Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(301)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/cert_verify_proc_mac.cc

Issue 11016004: Force crypto::AppleKeychain access to be guarded by a Big Global Lock (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: comment update Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/base/cert_verify_proc_mac.h ('k') | net/base/x509_certificate_mac.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/cert_verify_proc_mac.h" 5 #include "net/base/cert_verify_proc_mac.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 10
11 #include <string> 11 #include <string>
12 #include <vector> 12 #include <vector>
13 13
14 #include "base/logging.h" 14 #include "base/logging.h"
15 #include "base/mac/mac_logging.h" 15 #include "base/mac/mac_logging.h"
16 #include "base/mac/scoped_cftyperef.h" 16 #include "base/mac/scoped_cftyperef.h"
17 #include "base/sha1.h" 17 #include "base/sha1.h"
18 #include "base/string_piece.h" 18 #include "base/string_piece.h"
19 #include "base/synchronization/lock.h"
20 #include "crypto/mac_security_services_lock.h"
19 #include "crypto/nss_util.h" 21 #include "crypto/nss_util.h"
20 #include "crypto/sha2.h" 22 #include "crypto/sha2.h"
21 #include "net/base/asn1_util.h" 23 #include "net/base/asn1_util.h"
22 #include "net/base/cert_status_flags.h" 24 #include "net/base/cert_status_flags.h"
23 #include "net/base/cert_verifier.h" 25 #include "net/base/cert_verifier.h"
24 #include "net/base/cert_verify_result.h" 26 #include "net/base/cert_verify_result.h"
25 #include "net/base/crl_set.h" 27 #include "net/base/crl_set.h"
26 #include "net/base/net_errors.h" 28 #include "net/base/net_errors.h"
27 #include "net/base/test_root_certs.h" 29 #include "net/base/test_root_certs.h"
28 #include "net/base/x509_certificate.h" 30 #include "net/base/x509_certificate.h"
(...skipping 326 matching lines...) Expand 10 before | Expand all | Expand 10 after
355 if (status) 357 if (status)
356 return NetErrorFromOSStatus(status); 358 return NetErrorFromOSStatus(status);
357 359
358 // Create and configure a SecTrustRef, which takes our certificate(s) 360 // Create and configure a SecTrustRef, which takes our certificate(s)
359 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an 361 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an
360 // array of certificates, the first of which is the certificate we're 362 // array of certificates, the first of which is the certificate we're
361 // verifying, and the subsequent (optional) certificates are used for 363 // verifying, and the subsequent (optional) certificates are used for
362 // chain building. 364 // chain building.
363 ScopedCFTypeRef<CFArrayRef> cert_array(cert->CreateOSCertChainForCert()); 365 ScopedCFTypeRef<CFArrayRef> cert_array(cert->CreateOSCertChainForCert());
364 366
365 // From here on, only one thread can be active at a time. We have had a number 367 // Serialize all calls that may use the Keychain, to work around various
366 // of sporadic crashes in the SecTrustEvaluate call below, way down inside 368 // issues in OS X 10.6+ with multi-threaded access to Security.framework.
367 // Apple's cert code, which we suspect are caused by a thread-safety issue. 369 base::AutoLock lock(crypto::GetMacSecurityServicesLock());
368 // So as a speculative fix allow only one thread to use SecTrust on this cert.
369 base::AutoLock lock(verification_lock_);
370 370
371 SecTrustRef trust_ref = NULL; 371 SecTrustRef trust_ref = NULL;
372 status = SecTrustCreateWithCertificates(cert_array, trust_policies, 372 status = SecTrustCreateWithCertificates(cert_array, trust_policies,
373 &trust_ref); 373 &trust_ref);
374 if (status) 374 if (status)
375 return NetErrorFromOSStatus(status); 375 return NetErrorFromOSStatus(status);
376 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref); 376 ScopedCFTypeRef<SecTrustRef> scoped_trust_ref(trust_ref);
377 377
378 if (TestRootCerts::HasInstance()) { 378 if (TestRootCerts::HasInstance()) {
379 status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref); 379 status = TestRootCerts::GetInstance()->FixupSecTrustRef(trust_ref);
(...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after
583 } 583 }
584 } 584 }
585 585
586 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes); 586 AppendPublicKeyHashes(completed_chain, &verify_result->public_key_hashes);
587 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain); 587 verify_result->is_issued_by_known_root = IsIssuedByKnownRoot(completed_chain);
588 588
589 return OK; 589 return OK;
590 } 590 }
591 591
592 } // namespace net 592 } // namespace net
OLDNEW
« no previous file with comments | « net/base/cert_verify_proc_mac.h ('k') | net/base/x509_certificate_mac.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698