Defines SSLServerSocket and implements SSLServerSocketNSS

net/socket/ssl_server_socket_nss.h

+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SOCKET_SSL_SERVER_SOCKET_NSS_H_
+#define NET_SOCKET_SSL_SERVER_SOCKET_NSS_H_
+#pragma once
+
+#include <certt.h>
+#include <keyt.h>
+#include <nspr.h>
+#include <nss.h>
+
+#include "base/scoped_ptr.h"
+#include "net/base/completion_callback.h"
+#include "net/base/host_port_pair.h"
+#include "net/base/net_log.h"
+#include "net/base/nss_memio.h"
+#include "net/base/ssl_config_service.h"
+#include "net/socket/ssl_server_socket.h"
+
+namespace base {
+class RSAPrivateKey;
+}  // namespace base
+
+namespace net {
+
+class IOBuffer;
+class X509Certificate;

[wtc, 2010/12/17 00:16:26]

I believe most of the header inclusions and forward
declarations can be removed because
"net/socket/ssl_server_socket.h" already takes care of them.

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+
+class SSLServerSocketNSS : public SSLServerSocket {
+ public:
+  // This object takes ownership of the parameters given in the constructor.

[wtc, 2010/12/17 00:16:26]

This is not true for |key|; this object copies |key|.

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+  // |socket| is already connected.
+  // |cert| is the certificate to be used by the server.
+  // |key| is the private key used by the server.
+  SSLServerSocketNSS(Socket* socket,

[wtc, 2010/12/17 00:16:26]

The constructor should take a "const SSLConfig& ssl_config"
parameter.

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+                     scoped_refptr<X509Certificate> cert,
+                     base::RSAPrivateKey* key);
+  virtual ~SSLServerSocketNSS() {}
+
+  // SSLServerSocket implementation.
+  virtual int Accept(CompletionCallback* callback);
+  virtual int Read(IOBuffer* buf, int buf_len,
+                   CompletionCallback* callback);
+  virtual int Write(IOBuffer* buf, int buf_len,
+                    CompletionCallback* callback);
+  virtual bool SetReceiveBufferSize(int32 size) { return false; }
+  virtual bool SetSendBufferSize(int32 size) { return false; }
+
+ private:
+  virtual int Init();
+
+  int InitializeSSLOptions();
+
+  void OnSendComplete(int result);
+  void OnRecvComplete(int result);
+  void OnHandshakeIOComplete(int result);
+
+  int BufferSend();
+  void BufferSendComplete(int result);
+  int BufferRecv();
+  void BufferRecvComplete(int result);
+  bool DoTransportIO();
+  int DoPayloadWrite();
+  int DoPayloadRead();
+
+  int DoHandshakeLoop(int last_io_result);
+  int DoReadLoop(int result);
+  int DoWriteLoop(int result);
+  int DoHandshake();
+  void DoAcceptCallback(int result);
+  void DoReadCallback(int result);
+  void DoWriteCallback(int result);
+
+  static SECStatus OwnAuthCertHandler(void* arg,

[wtc, 2010/12/17 00:16:26]

OwnAuthCertHandler is needed only if your server will verify
client certificates.

[Alpha Left Google, 2010/12/17 08:30:43]

Leaving this as a TODO in .cc because in the future we do want to verify client
certificate.

+                               PRFileDesc* socket,
+                               PRBool checksig,
+                               PRBool is_server);
+  static SECStatus PlatformClientAuthHandler(

[wtc, 2010/12/17 00:16:26]

Remove PlatformClientAuthHandler and ClientAuthHandler.

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+    void* arg,
+    PRFileDesc* socket,
+    CERTDistNames* ca_names,
+    CERTCertList** result_certs,
+    void** result_private_key);
+  static SECStatus ClientAuthHandler(
+      void* arg,
+      PRFileDesc* socket,
+      CERTDistNames* ca_names,
+      CERTCertificate** result_certificate,
+      SECKEYPrivateKey** result_private_key);
+  static void HandshakeCallback(PRFileDesc* socket, void* arg);
+
+  // Members used to send and receive buffer.
+  CompletionCallbackImpl<SSLServerSocketNSS> buffer_send_callback_;
+  CompletionCallbackImpl<SSLServerSocketNSS> buffer_recv_callback_;
+  bool transport_send_busy_;
+  bool transport_recv_busy_;
+
+  scoped_refptr<IOBuffer> recv_buffer_;
+
+  BoundNetLog net_log_;
+
+  // Configuration for the SSL server.
+  SSLConfig ssl_config_;
+
+  CompletionCallback* user_accept_callback_;
+  CompletionCallback* user_read_callback_;
+  CompletionCallback* user_write_callback_;
+
+  // Used by Read function.
+  scoped_refptr<IOBuffer> user_read_buf_;
+  int user_read_buf_len_;
+
+  // Used by Write function.
+  scoped_refptr<IOBuffer> user_write_buf_;
+  int user_write_buf_len_;
+
+  // The NSS SSL state machine
+  PRFileDesc* nss_fd_;
+
+  // Buffers for the network end of the SSL state machine
+  memio_Private* nss_bufs_;
+
+  // Socket for sending and receiving data.
+  scoped_ptr<Socket> socket_;

[wtc, 2010/12/17 00:16:26]

Please name this member transport_ or transport_socket_.

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+
+  // Certificate for the server.
+  scoped_refptr<X509Certificate> cert_;
+
+  // Private key used by the server for encryption.

[wtc, 2010/12/17 00:16:26]

Nit: delete "for encryption".  (It's used for key exchange.)

[Alpha Left Google, 2010/12/17 08:30:43]

Done.

+  scoped_ptr<base::RSAPrivateKey> key_;
+
+  enum State {

[wtc, 2010/12/17 00:16:26]

If there is only one state, I wonder if we still need a state
machine...

[Alpha Left Google, 2010/12/17 08:30:43]

Trying to keep this similar to the client code, makes it easier to share code
between them.

+    STATE_NONE,
+    STATE_HANDSHAKE,
+  };
+  State next_handshake_state_;
+  bool completed_handshake_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLServerSocketNSS);
+};
+
+}  // namespace net
+
+#endif  // NET_SOCKET_SSL_SERVER_SOCKET_NSS_H_