Clang format slam.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 118 matching lines @@
 
 namespace net {
 
 // State machines are easier to debug if you log state transitions.
 // Enable these if you want to see what's going on.
 #if 1
 #define EnterFunction(x)
 #define LeaveFunction(x)
 #define GotoState(s) next_handshake_state_ = s
 #else
-#define EnterFunction(x)\
-    VLOG(1) << (void *)this << " " << __FUNCTION__ << " enter " << x\
-            << "; next_handshake_state " << next_handshake_state_
-#define LeaveFunction(x)\
-    VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\
-            << "; next_handshake_state " << next_handshake_state_
-#define GotoState(s)\
-    do {\
-      VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\
-      next_handshake_state_ = s;\
-    } while (0)
+#define EnterFunction(x)                                           \
+  VLOG(1) << (void*) this << " " << __FUNCTION__ << " enter " << x \
+          << "; next_handshake_state " << next_handshake_state_
+#define LeaveFunction(x)                                           \
+  VLOG(1) << (void*) this << " " << __FUNCTION__ << " leave " << x \
+          << "; next_handshake_state " << next_handshake_state_
+#define GotoState(s)                                                          \
+  do {                                                                        \
+    VLOG(1) << (void*) this << " " << __FUNCTION__ << " jump to state " << s; \
+    next_handshake_state_ = s;                                                \
+  } while (0)
 #endif
 
 namespace {
 
 // SSL plaintext fragments are shorter than 16KB. Although the record layer
 // overhead is allowed to be 2K + 5 bytes, in practice the overhead is much
 // smaller than 1KB. So a 17KB buffer should be large enough to hold an
 // entire SSL record.
 const int kRecvBufferSize = 17 * 1024;
 const int kSendBufferSize = 17 * 1024;
 
 // Used by SSLClientSocketNSS::Core to indicate there is no read result
 // obtained by a previous operation waiting to be returned to the caller.
 // This constant can be any non-negative/non-zero value (eg: it does not
 // overlap with any value of the net::Error range, including net::OK).
 const int kNoPendingReadResult = 1;
 
 #if defined(OS_WIN)
 // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
 // set on Windows XP without error. There is some overhead from the server
 // sending the OCSP response if it supports the extension, for the subset of
 // XP clients who will request it but be unable to use it, but this is an
 // acceptable trade-off for simplicity of implementation.
 bool IsOCSPStaplingSupported() {
   return true;
 }
 #elif defined(USE_NSS)
-typedef SECStatus
-(*CacheOCSPResponseFromSideChannelFunction)(
-    CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
-    SECItem *encodedResponse, void *pwArg);
+typedef SECStatus (*CacheOCSPResponseFromSideChannelFunction)(
+    CERTCertDBHandle* handle,
+    CERTCertificate* cert,
+    PRTime time,
+    SECItem* encodedResponse,
+    void* pwArg);
 
 // On Linux, we dynamically link against the system version of libnss3.so. In
 // order to continue working on systems without up-to-date versions of NSS we
 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
 
 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
 // runtime symbol resolution that we need.
 class RuntimeLibNSSFunctionPointers {
  public:
   CacheOCSPResponseFromSideChannelFunction
   GetCacheOCSPResponseFromSideChannelFunction() {
     return cache_ocsp_response_from_side_channel_;
   }
 
   static RuntimeLibNSSFunctionPointers* GetInstance() {
     return Singleton<RuntimeLibNSSFunctionPointers>::get();
   }
 
  private:
   friend struct DefaultSingletonTraits<RuntimeLibNSSFunctionPointers>;
 
   RuntimeLibNSSFunctionPointers() {
     cache_ocsp_response_from_side_channel_ =
-        (CacheOCSPResponseFromSideChannelFunction)
-        dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
+        (CacheOCSPResponseFromSideChannelFunction)dlsym(
+            RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
   }
 
   CacheOCSPResponseFromSideChannelFunction
       cache_ocsp_response_from_side_channel_;
 };
 
 CacheOCSPResponseFromSideChannelFunction
 GetCacheOCSPResponseFromSideChannelFunction() {
   return RuntimeLibNSSFunctionPointers::GetInstance()
-    ->GetCacheOCSPResponseFromSideChannelFunction();
+      ->GetCacheOCSPResponseFromSideChannelFunction();
 }
 
 bool IsOCSPStaplingSupported() {
   return GetCacheOCSPResponseFromSideChannelFunction() != NULL;
 }
 #else
 // TODO(agl): Figure out if we can plumb the OCSP response into Mac's system
 // certificate validation functions.
 bool IsOCSPStaplingSupported() {
   return false;
 }
 #endif
 
 #if defined(OS_WIN)
 
 // This callback is intended to be used with CertFindChainInStore. In addition
 // to filtering by extended/enhanced key usage, we do not show expired
 // certificates and require digital signature usage in the key usage
 // extension.
 //
 // This matches our behavior on Mac OS X and that of NSS. It also matches the
 // default behavior of IE8. See http://support.microsoft.com/kb/890326 and
 // http://blogs.msdn.com/b/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx
-BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context,
-                                   void* find_arg) {
+BOOL WINAPI
+ClientCertFindCallback(PCCERT_CONTEXT cert_context, void* find_arg) {
   VLOG(1) << "Calling ClientCertFindCallback from _nss";
   // Verify the certificate's KU is good.
   BYTE key_usage;
-  if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert_context->pCertInfo,
-                              &key_usage, 1)) {
+  if (CertGetIntendedKeyUsage(
+          X509_ASN_ENCODING, cert_context->pCertInfo, &key_usage, 1)) {
     if (!(key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
       return FALSE;
   } else {
     DWORD err = GetLastError();
     // If |err| is non-zero, it's an actual error. Otherwise the extension
     // just isn't present, and we treat it as if everything was allowed.
     if (err) {
       DLOG(ERROR) << "CertGetIntendedKeyUsage failed: " << err;
       return FALSE;
     }
@@ skipping 37 matching lines @@
 // Helper function to make it easier to call BoundNetLog::AddByteTransferEvent
 // from within the SSLClientSocketNSS::Core.
 // AddByteTransferEvent expects to receive a const char*, which within the
 // Core is backed by an IOBuffer. If the "const char*" is bound via
 // base::Bind and posted to another thread, and the IOBuffer that backs that
 // pointer then goes out of scope on the origin thread, this would result in
 // an invalid read of a stale pointer.
 // Instead, provide a signature that accepts an IOBuffer*, so that a reference
 // to the owning IOBuffer can be bound to the Callback. This ensures that the
 // IOBuffer will stay alive long enough to cross threads if needed.
-void LogByteTransferEvent(
-    const base::WeakPtr<BoundNetLog>& net_log, NetLog::EventType event_type,
-    int len, IOBuffer* buffer) {
+void LogByteTransferEvent(const base::WeakPtr<BoundNetLog>& net_log,
+                          NetLog::EventType event_type,
+                          int len,
+                          IOBuffer* buffer) {
   if (!net_log)
     return;
   net_log->AddByteTransferEvent(event_type, len, buffer->data());
 }
 
 // PeerCertificateChain is a helper object which extracts the certificate
 // chain, as given by the server, from an NSS socket and performs the needed
 // resource management. The first element of the chain is the leaf certificate
 // and the other elements are in the order given by the server.
 class PeerCertificateChain {
@@ skipping 17 matching lines @@
 
   CERTCertificate* operator[](size_t index) const {
     DCHECK_LT(index, certs_.size());
     return certs_[index];
   }
 
  private:
   std::vector<CERTCertificate*> certs_;
 };
 
-PeerCertificateChain::PeerCertificateChain(
-    const PeerCertificateChain& other) {
+PeerCertificateChain::PeerCertificateChain(const PeerCertificateChain& other) {
   *this = other;
 }
 
 PeerCertificateChain::~PeerCertificateChain() {
   Reset(NULL);
 }
 
 PeerCertificateChain& PeerCertificateChain::operator=(
     const PeerCertificateChain& other) {
   if (this == &other)
@@ skipping 14 matching lines @@
 
   if (nss_fd == NULL)
     return;
 
