4 files changed, 92 insertions, 4 deletions
diff --git a/base/base.gypi b/base/base.gypi
index 53d097e..db55e02 100644
--- a/base/base.gypi
+++ b/base/base.gypi
@@ -358,6 +358,8 @@
       }],
       ['base_extra_target', {
         'sources': [
+          'crypto/capi_util.cc',
+          'crypto/capi_util.h',
           'crypto/cssm_init.cc',
           'crypto/cssm_init.h',
           'crypto/encryptor.h',
@@ -484,6 +486,8 @@
                 'base_drag_source.cc',
                 'base_drop_target.cc',
                 'cpu.cc',
+                'crypto/capi_util.h',
+                'crypto/capi_util.cc',
                 'debug_on_start.cc',
                 'event_recorder.cc',
                 'file_version_info.cc',
diff --git a/base/crypto/capi_util.cc b/base/crypto/capi_util.cc
new file mode 100644
index 0000000..0499492
--- /dev/null
+++ b/base/crypto/capi_util.cc
@@ -0,0 +1,50 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/crypto/capi_util.h"
+
+#include "base/basictypes.h"
+#include "base/lock.h"
+#include "base/singleton.h"
+
+namespace {
+
+class CAPIUtilSingleton {
+ public:
+  static CAPIUtilSingleton* GetInstance() {
+    return Singleton<CAPIUtilSingleton>::get();
+  }
+
+  // Returns a lock to guard calls to CryptAcquireContext with
+  // CRYPT_DELETEKEYSET or CRYPT_NEWKEYSET.
+  Lock& acquire_context_lock() {
+    return acquire_context_lock_;
+  }
+
+ private:
+  friend class Singleton<CAPIUtilSingleton>;
+  friend struct DefaultSingletonTraits<CAPIUtilSingleton>;
+
+  CAPIUtilSingleton() {}
+
+  Lock acquire_context_lock_;
+
+  DISALLOW_COPY_AND_ASSIGN(CAPIUtilSingleton);
+};
+
+}  // namespace
+
+namespace base {
+
+BOOL CryptAcquireContextLocked(HCRYPTPROV* prov,
+                               const TCHAR* container,
+                               const TCHAR* provider,
+                               DWORD prov_type,
+                               DWORD flags)
+{
+  AutoLock lock(CAPIUtilSingleton::GetInstance()->acquire_context_lock());
+  return CryptAcquireContext(prov, container, provider, prov_type, flags);
+}
+
+}  // namespace base
diff --git a/base/crypto/capi_util.h b/base/crypto/capi_util.h
new file mode 100644
index 0000000..9f26403
--- /dev/null
+++ b/base/crypto/capi_util.h
@@ -0,0 +1,31 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BASE_CRYPTO_CAPI_UTIL_H_
+#define BASE_CRYPTO_CAPI_UTIl_H_
+
+#include <windows.h>
+#include <wincrypt.h>
+
+namespace base {
+
+// CryptAcquireContext when passed CRYPT_NEWKEYSET or CRYPT_DELETEKEYSET in
+// flags is not thread-safe. For such calls, we create a global lock to
+// synchronize it.
+//
+// From "Threading Issues with Cryptographic Service Providers",
+// <http://msdn.microsoft.com/en-us/library/aa388149(v=VS.85).aspx>:
+//
+// "The CryptAcquireContext function is generally thread safe unless
+// CRYPT_NEWKEYSET or CRYPT_DELETEKEYSET is specified in the dwFlags
+// parameter."
+BOOL CryptAcquireContextLocked(HCRYPTPROV* prov,
+                               const TCHAR* container,
+                               const TCHAR* provider,
+                               DWORD prov_type,
+                               DWORD flags);
+
+}  // namespace base
+
+#endif  // BASE_CRYPTO_CAPI_UTIl_H_
diff --git a/net/base/keygen_handler_win.cc b/net/base/keygen_handler_win.cc
index 42997b6..3d97d17 100644
--- a/net/base/keygen_handler_win.cc
+++ b/net/base/keygen_handler_win.cc
@@ -16,6 +16,7 @@
 
 #include "base/base64.h"
 #include "base/basictypes.h"
+#include "base/crypto/capi_util.h"
 #include "base/logging.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
@@ -250,8 +251,9 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
 
     // Only create new key containers, so that existing key containers are not
     // overwritten.
-    ok = CryptAcquireContext(&prov, new_key_id.c_str(), NULL, PROV_RSA_FULL,
-                             CRYPT_SILENT | CRYPT_NEWKEYSET);
+    ok = base::CryptAcquireContextLocked(&prov, new_key_id.c_str(), NULL,
+                                         PROV_RSA_FULL,
+                                         CRYPT_SILENT | CRYPT_NEWKEYSET);
 
     if (ok || GetLastError() != NTE_BAD_KEYSET)
       break;
@@ -301,8 +303,9 @@ std::string KeygenHandler::GenKeyAndSignChallenge() {
     prov = NULL;
     if (!stores_key_) {
       // Fully destroys any of the keys that were created and releases prov.
-      CryptAcquireContext(&prov, new_key_id.c_str(), NULL, PROV_RSA_FULL,
-                          CRYPT_SILENT | CRYPT_DELETEKEYSET);
+      base::CryptAcquireContextLocked(&prov, new_key_id.c_str(), NULL,
+                                      PROV_RSA_FULL,
+                                      CRYPT_SILENT | CRYPT_DELETEKEYSET);
     }
   }