Sign CertificateVerify messages on a background thread.

net/socket/ssl_client_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // OpenSSL binding for SSLClientSocket. The class layout and general principle
 // of operation is derived from SSLClientSocketNSS.
 
 #include "net/socket/ssl_client_socket_openssl.h"
 
 #include <errno.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/ssl.h>
 #include <string.h>
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/environment.h"
+#include "base/lazy_instance.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/profiler/scoped_tracker.h"
+#include "base/stl_util.h"
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
+#include "base/threading/sequenced_worker_pool.h"
 #include "base/threading/thread_local.h"
 #include "base/values.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_openssl_types.h"
 #include "net/base/ip_address_number.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_policy_enforcer.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_ev_whitelist.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/cert/x509_util_openssl.h"
 #include "net/http/transport_security_state.h"
 #include "net/ssl/scoped_openssl_types.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_client_session_cache_openssl.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_failure_state.h"
 #include "net/ssl/ssl_info.h"
+#include "net/ssl/ssl_private_key.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
 #endif
 
 #if defined(USE_OPENSSL_CERTS)
 #include "net/ssl/openssl_client_key_store.h"
 #else
-#include "net/ssl/openssl_platform_key.h"
+#include "net/ssl/ssl_platform_key.h"
 #endif
 
 namespace net {
 
 namespace {
 
 // Enable this to see logging for state machine state transitions.
 #if 0
 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \
                            " jump to state " << s; \
                            next_handshake_state_ = s; } while (0)
 #else
 #define GotoState(s) next_handshake_state_ = s
 #endif
 
 // This constant can be any non-negative/non-zero value (eg: it does not
 // overlap with any value of the net::Error range, including net::OK).
-const int kNoPendingReadResult = 1;
+const int kNoPendingResult = 1;
 
 // If a client doesn't have a list of protocols that it supports, but
 // the server supports NPN, choosing "http/1.1" is the best answer.
 const char kDefaultSupportedNPNProtocol[] = "http/1.1";
 
 // Default size of the internal BoringSSL buffers.
 const int KDefaultOpenSSLBufferSize = 17 * 1024;
 
 void FreeX509Stack(STACK_OF(X509)* ptr) {
   sk_X509_pop_free(ptr, X509_free);
@@ skipping 56 matching lines @@
     sk_X509_push(stack.get(), x509.release());
   }
   return stack.Pass();
 }
 
 int LogErrorCallback(const char* str, size_t len, void* context) {
   LOG(ERROR) << base::StringPiece(str, len);
   return 1;
 }
 
+bool EVP_MDToPrivateKeyHash(const EVP_MD* md, SSLPrivateKey::Hash* hash) {
+  switch (EVP_MD_type(md)) {
+    case NID_md5_sha1:
+      *hash = SSLPrivateKey::Hash::MD5_SHA1;
+      return true;
+    case NID_md5:
+      *hash = SSLPrivateKey::Hash::MD5;
+      return true;
+    case NID_sha1:
+      *hash = SSLPrivateKey::Hash::SHA1;
+      return true;
+    case NID_sha224:
+      *hash = SSLPrivateKey::Hash::SHA224;

[Ryan Sleevi, 2015/06/23 15:27:28]

There are no plans to ever support this, right? Pretty sure we agreed 224 was
crap that wasn't implemented and with no plans to implement (and aligns with
other platforms)

[davidben, 2015/06/24 21:43:12]

Oh hrm. Yes, you're right. In fact ssl_platform_key_win.cc is missing that hash
function. And I guess it didn't notice because we're not (yet) building clang on
Windows. Hrmf.

Pruned it down to match and added an explicit check since we're not going to get
any compile-time checks for it.

