blob: 07a75993ada7573528231098c2ce81c3babddf35 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/socket/client_socket_factory.h"
#include "base/lazy_instance.h"
#include "base/thread_task_runner_handle.h"
#include "base/threading/sequenced_worker_pool.h"
#include "base/single_thread_task_runner.h"
#include "build/build_config.h"
#include "net/base/cert_database.h"
#include "net/socket/client_socket_handle.h"
#if defined(OS_WIN)
#include "net/socket/ssl_client_socket_nss.h"
#include "net/socket/ssl_client_socket_win.h"
#elif defined(USE_OPENSSL)
#include "net/socket/ssl_client_socket_openssl.h"
#elif defined(USE_NSS) || defined(OS_IOS)
#include "net/socket/ssl_client_socket_nss.h"
#elif defined(OS_MACOSX)
#include "net/socket/ssl_client_socket_mac.h"
#include "net/socket/ssl_client_socket_nss.h"
#endif
#include "net/socket/tcp_client_socket.h"
#if !defined(__LB_SHELL__) && !defined(OS_STARBOARD)
#include "net/udp/udp_client_socket.h"
#endif
namespace net {
class X509Certificate;
namespace {
bool g_use_system_ssl = false;
// ChromeOS and Linux may require interaction with smart cards or TPMs, which
// may cause NSS functions to block for upwards of several seconds. To avoid
// blocking all activity on the current task runner, such as network or IPC
// traffic, run NSS SSL functions on a dedicated thread.
#if defined(OS_CHROMEOS) || defined(OS_LINUX)
bool g_use_dedicated_nss_thread = true;
#else
bool g_use_dedicated_nss_thread = false;
#endif
class DefaultClientSocketFactory : public ClientSocketFactory,
public CertDatabase::Observer {
public:
DefaultClientSocketFactory() {
if (g_use_dedicated_nss_thread) {
// Use a single thread for the worker pool.
worker_pool_ = new base::SequencedWorkerPool(1, "NSS SSL Thread");
nss_thread_task_runner_ =
worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior(
worker_pool_->GetSequenceToken(),
base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN);
}
CertDatabase::GetInstance()->AddObserver(this);
}
virtual ~DefaultClientSocketFactory() {
// Note: This code never runs, as the factory is defined as a Leaky
// singleton.
CertDatabase::GetInstance()->RemoveObserver(this);
}
virtual void OnCertAdded(const X509Certificate* cert) override {
ClearSSLSessionCache();
}
virtual void OnCertTrustChanged(const X509Certificate* cert) override {
// Per wtc, we actually only need to flush when trust is reduced.
// Always flush now because OnCertTrustChanged does not tell us this.
// See comments in ClientSocketPoolManager::OnCertTrustChanged.
ClearSSLSessionCache();
}
virtual DatagramClientSocket* CreateDatagramClientSocket(
DatagramSocket::BindType bind_type,
const RandIntCallback& rand_int_cb,
NetLog* net_log,
const NetLog::Source& source) override {
#if !defined(__LB_SHELL__) && !defined(OS_STARBOARD)
return new UDPClientSocket(bind_type, rand_int_cb, net_log, source);
#else
return NULL;
#endif
}
virtual StreamSocket* CreateTransportClientSocket(
const AddressList& addresses,
NetLog* net_log,
const NetLog::Source& source) override {
return new TCPClientSocket(addresses, net_log, source);
}
virtual SSLClientSocket* CreateSSLClientSocket(
ClientSocketHandle* transport_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
const SSLClientSocketContext& context) override {
// nss_thread_task_runner_ may be NULL if g_use_dedicated_nss_thread is
// false or if the dedicated NSS thread failed to start. If so, cause NSS
// functions to execute on the current task runner.
//
// Note: The current task runner is obtained on each call due to unit
// tests, which may create and tear down the current thread's TaskRunner
// between each test. Because the DefaultClientSocketFactory is leaky, it
// may span multiple tests, and thus the current task runner may change
// from call to call.
scoped_refptr<base::SequencedTaskRunner> nss_task_runner(
nss_thread_task_runner_);
if (!nss_task_runner)
nss_task_runner = base::ThreadTaskRunnerHandle::Get();
#if defined(USE_OPENSSL)
return new SSLClientSocketOpenSSL(transport_socket, host_and_port,
ssl_config, context);
#elif defined(USE_NSS) || defined(OS_IOS)
return new SSLClientSocketNSS(nss_task_runner, transport_socket,
host_and_port, ssl_config, context);
#elif defined(OS_WIN)
if (g_use_system_ssl) {
return new SSLClientSocketWin(transport_socket, host_and_port,
ssl_config, context);
}
return new SSLClientSocketNSS(nss_task_runner, transport_socket,
host_and_port, ssl_config,
context);
#elif defined(OS_MACOSX)
if (g_use_system_ssl) {
return new SSLClientSocketMac(transport_socket, host_and_port,
ssl_config, context);
}
return new SSLClientSocketNSS(nss_task_runner, transport_socket,
host_and_port, ssl_config,
context);
#else
NOTIMPLEMENTED();
return NULL;
#endif
}
virtual void ClearSSLSessionCache() override {
SSLClientSocket::ClearSessionCache();
}
private:
scoped_refptr<base::SequencedWorkerPool> worker_pool_;
scoped_refptr<base::SequencedTaskRunner> nss_thread_task_runner_;
};
static base::LazyInstance<DefaultClientSocketFactory>::Leaky
g_default_client_socket_factory = LAZY_INSTANCE_INITIALIZER;
} // namespace
// Deprecated function (http://crbug.com/37810) that takes a StreamSocket.
SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket(
StreamSocket* transport_socket,
const HostPortPair& host_and_port,
const SSLConfig& ssl_config,
const SSLClientSocketContext& context) {
ClientSocketHandle* socket_handle = new ClientSocketHandle();
socket_handle->set_socket(transport_socket);
return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config,
context);
}
// static
ClientSocketFactory* ClientSocketFactory::GetDefaultFactory() {
return g_default_client_socket_factory.Pointer();
}
// static
void ClientSocketFactory::UseSystemSSL() {
g_use_system_ssl = true;
#if defined(OS_WIN)
// Reflect the capability of SSLClientSocketWin.
SSLConfigService::SetDefaultVersionMax(SSL_PROTOCOL_VERSION_TLS1);
#elif defined(OS_MACOSX) && !defined(OS_IOS)
// Reflect the capability of SSLClientSocketMac.
SSLConfigService::SetDefaultVersionMax(SSL_PROTOCOL_VERSION_TLS1);
#endif
}
} // namespace net