blob: c8fd6fcb10df60f97758310f6f61030176f25c2e [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/multi_threaded_cert_verifier.h"
#include <algorithm>
#include <iterator>
#include <utility>
#include "base/bind.h"
#include "base/bind_helpers.h"
#include "base/callback_helpers.h"
#include "base/compiler_specific.h"
#include "base/containers/linked_list.h"
#include "base/memory/ptr_util.h"
#include "base/metrics/histogram_macros.h"
#include "base/sha1.h"
#include "base/task/post_task.h"
#include "base/threading/thread_restrictions.h"
#include "base/time/time.h"
#include "base/trace_event/trace_event.h"
#include "base/values.h"
#include "nb/memory_scope.h"
#include "net/base/hash_value.h"
#include "net/base/net_errors.h"
#include "net/base/trace_constants.h"
#include "net/cert/cert_verify_proc.h"
#include "net/cert/cert_verify_result.h"
#include "net/cert/crl_set.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_certificate_net_log_param.h"
#include "net/log/net_log_capture_mode.h"
#include "net/log/net_log_event_type.h"
#include "net/log/net_log_source.h"
#include "net/log/net_log_source_type.h"
#include "net/log/net_log_with_source.h"
namespace net {
class NetLogCaptureMode;
// Allows DoVerifyOnWorkerThread to wait on a base::WaitableEvent.
// DoVerifyOnWorkerThread may wait on network operations done on a separate
// sequence. For instance when using the NSS-based implementation of certificate
// verification, the library requires a blocking callback for fetching OCSP and
// AIA responses.
class MultiThreadedCertVerifierScopedAllowBaseSyncPrimitives
: public base::ScopedAllowBaseSyncPrimitives {};
////////////////////////////////////////////////////////////////////////////
//
// MultiThreadedCertVerifier is a thread-unsafe object which lives, dies, and is
// operated on a single thread, henceforth referred to as the "origin" thread.
//
// When an incoming Verify() request is received, MultiThreadedCertVerifier
// checks if there is an outstanding "job" (CertVerifierJob) in progress that
// can service the request. If there is, the request is attached to that job.
// Otherwise a new job is started.
//
// A job (CertVerifierJob) is a way to de-duplicate requests that are
// fundamentally doing the same verification. CertVerifierJob is similarly
// thread-unsafe and lives on the origin thread.
//
// To do the actual work, CertVerifierJob posts a task to TaskScheduler
// (PostTaskAndReply), and on completion notifies all requests attached to it.
//
// Cancellation:
//
// There are two ways for a request to be cancelled.
//
// (1) When the caller explicitly frees the Request.
//
// If the request was in-flight (attached to a job), then it is detached.
// Note that no effort is made to reap jobs which have no attached requests.
// (Because the worker task isn't cancelable).
//
// (2) When the MultiThreadedCertVerifier is deleted.
//
// This automatically cancels all outstanding requests. This is accomplished
// by deleting each of the jobs owned by the MultiThreadedCertVerifier,
// whose destructor in turn marks each attached request as canceled.
//
// TODO(eroman): If the MultiThreadedCertVerifier is deleted from within a
// callback, the remaining requests in the completing job will NOT be cancelled.
namespace {
std::unique_ptr<base::Value> CertVerifyResultCallback(
const CertVerifyResult& verify_result,
NetLogCaptureMode capture_mode) {
std::unique_ptr<base::DictionaryValue> results(new base::DictionaryValue());
results->SetBoolean("has_md5", verify_result.has_md5);
results->SetBoolean("has_md2", verify_result.has_md2);
results->SetBoolean("has_md4", verify_result.has_md4);
results->SetBoolean("is_issued_by_known_root",
verify_result.is_issued_by_known_root);
results->SetBoolean("is_issued_by_additional_trust_anchor",
verify_result.is_issued_by_additional_trust_anchor);
results->SetInteger("cert_status", verify_result.cert_status);
results->Set("verified_cert",
NetLogX509CertificateCallback(verify_result.verified_cert.get(),
capture_mode));
std::unique_ptr<base::ListValue> hashes(new base::ListValue());
for (auto it = verify_result.public_key_hashes.begin();
it != verify_result.public_key_hashes.end(); ++it) {
hashes->AppendString(it->ToString());
}
results->Set("public_key_hashes", std::move(hashes));
return std::move(results);
}
// Used to pass the result of CertVerifierJob::DoVerifyOnWorkerThread() to
// CertVerifierJob::OnJobCompleted().