+      return true;
+    case NID_sha256:
+      *hash = SSLPrivateKey::Hash::SHA256;
+      return true;
+    case NID_sha384:
+      *hash = SSLPrivateKey::Hash::SHA384;
+      return true;
+    case NID_sha512:
+      *hash = SSLPrivateKey::Hash::SHA512;
+      return true;
+    default:
+      return false;
+  }
+}
+
+#if !defined(USE_OPENSSL_CERTS)
+class PlatformKeyTaskRunner {
+ public:
+  PlatformKeyTaskRunner() {
+    // Serialize all the private key operations on a single background
+    // thread to avoid problems with buggy smartcards.
+    worker_pool_ = new base::SequencedWorkerPool(1, "Platform Key Thread");
+    task_runner_ = worker_pool_->GetSequencedTaskRunnerWithShutdownBehavior(
+        worker_pool_->GetSequenceToken(),
+        base::SequencedWorkerPool::CONTINUE_ON_SHUTDOWN);
+  }
+
+  base::SequencedTaskRunner* task_runner() { return task_runner_.get(); }

[Ryan Sleevi, 2015/06/23 15:27:28]

DANGER: There's a slight 'danger' in this API shape because with other places,
the scoped_refptr<> backing the raw pointer could go out of scope in between the
full statements.

While it's obviously not the case here, in general, it's desirable to return it
using a scoped container. You can avoid any added AddRef costs by using .Pass()
with the thing this is passing to

(This is also why dcheng@ removed a lot of the "implicit" casts)

[davidben, 2015/06/24 21:43:12]

Pass() doesn't work unless we pass parameters in as plain scoped_refptr<T>
rather than const scoped_refptr<T>&. (Which I'm actually all for. I think const
scoped_refptr<T>& is kinda weird. Though I do understand the reasons for it.
Pass() doesn't quiiiite capture all the cases where you might want to avoid the
ref-bouncing.)

Anyway. I did something. Is this what you meant?

[Ryan Sleevi, 2015/06/30 10:18:22]

Yes :)

+
+ private:
+  scoped_refptr<base::SequencedWorkerPool> worker_pool_;
+  scoped_refptr<base::SequencedTaskRunner> task_runner_;
+
+  DISALLOW_COPY_AND_ASSIGN(PlatformKeyTaskRunner);
+};
+
+base::LazyInstance<PlatformKeyTaskRunner>::Leaky g_platform_key_task_runner =
+    LAZY_INSTANCE_INITIALIZER;
+#endif  // !USE_OPENSSL_CERTS
+
 }  // namespace
 
 class SSLClientSocketOpenSSL::SSLContext {
  public:
   static SSLContext* GetInstance() { return Singleton<SSLContext>::get(); }
   SSL_CTX* ssl_ctx() { return ssl_ctx_.get(); }
   SSLClientSessionCacheOpenSSL* session_cache() { return &session_cache_; }
 
   SSLClientSocketOpenSSL* GetClientSocketFromSSL(const SSL* ssl) {
     DCHECK(ssl);
     SSLClientSocketOpenSSL* socket = static_cast<SSLClientSocketOpenSSL*>(
         SSL_get_ex_data(ssl, ssl_socket_data_index_));
     DCHECK(socket);
     return socket;
   }
 
   bool SetClientSocketForSSL(SSL* ssl, SSLClientSocketOpenSSL* socket) {
     return SSL_set_ex_data(ssl, ssl_socket_data_index_, socket) != 0;
   }
 
+  static const SSL_PRIVATE_KEY_METHOD kPrivateKeyMethod;
+
  private:
   friend struct DefaultSingletonTraits<SSLContext>;
 
   SSLContext() : session_cache_(SSLClientSessionCacheOpenSSL::Config()) {
     crypto::EnsureOpenSSLInit();
     ssl_socket_data_index_ = SSL_get_ex_new_index(0, 0, 0, 0, 0);
     DCHECK_NE(ssl_socket_data_index_, -1);
     ssl_ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
     SSL_CTX_set_cert_verify_callback(ssl_ctx_.get(), CertVerifyCallback, NULL);
     SSL_CTX_set_cert_cb(ssl_ctx_.get(), ClientCertRequestCallback, NULL);
@@ skipping 51 matching lines @@
                                      unsigned int inlen, void* arg) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     return socket->SelectNextProtoCallback(out, outlen, in, inlen);
   }
 
   static void InfoCallback(const SSL* ssl, int type, int val) {
     SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
     socket->InfoCallback(type, val);
   }
 
