Correctly handle SSL Client Authentication requests when connecting...

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 #include <map>
 
 #include "base/compiler_specific.h"
 #include "base/lock.h"
 #include "base/singleton.h"
 #include "base/stl_util-inl.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/connection_type_histograms.h"
+#include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_log.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_cert_request_info.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
 #include "net/socket/client_socket_handle.h"
 
 #pragma comment(lib, "secur32.lib")
 
@@ skipping 336 matching lines @@
 //
 // Ciphertext is decrypted one SSL record at a time, so recv_buffer_ needs to
 // have room for a full SSL record, with the header and trailer.  Here is the
 // breakdown of the size:
 //   5: SSL record header
 //   16K: SSL record maximum size
 //   64: >= SSL record trailer (16 or 20 have been observed)
 static const int kRecvBufferSize = (5 + 16*1024 + 64);
 
 SSLClientSocketWin::SSLClientSocketWin(ClientSocketHandle* transport_socket,
-                                       const std::string& hostname,
+                                       const HostPortPair& host_and_port,
                                        const SSLConfig& ssl_config)
     : ALLOW_THIS_IN_INITIALIZER_LIST(
         handshake_io_callback_(this,
                                &SSLClientSocketWin::OnHandshakeIOComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(
         read_callback_(this, &SSLClientSocketWin::OnReadComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(
         write_callback_(this, &SSLClientSocketWin::OnWriteComplete)),
       transport_(transport_socket),
-      hostname_(hostname),
+      host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_read_buf_len_(0),
       user_write_callback_(NULL),
       user_write_buf_len_(0),
       next_state_(STATE_NONE),
       creds_(NULL),
       isc_status_(SEC_E_OK),
       payload_send_buffer_len_(0),
@@ skipping 51 matching lines @@
     // SChannel doesn't support TLS compression, so cipher_info doesn't have
     // any field related to the compression method.
   }
 
   if (ssl_config_.ssl3_fallback)
     ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
 }
 
 void SSLClientSocketWin::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
-  cert_request_info->host_and_port = hostname_;  // TODO(wtc): no port!
+  cert_request_info->host_and_port = host_and_port_.ToString();
   cert_request_info->client_certs.clear();
 
   // Get the certificate_authorities field of the CertificateRequest message.
   // Schannel doesn't return the certificate_types field of the
   // CertificateRequest message to us, so we can't filter the client
   // certificates properly. :-(
   SecPkgContext_IssuerListInfoEx issuer_list;
   SECURITY_STATUS status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_ISSUER_LIST_EX, &issuer_list);
   if (status != SEC_E_OK) {
@@ skipping 127 matching lines @@
   buffer_desc.cBuffers = 1;
   buffer_desc.pBuffers = &send_buffer_;
   buffer_desc.ulVersion = SECBUFFER_VERSION;
 
   TimeStamp expiry;
   SECURITY_STATUS status;
 
   status = InitializeSecurityContext(
       creds_,
       NULL,  // NULL on the first call
-      const_cast<wchar_t*>(ASCIIToWide(hostname_).c_str()),
+      const_cast<wchar_t*>(ASCIIToWide(host_and_port_.host()).c_str()),
       flags,
       0,  // Reserved
       0,  // Not used with Schannel.
       NULL,  // NULL on the first call
       0,  // Reserved
       &ctxt_,  // Receives the new context handle
       &buffer_desc,
       &out_flags,
       &expiry);
   if (status != SEC_I_CONTINUE_NEEDED) {
@@ skipping 501 matching lines @@
   next_state_ = STATE_VERIFY_CERT_COMPLETE;
 
   DCHECK(server_cert_);
 
   int flags = 0;
   if (ssl_config_.rev_checking_enabled)
     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
   if (ssl_config_.verify_ev_cert)
     flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
-  return verifier_->Verify(server_cert_, hostname_, flags,
+  return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
                            &server_cert_verify_result_,
                            &handshake_io_callback_);
 }
 
 int SSLClientSocketWin::DoVerifyCertComplete(int result) {
   DCHECK(verifier_.get());
   verifier_.reset();
 
   // If we have been explicitly told to accept this certificate, override the
   // result of verifier_.Verify.
@@ skipping 372 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net