struct ResultHelper {
int error;
CertVerifyResult result;
};
int GetFlagsForConfig(const CertVerifier::Config& config) {
int flags = 0;
if (config.enable_rev_checking)
flags |= CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
if (config.require_rev_checking_local_anchors)
flags |= CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
if (config.enable_sha1_local_anchors)
flags |= CertVerifyProc::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS;
if (config.disable_symantec_enforcement)
flags |= CertVerifyProc::VERIFY_DISABLE_SYMANTEC_ENFORCEMENT;
return flags;
}
} // namespace
// Represents the output and result callback of a request. The
// CertVerifierRequest is owned by the caller that initiated the call to
// CertVerifier::Verify().
class CertVerifierRequest : public base::LinkNode<CertVerifierRequest>,
public CertVerifier::Request {
public:
CertVerifierRequest(CertVerifierJob* job,
CompletionOnceCallback callback,
CertVerifyResult* verify_result,
const NetLogWithSource& net_log)
: job_(job),
callback_(std::move(callback)),
verify_result_(verify_result),
net_log_(net_log) {
net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_REQUEST);
}
// Cancels the request.
~CertVerifierRequest() override {
if (job_) {
// Cancel the outstanding request.
net_log_.AddEvent(NetLogEventType::CANCELLED);
net_log_.EndEvent(NetLogEventType::CERT_VERIFIER_REQUEST);
// Remove the request from the Job. No attempt is made to cancel the job
// even though it may no longer have any requests attached to it. Because
// it is running on a worker thread aborting it isn't feasible.
RemoveFromList();
}
}
// Copies the contents of |verify_result| to the caller's
// CertVerifyResult and calls the callback.
void Post(const ResultHelper& verify_result) {
DCHECK(job_);
job_ = nullptr;
net_log_.EndEvent(NetLogEventType::CERT_VERIFIER_REQUEST);
*verify_result_ = verify_result.result;
base::ResetAndReturn(&callback_).Run(verify_result.error);
}
void OnJobCancelled() {
job_ = nullptr;
callback_.Reset();
}
const NetLogWithSource& net_log() const { return net_log_; }
private:
CertVerifierJob* job_; // Not owned.
CompletionOnceCallback callback_;
CertVerifyResult* verify_result_;
const NetLogWithSource net_log_;
};
// DoVerifyOnWorkerThread runs the verification synchronously on a worker
// thread.
std::unique_ptr<ResultHelper> DoVerifyOnWorkerThread(
const scoped_refptr<CertVerifyProc>& verify_proc,
const scoped_refptr<X509Certificate>& cert,
const std::string& hostname,
const std::string& ocsp_response,
int flags,
const scoped_refptr<CRLSet>& crl_set,
const CertificateList& additional_trust_anchors) {
TRACK_MEMORY_SCOPE("Net");
TRACE_EVENT0(kNetTracingCategory, "DoVerifyOnWorkerThread");
auto verify_result = std::make_unique<ResultHelper>();
MultiThreadedCertVerifierScopedAllowBaseSyncPrimitives
allow_base_sync_primitives;
verify_result->error = verify_proc->Verify(
cert.get(), hostname, ocsp_response, flags, crl_set.get(),
additional_trust_anchors, &verify_result->result);
return verify_result;
}
// CertVerifierJob lives only on the verifier's origin message loop.
class CertVerifierJob {
public:
CertVerifierJob(const CertVerifier::RequestParams& key,
NetLog* net_log,
MultiThreadedCertVerifier* cert_verifier)
: key_(key),
start_time_(base::TimeTicks::Now()),
net_log_(NetLogWithSource::Make(net_log,
NetLogSourceType::CERT_VERIFIER_JOB)),
cert_verifier_(cert_verifier),
is_first_job_(false),
weak_ptr_factory_(this) {
net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_JOB,
base::Bind(&NetLogX509CertificateCallback,
base::Unretained(key.certificate().get())));
}
// Indicates whether this was the first job started by the CertVerifier. This
// is only used for logging certain UMA stats.
void set_is_first_job(bool is_first_job) { is_first_job_ = is_first_job; }
#if defined(STARBOARD) && defined(ENABLE_IGNORE_CERTIFICATE_ERRORS)
void set_ignore_certificate_errors(bool ignore_certificate_errors) {
ignore_certificate_errors_ = ignore_certificate_errors;
}
#endif
const CertVerifier::RequestParams& key() const { return key_; }
// Posts a task to TaskScheduler to do the verification. Once the verification
// has completed, it will call OnJobCompleted() on the origin thread.