+  static int PrivateKeyTypeCallback(SSL* ssl) {
+    SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
+    return socket->PrivateKeyTypeCallback();
+  }
+
+  static int PrivateKeySupportsDigestCallback(SSL* ssl, const EVP_MD* md) {
+    SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
+    return socket->PrivateKeySupportsDigestCallback(md);
+  }
+
+  static size_t PrivateKeyMaxSignatureLenCallback(SSL* ssl) {
+    SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
+    return socket->PrivateKeyMaxSignatureLenCallback();
+  }
+
+  static ssl_private_key_result_t PrivateKeySignCallback(SSL* ssl,
+                                                         uint8_t* out,
+                                                         size_t* out_len,
+                                                         size_t max_out,
+                                                         const EVP_MD* md,
+                                                         const uint8_t* in,
+                                                         size_t in_len) {
+    SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
+    return socket->PrivateKeySignCallback(out, out_len, max_out, md, in,
+                                          in_len);
+  }
+
+  static ssl_private_key_result_t PrivateKeySignCompleteCallback(
+      SSL* ssl,
+      uint8_t* out,
+      size_t* out_len,
+      size_t max_out) {
+    SSLClientSocketOpenSSL* socket = GetInstance()->GetClientSocketFromSSL(ssl);
+    return socket->PrivateKeySignCompleteCallback(out, out_len, max_out);
+  }
+
   // This is the index used with SSL_get_ex_data to retrieve the owner
   // SSLClientSocketOpenSSL object from an SSL instance.
   int ssl_socket_data_index_;
 
   ScopedSSL_CTX ssl_ctx_;
 
   // TODO(davidben): Use a separate cache per URLRequestContext.
   // https://crbug.com/458365
   //
   // TODO(davidben): Sessions should be invalidated on fatal
   // alerts. https://crbug.com/466352
   SSLClientSessionCacheOpenSSL session_cache_;
 };
 
+const SSL_PRIVATE_KEY_METHOD
+    SSLClientSocketOpenSSL::SSLContext::kPrivateKeyMethod = {
+        &SSLClientSocketOpenSSL::SSLContext::PrivateKeyTypeCallback,
+        &SSLClientSocketOpenSSL::SSLContext::PrivateKeySupportsDigestCallback,
+        &SSLClientSocketOpenSSL::SSLContext::PrivateKeyMaxSignatureLenCallback,
+        &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCallback,
+        &SSLClientSocketOpenSSL::SSLContext::PrivateKeySignCompleteCallback,
+};
+
 // PeerCertificateChain is a helper object which extracts the certificate
 // chain, as given by the server, from an OpenSSL socket and performs the needed
 // resource management. The first element of the chain is the leaf certificate
 // and the other elements are in the order given by the server.
 class SSLClientSocketOpenSSL::PeerCertificateChain {
  public:
   explicit PeerCertificateChain(STACK_OF(X509)* chain) { Reset(chain); }
   PeerCertificateChain(const PeerCertificateChain& other) { *this = other; }
   ~PeerCertificateChain() {}
   PeerCertificateChain& operator=(const PeerCertificateChain& other);
@@ skipping 80 matching lines @@
   return SSL_PROTOCOL_VERSION_TLS1_2;
 }
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : transport_send_busy_(false),
       transport_recv_busy_(false),
-      pending_read_error_(kNoPendingReadResult),
+      pending_read_error_(kNoPendingResult),
       pending_read_ssl_error_(SSL_ERROR_NONE),
       transport_read_error_(OK),
       transport_write_error_(OK),
       server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_connect_(false),
       was_ever_used_(false),
       cert_verifier_(context.cert_verifier),
       cert_transparency_verifier_(context.cert_transparency_verifier),
       channel_id_service_(context.channel_id_service),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_(transport_socket.Pass()),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       ssl_session_cache_shard_(context.ssl_session_cache_shard),
       next_handshake_state_(STATE_NONE),
       npn_status_(kNextProtoUnsupported),
       channel_id_sent_(false),
       handshake_completed_(false),
       certificate_verified_(false),
       ssl_failure_state_(SSL_FAILURE_NONE),
+      signature_result_(kNoPendingResult),
       transport_security_state_(context.transport_security_state),
       policy_enforcer_(context.cert_policy_enforcer),
       net_log_(transport_->socket()->NetLog()),
       weak_factory_(this) {
   DCHECK(cert_verifier_);
 }
 
