Our HTTP client callback functions for NSS must set an NSS/NSPR error...

net/ocsp/nss_ocsp.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ocsp/nss_ocsp.h"
 
 #include <certt.h>
 #include <certdb.h>
 #include <ocsp.h>
 #include <nspr.h>
@@ skipping 79 matching lines @@
     return request_context_;
   }
 
  private:
   friend struct DefaultSingletonTraits<OCSPInitSingleton>;
 
   OCSPInitSingleton()
       : io_loop_(MessageLoopForIO::current()) {
     DCHECK(io_loop_);
     io_loop_->AddDestructionObserver(this);
+
+    // NSS calls the functions in the function table to download certificates
+    // or CRLs or talk to OCSP responders over HTTP.  These functions must
+    // set an NSS/NSPR error code when they fail.  Otherwise NSS will get the
+    // residual error code from an earlier failed function call.
     client_fcn_.version = 1;
     SEC_HttpClientFcnV1Struct *ft = &client_fcn_.fcnTable.ftable1;
     ft->createSessionFcn = OCSPCreateSession;
     ft->keepAliveSessionFcn = OCSPKeepAliveSession;
     ft->freeSessionFcn = OCSPFreeSession;
     ft->createFcn = OCSPCreate;
     ft->setPostDataFcn = OCSPSetPostData;
     ft->addHeaderFcn = OCSPAddHeader;
     ft->trySendAndReceiveFcn = OCSPTrySendAndReceive;
     ft->cancelFcn = NULL;
@@ skipping 304 matching lines @@
       : host_(host), port_(port) {}
   ~OCSPServerSession() {}
 
   OCSPRequestSession* CreateRequest(const char* http_protocol_variant,
                                     const char* path_and_query_string,
                                     const char* http_request_method,
                                     const PRIntervalTime timeout) {
     // We dont' support "https" because we haven't thought about
     // whether it's safe to re-enter this code from talking to an OCSP
     // responder over SSL.
-    if (strcmp(http_protocol_variant, "http") != 0)
+    if (strcmp(http_protocol_variant, "http") != 0) {
+      PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
       return NULL;
+    }
 
     // TODO(ukai): If |host| is an IPv6 literal, we need to quote it with
     //  square brackets [].
     std::string url_string(StringPrintf("%s://%s:%d%s",
                                         http_protocol_variant,
                                         host_.c_str(),
                                         port_,
                                         path_and_query_string));
     LOG(INFO) << "URL [" << url_string << "]";
     GURL url(url_string);
@@ skipping 12 matching lines @@
 
 
 // OCSP Http Client functions.
 // Our Http Client functions operate in blocking mode.
 SECStatus OCSPCreateSession(const char* host, PRUint16 portnum,
                             SEC_HTTP_SERVER_SESSION* pSession) {
   LOG(INFO) << "OCSP create session: host=" << host << " port=" << portnum;
   DCHECK(!MessageLoop::current());
   if (OCSPInitSingleton::url_request_context() == NULL) {
     LOG(ERROR) << "No URLRequestContext for OCSP handler.";
+    // The application failed to call SetURLRequestContextForOCSP, so we
+    // can't create and use URLRequest.  PR_NOT_IMPLEMENTED_ERROR is not an
+    // accurate error code for this error condition, but is close enough.
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
   }
   *pSession = new OCSPServerSession(host, portnum);
   return SECSuccess;
 }
 
 SECStatus OCSPKeepAliveSession(SEC_HTTP_SERVER_SESSION session,
                                PRPollDesc **pPollDesc) {
   LOG(INFO) << "OCSP keep alive";
   DCHECK(!MessageLoop::current());
@@ skipping 57 matching lines @@
   OCSPRequestSession* req = reinterpret_cast<OCSPRequestSession*>(request);
 
   req->AddHeader(http_header_name, http_header_value);
   return SECSuccess;
 }
 
 // Sets response of |req| in the output parameters.
 // It is helper routine for OCSP trySendAndReceiveFcn.
 // |http_response_data_len| could be used as input parameter.  If it has
 // non-zero value, it is considered as maximum size of |http_response_data|.
-bool OCSPSetResponse(OCSPRequestSession* req,
-                     PRUint16* http_response_code,
-                     const char** http_response_content_type,
-                     const char** http_response_headers,
-                     const char** http_response_data,
-                     PRUint32* http_response_data_len) {
+SECStatus OCSPSetResponse(OCSPRequestSession* req,
+                          PRUint16* http_response_code,
+                          const char** http_response_content_type,
+                          const char** http_response_headers,
+                          const char** http_response_data,
+                          PRUint32* http_response_data_len) {
   DCHECK(req->Finished());
   const std::string& data = req->http_response_data();
   if (http_response_data_len && *http_response_data_len) {
     if (*http_response_data_len < data.size()) {
-      LOG(ERROR) << "data size too large: " << *http_response_data_len
+      LOG(ERROR) << "response body too large: " << *http_response_data_len
                  << " < " << data.size();
       *http_response_data_len = data.size();
-      return false;
+      PORT_SetError(SEC_ERROR_BAD_HTTP_RESPONSE);
+      return SECFailure;
     }
   }
   LOG(INFO) << "OCSP response "
             << " response_code=" << req->http_response_code()
             << " content_type=" << req->http_response_content_type()
             << " header=" << req->http_response_headers()
             << " data_len=" << data.size();
   if (http_response_code)
     *http_response_code = req->http_response_code();
   if (http_response_content_type)
     *http_response_content_type = req->http_response_content_type().c_str();
   if (http_response_headers)
     *http_response_headers = req->http_response_headers().c_str();
   if (http_response_data)
     *http_response_data = data.data();
   if (http_response_data_len)
     *http_response_data_len = data.size();
-  return true;
+  return SECSuccess;
 }
 
 SECStatus OCSPTrySendAndReceive(SEC_HTTP_REQUEST_SESSION request,
                                 PRPollDesc** pPollDesc,
                                 PRUint16* http_response_code,
                                 const char** http_response_content_type,
                                 const char** http_response_headers,
                                 const char** http_response_data,
                                 PRUint32* http_response_data_len) {
   LOG(INFO) << "OCSP try send and receive";
@@ skipping 15 matching lines @@
 
   // If the response code is -1, the request failed and there is no response.
   if (req->http_response_code() == static_cast<PRUint16>(-1))
     goto failed;
 
   return OCSPSetResponse(
       req, http_response_code,
       http_response_content_type,
       http_response_headers,
       http_response_data,
-      http_response_data_len) ? SECSuccess : SECFailure;
+      http_response_data_len);
 
  failed:
   if (http_response_data_len) {
     // We must always set an output value, even on failure.  The output value 0
     // means the failure was unrelated to the acceptable response data length.
     *http_response_data_len = 0;
   }
+  PORT_SetError(SEC_ERROR_BAD_HTTP_RESPONSE);  // Simple approximation.
   return SECFailure;
 }
 
 SECStatus OCSPFree(SEC_HTTP_REQUEST_SESSION request) {
   LOG(INFO) << "OCSP free";
   DCHECK(!MessageLoop::current());
   OCSPRequestSession* req = reinterpret_cast<OCSPRequestSession*>(request);
   req->Cancel();
   req->Release();
   return SECSuccess;
@@ skipping 10 matching lines @@
 // This function would be called before NSS initialization.
 void SetURLRequestContextForOCSP(URLRequestContext* request_context) {
   OCSPInitSingleton::set_url_request_context(request_context);
 }
 
 URLRequestContext* GetURLRequestContextForOCSP() {
   return OCSPInitSingleton::url_request_context();
 }
 
 }  // namespace net