   CERTCertList* list = SSL_PeerCertificateChain(nss_fd);
   // The handshake on |nss_fd| may not have completed.
   if (list == NULL)
     return;
 
   for (CERTCertListNode* node = CERT_LIST_HEAD(list);
-       !CERT_LIST_END(node, list); node = CERT_LIST_NEXT(node)) {
+       !CERT_LIST_END(node, list);
+       node = CERT_LIST_NEXT(node)) {
     certs_.push_back(CERT_DupCertificate(node->cert));
   }
   CERT_DestroyCertList(list);
 }
 
-std::vector<base::StringPiece>
-PeerCertificateChain::AsStringPieceVector() const {
+std::vector<base::StringPiece> PeerCertificateChain::AsStringPieceVector()
+    const {
   std::vector<base::StringPiece> v(certs_.size());
   for (unsigned i = 0; i < certs_.size(); i++) {
     v[i] = base::StringPiece(
         reinterpret_cast<const char*>(certs_[i]->derCert.data),
         certs_[i]->derCert.len);
   }
 
   return v;
 }
 
@@ skipping 274 matching lines @@
   // is verified afterwards.
   // This behaviour is an artifact of the original SSLClientSocketWin
   // implementation, which could not verify the peer's certificate until after
   // the handshake had completed, as well as bugs in NSS that prevent
   // SSL_RestartHandshakeAfterCertReq from working.
   static SECStatus OwnAuthCertHandler(void* arg,
                                       PRFileDesc* socket,
                                       PRBool checksig,
                                       PRBool is_server);
 
-  // Callbacks called by NSS when the peer requests client certificate
-  // authentication.
-  // See the documentation in third_party/nss/ssl/ssl.h for the meanings of
-  // the arguments.
+// Callbacks called by NSS when the peer requests client certificate
+// authentication.
+// See the documentation in third_party/nss/ssl/ssl.h for the meanings of
+// the arguments.
 #if defined(NSS_PLATFORM_CLIENT_AUTH)
   // When NSS has been integrated with awareness of the underlying system
   // cryptographic libraries, this callback allows the caller to supply a
   // native platform certificate and key for use by NSS. At most, one of
   // either (result_certs, result_private_key) or (result_nss_certificate,
   // result_nss_private_key) should be set.
   // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
   static SECStatus PlatformClientAuthHandler(
       void* arg,
       PRFileDesc* socket,
@@ skipping 42 matching lines @@
   int BufferSend();
 
   void OnRecvComplete(int result);
   void OnSendComplete(int result);
 
   void DoConnectCallback(int result);
   void DoReadCallback(int result);
   void DoWriteCallback(int result);
 
   // Client channel ID handler.
-  static SECStatus ClientChannelIDHandler(
-      void* arg,
-      PRFileDesc* socket,
-      SECKEYPublicKey **out_public_key,
-      SECKEYPrivateKey **out_private_key);
+  static SECStatus ClientChannelIDHandler(void* arg,
+                                          PRFileDesc* socket,
+                                          SECKEYPublicKey** out_public_key,
+                                          SECKEYPrivateKey** out_private_key);
 
   // ImportChannelIDKeys is a helper function for turning a DER-encoded cert and
   // key into a SECKEYPublicKey and SECKEYPrivateKey. Returns OK upon success
   // and an error code otherwise.
   // Requires |domain_bound_private_key_| and |domain_bound_cert_| to have been
   // set by a call to ServerBoundCertService->GetDomainBoundCert. The caller
   // takes ownership of the |*cert| and |*key|.
   int ImportChannelIDKeys(SECKEYPublicKey** public_key, SECKEYPrivateKey** key);
 
   // Updates the NSS and platform specific certificates.
@@ skipping 19 matching lines @@
   ////////////////////////////////////////////////////////////////////////////
   int DoBufferRecv(IOBuffer* buffer, int len);
   int DoBufferSend(IOBuffer* buffer, int len);
   int DoGetDomainBoundCert(const std::string& host);
 
   void OnGetDomainBoundCertComplete(int result);
   void OnHandshakeStateUpdated(const HandshakeState& state);
   void OnNSSBufferUpdated(int amount_in_read_buffer);
   void DidNSSRead(int result);
   void DidNSSWrite(int result);
-  void RecordChannelIDSupportOnNetworkTaskRunner(
-      bool negotiated_channel_id,
-      bool channel_id_enabled,
-      bool supports_ecc) const;
+  void RecordChannelIDSupportOnNetworkTaskRunner(bool negotiated_channel_id,
+                                                 bool channel_id_enabled,
+                                                 bool supports_ecc) const;
 
   ////////////////////////////////////////////////////////////////////////////
   // Methods that are called on both the network task runner and the NSS
   // task runner.
   ////////////////////////////////////////////////////////////////////////////
   void OnHandshakeIOComplete(int result);
   void BufferRecvComplete(IOBuffer* buffer, int result);
   void BufferSendComplete(int result);
 
   // PostOrRunCallback is a helper function to ensure that |callback| is
@@ skipping 172 matching lines @@
   DCHECK(!nss_fd_);
   DCHECK(!nss_bufs_);
 
   nss_fd_ = socket;
   nss_bufs_ = buffers;
 
   SECStatus rv = SECSuccess;
 
   if (!ssl_config_.next_protos.empty()) {
     size_t wire_length = 0;
-    for (std::vector<std::string>::const_iterator
-         i = ssl_config_.next_protos.begin();
-         i != ssl_config_.next_protos.end(); ++i) {
+    for (std::vector<std::string>::const_iterator i =
+             ssl_config_.next_protos.begin();
+         i != ssl_config_.next_protos.end();
+         ++i) {
       if (i->size() > 255) {
         LOG(WARNING) << "Ignoring overlong NPN/ALPN protocol: " << *i;
         continue;
       }
       wire_length += i->size();
       wire_length++;
     }
     scoped_ptr<uint8[]> wire_protos(new uint8[wire_length]);
     uint8* dst = wire_protos.get();
-    for (std::vector<std::string>::const_iterator
-         i = ssl_config_.next_protos.begin();
-         i != ssl_config_.next_protos.end(); i++) {
+    for (std::vector<std::string>::const_iterator i =
+             ssl_config_.next_protos.begin();
+         i != ssl_config_.next_protos.end();
+         i++) {
       if (i->size() > 255)
         continue;
       *dst++ = i->size();
       memcpy(dst, i->data(), i->size());
       dst += i->size();
     }
     DCHECK_EQ(dst, wire_protos.get() + wire_length);
     rv = SSL_SetNextProtoNego(nss_fd_, wire_protos.get(), wire_length);
     if (rv != SECSuccess)
       LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
     if (rv != SECSuccess)
       LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
     if (rv != SECSuccess)
       LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
   }
 
   rv = SSL_AuthCertificateHook(
       nss_fd_, SSLClientSocketNSS::Core::OwnAuthCertHandler, this);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(*weak_net_log_, "SSL_AuthCertificateHook", "");
     return false;
   }
 
 #if defined(NSS_PLATFORM_CLIENT_AUTH)
   rv = SSL_GetPlatformClientAuthDataHook(
-      nss_fd_, SSLClientSocketNSS::Core::PlatformClientAuthHandler,
-      this);
+      nss_fd_, SSLClientSocketNSS::Core::PlatformClientAuthHandler, this);
 #else
   rv = SSL_GetClientAuthDataHook(
       nss_fd_, SSLClientSocketNSS::Core::ClientAuthHandler, this);
 #endif
   if (rv != SECSuccess) {
     LogFailedNSSFunction(*weak_net_log_, "SSL_GetClientAuthDataHook", "");
     return false;
   }
 
   if (IsChannelIDEnabled(ssl_config_, server_bound_cert_service_)) {
@@ skipping 19 matching lines @@
     return false;
   }
 
   return true;
 }
 
 int SSLClientSocketNSS::Core::Connect(const CompletionCallback& callback) {
   if (!OnNSSTaskRunner()) {
     DCHECK(!detached_);
     bool posted = nss_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(IgnoreResult(&Core::Connect), this, callback));
+        FROM_HERE, base::Bind(IgnoreResult(&Core::Connect), this, callback));
     return posted ? ERR_IO_PENDING : ERR_ABORTED;
   }
 