 SSLClientSocketOpenSSL::~SSLClientSocketOpenSSL() {
   Disconnect();
 }
@@ skipping 101 matching lines @@
   recv_buffer_ = NULL;
 
   user_connect_callback_.Reset();
   user_read_callback_.Reset();
   user_write_callback_.Reset();
   user_read_buf_         = NULL;
   user_read_buf_len_     = 0;
   user_write_buf_        = NULL;
   user_write_buf_len_    = 0;
 
-  pending_read_error_ = kNoPendingReadResult;
+  pending_read_error_ = kNoPendingResult;
   pending_read_ssl_error_ = SSL_ERROR_NONE;
   pending_read_error_info_ = OpenSSLErrorInfo();
 
   transport_read_error_ = OK;
   transport_write_error_ = OK;
 
   server_cert_verify_result_.Reset();
   completed_connect_ = false;
 
   cert_authorities_.clear();
   cert_key_types_.clear();
 
   start_cert_verification_time_ = base::TimeTicks();
 
   npn_status_ = kNextProtoUnsupported;
   npn_proto_.clear();
 
   channel_id_sent_ = false;
   handshake_completed_ = false;
   certificate_verified_ = false;
   channel_id_request_.Cancel();
   ssl_failure_state_ = SSL_FAILURE_NONE;
+
+  private_key_.reset();
+  signature_result_ = kNoPendingResult;
+  signature_.clear();
 }
 
 bool SSLClientSocketOpenSSL::IsConnected() const {
   // If the handshake has not yet completed.
   if (!completed_connect_)
     return false;
   // If an asynchronous operation is still pending.
   if (user_read_buf_.get() || user_write_buf_.get())
     return true;
 
@@ skipping 401 matching lines @@
     if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
       // The server supports channel ID. Stop to look one up before returning to
       // the handshake.
       GotoState(STATE_CHANNEL_ID_LOOKUP);
       return OK;
     }
     if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP &&
         !ssl_config_.send_client_cert) {
       return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
     }
+    if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
+      DCHECK(private_key_);
+      DCHECK_NE(kNoPendingResult, signature_result_);
+      GotoState(STATE_HANDSHAKE);
+      return ERR_IO_PENDING;
+    }
 
     OpenSSLErrorInfo error_info;
     net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
     if (net_error == ERR_IO_PENDING) {
       // If not done, stay in this state
       GotoState(STATE_HANDSHAKE);
       return ERR_IO_PENDING;
     }
 
     LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
@@ skipping 308 matching lines @@
   }
 }
 
 void SSLClientSocketOpenSSL::OnSendComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     // In handshake phase.
     OnHandshakeIOComplete(result);
     return;
   }
 
-  // OnSendComplete may need to call DoPayloadRead while the renegotiation
-  // handshake is in progress.
-  int rv_read = ERR_IO_PENDING;
-  int rv_write = ERR_IO_PENDING;
-  bool network_moved;
-  do {
-    if (user_read_buf_.get())
-      rv_read = DoPayloadRead();
-    if (user_write_buf_.get())
-      rv_write = DoPayloadWrite();
-    network_moved = DoTransportIO();
-  } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
-           (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
-
-  // Performing the Read callback may cause |this| to be deleted. If this
-  // happens, the Write callback should not be invoked. Guard against this by
-  // holding a WeakPtr to |this| and ensuring it's still valid.
-  base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
-  if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
-    DoReadCallback(rv_read);
-
-  if (!guard.get())
-    return;
-
-  if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
-    DoWriteCallback(rv_write);
+  // OnSendComplete may need to run the Read state machine while a
+  // renegotiation handshake is in progress.
+  RunReadWriteLoops();
 }
 
 void SSLClientSocketOpenSSL::OnRecvComplete(int result) {
   if (next_handshake_state_ == STATE_HANDSHAKE) {
     // In handshake phase.
     OnHandshakeIOComplete(result);
     return;
   }
 
