cc | 3 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 7 | ||||
-rw-r--r-- | net/base/x509_certificate.h | 1 | ||||
-rw-r--r-- | net/base/x509_certificate_nss.cc | 22 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 12 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 2 | ||||
-rw-r--r-- | remoting/protocol/authenticator_test_base.h | 2 | ||||
-rw-r--r-- | remoting/protocol/ssl_hmac_channel_authenticator.cc | 3 | ||||
-rw-r--r-- | remoting/protocol/ssl_hmac_channel_authenticator_unittest.cc | 2 |
11 files changed, 43 insertions, 15 deletions
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 9644041..c46b73b 100644
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -26,7 +26,8 @@ SSLConfig::SSLConfig()
 false_start_enabled(true),
 send_client_cert(false),
 verify_ev_cert(false),
- ssl3_fallback(false) {
+ ssl3_fallback(false),
+ cert_io_enabled(true) {
 }
 
 SSLConfig::~SSLConfig() {
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index a6e3a3b..0c5abc1 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -99,6 +99,13 @@ struct NET_EXPORT SSLConfig {
 bool ssl3_fallback; // True if we are falling back to SSL 3.0 (one still
 // needs to clear tls1_enabled).
 
+ // If cert_io_enabled is false, then certificate verification will not
+ // result in additional HTTP requests. (For example: to fetch missing
+ // intermediates or to perform OCSP/CRL fetches.) It also implies that online
+ // revocation checking is disabled.
+ // NOTE: currently only effective on Linux
+ bool cert_io_enabled;
+
 // The list of application level protocols supported. If set, this will
 // enable Next Protocol Negotiation (if supported). The order of the
 // protocols doesn't matter expect for one case: if the server supports Next
diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 2b89c55..95dde89 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -93,6 +93,7 @@ class NET_EXPORT X509Certificate
 enum VerifyFlags {
 VERIFY_REV_CHECKING_ENABLED = 1 << 0,
 VERIFY_EV_CERT = 1 << 1,
+ VERIFY_CERT_IO_ENABLED = 1 << 2,
 };
 
 enum Format {
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 835f9ee..1bf456ed5 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
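Review bot: The new enumerator `VERIFY_CERT_IO_ENABLED = 1 << 2` in the x509_certificate.h hunk carries no comment, so the meaning of the flag is only discoverable from SSLConfig::cert_io_enabled in ssl_config_service.h, a different header. A one-line comment at the point of use would help readers of the verifier API, e.g. `// Allow verification to perform network I/O (AIA fetches, OCSP/CRL); see SSLConfig::cert_io_enabled.`. The ssl_config_service.h text says the setting is "currently only effective on Linux", and in this commit only x509_certificate_nss.cc reads the flag, so that limitation is worth repeating next to the enumerator as well. The default `cert_io_enabled(true)` in the .cc hunk preserves existing behaviour for callers that do not set it.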
@@ -396,7 +396,8 @@ void ParseDate(SECItem* der_date, base::Time* result) {
 // Forward declarations.
 SECStatus RetryPKIXVerifyCertWithWorkarounds(
 X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
- std::vector<CERTValInParam>* cvin, CERTValOutParam* cvout);
+ bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
+ CERTValOutParam* cvout);
 SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
 
 // Call CERT_PKIXVerifyCert for the cert_handle.
@@ -406,6 +407,7 @@ SECOidTag GetFirstCertPolicy(X509Certificate::OSCertHandle cert_handle);
 // Caller must initialize cvout before calling this function.
 SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 bool check_revocation,
+ bool cert_io_enabled,
 const SECOidTag* policy_oids,
 int num_policy_oids,
 CERTValOutParam* cvout) {
@@ -517,7 +519,7 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 &cvin[0], cvout, NULL);
 if (rv != SECSuccess) {
 rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids,
- &cvin, cvout);
+ cert_io_enabled, &cvin, cvout);
 }
 return rv;
 }
@@ -527,7 +529,8 @@ SECStatus PKIXVerifyCert(X509Certificate::OSCertHandle cert_handle,
 // arguments or local variables of PKIXVerifyCert.
 SECStatus RetryPKIXVerifyCertWithWorkarounds(
 X509Certificate::OSCertHandle cert_handle, int num_policy_oids,
- std::vector<CERTValInParam>* cvin, CERTValOutParam* cvout) {
+ bool cert_io_enabled, std::vector<CERTValInParam>* cvin,
+ CERTValOutParam* cvout) {
 // We call this function when the first CERT_PKIXVerifyCert call in
 // PKIXVerifyCert failed, so we initialize |rv| to SECFailure.
 SECStatus rv = SECFailure;
@@ -543,8 +546,9 @@ SECStatus RetryPKIXVerifyCertWithWorkarounds(
 // missing intermediate CA certificate, and fail with the
 // SEC_ERROR_BAD_SIGNATURE error (NSS bug 524013), so we also retry with
 // cert_pi_useAIACertFetch on SEC_ERROR_BAD_SIGNATURE.
- if (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
- nss_error == SEC_ERROR_BAD_SIGNATURE) {
+ if (cert_io_enabled &&
+ (nss_error == SEC_ERROR_UNKNOWN_ISSUER ||
+ nss_error == SEC_ERROR_BAD_SIGNATURE)) {
 DCHECK_EQ(cvin->back().type, cert_pi_end);
 cvin->pop_back();
 in_param.type = cert_pi_useAIACertFetch;
@@ -902,12 +906,15 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
 cvout[cvout_index].type = cert_po_end;
 ScopedCERTValOutParam scoped_cvout(cvout);
 
- bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED);
+ bool cert_io_enabled = flags & VERIFY_CERT_IO_ENABLED;
+ bool check_revocation = (flags & VERIFY_REV_CHECKING_ENABLED) &&
+ cert_io_enabled;
 if (check_revocation) {
 verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
 }
 
- status = PKIXVerifyCert(cert_handle_, check_revocation, NULL, 0, cvout);
+ status = PKIXVerifyCert(
+ cert_handle_, check_revocation, cert_io_enabled, NULL, 0, cvout);
 
 if (crl_set) {
 CRLSetResult crl_set_result = CheckRevocationWithCRLSet(
@@ -982,6 +989,7 @@ bool X509Certificate::VerifyEV(int flags) const {
 
 SECStatus status = PKIXVerifyCert(cert_handle_,
 flags & VERIFY_REV_CHECKING_ENABLED,
+ flags & VERIFY_CERT_IO_ENABLED,
 metadata->GetPolicyOIDs(),
 metadata->NumPolicyOIDs(),
 cvout);
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index 927da8c..a89d689 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
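Review bot: In the VerifyEV hunk the added `flags & VERIFY_CERT_IO_ENABLED,` is passed alongside an ungated `flags & VERIFY_REV_CHECKING_ENABLED`, whereas VerifyInternal (the -902 hunk) computes `check_revocation` as `(flags & VERIFY_REV_CHECKING_ENABLED) && cert_io_enabled`. Unless PKIXVerifyCert itself suppresses revocation fetches when cert_io_enabled is false (its body lies outside the hunks), an EV verification with revocation checking requested but cert I/O disabled will still perform online revocation I/O, contradicting the ssl_config_service.h statement that cert_io_enabled=false implies revocation checking is disabled. Either apply the same conjunction in VerifyEV, or move the gating into PKIXVerifyCert so that both callers inherit it. Separately, `bool cert_io_enabled = flags & VERIFY_CERT_IO_ENABLED;` relies on an implicit int-to-bool conversion; `(flags & VERIFY_CERT_IO_ENABLED) != 0` would match the parenthesised style of the line below it. Both VerifyInternal and VerifyEV begin and end outside the hunks.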
@@ -1158,6 +1158,8 @@ int SSLClientSocketMac::DoVerifyCert() {
 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
 return verifier_->Verify(
 server_cert_, host_and_port_.host(), flags,
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 688b8e6..2b9c73d 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -821,10 +821,12 @@ int SSLClientSocketNSS::Init() {
 if (!NSS_IsInitialized())
 return ERR_UNEXPECTED;
 #if !defined(OS_MACOSX) && !defined(OS_WIN)
- // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
- // loop by MessageLoopForIO::current().
- // X509Certificate::Verify() runs on a worker thread of CertVerifier.
- EnsureNSSHttpIOInit();
+ if (ssl_config_.cert_io_enabled) {
+ // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO
+ // loop by MessageLoopForIO::current().
+ // X509Certificate::Verify() runs on a worker thread of CertVerifier.
+ EnsureNSSHttpIOInit();
+ }
 #endif
 
 LeaveFunction("");
@@ -1702,6 +1704,8 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
 server_cert_verify_result_ = &local_server_cert_verify_result_;
 return verifier_->Verify(
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index f55c613..a29acf6 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
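Review bot: The same three lines translating `ssl_config_.cert_io_enabled` into `X509Certificate::VERIFY_CERT_IO_ENABLED` are added to four DoVerifyCert implementations (Mac and NSS here, OpenSSL and Windows in the following hunks), extending an existing copy-paste of the rev_checking and verify_ev_cert translations. A single helper that derives the verify flags from an SSLConfig (for example `int CertVerifyFlagsFromConfig(const SSLConfig&)`, a constructed name) would keep the four call sites from drifting as further flags are added. In SSLClientSocketNSS::Init, the guarded `EnsureNSSHttpIOInit()` now depends on the verifier honouring the flag rather than on the init being skipped, so the moved comment would read more clearly with the sentence `// When cert_io_enabled is false the verifier is asked not to perform network I/O, so NSS HTTP I/O need not be set up for this socket.` Each enclosing function begins and ends outside its hunk.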
@@ -906,6 +906,8 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) {
 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
 return verifier_->Verify(
 server_cert_, host_and_port_.host(), flags,
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index 990faeb..4e61c6f 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -1180,6 +1180,8 @@ int SSLClientSocketWin::DoVerifyCert() {
 flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
 if (ssl_config_.verify_ev_cert)
 flags |= X509Certificate::VERIFY_EV_CERT;
+ if (ssl_config_.cert_io_enabled)
+ flags |= X509Certificate::VERIFY_CERT_IO_ENABLED;
 verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
 return verifier_->Verify(
 server_cert_, host_and_port_.host(), flags,
diff --git a/remoting/protocol/authenticator_test_base.h b/remoting/protocol/authenticator_test_base.h
index 6233423..cf2a73e 100644
--- a/remoting/protocol/authenticator_test_base.h
+++ b/remoting/protocol/authenticator_test_base.h
@@ -49,7 +49,7 @@ class AuthenticatorTestBase : public testing::Test {
 void OnClientConnected(net::Error error,
 scoped_ptr<net::StreamSocket> socket);
 
- MessageLoopForIO message_loop_;
+ MessageLoop message_loop_;
 
 scoped_ptr<crypto::RSAPrivateKey> private_key_;
 std::string host_cert_;
diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc
index 0fba849..99df767 100644
--- a/remoting/protocol/ssl_hmac_channel_authenticator.cc
+++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc
@@ -97,8 +97,9 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate(
 // because we use self-signed certs. Disable it so that the SSL
 // layer doesn't try to initialize OCSP (OCSP works only on the IO
 // thread).
- ssl_config.allowed_bad_certs.push_back(cert_and_status);
+ ssl_config.cert_io_enabled = false;
 ssl_config.rev_checking_enabled = false;
+ ssl_config.allowed_bad_certs.push_back(cert_and_status);
 
 net::HostPortPair host_and_port(kSslFakeHostName, 0);
 net::SSLClientSocketContext context;
diff --git a/remoting/protocol/ssl_hmac_channel_authenticator_unittest.cc b/remoting/protocol/ssl_hmac_channel_authenticator_unittest.cc
index 7084163..5af5299 100644
--- a/remoting/protocol/ssl_hmac_channel_authenticator_unittest.cc
+++ b/remoting/protocol/ssl_hmac_channel_authenticator_unittest.cc
@@ -104,7 +104,7 @@ class SslHmacChannelAuthenticatorTest : public testing::Test {
 client_socket_ = socket.Pass();
 }
 
- MessageLoopForIO message_loop_;
+ MessageLoop message_loop_;
 
 scoped_ptr<crypto::RSAPrivateKey> private_key_;
 std::string host_cert_;
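Review bot: The comment leading into the ssl_hmac_channel_authenticator.cc hunk (it starts before the hunk) still justifies only `rev_checking_enabled = false` in terms of OCSP initialisation, while the new `ssl_config.cert_io_enabled = false;` is the broader setting that keeps the verifier from issuing any network fetches, and the accompanying test changes drop MessageLoopForIO for a plain MessageLoop. Adding `// Also disable all certificate network I/O (AIA, OCSP, CRL fetches); this authenticator may run without an IO message loop.` next to the new line would keep the rationale with the code that carries it. The move of `allowed_bad_certs.push_back(cert_and_status)` below the two settings does not change behaviour, so a reviewer may want the diff to stay minimal there. SecureAndAuthenticate begins and ends outside the hunk.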