Correctly handle SSL Client Authentication requests when connecting...

net/socket/ssl_client_socket_mac.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_mac.h"
 
 #include <CoreServices/CoreServices.h>
 #include <netdb.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 
 #include "base/mac/scoped_cftyperef.h"
 #include "base/singleton.h"
 #include "base/string_util.h"
 #include "net/base/address_list.h"
 #include "net/base/cert_verifier.h"
+#include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/ssl_cert_request_info.h"
 #include "net/base/ssl_connection_status_flags.h"
 #include "net/base/ssl_info.h"
 #include "net/socket/client_socket_handle.h"
 
 // Welcome to Mac SSL. We've been waiting for you.
 //
@@ skipping 466 matching lines @@
       ciphers_.push_back(supported_ciphers[i]);
   }
 }
 
 }  // namespace
 
 //-----------------------------------------------------------------------------
 
 SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket,
                                        const std::string& hostname,
+                                       uint16 port,
                                        const SSLConfig& ssl_config)
     : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete),
       transport_read_callback_(this,
                                &SSLClientSocketMac::OnTransportReadComplete),
       transport_write_callback_(this,
                                 &SSLClientSocketMac::OnTransportWriteComplete),
       transport_(transport_socket),
       hostname_(hostname),
+      port_(port),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_write_callback_(NULL),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       next_handshake_state_(STATE_NONE),
       renegotiating_(false),
       client_cert_requested_(false),
       ssl_context_(NULL),
@@ skipping 192 matching lines @@
       CertPrincipal p;
       if (p.ParseDistinguishedName(CFDataGetBytePtr(issuer),
                                    CFDataGetLength(issuer))) {
         valid_issuers.push_back(p);
       }
     }
     CFRelease(valid_issuer_names);
   }
 
   // Now get the available client certs whose issuers are allowed by the server.
-  cert_request_info->host_and_port = hostname_;
+  cert_request_info->host_and_port = HostPortPair(hostname_, port_).ToString();
   cert_request_info->client_certs.clear();
   X509Certificate::GetSSLClientCertificates(hostname_,

[wtc, 2010/11/11 01:11:35]

Please add a TODO comment to note that we should consider
passing a host-port pair as the first argument to
X509Certificate::GetSSLClientCertificates.

[Ryan Hamilton, 2010/11/11 18:57:00]

Done.

                                             valid_issuers,
                                             &cert_request_info->client_certs);
   VLOG(1) << "Asking user to choose between "
           << cert_request_info->client_certs.size() << " client certs...";
 }
 
 SSLClientSocket::NextProtoStatus
 SSLClientSocketMac::GetNextProto(std::string* proto) {
   proto->clear();
   return kNextProtoUnsupported;
@@ skipping 63 matching lines @@
   // Concatenate the hostname and peer address to use as the peer ID. To
   // resume a session, we must connect to the same server on the same port
   // using the same hostname (i.e., localhost and 127.0.0.1 are considered
   // different peers, which puts us through certificate validation again
   // and catches hostname/certificate name mismatches.
   AddressList address;
   int rv = transport_->socket()->GetPeerAddress(&address);
   if (rv != OK)
     return rv;
   const struct addrinfo* ai = address.head();
   std::string peer_id(hostname_);

[wtc, 2010/11/11 01:11:35]

IMPORTANT: we should include 'port_' in peer_id.  See
http://developer.apple.com/library/mac/documentation/Security/Reference/secur...

If you don't have time to do this, just add a TODO comment.

[Ryan Hamilton, 2010/11/11 18:57:00]

Appending port_ into peer_id is pretty trivial, but do I need to do anything to
change consumers of peer id?  I didn't see calls to SSLGetPeerID in net/...

[wtc, 2010/11/12 00:12:55]

No, you don't need to change the consumers of peer id.
The only consumer of peer id is the SSL library (Apple's
Secure Transport library), which treats peer id as an
opaque blob, and the only thing it does with peer ids is
to compare them for equality.

   peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr),
                          ai->ai_addrlen);
 
   // SSLSetPeerID() treats peer_id as a binary blob, and makes its
   // own copy.
   status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length());
   if (status)
     return NetErrorFromOSStatus(status);
 
   return OK;
@@ skipping 453 matching lines @@
   if (rv < 0 && rv != ERR_IO_PENDING) {
     us->write_io_buf_ = NULL;
     return OSStatusFromNetError(rv);
   }
 
   // always lie to our caller
   return noErr;
 }
 
 }  // namespace net