bug 806992 EV initialization blocks the first certificate verification thread for a long time r=bsmith r=honzab

2024-09-13 09:24:08 -07:00 · 2012-11-22 15:57:59 -05:00 · 2012-11-22 15:57:59 -05:00 · 3d5a1836dc
commit 3d5a1836dc
parent 3b2659e71b
3 changed files with 54 additions and 0 deletions
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -102,6 +102,7 @@
 #include "nsNSSCleaner.h"
 #include "nsRecentBadCerts.h"
 #include "nsNSSIOLayer.h"
+#include "nsNSSShutDown.h"

 #include "mozilla/Assertions.h"
 #include "nsIThreadPool.h"
@ -1219,6 +1220,50 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
  return SECFailure;
 }

+class InitializeIdentityInfo : public nsRunnable
+                             , public nsNSSShutDownObject
+{
+private:
+  NS_IMETHOD Run()
+  {
+    nsNSSShutDownPreventionLock nssShutdownPrevention;
+    if (isAlreadyShutDown())
+      return NS_OK;
+
+    nsresult rv;
+    nsCOMPtr<nsINSSComponent> inss = do_GetService(PSM_COMPONENT_CONTRACTID, &rv);
+    if (NS_SUCCEEDED(rv))
+      inss->EnsureIdentityInfoLoaded();
+    return NS_OK;
+  }
+
+  virtual void virtualDestroyNSSReference()
+  {
+  }
+
+  ~InitializeIdentityInfo()
+  {
+    nsNSSShutDownPreventionLock nssShutdownPrevention;
+    if (!isAlreadyShutDown())
+      shutdown(calledFromObject);
+  }
+};
+
+void EnsureServerVerificationInitialized()
+{
+  // Should only be called from socket transport thread due to the static
+  // variable and the reference to gCertVerificationThreadPool
+
+  static bool triggeredCertVerifierInit = false;
+  if (triggeredCertVerifierInit)
+    return;
+  triggeredCertVerifierInit = true;
+
+  RefPtr<InitializeIdentityInfo> initJob = new InitializeIdentityInfo();
+  if (gCertVerificationThreadPool)
+    gCertVerificationThreadPool->Dispatch(initJob, NS_DISPATCH_NORMAL);
+}
+
 SSLServerCertVerificationResult::SSLServerCertVerificationResult(
        TransportSecurityInfo * infoObject, PRErrorCode errorCode,
        SSLErrorMessageType errorMessageType)
--- a/security/manager/ssl/src/SSLServerCertVerification.h
+++ b/security/manager/ssl/src/SSLServerCertVerification.h
@ -14,6 +14,10 @@ namespace mozilla { namespace psm {
 SECStatus AuthCertificateHook(void *arg, PRFileDesc *fd, 
                              PRBool checkSig, PRBool isServer);

+// EnsureServerVerificationInitialized() posts an event to a cert
+// verification thread to run nsINSSComponent::EnsureIdentityInfoLoaded()
+// exactly once. It must be called from socket thread.
+void EnsureServerVerificationInitialized();
 } } // namespace mozilla::psm

 #endif
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@ -2362,6 +2362,11 @@ nsSSLIOLayerImportFD(PRFileDesc *fd,
    NS_NOTREACHED("SSL_SetURL failed");
    goto loser;
  }
+
+  // This is an optimization to make sure the identity info dataset is parsed
+  // and loaded on a separate thread and can be overlapped with network latency.
+  EnsureServerVerificationInitialized();
+
  return sslSock;
 loser:
  if (sslSock) {