   // Network layer received some data, check if client requested to read
@@ skipping 77 matching lines @@
   return rv;
 }
 
 int SSLClientSocketOpenSSL::DoPayloadRead() {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   DCHECK_LT(0, user_read_buf_len_);
   DCHECK(user_read_buf_.get());
 
   int rv;
-  if (pending_read_error_ != kNoPendingReadResult) {
+  if (pending_read_error_ != kNoPendingResult) {
     rv = pending_read_error_;
-    pending_read_error_ = kNoPendingReadResult;
+    pending_read_error_ = kNoPendingResult;
     if (rv == 0) {
       net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
                                     rv, user_read_buf_->data());
     } else {
       net_log_.AddEvent(
           NetLog::TYPE_SSL_READ_ERROR,
           CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
                                            pending_read_error_info_));
     }
     pending_read_ssl_error_ = SSL_ERROR_NONE;
@@ skipping 21 matching lines @@
     //
     // TransportReadComplete converts the first to an ERR_CONNECTION_CLOSED
     // error, so it does not occur. The second and third are distinguished by
     // SSL_ERROR_ZERO_RETURN.
     pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret);
     if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
       pending_read_error_ = 0;
     } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
                !ssl_config_.send_client_cert) {
       pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
+    } else if (pending_read_ssl_error_ ==
+               SSL_ERROR_WANT_PRIVATE_KEY_OPERATION) {
+      DCHECK(private_key_);
+      DCHECK_NE(kNoPendingResult, signature_result_);
+      pending_read_error_ = ERR_IO_PENDING;
     } else {
       pending_read_error_ = MapOpenSSLErrorWithDetails(
           pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
     }
 
     // Many servers do not reliably send a close_notify alert when shutting down
     // a connection, and instead terminate the TCP connection. This is reported
     // as ERR_CONNECTION_CLOSED. Because of this, map the unclean shutdown to a
     // graceful EOF, instead of treating it as an error as it should be.
     if (pending_read_error_ == ERR_CONNECTION_CLOSED)
       pending_read_error_ = 0;
   }
 
   if (total_bytes_read > 0) {
     // Return any bytes read to the caller. The error will be deferred to the
     // next call of DoPayloadRead.
     rv = total_bytes_read;
 
     // Do not treat insufficient data as an error to return in the next call to
     // DoPayloadRead() - instead, let the call fall through to check SSL_read()
     // again. This is because DoTransportIO() may complete in between the next
     // call to DoPayloadRead(), and thus it is important to check SSL_read() on
     // subsequent invocations to see if a complete record may now be read.
     if (pending_read_error_ == ERR_IO_PENDING)
-      pending_read_error_ = kNoPendingReadResult;
+      pending_read_error_ = kNoPendingResult;
   } else {
     // No bytes were returned. Return the pending read error immediately.
-    DCHECK_NE(kNoPendingReadResult, pending_read_error_);
+    DCHECK_NE(kNoPendingResult, pending_read_error_);
     rv = pending_read_error_;
-    pending_read_error_ = kNoPendingReadResult;
+    pending_read_error_ = kNoPendingResult;
   }
 
   if (rv >= 0) {
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
                                   user_read_buf_->data());
   } else if (rv != ERR_IO_PENDING) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_READ_ERROR,
         CreateNetLogOpenSSLErrorCallback(rv, pending_read_ssl_error_,
                                          pending_read_error_info_));
     pending_read_ssl_error_ = SSL_ERROR_NONE;
     pending_read_error_info_ = OpenSSLErrorInfo();
   }
   return rv;
 }
 
 int SSLClientSocketOpenSSL::DoPayloadWrite() {
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
   int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_);
 
   if (rv >= 0) {
     net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
                                   user_write_buf_->data());
     return rv;
   }
 
   int ssl_error = SSL_get_error(ssl_, rv);
+  if (ssl_error == SSL_ERROR_WANT_PRIVATE_KEY_OPERATION)
+    return ERR_IO_PENDING;
   OpenSSLErrorInfo error_info;
   int net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer,
                                              &error_info);
 
   if (net_error != ERR_IO_PENDING) {
     net_log_.AddEvent(
         NetLog::TYPE_SSL_WRITE_ERROR,
         CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
   }
   return net_error;
 }
 
