// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/multi_threaded_cert_verifier.h" #include <algorithm> #include "base/bind.h" #include "base/bind_helpers.h" #include "base/compiler_specific.h" #include "base/message_loop/message_loop.h" #include "base/metrics/histogram.h" #include "base/stl_util.h" #include "base/synchronization/lock.h" #include "base/threading/worker_pool.h" #include "base/time/time.h" #include "net/base/net_errors.h" #include "net/base/net_log.h" #include "net/cert/cert_trust_anchor_provider.h" #include "net/cert/cert_verify_proc.h" #include "net/cert/crl_set.h" #include "net/cert/x509_certificate.h" #include "net/cert/x509_certificate_net_log_param.h" #if defined(USE_NSS) || defined(OS_IOS) #include <private/pprthred.h> // PR_DetachThread #endif namespace net { //////////////////////////////////////////////////////////////////////////// // Life of a request: // // MultiThreadedCertVerifier CertVerifierJob CertVerifierWorker Request // | (origin loop) (worker loop) // | // Verify() // |---->-------------------------------------<creates> // | // |---->-------------------<creates> // | // |---->-------------------------------------------------------<creates> // | // |---->---------------------------------------Start // | | // | PostTask // | // | <starts verifying> // |---->-------------------AddRequest | // | // | // | // Finish // | // PostTask // // | // DoReply // |----<-----------------------------------------| // HandleResult // | // |---->------------------HandleResult // | // |------>---------------------------Post // // // // On a cache hit, MultiThreadedCertVerifier::Verify() returns synchronously // without posting a task to a worker thread. namespace { // The default value of max_cache_entries_. const unsigned kMaxCacheEntries = 256; // The number of seconds for which we'll cache a cache entry. const unsigned kTTLSecs = 1800; // 30 minutes. } // namespace MultiThreadedCertVerifier::CachedResult::CachedResult() : error(ERR_FAILED) {} MultiThreadedCertVerifier::CachedResult::~CachedResult() {} MultiThreadedCertVerifier::CacheValidityPeriod::CacheValidityPeriod( const base::Time& now) : verification_time(now), expiration_time(now) { } MultiThreadedCertVerifier::CacheValidityPeriod::CacheValidityPeriod( const base::Time& now, const base::Time& expiration) : verification_time(now), expiration_time(expiration) { } bool MultiThreadedCertVerifier::CacheExpirationFunctor::operator()( const CacheValidityPeriod& now, const CacheValidityPeriod& expiration) const { // Ensure this functor is being used for expiration only, and not strict // weak ordering/sorting. |now| should only ever contain a single // base::Time. // Note: DCHECK_EQ is not used due to operator<< overloading requirements. DCHECK(now.verification_time == now.expiration_time); // |now| contains only a single time (verification_time), while |expiration| // contains the validity range - both when the certificate was verified and // when the verification result should expire. // // If the user receives a "not yet valid" message, and adjusts their clock // foward to the correct time, this will (typically) cause // now.verification_time to advance past expiration.expiration_time, thus // treating the cached result as an expired entry and re-verifying. // If the user receives a "expired" message, and adjusts their clock // backwards to the correct time, this will cause now.verification_time to // be less than expiration_verification_time, thus treating the cached // result as an expired entry and re-verifying. // If the user receives either of those messages, and does not adjust their // clock, then the result will be (typically) be cached until the expiration // TTL. // // This algorithm is only problematic if the user consistently keeps // adjusting their clock backwards in increments smaller than the expiration // TTL, in which case, cached elements continue to be added. However, // because the cache has a fixed upper bound, if no entries are expired, a // 'random' entry will be, thus