   DCHECK(OnNSSTaskRunner());
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
   DCHECK(user_read_callback_.is_null());
   DCHECK(user_write_callback_.is_null());
   DCHECK(user_connect_callback_.is_null());
   DCHECK(!user_read_buf_.get());
   DCHECK(!user_write_buf_.get());
@@ skipping 18 matching lines @@
 
   detached_ = true;
   transport_ = NULL;
   weak_net_log_factory_.InvalidateWeakPtrs();
 
   network_handshake_state_.Reset();
 
   domain_bound_cert_request_handle_.Cancel();
 }
 
-int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
+int SSLClientSocketNSS::Core::Read(IOBuffer* buf,
+                                   int buf_len,
                                    const CompletionCallback& callback) {
   if (!OnNSSTaskRunner()) {
     DCHECK(OnNetworkTaskRunner());
     DCHECK(!detached_);
     DCHECK(transport_);
     DCHECK(!nss_waiting_read_);
 
     nss_waiting_read_ = true;
-    bool posted = nss_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(IgnoreResult(&Core::Read), this, make_scoped_refptr(buf),
-                   buf_len, callback));
+    bool posted =
+        nss_task_runner_->PostTask(FROM_HERE,
+                                   base::Bind(IgnoreResult(&Core::Read),
+                                              this,
+                                              make_scoped_refptr(buf),
+                                              buf_len,
+                                              callback));
     if (!posted) {
       nss_is_closed_ = true;
       nss_waiting_read_ = false;
     }
     return posted ? ERR_IO_PENDING : ERR_ABORTED;
   }
 
   DCHECK(OnNSSTaskRunner());
   DCHECK(false_started_ || handshake_callback_called_);
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
@@ skipping 24 matching lines @@
         nss_is_closed_ = true;
       } else {
         was_ever_used_ = true;
       }
     }
   }
 
   return rv;
 }
 
-int SSLClientSocketNSS::Core::Write(IOBuffer* buf, int buf_len,
+int SSLClientSocketNSS::Core::Write(IOBuffer* buf,
+                                    int buf_len,
                                     const CompletionCallback& callback) {
   if (!OnNSSTaskRunner()) {
     DCHECK(OnNetworkTaskRunner());
     DCHECK(!detached_);
     DCHECK(transport_);
     DCHECK(!nss_waiting_write_);
 
     nss_waiting_write_ = true;
-    bool posted = nss_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(IgnoreResult(&Core::Write), this, make_scoped_refptr(buf),
-                   buf_len, callback));
+    bool posted =
+        nss_task_runner_->PostTask(FROM_HERE,
+                                   base::Bind(IgnoreResult(&Core::Write),
+                                              this,
+                                              make_scoped_refptr(buf),
+                                              buf_len,
+                                              callback));
     if (!posted) {
       nss_is_closed_ = true;
       nss_waiting_write_ = false;
     }
     return posted ? ERR_IO_PENDING : ERR_ABORTED;
   }
 
   DCHECK(OnNSSTaskRunner());
   DCHECK(false_started_ || handshake_callback_called_);
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
@@ skipping 77 matching lines @@
 
 bool SSLClientSocketNSS::Core::OnNSSTaskRunner() const {
   return nss_task_runner_->RunsTasksOnCurrentThread();
 }
 
 bool SSLClientSocketNSS::Core::OnNetworkTaskRunner() const {
   return network_task_runner_->RunsTasksOnCurrentThread();
 }
 
 // static
-SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
-    void* arg,
-    PRFileDesc* socket,
-    PRBool checksig,
-    PRBool is_server) {
+SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(void* arg,
+                                                       PRFileDesc* socket,
+                                                       PRBool checksig,
+                                                       PRBool is_server) {
   Core* core = reinterpret_cast<Core*>(arg);
   if (core->handshake_callback_called_) {
     // Disallow the server certificate to change in a renegotiation.
     CERTCertificate* old_cert = core->nss_handshake_state_.server_cert_chain[0];
     ScopedCERTCertificate new_cert(SSL_PeerCertificate(socket));
     if (new_cert->derCert.len != old_cert->derCert.len ||
-        memcmp(new_cert->derCert.data, old_cert->derCert.data,
+        memcmp(new_cert->derCert.data,
+               old_cert->derCert.data,
                new_cert->derCert.len) != 0) {
       // NSS doesn't have an error code that indicates the server certificate
       // changed. Borrow SSL_ERROR_WRONG_CERTIFICATE (which NSS isn't using)
       // for this purpose.
       PORT_SetError(SSL_ERROR_WRONG_CERTIFICATE);
       return SECFailure;
     }
   }
 
   // Tell NSS to not verify the certificate.
   return SECSuccess;
 }
 
 #if defined(NSS_PLATFORM_CLIENT_AUTH)
 // static
 SECStatus SSLClientSocketNSS::Core::PlatformClientAuthHandler(
     void* arg,
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertList** result_certs,
     void** result_private_key,
     CERTCertificate** result_nss_certificate,
     SECKEYPrivateKey** result_nss_private_key) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
-  core->PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&AddLogEvent, core->weak_net_log_,
-                 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
+  core->PostOrRunCallback(FROM_HERE,
+                          base::Bind(&AddLogEvent,
+                                     core->weak_net_log_,
+                                     NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
 
   core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
 #if defined(OS_WIN)
   if (core->ssl_config_.send_client_cert) {
     if (core->ssl_config_.client_cert) {
       PCCERT_CONTEXT cert_context =
           core->ssl_config_.client_cert->os_cert_handle();
 
       HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov = 0;
       DWORD key_spec = 0;
       BOOL must_free = FALSE;
       DWORD flags = 0;
       if (base::win::GetVersion() >= base::win::VERSION_VISTA)
         flags |= CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
 
       BOOL acquired_key = CryptAcquireCertificatePrivateKey(
           cert_context, flags, NULL, &crypt_prov, &key_spec, &must_free);
 
       if (acquired_key) {
         // Should never get a cached handle back - ownership must always be
         // transferred.
         CHECK_EQ(must_free, TRUE);
 
         SECItem der_cert;
         der_cert.type = siDERCertBuffer;
         der_cert.data = cert_context->pbCertEncoded;
-        der_cert.len  = cert_context->cbCertEncoded;
+        der_cert.len = cert_context->cbCertEncoded;
 
         // TODO(rsleevi): Error checking for NSS allocation errors.
         CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
         CERTCertificate* user_cert = CERT_NewTempCertificate(
             db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
         if (!user_cert) {
           // Importing the certificate can fail for reasons including a serial
           // number collision. See crbug.com/97355.
           core->AddCertProvidedEvent(0);
           return SECFailure;
         }
         CERTCertList* cert_chain = CERT_NewCertList();
         CERT_AddCertToListTail(cert_chain, user_cert);
 
         // Add the intermediates.
         X509Certificate::OSCertHandles intermediates =
             core->ssl_config_.client_cert->GetIntermediateCertificates();
         for (X509Certificate::OSCertHandles::const_iterator it =
-            intermediates.begin(); it != intermediates.end(); ++it) {
+                 intermediates.begin();
+             it != intermediates.end();
+             ++it) {
           der_cert.data = (*it)->pbCertEncoded;
           der_cert.len = (*it)->cbCertEncoded;
 
           CERTCertificate* intermediate = CERT_NewTempCertificate(
               db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
           if (!intermediate) {
             CERT_DestroyCertList(cert_chain);
             core->AddCertProvidedEvent(0);
             return SECFailure;
           }
@@ skipping 19 matching lines @@
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   core->nss_handshake_state_.cert_authorities.clear();
 
   std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
   for (int i = 0; i < ca_names->nnames; ++i) {
     issuer_list[i].cbData = ca_names->names[i].len;
     issuer_list[i].pbData = ca_names->names[i].data;
-    core->nss_handshake_state_.cert_authorities.push_back(std::string(
-        reinterpret_cast<const char*>(ca_names->names[i].data),
-        static_cast<size_t>(ca_names->names[i].len)));
+    core->nss_handshake_state_.cert_authorities.push_back(
+        std::string(reinterpret_cast<const char*>(ca_names->names[i].data),
+                    static_cast<size_t>(ca_names->names[i].len)));
   }
 