+void SSLClientSocketOpenSSL::RunReadWriteLoops() {
+  int rv_read = ERR_IO_PENDING;
+  int rv_write = ERR_IO_PENDING;
+  bool network_moved;
+  do {
+    if (user_read_buf_.get())
+      rv_read = DoPayloadRead();
+    if (user_write_buf_.get())
+      rv_write = DoPayloadWrite();
+    network_moved = DoTransportIO();
+  } while (rv_read == ERR_IO_PENDING && rv_write == ERR_IO_PENDING &&
+           (user_read_buf_.get() || user_write_buf_.get()) && network_moved);
+
+  // Performing the Read callback may cause |this| to be deleted. If this
+  // happens, the Write callback should not be invoked. Guard against this by
+  // holding a WeakPtr to |this| and ensuring it's still valid.
+  base::WeakPtr<SSLClientSocketOpenSSL> guard(weak_factory_.GetWeakPtr());
+  if (user_read_buf_.get() && rv_read != ERR_IO_PENDING)
+    DoReadCallback(rv_read);
+
+  if (!guard.get())
+    return;
+
+  if (user_write_buf_.get() && rv_write != ERR_IO_PENDING)
+    DoWriteCallback(rv_write);
+}
+
 int SSLClientSocketOpenSSL::BufferSend(void) {
   if (transport_send_busy_)
     return ERR_IO_PENDING;
 
   size_t buffer_read_offset;
   uint8_t* read_buf;
   size_t max_read;
   int status = BIO_zero_copy_get_read_buf(transport_bio_, &read_buf,
                                           &buffer_read_offset, &max_read);
   DCHECK_EQ(status, 1);  // Should never fail.
@@ skipping 163 matching lines @@
     }
 
     ScopedX509Stack chain = OSCertHandlesToOpenSSL(
         ssl_config_.client_cert->GetIntermediateCertificates());
     if (!chain) {
       LOG(WARNING) << "Failed to import intermediate certificates";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT);
       return -1;
     }
 
-    // TODO(davidben): With Linux client auth support, this should be
-    // conditioned on OS_ANDROID and then, with https://crbug.com/394131,
-    // removed altogether. OpenSSLClientKeyStore is mostly an artifact of the
-    // net/ client auth API lacking a private key handle.
+    if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
+        !SSL_set1_chain(ssl_, chain.get())) {
+      LOG(WARNING) << "Failed to set client certificate";
+      return -1;
+    }
+
 #if defined(USE_OPENSSL_CERTS)
     crypto::ScopedEVP_PKEY privkey =
         OpenSSLClientKeyStore::GetInstance()->FetchClientCertPrivateKey(
             ssl_config_.client_cert.get());
-#else  // !defined(USE_OPENSSL_CERTS)
-    crypto::ScopedEVP_PKEY privkey =
-        FetchClientCertPrivateKey(ssl_config_.client_cert.get());
-#endif  // defined(USE_OPENSSL_CERTS)
     if (!privkey) {
       // Could not find the private key. Fail the handshake and surface an
       // appropriate error to the caller.
       LOG(WARNING) << "Client cert found without private key";
       OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
       return -1;
     }
+    if (!SSL_use_PrivateKey(ssl_, privkey.get())) {
+      LOG(WARNING) << "Failed to set private key";
+      return -1;
+    }
+#else   // !USE_OPENSSL_CERTS
+    // TODO(davidben): Move Android to the SSLPrivateKey codepath and disable
+    // client auth on NaCl altogether.

[Ryan Sleevi, 2015/06/23 15:27:28]

Does this TODO really belong here, or on line 1820?

[davidben, 2015/06/24 21:43:12]

Done.

+    //
+    // TODO(davidben): Lift this call up to the embedder so we can actually test
+    // this code. https://crbug.com/394131
+    private_key_ = FetchClientCertPrivateKey(
+        ssl_config_.client_cert.get(),
+        g_platform_key_task_runner.Get().task_runner());
+    if (!private_key_) {
+      // Could not find the private key. Fail the handshake and surface an
+      // appropriate error to the caller.
+      LOG(WARNING) << "Client cert found without private key";
+      OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY);
+      return -1;
+    }
 
-    if (!SSL_use_certificate(ssl_, leaf_x509.get()) ||
-        !SSL_use_PrivateKey(ssl_, privkey.get()) ||
-        !SSL_set1_chain(ssl_, chain.get())) {
-      LOG(WARNING) << "Failed to set client certificate";
-      return -1;
-    }
+    SSL_set_private_key_method(ssl_, &SSLContext::kPrivateKeyMethod);
+#endif  // USE_OPENSSL_CERTS
 
     int cert_count = 1 + sk_X509_num(chain.get());
     net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
                       NetLog::IntegerCallback("cert_count", cert_count));
     return 1;
   }
 #endif  // defined(OS_IOS)
 