keeping the memory constraints bounded over // time. return now.verification_time >= expiration.verification_time && now.verification_time < expiration.expiration_time; }; // Represents the output and result callback of a request. class CertVerifierRequest { public: CertVerifierRequest(const CompletionCallback& callback, CertVerifyResult* verify_result, const BoundNetLog& net_log) : callback_(callback), verify_result_(verify_result), net_log_(net_log) { net_log_.BeginEvent(NetLog::TYPE_CERT_VERIFIER_REQUEST); } ~CertVerifierRequest() { } // Ensures that the result callback will never be made. void Cancel() { callback_.Reset(); verify_result_ = NULL; net_log_.AddEvent(NetLog::TYPE_CANCELLED); net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_REQUEST); } // Copies the contents of |verify_result| to the caller's // CertVerifyResult and calls the callback. void Post(const MultiThreadedCertVerifier::CachedResult& verify_result) { if (!callback_.is_null()) { net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_REQUEST); *verify_result_ = verify_result.result; callback_.Run(verify_result.error); } delete this; } bool canceled() const { return callback_.is_null(); } const BoundNetLog& net_log() const { return net_log_; } private: CompletionCallback callback_; CertVerifyResult* verify_result_; const BoundNetLog net_log_; }; // CertVerifierWorker runs on a worker thread and takes care of the blocking // process of performing the certificate verification. Deletes itself // eventually if Start() succeeds. class CertVerifierWorker { public: CertVerifierWorker(CertVerifyProc* verify_proc, X509Certificate* cert, const std::string& hostname, int flags, CRLSet* crl_set, const CertificateList& additional_trust_anchors, MultiThreadedCertVerifier* cert_verifier) : verify_proc_(verify_proc), cert_(cert), hostname_(hostname), flags_(flags), crl_set_(crl_set), additional_trust_anchors_(additional_trust_anchors), origin_loop_(base::MessageLoop::current()), cert_verifier_(cert_verifier), canceled_(false), error_(ERR_FAILED) { } // Returns the certificate being verified. May only be called /before/ // Start() is called. X509Certificate* certificate() const { return cert_.get(); } bool Start() { DCHECK_EQ(base::MessageLoop::current(), origin_loop_); return base::WorkerPool::PostTask( FROM_HERE, base::Bind(&CertVerifierWorker::Run, base::Unretained(this)), true /* task is slow */); } // Cancel is called from the origin loop when the MultiThreadedCertVerifier is // getting deleted. void Cancel() { DCHECK_EQ(base::MessageLoop::current(), origin_loop_); base::AutoLock locked(lock_); canceled_ = true; } private: void Run() { // Runs on a worker thread. error_ = verify_proc_->Verify(cert_.get(), hostname_, flags_, crl_set_.get(), additional_trust_anchors_, &verify_result_); #if defined(USE_NSS) || defined(OS_IOS) // Detach the thread from NSPR. // Calling NSS functions attaches the thread to NSPR, which stores // the NSPR thread ID in thread-specific data. // The threads in our thread pool terminate after we have called // PR_Cleanup. Unless we detach them from NSPR, net_unittests gets // segfaults on shutdown when the threads' thread-specific data // destructors run. PR_DetachThread(); #endif Finish(); } // DoReply runs on the origin thread. void DoReply() { DCHECK_EQ(base::MessageLoop::current(), origin_loop_); { // We lock here because the worker thread could still be in Finished, // after the PostTask, but before unlocking |lock_|. If we do not lock in // this case, we will end up deleting a locked Lock, which can lead to // memory leaks or worse errors. base::AutoLock locked(lock_); if (!canceled_) { cert_verifier_->HandleResult(cert_.get(), hostname_, flags_, additional_trust_anchors_, error_, verify_result_); } } delete this; } void Finish() { // Runs on the worker thread. // We assume that the origin loop outlives the MultiThreadedCertVerifier. If // the MultiThreadedCertVerifier is deleted, it will call Cancel on us. If // it does so before the Acquire, we'll delete ourselves and return. If