void Start(const scoped_refptr<CertVerifyProc>& verify_proc,
const CertVerifier::Config& config,
uint32_t config_id) {
int flags = GetFlagsForConfig(config);
if (key_.flags() & CertVerifier::VERIFY_DISABLE_NETWORK_FETCHES) {
flags &= ~CertVerifyProc::VERIFY_REV_CHECKING_ENABLED;
flags &= ~CertVerifyProc::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS;
}
base::PostTaskWithTraitsAndReplyWithResult(
FROM_HERE,
{base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
base::BindOnce(&DoVerifyOnWorkerThread, verify_proc, key_.certificate(),
key_.hostname(), key_.ocsp_response(), flags,
config.crl_set, config.additional_trust_anchors),
base::BindOnce(&CertVerifierJob::OnJobCompleted,
weak_ptr_factory_.GetWeakPtr(), config_id));
}
~CertVerifierJob() {
// If the job is in progress, cancel it.
if (cert_verifier_) {
cert_verifier_ = nullptr;
net_log_.AddEvent(NetLogEventType::CANCELLED);
net_log_.EndEvent(NetLogEventType::CERT_VERIFIER_JOB);
// Notify each request of the cancellation.
for (base::LinkNode<CertVerifierRequest>* it = requests_.head();
it != requests_.end(); it = it->next()) {
it->value()->OnJobCancelled();
}
}
}
// Creates and attaches a request to the Job.
std::unique_ptr<CertVerifierRequest> CreateRequest(
CompletionOnceCallback callback,
CertVerifyResult* verify_result,
const NetLogWithSource& net_log) {
std::unique_ptr<CertVerifierRequest> request(new CertVerifierRequest(
this, std::move(callback), verify_result, net_log));
request->net_log().AddEvent(
NetLogEventType::CERT_VERIFIER_REQUEST_BOUND_TO_JOB,
net_log_.source().ToEventParametersCallback());
requests_.Append(request.get());
return request;
}
private:
using RequestList = base::LinkedList<CertVerifierRequest>;
// Called on completion of the Job to log UMA metrics and NetLog events.
void LogMetrics(const ResultHelper& verify_result) {
net_log_.EndEvent(
NetLogEventType::CERT_VERIFIER_JOB,
base::Bind(&CertVerifyResultCallback, verify_result.result));
base::TimeDelta latency = base::TimeTicks::Now() - start_time_;
if (cert_verifier_->should_record_histograms_) {
UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_Job_Latency", latency,
base::TimeDelta::FromMilliseconds(1),
base::TimeDelta::FromMinutes(10), 100);
if (is_first_job_) {
UMA_HISTOGRAM_CUSTOM_TIMES("Net.CertVerifier_First_Job_Latency",
latency,
base::TimeDelta::FromMilliseconds(1),
base::TimeDelta::FromMinutes(10), 100);
}
}
}
void OnJobCompleted(uint32_t config_id,
std::unique_ptr<ResultHelper> verify_result) {
TRACE_EVENT0(kNetTracingCategory, "CertVerifierJob::OnJobCompleted");
std::unique_ptr<CertVerifierJob> keep_alive =
cert_verifier_->RemoveJob(this);
#if defined(STARBOARD) && defined(ENABLE_IGNORE_CERTIFICATE_ERRORS)
if (ignore_certificate_errors_) {
verify_result->result.verified_cert = key_.certificate();
verify_result->result.cert_status = MapNetErrorToCertStatus(OK);
verify_result->error = OK;
}
#endif
LogMetrics(*verify_result);
if (cert_verifier_->verify_complete_callback_ &&
config_id == cert_verifier_->config_id_) {
cert_verifier_->verify_complete_callback_.Run(
key_, net_log_, verify_result->error, verify_result->result,
base::TimeTicks::Now() - start_time_, is_first_job_);
}
cert_verifier_ = nullptr;
// TODO(eroman): If the cert_verifier_ is deleted from within one of the
// callbacks, any remaining requests for that job should be cancelled. Right
// now they will be called.
while (!requests_.empty()) {
base::LinkNode<CertVerifierRequest>* request = requests_.head();
request->RemoveFromList();
request->value()->Post(*verify_result);
}
}
const CertVerifier::RequestParams key_;
// The tick count of when the job started. This is used to measure how long
// the job actually took to complete.
const base::TimeTicks start_time_;
RequestList requests_; // Non-owned.
const NetLogWithSource net_log_;
MultiThreadedCertVerifier* cert_verifier_; // Non-owned.