   // Update the network task runner's view of the handshake state now that
   // server certificate request has been recorded.
   core->PostOrRunCallback(
-      FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
-                            core->nss_handshake_state_));
+      FROM_HERE,
+      base::Bind(
+          &Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 #elif defined(OS_MACOSX)
   if (core->ssl_config_.send_client_cert) {
     if (core->ssl_config_.client_cert.get()) {
       OSStatus os_error = noErr;
       SecIdentityRef identity = NULL;
       SecKeyRef private_key = NULL;
@@ skipping 63 matching lines @@
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   core->nss_handshake_state_.cert_authorities.clear();
 
   // Retrieve the cert issuers accepted by the server.
   std::vector<CertPrincipal> valid_issuers;
   int n = ca_names->nnames;
   for (int i = 0; i < n; i++) {
-    core->nss_handshake_state_.cert_authorities.push_back(std::string(
-        reinterpret_cast<const char*>(ca_names->names[i].data),
-        static_cast<size_t>(ca_names->names[i].len)));
+    core->nss_handshake_state_.cert_authorities.push_back(
+        std::string(reinterpret_cast<const char*>(ca_names->names[i].data),
+                    static_cast<size_t>(ca_names->names[i].len)));
   }
 
   // Update the network task runner's view of the handshake state now that
   // server certificate request has been recorded.
   core->PostOrRunCallback(
-      FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
-                            core->nss_handshake_state_));
+      FROM_HERE,
+      base::Bind(
+          &Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 #else
   return SECFailure;
 #endif
 }
 
 #elif defined(OS_IOS)
 
 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
     void* arg,
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
-  core->PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&AddLogEvent, core->weak_net_log_,
-                 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
+  core->PostOrRunCallback(FROM_HERE,
+                          base::Bind(&AddLogEvent,
+                                     core->weak_net_log_,
+                                     NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
 
   // TODO(droger): Support client auth on iOS. See http://crbug.com/145954).
   LOG(WARNING) << "Client auth is not supported";
 
   // Never send a certificate.
   core->AddCertProvidedEvent(0);
   return SECFailure;
 }
 
-#else  // NSS_PLATFORM_CLIENT_AUTH
+#else   // NSS_PLATFORM_CLIENT_AUTH
 
 // static
 // Based on Mozilla's NSS_GetClientAuthData.
 SECStatus SSLClientSocketNSS::Core::ClientAuthHandler(
     void* arg,
     PRFileDesc* socket,
     CERTDistNames* ca_names,
     CERTCertificate** result_certificate,
     SECKEYPrivateKey** result_private_key) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
-  core->PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&AddLogEvent, core->weak_net_log_,
-                 NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
+  core->PostOrRunCallback(FROM_HERE,
+                          base::Bind(&AddLogEvent,
+                                     core->weak_net_log_,
+                                     NetLog::TYPE_SSL_CLIENT_CERT_REQUESTED));
 
   // Regular client certificate requested.
   core->client_auth_cert_needed_ = !core->ssl_config_.send_client_cert;
-  void* wincx  = SSL_RevealPinArg(socket);
+  void* wincx = SSL_RevealPinArg(socket);
 
   if (core->ssl_config_.send_client_cert) {
     // Second pass: a client certificate should have been selected.
     if (core->ssl_config_.client_cert.get()) {
       CERTCertificate* cert =
           CERT_DupCertificate(core->ssl_config_.client_cert->os_cert_handle());
       SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
       if (privkey) {
         // TODO(jsorianopastor): We should wait for server certificate
         // verification before sending our credentials.  See
@@ skipping 12 matching lines @@
     core->AddCertProvidedEvent(0);
     return SECFailure;
   }
 
   // First pass: client certificate is needed.
   core->nss_handshake_state_.cert_authorities.clear();
 
   // Retrieve the DER-encoded DistinguishedName of the cert issuers accepted by
   // the server and save them in |cert_authorities|.
   for (int i = 0; i < ca_names->nnames; i++) {
-    core->nss_handshake_state_.cert_authorities.push_back(std::string(
-        reinterpret_cast<const char*>(ca_names->names[i].data),
-        static_cast<size_t>(ca_names->names[i].len)));
+    core->nss_handshake_state_.cert_authorities.push_back(
+        std::string(reinterpret_cast<const char*>(ca_names->names[i].data),
+                    static_cast<size_t>(ca_names->names[i].len)));
   }
 
   // Update the network task runner's view of the handshake state now that
   // server certificate request has been recorded.
   core->PostOrRunCallback(
-      FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, core,
-                            core->nss_handshake_state_));
+      FROM_HERE,
+      base::Bind(
+          &Core::OnHandshakeStateUpdated, core, core->nss_handshake_state_));
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 }
 #endif  // NSS_PLATFORM_CLIENT_AUTH
 
 // static
 SECStatus SSLClientSocketNSS::Core::CanFalseStartCallback(
     PRFileDesc* socket,
     void* arg,
     PRBool* can_false_start) {
   // If the server doesn't support NPN or ALPN, then we don't do False
   // Start with it.
   PRBool negotiated_extension;
-  SECStatus rv = SSL_HandshakeNegotiatedExtension(socket,
-                                                  ssl_app_layer_protocol_xtn,
-                                                  &negotiated_extension);
+  SECStatus rv = SSL_HandshakeNegotiatedExtension(
+      socket, ssl_app_layer_protocol_xtn, &negotiated_extension);
   if (rv != SECSuccess || !negotiated_extension) {
-    rv = SSL_HandshakeNegotiatedExtension(socket,
-                                          ssl_next_proto_nego_xtn,
-                                          &negotiated_extension);
+    rv = SSL_HandshakeNegotiatedExtension(
+        socket, ssl_next_proto_nego_xtn, &negotiated_extension);
   }
   if (rv != SECSuccess || !negotiated_extension) {
     *can_false_start = PR_FALSE;
     return SECSuccess;
   }
 
   return SSL_RecommendedCanFalseStart(socket, can_false_start);
 }
 
 // static
-void SSLClientSocketNSS::Core::HandshakeCallback(
-    PRFileDesc* socket,
-    void* arg) {
+void SSLClientSocketNSS::Core::HandshakeCallback(PRFileDesc* socket,
+                                                 void* arg) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
   core->handshake_callback_called_ = true;
   if (core->false_started_) {
     core->false_started_ = false;
     // If the connection was False Started, then at the time of this callback,
     // the peer's certificate will have been verified or the caller will have
     // accepted the error.
     // This is guaranteed when using False Start because this callback will
@@ skipping 23 matching lines @@
   RecordChannelIDSupportOnNSSTaskRunner();
   UpdateServerCert();
   UpdateSignedCertTimestamps();
   UpdateStapledOCSPResponse();
   UpdateConnectionStatus();
   UpdateNextProto();
 
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
   PostOrRunCallback(
-      FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
-                            nss_handshake_state_));
+      FROM_HERE,
+      base::Bind(&Core::OnHandshakeStateUpdated, this, nss_handshake_state_));
 }
 
 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error,
                                              bool handshake_error) {
   DCHECK(OnNSSTaskRunner());
 
-  int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error) :
-                                    MapNSSClientError(nss_error);
+  int net_error = handshake_error ? MapNSSClientHandshakeError(nss_error)
+                                  : MapNSSClientError(nss_error);
 
