From 4f38ffc015c54cb3e50443b1797e7753d49d5957 Mon Sep 17 00:00:00 2001 From: "sergeyu@chromium.org" Date: Tue, 23 Aug 2011 21:10:02 +0000 Subject: Remove DisableOCSP(). Instead of calling DisableOCSP() all SSL socket used in sandbox should be created with reb_checking_enabled flag set to false. BUG=93273 TEST=None Review URL: http://codereview.chromium.org/7685040 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97918 0039d316-1c4b-4281-b951-d872f2087c98 --- net/ocsp/nss_ocsp.cc | 21 +++------------------ net/ocsp/nss_ocsp.h | 7 ------- net/socket/ssl_client_socket_nss.cc | 10 ++++++---- net/socket/ssl_server_socket_nss.cc | 6 ------ 4 files changed, 9 insertions(+), 35 deletions(-) (limited to 'net') diff --git a/net/ocsp/nss_ocsp.cc b/net/ocsp/nss_ocsp.cc index ccff919..ec24107 100644 --- a/net/ocsp/nss_ocsp.cc +++ b/net/ocsp/nss_ocsp.cc @@ -41,8 +41,6 @@ namespace { pthread_mutex_t g_request_context_lock = PTHREAD_MUTEX_INITIALIZER; static net::URLRequestContext* g_request_context = NULL; -static bool g_disable_ocsp = false; - class OCSPRequestSession; class OCSPIOLoop { @@ -911,9 +909,6 @@ char* GetAlternateOCSPAIAInfo(CERTCertificate *cert) { namespace net { void SetMessageLoopForOCSP() { - // Must not be called when OCSP is disabled. - DCHECK(!g_disable_ocsp); - // Must have a MessageLoopForIO. DCHECK(MessageLoopForIO::current()); 
@@ -923,27 +918,17 @@ void SetMessageLoopForOCSP() { DCHECK(!used); } -void DisableOCSP() { - g_disable_ocsp = true; -} - void EnsureOCSPInit() { - if (!g_disable_ocsp) { - g_ocsp_io_loop.Get().StartUsing(); - g_ocsp_nss_initialization.Get(); - } + g_ocsp_io_loop.Get().StartUsing(); + g_ocsp_nss_initialization.Get(); } void ShutdownOCSP() { - if (!g_disable_ocsp) - g_ocsp_io_loop.Get().Shutdown(); + g_ocsp_io_loop.Get().Shutdown(); } // This function would be called before NSS initialization. void SetURLRequestContextForOCSP(URLRequestContext* request_context) { - // Must not be called when OCSP is disabled. - DCHECK(!g_disable_ocsp); - pthread_mutex_lock(&g_request_context_lock); if (request_context) { DCHECK(!g_request_context); diff --git a/net/ocsp/nss_ocsp.h b/net/ocsp/nss_ocsp.h index 93d07ce..bf67751 100644 --- a/net/ocsp/nss_ocsp.h +++ b/net/ocsp/nss_ocsp.h @@ -17,13 +17,6 @@ class URLRequestContext; // control the message loop for OCSP. NET_EXPORT void SetMessageLoopForOCSP(); -// Disables OCSP for the current process. This is needed to run SSL -// code in the renderer process. After this method is called all -// calls to EnsureOCSPInit() and ShutdownOCSP() are ignored. When -// OCSP is disabled SetMessageLoopForOCSP() and -// SetURLRequestContextForOCSP() are useless and should not be called. -NET_EXPORT void DisableOCSP(); - // Initializes OCSP handlers for NSS. This must be called before any // certificate verification functions. This function is thread-safe, and OCSP // handlers will only ever be initialized once. ShutdownOCSP() must be called diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 5380a9a..4fdecc9 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc 
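Review bot: With the `g_disable_ocsp` guard removed, `EnsureOCSPInit()` in the net/ocsp/nss_ocsp.cc hunk unconditionally starts the OCSP IO loop and the NSS OCSP initialization, so keeping OCSP out of a sandboxed process now depends on every socket there being created with `rev_checking_enabled` set to false; nothing in the visible code enforces that. The nss_ocsp.h hunk of this commit also deletes the only comment that explained the renderer constraint, so I would carry it over onto the `EnsureOCSPInit()` declaration, e.g. `// Must not be called in sandboxed processes; SSL sockets created there must set rev_checking_enabled to false.` `ShutdownOCSP()` now calls `g_ocsp_io_loop.Get().Shutdown()` even in a process that never called `EnsureOCSPInit()`; whether `Shutdown()` tolerates a loop that was never started is not visible here and is worth confirming. `SetURLRequestContextForOCSP()` continues past the end of the hunk.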
@@ -838,10 +838,12 @@ int SSLClientSocketNSS::Init() { if (!NSS_IsInitialized()) return ERR_UNEXPECTED; #if !defined(OS_MACOSX) && !defined(OS_WIN) - // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop - // by MessageLoopForIO::current(). - // X509Certificate::Verify() runs on a worker thread of CertVerifier. - EnsureOCSPInit(); + if (ssl_config_.rev_checking_enabled) { + // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop + // by MessageLoopForIO::current(). + // X509Certificate::Verify() runs on a worker thread of CertVerifier. + EnsureOCSPInit(); + } #endif LeaveFunction(""); diff --git a/net/socket/ssl_server_socket_nss.cc b/net/socket/ssl_server_socket_nss.cc index 08d84b9..78410f8 100644 --- a/net/socket/ssl_server_socket_nss.cc +++ b/net/socket/ssl_server_socket_nss.cc @@ -762,12 +762,6 @@ int SSLServerSocketNSS::Init() { EnsureNSSSSLInit(); if (!NSS_IsInitialized()) return ERR_UNEXPECTED; -#if !defined(OS_MACOSX) && !defined(OS_WIN) - // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop - // by MessageLoopForIO::current(). - // X509Certificate::Verify() runs on a worker thread of CertVerifier. - EnsureOCSPInit(); -#endif return OK; } -- cgit v1.1
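Review bot: Skipping `EnsureOCSPInit()` when `ssl_config_.rev_checking_enabled` is false in the net/socket/ssl_client_socket_nss.cc hunk is only safe if certificate verification for this socket also runs without revocation checking. The retained comment notes that `X509Certificate::Verify()` runs on a CertVerifier worker thread, and the flags passed to it are not visible in this hunk. If those flags can request revocation checking independently of this field, NSS would presumably reach the OCSP path with no handlers registered, so it is worth confirming that they derive from the same config value. The new branch also gives no reason for the gate; I would add `// Sandboxed processes create sockets with rev_checking_enabled == false so that the OCSP IO loop is never started there.` above the `if`. `SSLClientSocketNSS::Init()` starts and ends outside the hunk.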