From 74b12ef0c25a688f63a783ac33bd4cef0692263f Mon Sep 17 00:00:00 2001
From: davidben
Date: Fri, 17 Jul 2015 09:47:17 -0700
Subject: Support OCSP stapling on iOS.

There's no need to limit it to USE_NSS_CERTS builds.
BUG=508971
Review URL: https://codereview.chromium.org/1223323010
Cr-Commit-Position: refs/heads/master@{#339271}
---
 net/cert/cert_verify_proc_nss.cc | 16 ++++++++--------
 net/cert/cert_verify_proc_nss.h | 4 +---
 net/url_request/url_request_unittest.cc | 2 +-
 3 files changed, 10 insertions(+), 12 deletions(-)
(limited to 'net')
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index 02a584f..9ee65ee 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -15,6 +15,7 @@
 #include
 #include "base/logging.h"
+#include "build/build_config.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/sha2.h"
@@ -35,6 +36,8 @@
 #if defined(USE_NSS_CERTS)
 #include
+#else
+#include
 #endif
 namespace net {
@@ -765,6 +768,9 @@ CertVerifyProcNSS::CertVerifyProcNSS()
 : cache_ocsp_response_from_side_channel_(
 reinterpret_cast(
 dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel")))
+#else
+ : cache_ocsp_response_from_side_channel_(
+ &CERT_CacheOCSPResponseFromSideChannel)
 #endif
 {
 }
@@ -776,12 +782,7 @@ bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
 }
 bool CertVerifyProcNSS::SupportsOCSPStapling() const {
-#if defined(USE_NSS_CERTS)
 return cache_ocsp_response_from_side_channel_;
-#else
- // TODO(davidben): Support OCSP stapling on iOS.
- return false;
-#endif
 }
 int CertVerifyProcNSS::VerifyInternalImpl(
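Review bot: `SupportsOCSPStapling()` now returns the function pointer itself and relies on the implicit pointer-to-bool conversion; writing `return cache_ocsp_response_from_side_channel_ != nullptr;` states the intent. The result differs by build: with USE_NSS_CERTS the pointer comes from `dlsym` in the constructor hunk above and can be null, while in the new `#else` branch it is the address of a linked symbol and so always non-null. A one-line comment saying so would keep a later reader from treating the null check as dead code on either path.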
@@ -802,7 +803,6 @@ int CertVerifyProcNSS::VerifyInternalImpl(
 CERTCertificate* cert_handle = cert->os_cert_handle();
 #endif // defined(OS_IOS)
-#if defined(USE_NSS_CERTS)
 if (!ocsp_response.empty() && cache_ocsp_response_from_side_channel_) {
 // Note: NSS uses a thread-safe global hash table, so this call will
 // affect any concurrent verification operations on |cert| or copies of
@@ -813,9 +813,9 @@ int CertVerifyProcNSS::VerifyInternalImpl(
 const_cast(ocsp_response.data()));
 ocsp_response_item.len = ocsp_response.size();
 cache_ocsp_response_from_side_channel_(CERT_GetDefaultCertDB(), cert_handle,
- PR_Now(), &ocsp_response_item, NULL);
+ PR_Now(), &ocsp_response_item,
+ nullptr);
 }
-#endif // defined(USE_NSS_CERTS)
 if (!cert->VerifyNameMatch(hostname,
 &verify_result->common_name_fallback_used)) {
diff --git a/net/cert/cert_verify_proc_nss.h b/net/cert/cert_verify_proc_nss.h
index 5a4b361..c7b90b7 100644
--- a/net/cert/cert_verify_proc_nss.h
+++ b/net/cert/cert_verify_proc_nss.h
@@ -44,16 +44,14 @@ class NET_EXPORT_PRIVATE CertVerifyProcNSS : public CertVerifyProc {
 const CertificateList& additional_trust_anchors,
 CertVerifyResult* verify_result) override;
-#if defined(USE_NSS_CERTS)
 using CacheOCSPResponseFromSideChannelFunction =
 SECStatus (*)(CERTCertDBHandle* handle,
 CERTCertificate* cert,
 PRTime time,
- SECItem* encodedResponse,
+ const SECItem* encodedResponse,
 void* pwArg);
 const CacheOCSPResponseFromSideChannelFunction
 cache_ocsp_response_from_side_channel_;
-#endif
 };
 } // namespace net
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 5582f5a..85fe449 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
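Review bot: The `SECStatus` returned by `cache_ocsp_response_from_side_channel_(...)` is discarded, so a stapled response that NSS declines to cache looks the same to this code as one it accepted, and after this commit that path also runs on non-USE_NSS_CERTS builds. If continuing without the stapled response is the intended soft-fail, record it next to the call, e.g. `// Best effort: a rejected stapled response is ignored and verification proceeds without it.`; otherwise check the status. Separately, `ocsp_response_item.len = ocsp_response.size();` assigns a `size_t` to the `SECItem` length field, which NSS declares as `unsigned int`, for server-supplied data; presumably the TLS layer bounds the size, but a checked cast would make the limit explicit. The enclosing function starts and ends outside the hunk.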
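Review bot: The member `cache_ocsp_response_from_side_channel_` is now declared in every build but its nullability is undocumented; the call site in the .cc file tests it before calling, which implies it can be null. Proposed comment above the alias: `// Null when the loaded NSS does not export CERT_CacheOCSPResponseFromSideChannel; check before calling.` On the `dlsym` path the `reinterpret_cast` means nothing verifies that this alias, including the new `const SECItem*` parameter, matches the library's actual signature, so the comment should also say the alias must mirror the NSS declaration. The class body starts outside the hunk.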
@@ -8449,7 +8449,7 @@ static bool SystemSupportsOCSP() {
 }
 static bool SystemSupportsOCSPStapling() {
-#if defined(USE_NSS_CERTS)
+#if defined(USE_NSS_CERTS) || defined(OS_IOS)
 return true;
 #elif defined(OS_WIN)
 return base::win::GetVersion() >= base::win::VERSION_VISTA;
-- cgit v1.1