 #if defined(OS_WIN)
   // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate
   // os_cert_handle() as an optimization. However, if the certificate
   // private key is stored on a smart card, and the smart card is removed,
   // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again,
   // preventing client certificate authentication. Because the
   // X509Certificate may outlive the individual SSLClientSocketNSS, due to
   // caching in X509Certificate, this failure ends up preventing client
   // certificate authentication with the same certificate for all future
   // attempts, even after the smart card has been re-inserted. By setting
   // the CERT_KEY_PROV_HANDLE_PROP_ID to NULL, the cached HCRYPTPROV will
   // typically be freed. This allows a new HCRYPTPROV to be obtained from
   // the certificate on the next attempt, which should succeed if the smart
   // card has been re-inserted, or will typically prompt the user to
   // re-insert the smart card if not.
   if ((net_error == ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY ||
        net_error == ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED) &&
       ssl_config_.send_client_cert && ssl_config_.client_cert) {
-    CertSetCertificateContextProperty(
-        ssl_config_.client_cert->os_cert_handle(),
-        CERT_KEY_PROV_HANDLE_PROP_ID, 0, NULL);
+    CertSetCertificateContextProperty(ssl_config_.client_cert->os_cert_handle(),
+                                      CERT_KEY_PROV_HANDLE_PROP_ID,
+                                      0,
+                                      NULL);
   }
 #endif
 
   return net_error;
 }
 
 int SSLClientSocketNSS::Core::DoHandshakeLoop(int last_io_result) {
   DCHECK(OnNSSTaskRunner());
 
   int rv = last_io_result;
@@ skipping 33 matching lines @@
   DCHECK(OnNSSTaskRunner());
   DCHECK(false_started_ || handshake_callback_called_);
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
 
   if (result < 0)
     return result;
 
   if (!nss_bufs_) {
     LOG(DFATAL) << "!nss_bufs_";
     int rv = ERR_UNEXPECTED;
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                   NetLog::TYPE_SSL_READ_ERROR,
-                   CreateNetLogSSLErrorCallback(rv, 0)));
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&AddLogEventWithCallback,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_READ_ERROR,
+                                 CreateNetLogSSLErrorCallback(rv, 0)));
     return rv;
   }
 
   bool network_moved;
   int rv;
   do {
     rv = DoPayloadRead();
     network_moved = DoTransportIO();
   } while (rv == ERR_IO_PENDING && network_moved);
 
   return rv;
 }
 
 int SSLClientSocketNSS::Core::DoWriteLoop(int result) {
   DCHECK(OnNSSTaskRunner());
   DCHECK(false_started_ || handshake_callback_called_);
   DCHECK_EQ(STATE_NONE, next_handshake_state_);
 
   if (result < 0)
     return result;
 
   if (!nss_bufs_) {
     LOG(DFATAL) << "!nss_bufs_";
     int rv = ERR_UNEXPECTED;
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                   NetLog::TYPE_SSL_READ_ERROR,
-                   CreateNetLogSSLErrorCallback(rv, 0)));
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&AddLogEventWithCallback,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_READ_ERROR,
+                                 CreateNetLogSSLErrorCallback(rv, 0)));
     return rv;
   }
 
   bool network_moved;
   int rv;
   do {
     rv = DoPayloadWrite();
     network_moved = DoTransportIO();
   } while (rv == ERR_IO_PENDING && network_moved);
 
   LeaveFunction(rv);
   return rv;
 }
 
 int SSLClientSocketNSS::Core::DoHandshake() {
   DCHECK(OnNSSTaskRunner());
 
   int net_error = net::OK;
   SECStatus rv = SSL_ForceHandshake(nss_fd_);
 
   // Note: this function may be called multiple times during the handshake, so
   // even though channel id and client auth are separate else cases, they can
   // both be used during a single SSL handshake.
   if (channel_id_needed_) {
     GotoState(STATE_GET_DOMAIN_BOUND_CERT_COMPLETE);
     net_error = ERR_IO_PENDING;
   } else if (client_auth_cert_needed_) {
     net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                   NetLog::TYPE_SSL_HANDSHAKE_ERROR,
-                   CreateNetLogSSLErrorCallback(net_error, 0)));
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&AddLogEventWithCallback,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_HANDSHAKE_ERROR,
+                                 CreateNetLogSSLErrorCallback(net_error, 0)));
 
     // If the handshake already succeeded (because the server requests but
     // doesn't require a client cert), we need to invalidate the SSL session
     // so that we won't try to resume the non-client-authenticated session in
     // the next handshake.  This will cause the server to ask for a client
     // cert again.
     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess)
       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
   } else if (rv == SECSuccess) {
     if (!handshake_callback_called_) {
@@ skipping 20 matching lines @@
         ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1_1) {
       net_error = ERR_SSL_PROTOCOL_ERROR;
     }
 
     // If not done, stay in this state
     if (net_error == ERR_IO_PENDING) {
       GotoState(STATE_HANDSHAKE);
     } else {
       PostOrRunCallback(
           FROM_HERE,
-          base::Bind(&AddLogEventWithCallback, weak_net_log_,
+          base::Bind(&AddLogEventWithCallback,
+                     weak_net_log_,
                      NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                      CreateNetLogSSLErrorCallback(net_error, prerr)));
     }
   }
 
   return net_error;
 }
 
 int SSLClientSocketNSS::Core::DoGetDBCertComplete(int result) {
   SECStatus rv;
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&BoundNetLog::EndEventWithNetErrorCode, weak_net_log_,
-                 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, result));
+  PostOrRunCallback(FROM_HERE,
+                    base::Bind(&BoundNetLog::EndEventWithNetErrorCode,
+                               weak_net_log_,
+                               NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
+                               result));
 
   channel_id_needed_ = false;
 
   if (result != OK)
     return result;
 
   SECKEYPublicKey* public_key;
   SECKEYPrivateKey* private_key;
   int error = ImportChannelIDKeys(&public_key, &private_key);
   if (error != OK)
@@ skipping 17 matching lines @@
   // If a previous greedy read resulted in an error that was not consumed (eg:
   // due to the caller having read some data successfully), then return that
   // pending error now.
   if (pending_read_result_ != kNoPendingReadResult) {
     rv = pending_read_result_;
     PRErrorCode prerr = pending_read_nss_error_;
     pending_read_result_ = kNoPendingReadResult;
     pending_read_nss_error_ = 0;
 
     if (rv == 0) {
-      PostOrRunCallback(
-          FROM_HERE,
-          base::Bind(&LogByteTransferEvent, weak_net_log_,
-                     NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
-                     scoped_refptr<IOBuffer>(user_read_buf_)));
+      PostOrRunCallback(FROM_HERE,
+                        base::Bind(&LogByteTransferEvent,
+                                   weak_net_log_,
+                                   NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
+                                   rv,
+                                   scoped_refptr<IOBuffer>(user_read_buf_)));
     } else {
-      PostOrRunCallback(
-          FROM_HERE,
-          base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                     NetLog::TYPE_SSL_READ_ERROR,
-                     CreateNetLogSSLErrorCallback(rv, prerr)));
+      PostOrRunCallback(FROM_HERE,
+                        base::Bind(&AddLogEventWithCallback,
+                                   weak_net_log_,
+                                   NetLog::TYPE_SSL_READ_ERROR,
+                                   CreateNetLogSSLErrorCallback(rv, prerr)));
     }
     return rv;
   }
 
   // Perform a greedy read, attempting to read as much as the caller has
   // requested. In the current NSS implementation, PR_Read will return
   // exactly one SSL application data record's worth of data per invocation.
   // The record size is dictated by the server, and may be noticeably smaller
   // than the caller's buffer. This may be as little as a single byte, if the
   // server is performing 1/n-1 record splitting.
   //
   // However, this greedy read may result in renegotiations/re-handshakes
   // happening or may lead to some data being read, followed by an EOF (such as
   // a TLS close-notify). If at least some data was read, then that result
   // should be deferred until the next call to DoPayloadRead(). Otherwise, if no
   // data was read, it's safe to return the error or EOF immediately.
   int total_bytes_read = 0;
   do {
-    rv = PR_Read(nss_fd_, user_read_buf_->data() + total_bytes_read,
+    rv = PR_Read(nss_fd_,
+                 user_read_buf_->data() + total_bytes_read,
                  user_read_buf_len_ - total_bytes_read);
     if (rv > 0)
       total_bytes_read += rv;
   } while (total_bytes_read < user_read_buf_len_ && rv > 0);
   int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
-  PostOrRunCallback(FROM_HERE, base::Bind(&Core::OnNSSBufferUpdated, this,
-                                          amount_in_read_buffer));
+  PostOrRunCallback(
+      FROM_HERE,
+      base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
 
   if (total_bytes_read == user_read_buf_len_) {
     // The caller's entire request was satisfied without error. No further
     // processing needed.
     rv = total_bytes_read;
   } else {
     // Otherwise, an error occurred (rv <= 0). The error needs to be handled
     // immediately, while the NSPR/NSS errors are still available in
     // thread-local storage. However, the handled/remapped error code should
     // only be returned if no application data was already read; if it was, the
@@ skipping 28 matching lines @@
         // if a complete record may now be read.
         pending_read_nss_error_ = 0;
         pending_read_result_ = kNoPendingReadResult;
       }
     }
   }
 
   DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
 
   if (rv >= 0) {
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&LogByteTransferEvent, weak_net_log_,
-                   NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv,
-                   scoped_refptr<IOBuffer>(user_read_buf_)));
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&LogByteTransferEvent,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
+                                 rv,
+                                 scoped_refptr<IOBuffer>(user_read_buf_)));
   } else if (rv != ERR_IO_PENDING) {
     PostOrRunCallback(
         FROM_HERE,
-        base::Bind(&AddLogEventWithCallback, weak_net_log_,
+        base::Bind(&AddLogEventWithCallback,
+                   weak_net_log_,
                    NetLog::TYPE_SSL_READ_ERROR,
                    CreateNetLogSSLErrorCallback(rv, pending_read_nss_error_)));
     pending_read_nss_error_ = 0;
   }
   return rv;
 }
 
 int SSLClientSocketNSS::Core::DoPayloadWrite() {
   DCHECK(OnNSSTaskRunner());
 
   DCHECK(user_write_buf_.get());
 
   int old_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
   int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_);
   int new_amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
   // PR_Write could potentially consume the unhandled data in the memio read
   // buffer if a renegotiation is in progress. If the buffer is consumed,
   // notify the latest buffer size to NetworkRunner.
   if (old_amount_in_read_buffer != new_amount_in_read_buffer) {
     PostOrRunCallback(
         FROM_HERE,
         base::Bind(&Core::OnNSSBufferUpdated, this, new_amount_in_read_buffer));
   }
   if (rv >= 0) {
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&LogByteTransferEvent, weak_net_log_,
-                   NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv,
-                   scoped_refptr<IOBuffer>(user_write_buf_)));
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&LogByteTransferEvent,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_SOCKET_BYTES_SENT,
+                                 rv,
+                                 scoped_refptr<IOBuffer>(user_write_buf_)));
     return rv;
   }
   PRErrorCode prerr = PR_GetError();
   if (prerr == PR_WOULD_BLOCK_ERROR)
     return ERR_IO_PENDING;
 
   rv = HandleNSSError(prerr, false);
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                 NetLog::TYPE_SSL_WRITE_ERROR,
-                 CreateNetLogSSLErrorCallback(rv, prerr)));
+  PostOrRunCallback(FROM_HERE,
+                    base::Bind(&AddLogEventWithCallback,
+                               weak_net_log_,
+                               NetLog::TYPE_SSL_WRITE_ERROR,
+                               CreateNetLogSSLErrorCallback(rv, prerr)));
   return rv;
 }
 
 // Do as much network I/O as possible between the buffer and the
 // transport socket. Return true if some I/O performed, false
 // otherwise (error or ERR_IO_PENDING).
 bool SSLClientSocketNSS::Core::DoTransportIO() {
   DCHECK(OnNSSTaskRunner());
 
   bool network_moved = false;
@@ skipping 35 matching lines @@
   if (!nb) {
     // buffer too full to read into, so no I/O possible at moment
     rv = ERR_IO_PENDING;
   } else {
     scoped_refptr<IOBuffer> read_buffer(new IOBuffer(nb));
     if (OnNetworkTaskRunner()) {
       rv = DoBufferRecv(read_buffer.get(), nb);
     } else {
       bool posted = network_task_runner_->PostTask(
           FROM_HERE,
-          base::Bind(IgnoreResult(&Core::DoBufferRecv), this, read_buffer,
-                     nb));
+          base::Bind(IgnoreResult(&Core::DoBufferRecv), this, read_buffer, nb));
       rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
     }
 
     if (rv == ERR_IO_PENDING) {
       transport_recv_busy_ = true;
     } else {
       if (rv > 0) {
         memcpy(buf, read_buffer->data(), rv);
       } else if (rv == 0) {
         transport_recv_eof_ = true;
@@ skipping 23 matching lines @@
   if (len) {
     scoped_refptr<IOBuffer> send_buffer(new IOBuffer(len));
     memcpy(send_buffer->data(), buf1, len1);
     memcpy(send_buffer->data() + len1, buf2, len2);
 
     if (OnNetworkTaskRunner()) {
       rv = DoBufferSend(send_buffer.get(), len);
     } else {
       bool posted = network_task_runner_->PostTask(
           FROM_HERE,
-          base::Bind(IgnoreResult(&Core::DoBufferSend), this, send_buffer,
-                     len));
+          base::Bind(
+              IgnoreResult(&Core::DoBufferSend), this, send_buffer, len));
       rv = posted ? ERR_IO_PENDING : ERR_ABORTED;
     }
 
     if (rv == ERR_IO_PENDING) {
       transport_send_busy_ = true;
     } else {
       memio_PutWriteResult(nss_bufs_, MapErrorToNSS(rv));
     }
   }
 
@@ skipping 60 matching lines @@
 // handshake. This requires network IO, which in turn calls
 // BufferRecvComplete() with a non-zero byte count. This byte count eventually
 // winds its way through the state machine and ends up being passed to the
 // callback. For Read() and Write(), that's what we want. But for Connect(),
 // the caller expects OK (i.e. 0) for success.
 void SSLClientSocketNSS::Core::DoConnectCallback(int rv) {
   DCHECK(OnNSSTaskRunner());
   DCHECK_NE(rv, ERR_IO_PENDING);
   DCHECK(!user_connect_callback_.is_null());
 
-  base::Closure c = base::Bind(
-      base::ResetAndReturn(&user_connect_callback_),
-      rv > OK ? OK : rv);
+  base::Closure c = base::Bind(base::ResetAndReturn(&user_connect_callback_),
+                               rv > OK ? OK : rv);
   PostOrRunCallback(FROM_HERE, c);
 }
 
 void SSLClientSocketNSS::Core::DoReadCallback(int rv) {
   DCHECK(OnNSSTaskRunner());
   DCHECK_NE(ERR_IO_PENDING, rv);
   DCHECK(!user_read_callback_.is_null());
 
   user_read_buf_ = NULL;
   user_read_buf_len_ = 0;
   int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
   // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
   // the network task runner.
   PostOrRunCallback(
       FROM_HERE,
       base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&Core::DidNSSRead, this, rv));
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(base::ResetAndReturn(&user_read_callback_), rv));
+  PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSRead, this, rv));
+  PostOrRunCallback(FROM_HERE,
+                    base::Bind(base::ResetAndReturn(&user_read_callback_), rv));
 }
 
 void SSLClientSocketNSS::Core::DoWriteCallback(int rv) {
   DCHECK(OnNSSTaskRunner());
   DCHECK_NE(ERR_IO_PENDING, rv);
   DCHECK(!user_write_callback_.is_null());
 
   // Since Run may result in Write being called, clear |user_write_callback_|
   // up front.
   user_write_buf_ = NULL;
   user_write_buf_len_ = 0;
   // Update buffer status because DoWriteLoop called DoTransportIO which may
   // perform read operations.
   int amount_in_read_buffer = memio_GetReadableBufferSize(nss_bufs_);
   // This is used to curry the |amount_int_read_buffer| and |user_cb| back to
   // the network task runner.
   PostOrRunCallback(
       FROM_HERE,
       base::Bind(&Core::OnNSSBufferUpdated, this, amount_in_read_buffer));
+  PostOrRunCallback(FROM_HERE, base::Bind(&Core::DidNSSWrite, this, rv));
   PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&Core::DidNSSWrite, this, rv));
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(base::ResetAndReturn(&user_write_callback_), rv));
+      FROM_HERE, base::Bind(base::ResetAndReturn(&user_write_callback_), rv));
 }
 
