26 files changed, 154 insertions, 99 deletions
diff --git a/build/common.gypi b/build/common.gypi index 3289014..400081b 100644 --- a/build/common.gypi +++ b/build/common.gypi @@ -741,6 +741,15 @@ 'use_nss_certs%': 0, }], + # NSS verifier usage. + # On non-OpenSSL iOS configurations, certificates use the operating + # system library, but the verifier uses the bundled copy of NSS. + ['(OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris") or (OS=="ios" and use_openssl==0)', { + 'use_nss_verifier%': 1, + }, { + 'use_nss_verifier%': 0, + }], + # libudev usage. This currently only affects the content layer. ['OS=="linux" and embedded==0', { 'use_udev%': 1, @@ -1153,6 +1162,7 @@ 'use_openssl%': '<(use_openssl)', 'use_openssl_certs%': '<(use_openssl_certs)', 'use_nss_certs%': '<(use_nss_certs)', + 'use_nss_verifier%': '<(use_nss_verifier)', 'use_udev%': '<(use_udev)', 'os_bsd%': '<(os_bsd)', 'os_posix%': '<(os_posix)', @@ -2125,6 +2135,9 @@ ['use_nss_certs==1', { 'grit_defines': ['-D', 'use_nss_certs'], }], + ['use_nss_verifier==1', { + 'grit_defines': ['-D', 'use_nss_verifier'], + }], ['use_ozone==1', { 'grit_defines': ['-D', 'use_ozone'], }], @@ -3086,6 +3099,9 @@ ['<(use_nss_certs)==1 and >(nacl_untrusted_build)==0', { 'defines': ['USE_NSS_CERTS=1'], }], + ['<(use_nss_verifier)==1 and >(nacl_untrusted_build)==0', { + 'defines': ['USE_NSS_VERIFIER=1'], + }], ['<(chromeos)==1 and >(nacl_untrusted_build)==0', { 'defines': ['OS_CHROMEOS=1'], }], diff --git a/build/config/BUILD.gn b/build/config/BUILD.gn index cfa910d..dca62fd 100644 --- a/build/config/BUILD.gn +++ b/build/config/BUILD.gn @@ -128,6 +128,9 @@ config("feature_flags") { if (use_nss_certs) { defines += [ "USE_NSS_CERTS=1" ] } + if (use_nss_verifier) { + defines += [ "USE_NSS_VERIFIER=1" ] + } if (use_ozone) { defines += [ "USE_OZONE=1" ] } diff --git a/build/config/crypto.gni b/build/config/crypto.gni index 99ce428..7d671cf 100644 --- a/build/config/crypto.gni +++ b/build/config/crypto.gni 
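Review bot: The gyp default for `use_nss_verifier%` spells out an OS list (`OS=="linux" or OS=="freebsd" or OS=="openbsd" or OS=="solaris"`) while the GN definition in build/config/crypto.gni derives the same flag from `use_nss_certs`, so the two build systems can drift apart if `use_nss_certs` is overridden or its OS set changes. If gyp's evaluation order lets a condition in this block read `use_nss_certs`, `['use_nss_certs==1 or (OS=="ios" and use_openssl==0)', {` would keep the two definitions in step. Otherwise add a comment to the new block such as `# Keep this OS list in sync with the use_nss_certs condition above and with build/config/crypto.gni.` so the coupling is visible to the next editor.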
@@ -24,7 +24,12 @@ declare_args() { # is unsupported. use_openssl_certs = is_android || is_nacl -# True if NSS is used for certificate verification. Note that this is -# independent from use_openssl. It is possible to use OpenSSL for the crypto -# library, but NSS for the platform certificate library. +# True if NSS is used for certificate handling. Note that this is independent +# from use_openssl. It is possible to use OpenSSL for the crypto library, but +# NSS for the platform certificate library. use_nss_certs = is_linux + +# True if NSS is used for certificate verification. On non-OpenSSL iOS +# configurations, certificates use the operating system library, but the +# verifier uses the bundled copy of NSS. +use_nss_verifier = use_nss_certs || (is_ios && !use_openssl) diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc index a7cb9e8..5bd6436 100644 --- a/crypto/nss_util.cc +++ b/crypto/nss_util.cc @@ -803,7 +803,6 @@ class NSSInitSingleton { } } -#if defined(USE_NSS_CERTS) || defined(OS_IOS) // Load nss's built-in root certs. SECMODModule* InitDefaultRootCerts() { SECMODModule* root = LoadModule("Root Certs", "libnssckbi.so", NULL); @@ -843,7 +842,6 @@ class NSSInitSingleton { } return module; } -#endif bool tpm_token_enabled_for_nss_; bool initializing_tpm_token_; diff --git a/ios/chrome/browser/ios_chrome_io_thread.mm b/ios/chrome/browser/ios_chrome_io_thread.mm index 0fbdab0..4e76c5a 100644 --- a/ios/chrome/browser/ios_chrome_io_thread.mm +++ b/ios/chrome/browser/ios_chrome_io_thread.mm 
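Review bot: In crypto/nss_util.cc the `#if defined(USE_NSS_CERTS) || defined(OS_IOS)` guard around InitDefaultRootCerts() and the helper that follows it is dropped outright rather than narrowed to `#if defined(USE_NSS_VERIFIER)`, which is what every other file in this change does. That leaves the code that loads the bundled root store (`LoadModule("Root Certs", "libnssckbi.so", NULL)`) compiled into every NSS configuration; whether it is also called in configurations that rely on the platform verifier depends on the call site, which is outside the hunk. Unless that call site is itself conditional, the intended replacement is presumably `#if defined(USE_NSS_VERIFIER)` / `#endif` around the same two spans, so a build that trusts the OS certificate store does not quietly carry NSS's root list as well.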
@@ -140,12 +140,18 @@ const char kNpnTrialDisabledGroupNamePrefix[] = "Disable"; // Used for the "system" URLRequestContext. class SystemURLRequestContext : public net::URLRequestContext { public: - SystemURLRequestContext() { net::SetURLRequestContextForNSSHttpIO(this); } + SystemURLRequestContext() { +#if defined(USE_NSS_VERIFIER) + net::SetURLRequestContextForNSSHttpIO(this); +#endif + } private: ~SystemURLRequestContext() override { AssertNoURLRequests(); +#if defined(USE_NSS_VERIFIER) net::SetURLRequestContextForNSSHttpIO(nullptr); +#endif } }; @@ -377,7 +383,9 @@ void IOSChromeIOThread::Init() { TRACE_EVENT0("startup", "IOSChromeIOThread::Init"); DCHECK_CURRENTLY_ON(web::WebThread::IO); +#if defined(USE_NSS_VERIFIER) net::SetMessageLoopForNSSHttpIO(); +#endif const base::CommandLine& command_line = *base::CommandLine::ForCurrentProcess(); @@ -474,7 +482,9 @@ void IOSChromeIOThread::Init() { } void IOSChromeIOThread::CleanUp() { +#if defined(USE_NSS_VERIFIER) net::ShutdownNSSHttpIO(); +#endif system_url_request_context_getter_ = nullptr; diff --git a/ios/crnet/crnet_environment.mm b/ios/crnet/crnet_environment.mm index b5ba3fe..ee2fcee 100644 --- a/ios/crnet/crnet_environment.mm +++ b/ios/crnet/crnet_environment.mm @@ -153,11 +153,15 @@ void CrNetEnvironment::Initialize() { CHECK(base::i18n::InitializeICU()); url::Initialize(); base::CommandLine::Init(0, nullptr); + +#if defined(USE_NSS_VERIFIER) // This needs to happen on the main thread. NSPR's initialization sets up its // memory allocator; if this is not done before other threads are created, // this initialization can race to cause accidental free/allocation // mismatches. crypto::EnsureNSPRInit(); +#endif + // Without doing this, StatisticsRecorder::FactoryGet() leaks one histogram // per call after the first for a given name. base::StatisticsRecorder::Initialize(); 
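Review bot: In ios/crnet/crnet_environment.mm, guarding `crypto::EnsureNSPRInit()` with `USE_NSS_VERIFIER` ties main-thread NSPR initialization to the verifier choice, but the comment kept above it describes a hazard of any NSPR use (the allocator setup racing with thread creation). If NSS/NSPR is still linked and reached through some other path when the OS verifier is selected, that path would now run without the early main-thread initialization; I could not confirm from the hunk that no such path remains, so it is worth checking before landing. The same guard is added around the call in ios/web/app/web_main_loop.mm (`// We want to be sure to init NSPR on the main thread.`). If the reasoning is that NSS is not linked at all on iOS when USE_NSS_VERIFIER is undefined, stating that in the comment, e.g. `// NSPR is only linked on iOS when the NSS verifier is in use.`, would make both guards self-explanatory.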
@@ -288,7 +292,9 @@ void CrNetEnvironment::Install() { proxy_config_service_ = net::ProxyService::CreateSystemProxyConfigService( network_io_thread_->task_runner(), nullptr); +#if defined(USE_NSS_VERIFIER) net::SetURLRequestContextForNSSHttpIO(main_context_.get()); +#endif main_context_getter_ = new CrNetURLRequestContextGetter( main_context_.get(), network_io_thread_->task_runner()); base::subtle::MemoryBarrier(); @@ -306,7 +312,9 @@ void CrNetEnvironment::InstallIntoSessionConfiguration( CrNetEnvironment::~CrNetEnvironment() { net::HTTPProtocolHandlerDelegate::SetInstance(nullptr); +#if defined(USE_NSS_VERIFIER) net::SetURLRequestContextForNSSHttpIO(nullptr); +#endif } net::URLRequestContextGetter* CrNetEnvironment::GetMainContextGetter() { diff --git a/ios/web/app/web_main_loop.mm b/ios/web/app/web_main_loop.mm index be504e0..ac91ba6 100644 --- a/ios/web/app/web_main_loop.mm +++ b/ios/web/app/web_main_loop.mm @@ -54,8 +54,10 @@ void WebMainLoop::EarlyInitialization() { parts_->PreEarlyInitialization(); } +#if defined(USE_NSS_VERIFIER) // We want to be sure to init NSPR on the main thread. crypto::EnsureNSPRInit(); +#endif if (parts_) { parts_->PostEarlyInitialization(); diff --git a/net/BUILD.gn b/net/BUILD.gn index fbc32ebb..dcb0a8f 100644 --- a/net/BUILD.gn +++ b/net/BUILD.gn @@ -178,15 +178,11 @@ if (!is_nacl) { "ssl/token_binding_nss.cc", ] if (is_ios) { - # Always removed for !ios below. net_shared_sources -= [ - "cert/cert_verify_proc_nss.cc", - "cert/cert_verify_proc_nss.h", + "cert/x509_util_ios.cc", + "cert/x509_util_ios.h", ] } - if (!use_nss_certs && !is_ios) { - net_shared_sources -= [ "cert/x509_util_nss.h" ] - } } else { net_shared_sources -= [ "cert/ct_log_verifier_openssl.cc", 
@@ -290,18 +286,6 @@ if (!is_nacl) { "third_party/mozilla_security_manager/nsPKCS12Blob.cpp", "third_party/mozilla_security_manager/nsPKCS12Blob.h", ] - if (!is_ios) { - # These files are part of the partial implementation of NSS on iOS so - # keep them in that case (even though use_nss_certs is not set). - net_shared_sources -= [ - "cert/cert_verify_proc_nss.cc", - "cert/cert_verify_proc_nss.h", - "cert/test_root_certs_nss.cc", - "cert/x509_util_nss_certs.cc", - "cert_net/nss_ocsp.cc", - "cert_net/nss_ocsp.h", - ] - } if (is_chromeos) { # These were already removed on non-ChromeOS. net_shared_sources -= [ @@ -323,6 +307,19 @@ if (!is_nacl) { net_shared_sources += [ "third_party/nss/ssl/cmpcert.c" ] } + if (!use_nss_verifier) { + # These files are part of the partial implementation of NSS for + # cert verification, so keep them in that case. + net_shared_sources -= [ + "cert/cert_verify_proc_nss.cc", + "cert/cert_verify_proc_nss.h", + "cert/test_root_certs_nss.cc", + "cert/x509_util_nss_certs.cc", + "cert_net/nss_ocsp.cc", + "cert_net/nss_ocsp.h", + ] + } + if (is_chromecast && use_nss_certs) { net_shared_sources += [ "ssl/ssl_platform_key_chromecast.cc" ] net_shared_sources -= [ "ssl/ssl_platform_key_nss.cc" ] @@ -718,7 +715,7 @@ source_set("test_support") { public_deps += [ "//third_party/protobuf:py_proto" ] } - if (use_nss_certs || is_ios) { + if (use_nss_verifier) { public_deps += [ "//crypto:platform" ] } @@ -1526,9 +1523,8 @@ test("net_unittests") { sources -= [ "http/http_auth_handler_negotiate_unittest.cc" ] } - if (!use_nss_certs && !is_ios) { - # Only include this test when on Posix and using NSS for - # cert verification or on iOS (which also uses NSS for certs). + if (!use_nss_verifier) { + # Only include this test when using NSS for cert verification. sources -= [ "cert_net/nss_ocsp_unittest.cc" ] } diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc index 1c9dede..eba84e6 100644 --- a/net/cert/cert_verify_proc.cc 
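Review bot: The comment on the new `if (!use_nss_verifier)` block in net/BUILD.gn says the files are kept "in that case", but the block removes them, so the sentence contradicts the code directly under it. Suggest `# These files implement certificate verification with NSS; drop them when the NSS verifier is not in use.` The file list itself matches the one deleted from the former `!is_ios` block above and the one added in net_common.gypi, so only the wording needs attention.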
+++ b/net/cert/cert_verify_proc.cc @@ -26,7 +26,7 @@ #include "net/cert/x509_certificate.h" #include "url/url_canon.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "net/cert/cert_verify_proc_nss.h" #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) #include "net/cert/cert_verify_proc_openssl.h" @@ -203,7 +203,7 @@ struct HashToArrayComparator { // static CertVerifyProc* CertVerifyProc::CreateDefault() { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) return new CertVerifyProcNSS(); #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) return new CertVerifyProcOpenSSL(); diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc index be7f4d1..1202d04 100644 --- a/net/cert/cert_verify_proc_unittest.cc +++ b/net/cert/cert_verify_proc_unittest.cc @@ -245,7 +245,7 @@ TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { NULL, empty_cert_list_, &verify_result); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_ANDROID) +#if defined(USE_NSS_VERIFIER) || defined(OS_ANDROID) EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error); #else // TOOD(bulach): investigate why macosx and win aren't returning @@ -255,7 +255,7 @@ TEST_F(CertVerifyProcTest, PaypalNullCertParsing) { // Either the system crypto library should correctly report a certificate // name mismatch, or our certificate blacklist should cause us to report an // invalid certificate. -#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) || defined(OS_WIN) EXPECT_TRUE(verify_result.cert_status & (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID)); #endif diff --git a/net/cert/ev_root_ca_metadata.cc b/net/cert/ev_root_ca_metadata.cc index a5ac6e2..33afaf2 100644 --- a/net/cert/ev_root_ca_metadata.cc +++ b/net/cert/ev_root_ca_metadata.cc 
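Review bot: With the first condition in CertVerifyProc::CreateDefault() narrowed to `USE_NSS_VERIFIER`, an iOS build with use_openssl now falls past both the NSS branch and the `USE_OPENSSL_CERTS && !OS_ANDROID` branch (crypto.gni sets use_openssl_certs only for Android and NaCl), so which verifier it gets depends on the branches below the hunk, which are not visible here. Please confirm that configuration resolves to the platform verifier rather than to a NOTREACHED() or null return; a configuration that cannot construct a default CertVerifyProc is a correctness risk worth pinning with a test. If the intended outcome is the platform verifier, a comment on the `#elif` chain such as `// iOS with use_openssl uses the platform verifier below.` would document it.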
@@ -4,7 +4,7 @@ #include "net/cert/ev_root_ca_metadata.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include <cert.h> #include <pkcs11n.h> #include <secerr.h> @@ -15,13 +15,13 @@ #include "base/lazy_instance.h" #include "base/logging.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "crypto/nss_util.h" #endif namespace net { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) || defined(OS_WIN) +#if defined(USE_NSS_VERIFIER) || defined(OS_WIN) // Raw metadata. struct EVMetadata { // kMaxOIDsPerCA is the number of OIDs that we can support per root CA. At @@ -503,7 +503,7 @@ EVRootCAMetadata* EVRootCAMetadata::GetInstance() { return g_ev_root_ca_metadata.Pointer(); } -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const { return policy_oids_.find(policy_oid) != policy_oids_.end(); } @@ -649,7 +649,7 @@ bool EVRootCAMetadata::RemoveEVCA(const SHA1HashValue& fingerprint) { EVRootCAMetadata::EVRootCAMetadata() { // Constructs the object from the raw metadata in ev_root_ca_metadata. -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) crypto::EnsureNSSInit(); for (size_t i = 0; i < arraysize(ev_root_ca_metadata); i++) { diff --git a/net/cert/ev_root_ca_metadata.h b/net/cert/ev_root_ca_metadata.h index 508e188..967dcbb 100644 --- a/net/cert/ev_root_ca_metadata.h +++ b/net/cert/ev_root_ca_metadata.h @@ -7,7 +7,7 @@ #include "build/build_config.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include <secoidt.h> #endif @@ -31,7 +31,7 @@ namespace net { // extended-validation (EV) certificates. class NET_EXPORT_PRIVATE EVRootCAMetadata { public: -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) typedef SECOidTag PolicyOID; #elif defined(OS_WIN) typedef const char* PolicyOID; 
@@ -39,7 +39,7 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata { static EVRootCAMetadata* GetInstance(); -#if defined(USE_NSS_CERTS) || defined(OS_WIN) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) || defined(OS_WIN) // Returns true if policy_oid is an EV policy OID of some root CA. bool IsEVPolicyOID(PolicyOID policy_oid) const; @@ -64,7 +64,7 @@ class NET_EXPORT_PRIVATE EVRootCAMetadata { EVRootCAMetadata(); ~EVRootCAMetadata(); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) typedef std::map<SHA1HashValue, std::vector<PolicyOID>, SHA1HashValueLessThan> PolicyOIDMap; diff --git a/net/cert/multi_threaded_cert_verifier.cc b/net/cert/multi_threaded_cert_verifier.cc index 714b291..f900a1f 100644 --- a/net/cert/multi_threaded_cert_verifier.cc +++ b/net/cert/multi_threaded_cert_verifier.cc @@ -29,7 +29,7 @@ #include "net/cert/x509_certificate_net_log_param.h" #include "net/log/net_log.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include <private/pprthred.h> // PR_DetachThread #endif 
@@ -237,15 +237,15 @@ void DoVerifyOnWorkerThread(const scoped_refptr<CertVerifyProc>& verify_proc, *error = verify_proc->Verify(cert.get(), hostname, ocsp_response, flags, crl_set.get(), additional_trust_anchors, result); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) - // Detach the thread from NSPR. - // Calling NSS functions attaches the thread to NSPR, which stores - // the NSPR thread ID in thread-specific data. - // The threads in our thread pool terminate after we have called - // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets - // segfaults on shutdown when the threads' thread-specific data - // destructors run. - PR_DetachThread(); +#if defined(USE_NSS_VERIFIER) + // Detach the thread from NSPR. + // Calling NSS functions attaches the thread to NSPR, which stores + // the NSPR thread ID in thread-specific data. + // The threads in our thread pool terminate after we have called + // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets + // segfaults on shutdown when the threads' thread-specific data + // destructors run. + PR_DetachThread(); #endif } @@ -591,4 +591,3 @@ CertVerifierJob* MultiThreadedCertVerifier::FindJob(const RequestParams& key) { } } // namespace net - diff --git a/net/cert/test_root_certs.h b/net/cert/test_root_certs.h index a7d0fd2..412bbe8 100644 --- a/net/cert/test_root_certs.h +++ b/net/cert/test_root_certs.h @@ -11,7 +11,7 @@ #include "build/build_config.h" #include "net/base/net_export.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include <list> #elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID) #include <vector> @@ -67,7 +67,7 @@ class NET_EXPORT TestRootCerts { #if defined(USE_NSS_CERTS) bool Contains(CERTCertificate* cert) const; -#elif defined(OS_MACOSX) && !defined(OS_IOS) +#elif defined(OS_MACOSX) && !defined(USE_NSS_VERIFIER) CFArrayRef temporary_roots() const { return temporary_roots_; } // Modifies the root certificates of |trust_ref| to include the 
@@ -102,7 +102,7 @@ class NET_EXPORT TestRootCerts { // Performs platform-dependent initialization. void Init(); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) // It is necessary to maintain a cache of the original certificate trust // settings, in order to restore them when Clear() is called. class TrustEntry; diff --git a/net/cert/test_root_certs_unittest.cc b/net/cert/test_root_certs_unittest.cc index e55c147..2f449e7 100644 --- a/net/cert/test_root_certs_unittest.cc +++ b/net/cert/test_root_certs_unittest.cc @@ -14,7 +14,7 @@ #include "net/test/cert_test_util.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include <nss.h> #endif @@ -68,7 +68,7 @@ TEST(TestRootCertsTest, AddFromFile) { // the results of the rest of net_unittests, ensuring that the trust status // is properly being set and cleared. TEST(TestRootCertsTest, OverrideTrust) { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) if (NSS_VersionCheck("3.14.2") && !NSS_VersionCheck("3.15")) { // See http://bugzil.la/863947 for details LOG(INFO) << "Skipping test for NSS 3.14.2 - NSS 3.15"; diff --git a/net/cert/x509_util_nss.h b/net/cert/x509_util_nss.h index 11e34da..c656264 100644 --- a/net/cert/x509_util_nss.h +++ b/net/cert/x509_util_nss.h @@ -28,7 +28,7 @@ namespace net { namespace x509_util { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) // Parses the Principal attribute from |name| and outputs the result in // |principal|. void ParsePrincipal(CERTName* name, @@ -127,7 +127,7 @@ bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain, std::string GetUniqueNicknameForSlot(const std::string& nickname, const SECItem* subject, PK11SlotInfo* slot); -#endif // defined(USE_NSS_CERTS) || defined(OS_IOS) +#endif // defined(USE_NSS_VERIFIER) } // namespace x509_util 
diff --git a/net/net.gyp b/net/net.gyp index 01958a6..8d1991a 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -192,7 +192,7 @@ '../third_party/boringssl/boringssl.gyp:boringssl', ], }], - [ 'use_nss_certs == 1 or OS == "ios" or use_openssl == 0', { + [ 'use_nss_verifier == 1', { 'conditions': [ [ 'desktop_linux == 1 or chromeos == 1', { 'dependencies': [ @@ -226,13 +226,20 @@ 'http/http_auth_handler_negotiate_unittest.cc', ], }], - [ 'use_nss_certs == 0 and OS != "ios"', { - # Only include this test when using system NSS for cert verification - # or on iOS (which also uses NSS for certs). + [ 'use_nss_verifier == 0', { + # Only include this test when using NSS for cert verification. 'sources!': [ 'cert_net/nss_ocsp_unittest.cc', ], }], + [ 'use_nss_verifier == 0 and OS == "ios"', { + # Only include these files on iOS when using NSS for cert + # verification. + 'sources!': [ + 'cert/x509_util_ios.cc', + 'cert/x509_util_ios.h', + ], + }], [ 'use_openssl==1', { 'sources!': [ 'quic/test_tools/crypto_test_utils_nss.cc', @@ -262,7 +269,7 @@ 'sources!': [ 'base/directory_lister_unittest.cc', 'base/directory_listing_unittest.cc', - 'url_request/url_request_file_dir_job_unittest.cc', + 'url_request/url_request_file_dir_job_unittest.cc', 'url_request/url_request_file_job_unittest.cc', ], }], @@ -356,6 +363,7 @@ 'data/url_request_unittest/', 'data/verify_certificate_chain_unittest/', 'data/verify_name_match_unittest/names/', + 'data/verify_signed_data_unittest/', ], 'test_data_prefix': 'net', }, @@ -605,7 +613,7 @@ 'test/spawned_test_server/spawned_test_server.h', ], }], - ['use_nss_certs == 1 or OS == "ios"', { + ['use_nss_verifier == 1', { 'conditions': [ [ 'desktop_linux == 1 or chromeos == 1', { 'dependencies': [ diff --git a/net/net_common.gypi b/net/net_common.gypi index 2c6182a..9bd4aac 100644 --- a/net/net_common.gypi +++ b/net/net_common.gypi 
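Review bot: Two edits in net/net.gyp are unrelated to the use_nss_verifier flag: the whitespace-only change to the `'url_request/url_request_file_dir_job_unittest.cc',` entry and the new `'data/verify_signed_data_unittest/',` test-data directory. Neither is mentioned by the other hunks, so they read as stray changes; consider splitting them out or noting in the description why they ride along.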
@@ -113,6 +113,7 @@ 'cert/ct_objects_extractor_nss.cc', 'cert/jwk_serializer_nss.cc', 'cert/scoped_nss_types.h', + 'cert/x509_certificate_ios.cc', 'cert/x509_util_nss.cc', 'quic/crypto/aead_base_decrypter_nss.cc', 'quic/crypto/aead_base_encrypter_nss.cc', @@ -191,7 +192,7 @@ ], }, ], - [ 'use_nss_certs == 1 or OS == "ios" or use_openssl == 0', { + [ 'use_nss_verifier == 1', { 'conditions': [ # Pull in the bundled or system NSS as appropriate. [ 'desktop_linux == 1 or chromeos == 1', { @@ -262,19 +263,13 @@ 'base/crypto_module_nss.cc', 'base/keygen_handler_nss.cc', 'cert/cert_database_nss.cc', - 'cert/cert_verify_proc_nss.cc', - 'cert/cert_verify_proc_nss.h', 'cert/nss_cert_database.cc', 'cert/nss_cert_database.h', 'cert/nss_cert_database_chromeos.cc', 'cert/nss_cert_database_chromeos.h', 'cert/nss_profile_filter_chromeos.cc', 'cert/nss_profile_filter_chromeos.h', - 'cert/test_root_certs_nss.cc', 'cert/x509_certificate_nss.cc', - 'cert/x509_util_nss_certs.cc', - 'cert_net/nss_ocsp.cc', - 'cert_net/nss_ocsp.h', 'ssl/client_cert_store_nss.cc', 'ssl/client_cert_store_nss.h', 'ssl/client_key_store.cc', @@ -289,6 +284,17 @@ ], }, ], + [ 'use_nss_verifier != 1', { + 'sources!': [ + 'cert/cert_verify_proc_nss.cc', + 'cert/cert_verify_proc_nss.h', + 'cert/test_root_certs_nss.cc', + 'cert/x509_util_nss_certs.cc', + 'cert_net/nss_ocsp.cc', + 'cert_net/nss_ocsp.h', + ], + }, + ], # client_cert_store_nss.c requires NSS_CmpCertChainWCANames from NSS's # libssl, but our bundled copy is not built in OpenSSL ports. Pull that # file in directly. @@ -297,6 +303,12 @@ 'third_party/nss/ssl/cmpcert.c', ], }], + [ 'OS == "ios" and use_nss_verifier == 0', { + 'sources!': [ + 'cert/x509_util_ios.cc', + 'cert/x509_util_ios.h', + ], + }], [ 'enable_websockets == 1', { 'sources': ['<@(net_websockets_sources)'] }], 
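Review bot: The new condition `[ 'use_nss_verifier != 1', {` in net/net_common.gypi is written as a negation while every other new gyp condition in this change uses the `== 0` form (net.gyp, and `OS == "ios" and use_nss_verifier == 0` a few lines below in this same file); the two are equivalent for a flag defaulted to 0 or 1, but the mixed spelling makes grepping and later edits error-prone. Suggest `[ 'use_nss_verifier == 0', {`. Separately, `cert/x509_certificate_ios.cc` is added to a source list in the first hunk of this file with no matching addition in the net/BUILD.gn hunks of this diff; worth confirming the GN side already lists it.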
@@ -410,16 +422,6 @@ ['include', '^base/network_interfaces_mac\\.cc$'], ['include', '^base/network_interfaces_mac\\.h$'], ['include', '^base/platform_mime_util_mac\\.mm$'], - # The iOS implementation only partially uses NSS and thus does not - # defines |use_nss_certs|. In particular the |USE_NSS_CERTS| - # preprocessor definition is not used. The following files are needed - # though: - ['include', '^cert/cert_verify_proc_nss\\.cc$'], - ['include', '^cert/cert_verify_proc_nss\\.h$'], - ['include', '^cert/test_root_certs_nss\\.cc$'], - ['include', '^cert/x509_util_nss_certs\\.cc$'], - ['include', '^cert_net/nss_ocsp\\.cc$'], - ['include', '^cert_net/nss_ocsp\\.h$'], ['include', '^proxy/proxy_resolver_mac\\.cc$'], ['include', '^proxy/proxy_server_mac\\.cc$'], ], diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 135045f..f1f00d1 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -2667,7 +2667,7 @@ int SSLClientSocketNSS::Init() { EnsureNSSSSLInit(); if (!NSS_IsInitialized()) return ERR_UNEXPECTED; -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) if (ssl_config_.cert_io_enabled) { // We must call EnsureNSSHttpIOInit() here, on the IO thread, to get the IO // loop by MessageLoopForIO::current(). diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index 89482bb..46de320 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -58,7 +58,7 @@ #include "net/ssl/ssl_key_logger.h" #endif -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "net/cert_net/nss_ocsp.h" #endif 
@@ -884,7 +884,7 @@ int SSLClientSocketOpenSSL::Init() { DCHECK(!ssl_); DCHECK(!transport_bio_); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) if (ssl_config_.cert_io_enabled) { // TODO(davidben): Move this out of SSLClientSocket. See // https://crbug.com/539520. diff --git a/net/test/embedded_test_server/embedded_test_server_unittest.cc b/net/test/embedded_test_server/embedded_test_server_unittest.cc index a08d3b7..bdd4a82 100644 --- a/net/test/embedded_test_server/embedded_test_server_unittest.cc +++ b/net/test/embedded_test_server/embedded_test_server_unittest.cc @@ -30,7 +30,7 @@ #include "net/url_request/url_request_test_util.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "net/cert_net/nss_ocsp.h" #endif @@ -122,7 +122,7 @@ class EmbeddedTestServerTest } void SetUp() override { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) // This is needed so NSS's HTTP client functions are initialized on the // right thread. These tests create SSLClientSockets on a different thread. // TODO(davidben): Initialization can't be deferred to SSLClientSocket. See @@ -145,7 +145,7 @@ class EmbeddedTestServerTest void TearDown() override { if (server_->Started()) ASSERT_TRUE(server_->ShutdownAndWaitUntilComplete()); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) ShutdownNSSHttpIO(); #endif } @@ -496,7 +496,7 @@ typedef std::tr1::tuple<bool, bool, EmbeddedTestServer::Type> class EmbeddedTestServerThreadingTest : public testing::TestWithParam<ThreadingTestParams> { void SetUp() override { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) // This is needed so NSS's HTTP client functions are initialized on the // right thread. These tests create SSLClientSockets on a different thread. // TODO(davidben): Initialization can't be deferred to SSLClientSocket. See 
@@ -507,7 +507,7 @@ class EmbeddedTestServerThreadingTest } void TearDown() override { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) ShutdownNSSHttpIO(); #endif } diff --git a/net/test/net_test_suite.cc b/net/test/net_test_suite.cc index a657d26..561f149 100644 --- a/net/test/net_test_suite.cc +++ b/net/test/net_test_suite.cc @@ -10,7 +10,7 @@ #include "net/spdy/spdy_session.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "net/cert_net/nss_ocsp.h" #endif @@ -33,7 +33,7 @@ void NetTestSuite::Initialize() { } void NetTestSuite::Shutdown() { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) net::ShutdownNSSHttpIO(); #endif diff --git a/net/url_request/url_fetcher_impl_unittest.cc b/net/url_request/url_fetcher_impl_unittest.cc index 9b0c562..6a79b1b 100644 --- a/net/url_request/url_fetcher_impl_unittest.cc +++ b/net/url_request/url_fetcher_impl_unittest.cc @@ -42,7 +42,7 @@ #include "net/url_request/url_request_throttler_manager.h" #include "testing/gtest/include/gtest/gtest.h" -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) #include "net/cert_net/nss_ocsp.h" #endif @@ -422,14 +422,14 @@ class URLFetcherTest : public testing::Test { kDefaultResponsePath)); ASSERT_TRUE(hanging_url_.is_valid()); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) crypto::EnsureNSSInit(); EnsureNSSHttpIOInit(); #endif } void TearDown() override { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) ShutdownNSSHttpIO(); #endif } diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index 17ead4c..714283a 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc 
@@ -9133,7 +9133,7 @@ class HTTPSOCSPTest : public HTTPSRequestTest { CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get()); test_root_.reset(new ScopedTestRoot(root_cert.get())); -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) SetURLRequestContextForNSSHttpIO(&context_); EnsureNSSHttpIOInit(); #endif @@ -9162,7 +9162,7 @@ class HTTPSOCSPTest : public HTTPSRequestTest { } ~HTTPSOCSPTest() override { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) ShutdownNSSHttpIO(); #endif } @@ -9202,7 +9202,7 @@ static CertStatus ExpectedCertStatusForFailedOnlineRevocationCheck() { // If it does not, then tests which rely on 'hard fail' behaviour should be // skipped. static bool SystemSupportsHardFailRevocationChecking() { -#if defined(OS_WIN) || defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(OS_WIN) || defined(USE_NSS_VERIFIER) return true; #else return false; @@ -9241,7 +9241,7 @@ static bool SystemSupportsOCSP() { } static bool SystemSupportsOCSPStapling() { -#if defined(USE_NSS_CERTS) || defined(OS_IOS) +#if defined(USE_NSS_VERIFIER) return true; #elif defined(OS_WIN) return base::win::GetVersion() >= base::win::VERSION_VISTA; diff --git a/tools/gn/docs/cookbook.md b/tools/gn/docs/cookbook.md index 3fa16e2..febc16c 100644 --- a/tools/gn/docs/cookbook.md +++ b/tools/gn/docs/cookbook.md 
@@ -279,6 +279,7 @@ places are noted in the table below. | `use_gnome_keyring` (0/1) | `is_desktop_linux` (true/false) | | | `use_goma` (0/1) | `use_goma` (true/false) | `//build/toolchain/goma.gni` | | `use_nss_certs` (0/1) | `use_nss_certs` (true/false) | `//build/config/crypto.gni` (Many of these conditions can be deleted, see the "SSL" notes on targets below.) | +| `use_nss_verifier` (0/1) | `use_nss_verifier` (true/false) | `//build/config/crypto.gni` (Many of these conditions can be deleted, see the "SSL" notes on targets below.) | | `use_openssl` (0/1) | `use_openssl` (true/false) | `//build/config/crypto.gni` (Many of these conditions can be deleted, see the "SSL" notes on targets below.) | | `use_pango` (0/1) | `use_pango` (true/false) | `//build/config/ui.gni` | | `use_ozone` (0/1) | `use_ozone` (true/false) | `//build/config/ui.gni` | diff --git a/tools/grit/grit_rule.gni b/tools/grit/grit_rule.gni index f60d8fa..68e5976 100644 --- a/tools/grit/grit_rule.gni +++ b/tools/grit/grit_rule.gni @@ -159,6 +159,13 @@ if (use_nss_certs) { ] } +if (use_nss_verifier) { + grit_defines += [ + "-D", + "use_nss_verifier", + ] +} + if (use_ozone) { grit_defines += [ "-D", |