bool is_first_job_;
#if defined(STARBOARD) && defined(ENABLE_IGNORE_CERTIFICATE_ERRORS)
bool ignore_certificate_errors_ = false;
#endif
base::WeakPtrFactory<CertVerifierJob> weak_ptr_factory_;
};
MultiThreadedCertVerifier::MultiThreadedCertVerifier(
scoped_refptr<CertVerifyProc> verify_proc)
: requests_(0), inflight_joins_(0), verify_proc_(verify_proc) {}
MultiThreadedCertVerifier::~MultiThreadedCertVerifier() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
}
// static
std::unique_ptr<MultiThreadedCertVerifier>
MultiThreadedCertVerifier::CreateForDualVerificationTrial(
scoped_refptr<CertVerifyProc> verify_proc,
VerifyCompleteCallback verify_complete_callback,
bool should_record_histograms) {
return base::WrapUnique(new net::MultiThreadedCertVerifier(
std::move(verify_proc), std::move(verify_complete_callback),
should_record_histograms));
}
int MultiThreadedCertVerifier::Verify(const RequestParams& params,
CertVerifyResult* verify_result,
CompletionOnceCallback callback,
std::unique_ptr<Request>* out_req,
const NetLogWithSource& net_log) {
out_req->reset();
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
if (callback.is_null() || !verify_result || params.hostname().empty())
return ERR_INVALID_ARGUMENT;
requests_++;
// See if an identical request is currently in flight.
CertVerifierJob* job = FindJob(params);
if (job) {
// An identical request is in flight already. We'll just attach our
// callback.
inflight_joins_++;
} else {
// Need to make a new job.
std::unique_ptr<CertVerifierJob> new_job =
std::make_unique<CertVerifierJob>(params, net_log.net_log(), this);
#if defined(STARBOARD) && defined(ENABLE_IGNORE_CERTIFICATE_ERRORS)
new_job->set_ignore_certificate_errors(ignore_certificate_errors_);
#endif
new_job->Start(verify_proc_, config_, config_id_);
job = new_job.get();
joinable_[job] = std::move(new_job);
if (requests_ == 1)
job->set_is_first_job(true);
}
std::unique_ptr<CertVerifierRequest> request =
job->CreateRequest(std::move(callback), verify_result, net_log);
*out_req = std::move(request);
return ERR_IO_PENDING;
}
void MultiThreadedCertVerifier::SetConfig(const CertVerifier::Config& config) {
++config_id_;
config_ = config;
// In C++17, this would be a .merge() call to combine |joinable_| into
// |inflight_|.
inflight_.insert(std::make_move_iterator(joinable_.begin()),
std::make_move_iterator(joinable_.end()));
joinable_.clear();
}
bool MultiThreadedCertVerifier::JobComparator::operator()(
const CertVerifierJob* job1,
const CertVerifierJob* job2) const {
return job1->key() < job2->key();
}
MultiThreadedCertVerifier::MultiThreadedCertVerifier(
scoped_refptr<CertVerifyProc> verify_proc,
VerifyCompleteCallback verify_complete_callback,
bool should_record_histograms)
: config_id_(0),
requests_(0),
inflight_joins_(0),
verify_proc_(verify_proc),
verify_complete_callback_(std::move(verify_complete_callback)),
should_record_histograms_(should_record_histograms) {}
std::unique_ptr<CertVerifierJob> MultiThreadedCertVerifier::RemoveJob(
CertVerifierJob* job) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
// See if it's a job from the current generation.
auto joinable_it = joinable_.find(job);
if (joinable_it != joinable_.end()) {
std::unique_ptr<CertVerifierJob> job_ptr = std::move(joinable_it->second);
joinable_.erase(joinable_it);
return job_ptr;
}
// Otherwise, find it and remove it from previous generations.
auto it = inflight_.find(job);
DCHECK(it != inflight_.end());
std::unique_ptr<CertVerifierJob> job_ptr = std::move(it->second);
inflight_.erase(it);
return job_ptr;
}
struct MultiThreadedCertVerifier::JobToRequestParamsComparator {
bool operator()(const std::pair<CertVerifierJob* const,
std::unique_ptr<CertVerifierJob>>& item,
const CertVerifier::RequestParams& value) const {
return item.first->key() < value;
}
};
CertVerifierJob* MultiThreadedCertVerifier::FindJob(const RequestParams& key) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
// The JobSet is kept in sorted order so items can be found using binary
// search.
auto it = std::lower_bound(joinable_.begin(), joinable_.end(), key,
JobToRequestParamsComparator());
if (it != joinable_.end() && !(key < it->first->key()))
return it->first;
return nullptr;
}
} // namespace net