   // Send no client certificate.
   net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
@@ skipping 201 matching lines @@
     return ssl_config_.renego_allowed_default;
 
   NextProto next_proto = NextProtoFromString(npn_proto_);
   for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
     if (next_proto == allowed)
       return true;
   }
   return false;
 }
 
+int SSLClientSocketOpenSSL::PrivateKeyTypeCallback() {
+  switch (private_key_->GetType()) {
+    case SSLPrivateKey::Type::RSA:
+      return EVP_PKEY_RSA;
+    case SSLPrivateKey::Type::ECDSA:
+      return EVP_PKEY_EC;
+  }
+  NOTREACHED();
+  return EVP_PKEY_NONE;
+}
+
+int SSLClientSocketOpenSSL::PrivateKeySupportsDigestCallback(const EVP_MD* md) {
+  SSLPrivateKey::Hash hash;
+  return EVP_MDToPrivateKeyHash(md, &hash) && private_key_->SupportsHash(hash);
+}
+
+size_t SSLClientSocketOpenSSL::PrivateKeyMaxSignatureLenCallback() {
+  return private_key_->GetMaxSignatureLength();
+}
+
+ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCallback(
+    uint8_t* out,
+    size_t* out_len,
+    size_t max_out,
+    const EVP_MD* md,
+    const uint8_t* in,
+    size_t in_len) {
+  DCHECK_EQ(kNoPendingResult, signature_result_);
+  DCHECK(signature_.empty());
+  DCHECK(private_key_);
+
+  net_log_.BeginEvent(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION);
+
+  SSLPrivateKey::Hash hash;
+  if (!EVP_MDToPrivateKeyHash(md, &hash)) {
+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
+    return ssl_private_key_failure;
+  }
+
+  signature_result_ = ERR_IO_PENDING;
+  private_key_->SignDigest(
+      hash, base::StringPiece(reinterpret_cast<const char*>(in), in_len),
+      base::Bind(&SSLClientSocketOpenSSL::OnPrivateKeySignComplete,
+                 weak_factory_.GetWeakPtr()));
+  return ssl_private_key_retry;
+}
+
+ssl_private_key_result_t SSLClientSocketOpenSSL::PrivateKeySignCompleteCallback(
+    uint8_t* out,
+    size_t* out_len,
+    size_t max_out) {
+  DCHECK_NE(kNoPendingResult, signature_result_);
+  DCHECK(private_key_);
+
+  if (signature_result_ == ERR_IO_PENDING)
+    return ssl_private_key_retry;
+  if (signature_result_ != OK) {
+    OpenSSLPutNetError(FROM_HERE, signature_result_);
+    return ssl_private_key_failure;
+  }
+  if (signature_.size() > max_out) {
+    LOG(ERROR) << "Buffer too small";

[Ryan Sleevi, 2015/06/23 15:27:28]

Is the message necessary? I generally grump about production LOG() messages and
wanting to understand what diagnostic purpose they serve, and whether it belongs
elsewhere (such as the net_log_)

[davidben, 2015/06/24 21:43:12]

Removed.

+    OpenSSLPutNetError(FROM_HERE, ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED);
+    return ssl_private_key_failure;
+  }
+  memcpy(out, vector_as_array(&signature_), signature_.size());
+  *out_len = signature_.size();
+  signature_.clear();
+  return ssl_private_key_success;
+}
+
+void SSLClientSocketOpenSSL::OnPrivateKeySignComplete(
+    Error error,
+    const std::vector<uint8_t>& signature) {
+  DCHECK_EQ(ERR_IO_PENDING, signature_result_);
+  DCHECK(signature_.empty());
+  DCHECK(private_key_);
+
+  net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_PRIVATE_KEY_OPERATION,
+                                    error);
+
+  signature_result_ = error;
+  if (signature_result_ == OK)
+    signature_ = signature;
+
+  if (next_handshake_state_ == STATE_HANDSHAKE) {
+    OnHandshakeIOComplete(signature_result_);
+    return;
+  }
+
+  // Either Read or Write may be blocked on an asynchronous private
+  // key operation during a renegotiation.
+  RunReadWriteLoops();
+}
+
 }  // namespace net