Implement SSL client authentication for Windows....

net/base/ssl_client_socket_win.cc

-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 
 #include "base/lock.h"
 #include "base/singleton.h"
 #include "base/string_util.h"
@@ skipping 213 matching lines @@
       isc_status_(SEC_E_OK),
       payload_send_buffer_len_(0),
       bytes_sent_(0),
       decrypted_ptr_(NULL),
       bytes_decrypted_(0),
       received_ptr_(NULL),
       bytes_received_(0),
       writing_first_token_(false),
       completed_handshake_(false),
       ignore_ok_result_(false),
-      no_client_cert_(false),
       renegotiating_(false) {
   memset(&stream_sizes_, 0, sizeof(stream_sizes_));
   memset(in_buffers_, 0, sizeof(in_buffers_));
   memset(&send_buffer_, 0, sizeof(send_buffer_));
   memset(&ctxt_, 0, sizeof(ctxt_));
 }
 
 SSLClientSocketWin::~SSLClientSocketWin() {
   Disconnect();
 }
 
 void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) {
   if (!server_cert_)
     return;
 
   ssl_info->cert = server_cert_;
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   SecPkgContext_ConnectionInfo connection_info;
   SECURITY_STATUS status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_CONNECTION_INFO, &connection_info);
   if (status == SEC_E_OK) {
     // TODO(wtc): compute the overall security strength, taking into account
     // dwExchStrength and dwHashStrength.  dwExchStrength needs to be
     // normalized.
     ssl_info->security_bits = connection_info.dwCipherStrength;
   }
 }
 
+void SSLClientSocketWin::GetSSLCertRequestInfo(
+    SSLCertRequestInfo* cert_request_info) {
+  // TODO(wtc): implement this.
+}
+
 int SSLClientSocketWin::Connect(CompletionCallback* callback) {
   DCHECK(transport_.get());
   DCHECK(next_state_ == STATE_NONE);
   DCHECK(!user_callback_);
 
   int ssl_version_mask = 0;
   if (ssl_config_.ssl2_enabled)
     ssl_version_mask |= SSL2;
   if (ssl_config_.ssl3_enabled)
     ssl_version_mask |= SSL3;
@@ skipping 263 matching lines @@
   TimeStamp expiry;
   DWORD out_flags;
 
   DWORD flags = ISC_REQ_SEQUENCE_DETECT |
                 ISC_REQ_REPLAY_DETECT |
                 ISC_REQ_CONFIDENTIALITY |
                 ISC_RET_EXTENDED_ERROR |
                 ISC_REQ_ALLOCATE_MEMORY |
                 ISC_REQ_STREAM;
 
-  // When InitializeSecurityContext returns SEC_I_INCOMPLETE_CREDENTIALS,
-  // John Banes (a Microsoft security developer) said we need to pass in the
-  // ISC_REQ_USE_SUPPLIED_CREDS flag if we skip finding a client certificate
-  // and just call InitializeSecurityContext again.  (See
-  // (http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2004-08/0187.html.)
-  // My testing on XP SP2 and Vista SP1 shows that it still works without
-  // passing in this flag, but I pass it in to be safe.
-  if (no_client_cert_)
+  if (ssl_config_.send_client_cert)
     flags |= ISC_REQ_USE_SUPPLIED_CREDS;
 
   SecBufferDesc in_buffer_desc, out_buffer_desc;
 
   in_buffer_desc.cBuffers = 2;
   in_buffer_desc.pBuffers = in_buffers_;
   in_buffer_desc.ulVersion = SECBUFFER_VERSION;
 
   in_buffers_[0].pvBuffer = recv_buffer_.get();
   in_buffers_[0].cbBuffer = bytes_received_;
@@ skipping 51 matching lines @@
     } else {
       bytes_received_ = 0;
     }
     return DidCompleteHandshake();
   }
 
   if (FAILED(isc_status_)) {
     int result = MapSecurityError(isc_status_);
     // We told Schannel to not verify the server certificate
     // (SCH_CRED_MANUAL_CRED_VALIDATION), so any certificate error returned by
-    // InitializeSecurityContext must be referring to the (missing) client
-    // certificate.
+    // InitializeSecurityContext must be referring to the bad or missing
+    // client certificate.
     if (IsCertificateError(result)) {
-      // TODO(wtc): When we support SSL client authentication, we will need to
-      // add new error codes for client certificate errors reported by the
-      // server using SSL/TLS alert messages.  See http://crbug.com/318.  See
-      // also the MSDN page "Schannel Error Codes for TLS and SSL Alerts",
-      // which maps TLS alert messages to Windows error codes:
+      // TODO(wtc): Add new error codes for client certificate errors reported
+      // by the server using SSL/TLS alert messages.  See the MSDN page
+      // "Schannel Error Codes for TLS and SSL Alerts", which maps TLS alert
+      // messages to Windows error codes:
       // http://msdn.microsoft.com/en-us/library/dd721886%28VS.85%29.aspx
-      return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
+      return ERR_BAD_SSL_CLIENT_AUTH_CERT;
     }
     return result;
   }
 
-  if (isc_status_ == SEC_I_INCOMPLETE_CREDENTIALS) {
-    // We don't support SSL client authentication yet.  For now we just set
-    // no_client_cert_ to true and call InitializeSecurityContext again.
-    no_client_cert_ = true;
-    next_state_ = STATE_HANDSHAKE_READ_COMPLETE;
-    ignore_ok_result_ = true;  // OK doesn't mean EOF.
-    return OK;
-  }
+  if (isc_status_ == SEC_I_INCOMPLETE_CREDENTIALS)
+    return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
 
   DCHECK(isc_status_ == SEC_I_CONTINUE_NEEDED);
   if (in_buffers_[1].BufferType == SECBUFFER_EXTRA) {
     memmove(recv_buffer_.get(),
             recv_buffer_.get() + (bytes_received_ - in_buffers_[1].cbBuffer),
             in_buffers_[1].cbBuffer);
     bytes_received_ = in_buffers_[1].cbBuffer;
     next_state_ = STATE_HANDSHAKE_READ_COMPLETE;
     ignore_ok_result_ = true;  // OK doesn't mean EOF.
     return OK;
@@ skipping 324 matching lines @@
 
   // Send the remaining bytes.
   next_state_ = STATE_PAYLOAD_WRITE;
   return OK;
 }
 
 int SSLClientSocketWin::DidCompleteHandshake() {
   SECURITY_STATUS status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_STREAM_SIZES, &stream_sizes_);
   if (status != SEC_E_OK) {
-    DLOG(ERROR) << "QueryContextAttributes failed: " << status;
+    DLOG(ERROR) << "QueryContextAttributes (stream sizes) failed: " << status;
     return MapSecurityError(status);
   }
   DCHECK(!server_cert_ || renegotiating_);
   PCCERT_CONTEXT server_cert_handle = NULL;
   status = QueryContextAttributes(
       &ctxt_, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &server_cert_handle);
   if (status != SEC_E_OK) {
-    DLOG(ERROR) << "QueryContextAttributes failed: " << status;
+    DLOG(ERROR) << "QueryContextAttributes (remote cert) failed: " << status;
     return MapSecurityError(status);
   }
   if (renegotiating_ &&
       SameCert(server_cert_->os_cert_handle(), server_cert_handle)) {
     // We already verified the server certificate.  Either it is good or the
     // user has accepted the certificate error.
     CertFreeCertificateContext(server_cert_handle);
     DidCompleteRenegotiation(OK);
   } else {
     server_cert_ = X509Certificate::CreateFromHandle(
@@ skipping 37 matching lines @@
   }
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net