it's // trying to do so concurrently, then it'll block on the lock and we'll call // PostTask while the MultiThreadedCertVerifier (and therefore the // MessageLoop) is still alive. // If it does so after this function, we assume that the MessageLoop will // process pending tasks. In which case we'll notice the |canceled_| flag // in DoReply. bool canceled; { base::AutoLock locked(lock_); canceled = canceled_; if (!canceled) { origin_loop_->PostTask( FROM_HERE, base::Bind( &CertVerifierWorker::DoReply, base::Unretained(this))); } } if (canceled) delete this; } scoped_refptr<CertVerifyProc> verify_proc_; scoped_refptr<X509Certificate> cert_; const std::string hostname_; const int flags_; scoped_refptr<CRLSet> crl_set_; const CertificateList additional_trust_anchors_; base::MessageLoop* const origin_loop_; MultiThreadedCertVerifier* const cert_verifier_; // lock_ protects canceled_. base::Lock lock_; // If canceled_ is true, // * origin_loop_ cannot be accessed by the worker thread, // * cert_verifier_ cannot be accessed by any thread. bool canceled_; int error_; CertVerifyResult verify_result_; DISALLOW_COPY_AND_ASSIGN(CertVerifierWorker); }; // A CertVerifierJob is a one-to-one counterpart of a CertVerifierWorker. It // lives only on the CertVerifier's origin message loop. class CertVerifierJob { public: CertVerifierJob(CertVerifierWorker* worker, const BoundNetLog& net_log) : start_time_(base::TimeTicks::Now()), worker_(worker), net_log_(net_log) { net_log_.BeginEvent( NetLog::TYPE_CERT_VERIFIER_JOB, base::Bind(&NetLogX509CertificateCallback, base::Unretained(worker_->certificate()))); } ~CertVerifierJob() { if (worker_) { net_log_.AddEvent(NetLog::TYPE_CANCELLED); net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_JOB); worker_->Cancel(); DeleteAllCanceled(); } } void AddRequest(CertVerifierRequest* request) { request->net_log().AddEvent( NetLog::TYPE_CERT_VERIFIER_REQUEST_BOUND_TO_JOB, net_log_.source().ToEventParametersCallback()); requests_.push_back(request); } void HandleResult( const MultiThreadedCertVerifier::CachedResult& verify_result) { worker_ = NULL; net_log_.EndEvent(NetLog::TYPE_CERT_VERIFIER_JOB); UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency", base::TimeTicks::Now() - start_time_, base::TimeDelta::FromMilliseconds(1), base::TimeDelta::FromMinutes(10), 100); PostAll(verify_result); } private: void PostAll(const MultiThreadedCertVerifier::CachedResult& verify_result) { std::vector<CertVerifierRequest*> requests; requests_.swap(requests); for (std::vector<CertVerifierRequest*>::iterator i = requests.begin(); i != requests.end(); i++) { (*i)->Post(verify_result); // Post() causes the CertVerifierRequest to delete itself. } } void DeleteAllCanceled() { for (std::vector<CertVerifierRequest*>::iterator i = requests_.begin(); i != requests_.end(); i++) { if ((*i)->canceled()) { delete *i; } else { LOG(DFATAL) << "CertVerifierRequest leaked!"; } } } const base::TimeTicks start_time_; std::vector<CertVerifierRequest*> requests_; CertVerifierWorker* worker_; const BoundNetLog net_log_; }; MultiThreadedCertVerifier::MultiThreadedCertVerifier( CertVerifyProc* verify_proc) : cache_(kMaxCacheEntries), requests_(0), cache_hits_(0), inflight_joins_(0), verify_proc_(verify_proc), trust_anchor_provider_(NULL) { CertDatabase::GetInstance()->AddObserver(this); } MultiThreadedCertVerifier::~MultiThreadedCertVerifier() { STLDeleteValues(&inflight_); CertDatabase::GetInstance()->RemoveObserver(this); } void MultiThreadedCertVerifier::SetCertTrustAnchorProvider( CertTrustAnchorProvider* trust_anchor_provider) { DCHECK(CalledOnValidThread()); trust_anchor_provider_ = trust_anchor_provider; } int MultiThreadedCertVerifier::Verify(X509Certificate* cert, const std::string& hostname, int flags, CRLSet* crl_set, CertVerifyResult* verify_result, const CompletionCallback& callback, RequestHandle* out_req, const BoundNetLog& net_log) { DCHECK(CalledOnValidThread()); if (callback.is_null() || !verify_result || hostname.empty()) { *out_req = NULL; return