 SECStatus SSLClientSocketNSS::Core::ClientChannelIDHandler(
     void* arg,
     PRFileDesc* socket,
-    SECKEYPublicKey **out_public_key,
-    SECKEYPrivateKey **out_private_key) {
+    SECKEYPublicKey** out_public_key,
+    SECKEYPrivateKey** out_private_key) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
-  core->PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&AddLogEvent, core->weak_net_log_,
-                 NetLog::TYPE_SSL_CHANNEL_ID_REQUESTED));
+  core->PostOrRunCallback(FROM_HERE,
+                          base::Bind(&AddLogEvent,
+                                     core->weak_net_log_,
+                                     NetLog::TYPE_SSL_CHANNEL_ID_REQUESTED));
 
   // We have negotiated the TLS channel ID extension.
   core->channel_id_xtn_negotiated_ = true;
   std::string host = core->host_and_port_.host();
   int error = ERR_UNEXPECTED;
   if (core->OnNetworkTaskRunner()) {
     error = core->DoGetDomainBoundCert(host);
   } else {
     bool posted = core->network_task_runner_->PostTask(
         FROM_HERE,
-        base::Bind(
-            IgnoreResult(&Core::DoGetDomainBoundCert),
-            core, host));
+        base::Bind(IgnoreResult(&Core::DoGetDomainBoundCert), core, host));
     error = posted ? ERR_IO_PENDING : ERR_ABORTED;
   }
 
   if (error == ERR_IO_PENDING) {
     // Asynchronous case.
     core->channel_id_needed_ = true;
     return SECWouldBlock;
   }
 
-  core->PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&BoundNetLog::EndEventWithNetErrorCode, core->weak_net_log_,
-                 NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT, error));
+  core->PostOrRunCallback(FROM_HERE,
+                          base::Bind(&BoundNetLog::EndEventWithNetErrorCode,
+                                     core->weak_net_log_,
+                                     NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
+                                     error));
   SECStatus rv = SECSuccess;
   if (error == OK) {
     // Synchronous success.
     int result = core->ImportChannelIDKeys(out_public_key, out_private_key);
     if (result == OK)
       core->SetChannelIDProvided();
     else
       rv = SECFailure;
   } else {
     rv = SECFailure;
   }
 
   return rv;
 }
 
 int SSLClientSocketNSS::Core::ImportChannelIDKeys(SECKEYPublicKey** public_key,
                                                   SECKEYPrivateKey** key) {
   // Set the certificate.
   SECItem cert_item;
-  cert_item.data = (unsigned char*) domain_bound_cert_.data();
+  cert_item.data = (unsigned char*)domain_bound_cert_.data();
   cert_item.len = domain_bound_cert_.size();
-  ScopedCERTCertificate cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
-                                                     &cert_item,
-                                                     NULL,
-                                                     PR_FALSE,
-                                                     PR_TRUE));
+  ScopedCERTCertificate cert(CERT_NewTempCertificate(
+      CERT_GetDefaultCertDB(), &cert_item, NULL, PR_FALSE, PR_TRUE));
   if (cert == NULL)
     return MapNSSError(PORT_GetError());
 
   crypto::ScopedPK11Slot slot(PK11_GetInternalSlot());
   // Set the private key.
   if (!crypto::ECPrivateKey::ImportFromEncryptedPrivateKeyInfo(
           slot.get(),
           ServerBoundCertService::kEPKIPassword,
           reinterpret_cast<const unsigned char*>(
               domain_bound_private_key_.data()),
@@ skipping 10 matching lines @@
   return OK;
 }
 
 void SSLClientSocketNSS::Core::UpdateServerCert() {
   nss_handshake_state_.server_cert_chain.Reset(nss_fd_);
   nss_handshake_state_.server_cert = X509Certificate::CreateFromDERCertChain(
       nss_handshake_state_.server_cert_chain.AsStringPieceVector());
   if (nss_handshake_state_.server_cert.get()) {
     // Since this will be called asynchronously on another thread, it needs to
     // own a reference to the certificate.
-    NetLog::ParametersCallback net_log_callback =
-        base::Bind(&NetLogX509CertificateCallback,
-                   nss_handshake_state_.server_cert);
-    PostOrRunCallback(
-        FROM_HERE,
-        base::Bind(&AddLogEventWithCallback, weak_net_log_,
-                   NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
-                   net_log_callback));
+    NetLog::ParametersCallback net_log_callback = base::Bind(
+        &NetLogX509CertificateCallback, nss_handshake_state_.server_cert);
+    PostOrRunCallback(FROM_HERE,
+                      base::Bind(&AddLogEventWithCallback,
+                                 weak_net_log_,
+                                 NetLog::TYPE_SSL_CERTIFICATES_RECEIVED,
+                                 net_log_callback));
   }
 }
 
 void SSLClientSocketNSS::Core::UpdateSignedCertTimestamps() {
-  const SECItem* signed_cert_timestamps =
-      SSL_PeerSignedCertTimestamps(nss_fd_);
+  const SECItem* signed_cert_timestamps = SSL_PeerSignedCertTimestamps(nss_fd_);
 
   if (!signed_cert_timestamps || !signed_cert_timestamps->len)
     return;
 
-  nss_handshake_state_.sct_list_from_tls_extension = std::string(
-      reinterpret_cast<char*>(signed_cert_timestamps->data),
-      signed_cert_timestamps->len);
+  nss_handshake_state_.sct_list_from_tls_extension =
+      std::string(reinterpret_cast<char*>(signed_cert_timestamps->data),
+                  signed_cert_timestamps->len);
 }
 
 void SSLClientSocketNSS::Core::UpdateStapledOCSPResponse() {
   PRBool ocsp_requested = PR_FALSE;
   SSL_OptionGet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, &ocsp_requested);
-  const SECItemArray* ocsp_responses =
-      SSL_PeerStapledOCSPResponses(nss_fd_);
+  const SECItemArray* ocsp_responses = SSL_PeerStapledOCSPResponses(nss_fd_);
   bool ocsp_responses_present = ocsp_responses && ocsp_responses->len;
   if (ocsp_requested)
     UMA_HISTOGRAM_BOOLEAN("Net.OCSPResponseStapled", ocsp_responses_present);
   if (!ocsp_responses_present)
     return;
 
-  nss_handshake_state_.stapled_ocsp_response = std::string(
-      reinterpret_cast<char*>(ocsp_responses->items[0].data),
-      ocsp_responses->items[0].len);
+  nss_handshake_state_.stapled_ocsp_response =
+      std::string(reinterpret_cast<char*>(ocsp_responses->items[0].data),
+                  ocsp_responses->items[0].len);
 
   // TODO(agl): figure out how to plumb an OCSP response into the Mac
   // system library and update IsOCSPStaplingSupported for Mac.
   if (IsOCSPStaplingSupported()) {
-  #if defined(OS_WIN)
+#if defined(OS_WIN)
     if (nss_handshake_state_.server_cert) {
       CRYPT_DATA_BLOB ocsp_response_blob;
       ocsp_response_blob.cbData = ocsp_responses->items[0].len;
       ocsp_response_blob.pbData = ocsp_responses->items[0].data;
       BOOL ok = CertSetCertificateContextProperty(
           nss_handshake_state_.server_cert->os_cert_handle(),
           CERT_OCSP_RESPONSE_PROP_ID,
           CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
           &ocsp_response_blob);
       if (!ok) {
-        VLOG(1) << "Failed to set OCSP response property: "
-                << GetLastError();
+        VLOG(1) << "Failed to set OCSP response property: " << GetLastError();
       }
     }
-  #elif defined(USE_NSS)
+#elif defined(USE_NSS)
     CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
         GetCacheOCSPResponseFromSideChannelFunction();
 
