Correctly handle SSL Client Authentication requests when connecting...

net/http/http_network_transaction.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include <set>
 #include <vector>
 
 #include "base/compiler_specific.h"
@@ skipping 154 matching lines @@
     X509Certificate* client_cert,
     CompletionCallback* callback) {
   // In HandleCertificateRequest(), we always tear down existing stream
   // requests to force a new connection.  So we shouldn't have one here.
   DCHECK(!stream_request_.get());
   DCHECK(!stream_.get());
   DCHECK_EQ(STATE_NONE, next_state_);
 
   ssl_config_.client_cert = client_cert;
   if (client_cert) {
-    session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url),
-                                           client_cert);
+    session_->ssl_client_auth_cache()->Add(

[wtc, 2010/11/11 01:11:35]

Please DCHECK that response_.cert_request_info->host_and_port
and GetHostAndPort(request_->url) are equal.  Also at line
982 below.

[Ryan Hamilton, 2010/11/11 18:57:00]

I don't think this would be correct.  In the case of an HTTPS proxy, the
response_.cert_request_info->host_and_port would match the host and port of the
proxy, not of the request url.   I could DCHECK that it is either of those two
conditions though?

[wtc, 2010/11/12 00:12:55]

I see.  No need to add any DCHECK then.

+        response_.cert_request_info->host_and_port, client_cert);
   }
   ssl_config_.send_client_cert = true;
   // Reset the other member variables.
   // Note: this is necessary only with SSL renegotiation.
   ResetStateForRestart();
   next_state_ = STATE_CREATE_STREAM;
   int rv = DoLoop(OK);
   if (rv == ERR_IO_PENDING)
     user_callback_ = callback;
   return rv;
@@ skipping 785 matching lines @@
     stream_->Close(true);
     stream_.reset();
   }
 
   // The server is asking for a client certificate during the initial
   // handshake.
   stream_request_.reset();
 
   // If the user selected one of the certificate in client_certs for this
   // server before, use it automatically.
-  X509Certificate* client_cert = session_->ssl_client_auth_cache()->
-                                 Lookup(GetHostAndPort(request_->url));
+  X509Certificate* client_cert = session_->ssl_client_auth_cache()->Lookup(
+      response_.cert_request_info->host_and_port);
   if (client_cert) {
     const std::vector<scoped_refptr<X509Certificate> >& client_certs =
         response_.cert_request_info->client_certs;
     for (size_t i = 0; i < client_certs.size(); ++i) {
       if (client_cert->fingerprint().Equals(client_certs[i]->fingerprint())) {
         // TODO(davidben): Add a unit test which covers this path; we need to be
         // able to send a legitimate certificate and also bypass/clear the
         // SSL session cache.
         ssl_config_.client_cert = client_cert;
         ssl_config_.send_client_cert = true;
@@ skipping 172 matching lines @@
     default:
       return priority;
   }
 }
 
 
 
 #undef STATE_CASE
 
 }  // namespace net