ERR_INVALID_ARGUMENT; } requests_++; const CertificateList empty_cert_list; const CertificateList& additional_trust_anchors = trust_anchor_provider_ ? trust_anchor_provider_->GetAdditionalTrustAnchors() : empty_cert_list; const RequestParams key(cert->fingerprint(), cert->ca_fingerprint(), hostname, flags, additional_trust_anchors); const CertVerifierCache::value_type* cached_entry = cache_.Get(key, CacheValidityPeriod(base::Time::Now())); if (cached_entry) { ++cache_hits_; *out_req = NULL; *verify_result = cached_entry->result; return cached_entry->error; } // No cache hit. See if an identical request is currently in flight. CertVerifierJob* job; std::map<RequestParams, CertVerifierJob*>::const_iterator j; j = inflight_.find(key); if (j != inflight_.end()) { // An identical request is in flight already. We'll just attach our // callback. inflight_joins_++; job = j->second; } else { // Need to make a new request. CertVerifierWorker* worker = new CertVerifierWorker(verify_proc_.get(), cert, hostname, flags, crl_set, additional_trust_anchors, this); job = new CertVerifierJob( worker, BoundNetLog::Make(net_log.net_log(), NetLog::SOURCE_CERT_VERIFIER_JOB)); if (!worker->Start()) { delete job; delete worker; *out_req = NULL; // TODO(wtc): log to the NetLog. LOG(ERROR) << "CertVerifierWorker couldn't be started."; return ERR_INSUFFICIENT_RESOURCES; // Just a guess. } inflight_.insert(std::make_pair(key, job)); } CertVerifierRequest* request = new CertVerifierRequest(callback, verify_result, net_log); job->AddRequest(request); *out_req = request; return ERR_IO_PENDING; } void MultiThreadedCertVerifier::CancelRequest(RequestHandle req) { DCHECK(CalledOnValidThread()); CertVerifierRequest* request = reinterpret_cast<CertVerifierRequest*>(req); request->Cancel(); } MultiThreadedCertVerifier::RequestParams::RequestParams( const SHA1HashValue& cert_fingerprint_arg, const SHA1HashValue& ca_fingerprint_arg, const std::string& hostname_arg, int flags_arg, const CertificateList& additional_trust_anchors) : hostname(hostname_arg), flags(flags_arg) { hash_values.reserve(2 + additional_trust_anchors.size()); hash_values.push_back(cert_fingerprint_arg); hash_values.push_back(ca_fingerprint_arg); for (size_t i = 0; i < additional_trust_anchors.size(); ++i) hash_values.push_back(additional_trust_anchors[i]->fingerprint()); } MultiThreadedCertVerifier::RequestParams::~RequestParams() {} bool MultiThreadedCertVerifier::RequestParams::operator<( const RequestParams& other) const { // |flags| is compared before |cert_fingerprint|, |ca_fingerprint|, and // |hostname| under assumption that integer comparisons are faster than // memory and string comparisons. if (flags != other.flags) return flags < other.flags; if (hostname != other.hostname) return hostname < other.hostname; return std::lexicographical_compare( hash_values.begin(), hash_values.end(), other.hash_values.begin(), other.hash_values.end(), net::SHA1HashValueLessThan()); } // HandleResult is called by CertVerifierWorker on the origin message loop. // It deletes CertVerifierJob. void MultiThreadedCertVerifier::HandleResult( X509Certificate* cert, const std::string& hostname, int flags, const CertificateList& additional_trust_anchors, int error, const CertVerifyResult& verify_result) { DCHECK(CalledOnValidThread()); const RequestParams key(cert->fingerprint(), cert->ca_fingerprint(), hostname, flags, additional_trust_anchors); CachedResult cached_result; cached_result.error = error; cached_result.result = verify_result; base::Time now = base::Time::Now(); cache_.Put( key, cached_result, CacheValidityPeriod(now), CacheValidityPeriod(now, now + base::TimeDelta::FromSeconds(kTTLSecs))); std::map<RequestParams, CertVerifierJob*>::iterator j; j = inflight_.find(key); if (j == inflight_.end()) { NOTREACHED(); return; } CertVerifierJob* job = j->second; inflight_.erase(j); job->HandleResult(cached_result); delete job; } void MultiThreadedCertVerifier::OnCACertChanged( const X509Certificate* cert) { DCHECK(CalledOnValidThread()); ClearCache(); } } // namespace net