Correctly handle SSL Client Authentication requests when connecting...

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 400 matching lines @@
 
  private:
   unsigned num_certs_;
   CERTCertificate** certs_;
 };
 
 }  // namespace
 
 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
                                        const std::string& hostname,
+                                       uint16 port,
                                        const SSLConfig& ssl_config,
                                        SSLHostInfo* ssl_host_info,
                                        DnsRRResolver* dnsrr_resolver)
     : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
           this, &SSLClientSocketNSS::BufferSendComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
           this, &SSLClientSocketNSS::BufferRecvComplete)),
       transport_send_busy_(false),
       transport_recv_busy_(false),
       corked_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
           this, &SSLClientSocketNSS::OnHandshakeIOComplete)),
       transport_(transport_socket),
       hostname_(hostname),
+      port_(port),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_write_callback_(NULL),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       server_cert_verify_result_(NULL),
       ssl_connection_status_(0),
       client_auth_cert_needed_(false),
@@ skipping 419 matching lines @@
   // structure has a one-byte length and one-byte address family
   // field at the beginning.  PRNetAddr has a two-byte address
   // family field at the beginning.
   peername.raw.family = ai->ai_addr->sa_family;
 
   memio_SetPeerName(nss_fd_, &peername);
 
   // Set the peer ID for session reuse.  This is necessary when we create an
   // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
   // rather than the destination server's address in that case.
   // TODO(wtc): port in |peer_address| is not the server's port when a proxy is

[wtc, 2010/11/11 01:11:35]

Please fix this TODO by replacing the base::StringPrintf call
on line 878 with HostPortPair(hostname_, port_).ToString().

[Ryan Hamilton, 2010/11/11 18:57:00]

Done.

   // used.
   std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(),
                                            peer_address.GetPort());
   SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
 
   peername_initialized_ = true;
   return OK;
 }
@@ skipping 308 matching lines @@
     ssl_info->security_bits = -1;
     LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()
                 << " for cipherSuite " << cipher_suite;
   }
   LeaveFunction("");
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
-  cert_request_info->host_and_port = hostname_;  // TODO(wtc): no port!
+  cert_request_info->host_and_port = HostPortPair(hostname_, port_).ToString();
   cert_request_info->client_certs = client_certs_;
   LeaveFunction(cert_request_info->client_certs.size());
 }
 
 SSLClientSocket::NextProtoStatus
 SSLClientSocketNSS::GetNextProto(std::string* proto) {
 #if defined(SSL_NEXT_PROTO_NEGOTIATED)
   if (!handshake_callback_called_) {
     DCHECK(pseudo_connected_);
     predicted_npn_proto_used_ = true;
@@ skipping 1094 matching lines @@
   if (verifier.rrtype() != kDNS_TXT)
     return DNSVR_CONTINUE;
 
   DNSValidationResult r = VerifyTXTRecords(
       true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas());
   SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE);
   return r;
 }
 
 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
 #if !defined(USE_OPENSSL)

[wtc, 2010/11/11 01:11:35]

I think we should remove this ifdef.  By definition, if
we use SSLClientSocketNSS, we are not using OpenSSL.

[Ryan Hamilton, 2010/11/11 18:57:00]

Done.

   if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) {
     PeerCertificateChain certs(nss_fd_);
     DoAsyncDNSCertProvenanceVerification(
         hostname_, dnsrr_resolver_, certs.AsStringPieceVector());
   }
 #endif
 
   if (ssl_config_.dnssec_enabled) {
     DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);
     if (r == DNSVR_SUCCESS) {
@@ skipping 247 matching lines @@
     case SSL_CONNECTION_VERSION_TLS1_1:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
       break;
     case SSL_CONNECTION_VERSION_TLS1_2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
       break;
   };
 }
 
 }  // namespace net