Correctly handle SSL Client Authentication requests when connecting...

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
===================================================================
--- net/socket/ssl_client_socket_nss.cc	(revision 65819)
+++ net/socket/ssl_client_socket_nss.cc	(working copy)
@@ -396,7 +396,7 @@
 }  // namespace
 
 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
-                                       const std::string& hostname,
+                                       const HostPortPair& host_and_port,
                                        const SSLConfig& ssl_config,
                                        SSLHostInfo* ssl_host_info,
                                        DnsRRResolver* dnsrr_resolver)
@@ -410,7 +410,7 @@
       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
           this, &SSLClientSocketNSS::OnHandshakeIOComplete)),
       transport_(transport_socket),
-      hostname_(hostname),
+      host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
@@ -479,7 +479,8 @@
   }
   net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START,
                     new NetLogIntegerParameter("type", snap_start_type));
-  LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;
+  LOG(ERROR) << "Snap Start: " << snap_start_type << " "
+             << host_and_port_.host();
   if (snap_start_type == SSL_SNAP_START_FULL ||
       snap_start_type == SSL_SNAP_START_RESUME) {
     // If we did a successful Snap Start then our information was correct and
@@ -518,7 +519,7 @@
           certs[i]->derCert.len));
   }
 
-  LOG(ERROR) << "Setting Snap Start info " << hostname_;
+  LOG(ERROR) << "Setting Snap Start info " << host_and_port_.host();

[eroman, 2010/11/12 01:12:56]

nit: would it make sense to use the ToString() instead and show the port? (ditto
to other instance in this file).

[Ryan Hamilton, 2010/11/12 16:47:26]

Done.  (Just the logging, not the various method calls)

   ssl_host_info_->Persist();
 }
 
@@ -741,7 +742,8 @@
   rv = SSL_OptionSet(
       nss_fd_, SSL_ENABLE_FALSE_START,
       ssl_config_.false_start_enabled &&
-      !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_));
+      !SSLConfigService::IsKnownFalseStartIncompatibleServer(
+          host_and_port_.host()));
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 #endif
@@ -758,7 +760,7 @@
 #ifdef SSL_ENABLE_RENEGOTIATION
   // Deliberately disable this check for now: http://crbug.com/55410
   if (false &&
-      SSLConfigService::IsKnownStrictTLSServer(hostname_) &&
+      SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) &&
       !ssl_config_.mitm_proxies_allowed) {
     rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
     if (rv != SECSuccess) {
@@ -823,7 +825,7 @@
   }
 
   // Tell SSL the hostname we're trying to connect to.
-  SSL_SetURL(nss_fd_, hostname_.c_str());
+  SSL_SetURL(nss_fd_, host_and_port_.host().c_str());
 
   // Tell SSL we're a client; needed if not letting NSPR do socket I/O
   SSL_ResetHandshake(nss_fd_, 0);
@@ -858,10 +860,7 @@
   // Set the peer ID for session reuse.  This is necessary when we create an
   // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
   // rather than the destination server's address in that case.
-  // TODO(wtc): port in |peer_address| is not the server's port when a proxy is
-  // used.
-  std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(),
-                                           peer_address.GetPort());
+  std::string peer_id = host_and_port_.ToString();
   SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
@@ -1140,7 +1139,7 @@
       ssl_connection_status_ |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
       // Log an informational message if the server does not support secure
       // renegotiation (RFC 5746).
-      VLOG(1) << "The server " << hostname_
+      VLOG(1) << "The server " << host_and_port_.host()

[eroman, 2010/11/12 01:12:56]

ditto on port.

[Ryan Hamilton, 2010/11/12 16:47:26]

Done.

               << " does not support the TLS renegotiation_info extension.";
     }
     UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
@@ -1184,7 +1183,7 @@
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
-  cert_request_info->host_and_port = hostname_;  // TODO(wtc): no port!
+  cert_request_info->host_and_port = host_and_port_.ToString();

[eroman, 2010/11/12 01:12:56]

It may make sense in the future for cert_request_info to simply be a
HostPortPair.

[Ryan Hamilton, 2010/11/12 16:47:26]

agreed.  added a todo.

   cert_request_info->client_certs = client_certs_;
   LeaveFunction(cert_request_info->client_certs.size());
 }
@@ -2158,7 +2157,8 @@
         // prepared for switching the protocol like that so we make up an error
         // and rely on the fact that the request will be retried.
         if (IsNPNProtocolMispredicted()) {
-          LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_;
+          LOG(WARNING) << "Mispredicted NPN protocol for "
+                       << host_and_port_.host();
           net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION;
         } else {
           // Let's verify the certificate.
@@ -2347,16 +2347,9 @@
 }
 
 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
-#if !defined(USE_OPENSSL)
-  if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) {
-    PeerCertificateChain certs(nss_fd_);
-    DoAsyncDNSCertProvenanceVerification(
-        hostname_, dnsrr_resolver_, certs.AsStringPieceVector());
-  }
-#endif
-
   if (ssl_config_.dnssec_enabled) {
-    DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);
+    DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
+                                             server_cert_nss_);
     if (r == DNSVR_SUCCESS) {
       local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
       server_cert_verify_result_ = &local_server_cert_verify_result_;
@@ -2452,7 +2445,7 @@
     flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
   server_cert_verify_result_ = &local_server_cert_verify_result_;
-  return verifier_->Verify(server_cert_, hostname_, flags,
+  return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
                            &local_server_cert_verify_result_,
                            &handshake_io_callback_);
 }