-    cache_ocsp_response(
-        CERT_GetDefaultCertDB(),
-        nss_handshake_state_.server_cert_chain[0], PR_Now(),
-        &ocsp_responses->items[0], NULL);
-  #endif
+    cache_ocsp_response(CERT_GetDefaultCertDB(),
+                        nss_handshake_state_.server_cert_chain[0],
+                        PR_Now(),
+                        &ocsp_responses->items[0],
+                        NULL);
+#endif
   }  // IsOCSPStaplingSupported()
 }
 
 void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
   SSLChannelInfo channel_info;
-  SECStatus ok = SSL_GetChannelInfo(nss_fd_,
-                                    &channel_info, sizeof(channel_info));
-  if (ok == SECSuccess &&
-      channel_info.length == sizeof(channel_info) &&
+  SECStatus ok =
+      SSL_GetChannelInfo(nss_fd_, &channel_info, sizeof(channel_info));
+  if (ok == SECSuccess && channel_info.length == sizeof(channel_info) &&
       channel_info.cipherSuite) {
     nss_handshake_state_.ssl_connection_status |=
         (static_cast<int>(channel_info.cipherSuite) &
-         SSL_CONNECTION_CIPHERSUITE_MASK) <<
-        SSL_CONNECTION_CIPHERSUITE_SHIFT;
+         SSL_CONNECTION_CIPHERSUITE_MASK)
+        << SSL_CONNECTION_CIPHERSUITE_SHIFT;
 
     nss_handshake_state_.ssl_connection_status |=
         (static_cast<int>(channel_info.compressionMethod) &
-         SSL_CONNECTION_COMPRESSION_MASK) <<
-        SSL_CONNECTION_COMPRESSION_SHIFT;
+         SSL_CONNECTION_COMPRESSION_MASK)
+        << SSL_CONNECTION_COMPRESSION_SHIFT;
 
     // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
     // support it yet), so use 0x0303 directly.
     int version = SSL_CONNECTION_VERSION_UNKNOWN;
     if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
       // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
       // version 2.
       version = SSL_CONNECTION_VERSION_SSL2;
     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
       version = SSL_CONNECTION_VERSION_SSL3;
     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
       version = SSL_CONNECTION_VERSION_TLS1;
     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
       version = SSL_CONNECTION_VERSION_TLS1_1;
     } else if (channel_info.protocolVersion == 0x0303) {
       version = SSL_CONNECTION_VERSION_TLS1_2;
     }
     nss_handshake_state_.ssl_connection_status |=
-        (version & SSL_CONNECTION_VERSION_MASK) <<
-        SSL_CONNECTION_VERSION_SHIFT;
+        (version & SSL_CONNECTION_VERSION_MASK) << SSL_CONNECTION_VERSION_SHIFT;
   }
 
   PRBool peer_supports_renego_ext;
-  ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
-                                        &peer_supports_renego_ext);
+  ok = SSL_HandshakeNegotiatedExtension(
+      nss_fd_, ssl_renegotiation_info_xtn, &peer_supports_renego_ext);
   if (ok == SECSuccess) {
     if (!peer_supports_renego_ext) {
       nss_handshake_state_.ssl_connection_status |=
           SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
       // Log an informational message if the server does not support secure
       // renegotiation (RFC 5746).
       VLOG(1) << "The server " << host_and_port_.ToString()
               << " does not support the TLS renegotiation_info extension.";
     }
-    UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
-                              peer_supports_renego_ext, 2);
+    UMA_HISTOGRAM_ENUMERATION(
+        "Net.RenegotiationExtensionSupported", peer_supports_renego_ext, 2);
 
     // We would like to eliminate fallback to SSLv3 for non-buggy servers
     // because of security concerns. For example, Google offers forward
     // secrecy with ECDHE but that requires TLS 1.0. An attacker can block
     // TLSv1 connections and force us to downgrade to SSLv3 and remove forward
     // secrecy.
     //
     // Yngve from Opera has suggested using the renegotiation extension as an
     // indicator that SSLv3 fallback was mistaken:
     // tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00 .
@@ skipping 42 matching lines @@
 }
 
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
   DCHECK(OnNSSTaskRunner());
   if (nss_handshake_state_.resumed_handshake)
     return;
 
   // Copy the NSS task runner-only state to the network task runner and
   // log histograms from there, since the histograms also need access to the
   // network task runner state.
-  PostOrRunCallback(
-      FROM_HERE,
-      base::Bind(&Core::RecordChannelIDSupportOnNetworkTaskRunner,
-                 this,
-                 channel_id_xtn_negotiated_,
-                 ssl_config_.channel_id_enabled,
-                 crypto::ECPrivateKey::IsSupported()));
+  PostOrRunCallback(FROM_HERE,
+                    base::Bind(&Core::RecordChannelIDSupportOnNetworkTaskRunner,
+                               this,
+                               channel_id_xtn_negotiated_,
+                               ssl_config_.channel_id_enabled,
+                               crypto::ECPrivateKey::IsSupported()));
 }
 
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNetworkTaskRunner(
     bool negotiated_channel_id,
     bool channel_id_enabled,
     bool supports_ecc) const {
   DCHECK(OnNetworkTaskRunner());
 
   RecordChannelIDSupport(server_bound_cert_service_,
                          negotiated_channel_id,
                          channel_id_enabled,
                          supports_ecc);
 }
 
 int SSLClientSocketNSS::Core::DoBufferRecv(IOBuffer* read_buffer, int len) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK_GT(len, 0);
 
   if (detached_)
     return ERR_ABORTED;
 
   int rv = transport_->socket()->Read(
-      read_buffer, len,
-      base::Bind(&Core::BufferRecvComplete, base::Unretained(this),
+      read_buffer,
+      len,
+      base::Bind(&Core::BufferRecvComplete,
+                 base::Unretained(this),
                  scoped_refptr<IOBuffer>(read_buffer)));
 
   if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
-    nss_task_runner_->PostTask(
-        FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
-                              scoped_refptr<IOBuffer>(read_buffer), rv));
+    nss_task_runner_->PostTask(FROM_HERE,
+                               base::Bind(&Core::BufferRecvComplete,
+                                          this,
+                                          scoped_refptr<IOBuffer>(read_buffer),
+                                          rv));
     return rv;
   }
 
   return rv;
 }
 
 int SSLClientSocketNSS::Core::DoBufferSend(IOBuffer* send_buffer, int len) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK_GT(len, 0);
 
   if (detached_)
     return ERR_ABORTED;
 
   int rv = transport_->socket()->Write(
-      send_buffer, len,
-      base::Bind(&Core::BufferSendComplete,
-                 base::Unretained(this)));
+      send_buffer,
+      len,
+      base::Bind(&Core::BufferSendComplete, base::Unretained(this)));
 
   if (!OnNSSTaskRunner() && rv != ERR_IO_PENDING) {
-    nss_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(&Core::BufferSendComplete, this, rv));
+    nss_task_runner_->PostTask(FROM_HERE,
+                               base::Bind(&Core::BufferSendComplete, this, rv));
     return rv;
   }
 
   return rv;
 }
 
 int SSLClientSocketNSS::Core::DoGetDomainBoundCert(const std::string& host) {
   DCHECK(OnNetworkTaskRunner());
 
   if (detached_)
     return ERR_FAILED;
 
   weak_net_log_->BeginEvent(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT);
 
   int rv = server_bound_cert_service_->GetOrCreateDomainBoundCert(
       host,
       &domain_bound_private_key_,
       &domain_bound_cert_,
       base::Bind(&Core::OnGetDomainBoundCertComplete, base::Unretained(this)),
       &domain_bound_cert_request_handle_);
 
   if (rv != ERR_IO_PENDING && !OnNSSTaskRunner()) {
     nss_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(&Core::OnHandshakeIOComplete, this, rv));
+        FROM_HERE, base::Bind(&Core::OnHandshakeIOComplete, this, rv));
     return ERR_IO_PENDING;
   }
 
   return rv;
 }
 
 void SSLClientSocketNSS::Core::OnHandshakeStateUpdated(
     const HandshakeState& state) {
   DCHECK(OnNetworkTaskRunner());
   network_handshake_state_ = state;
@@ skipping 60 matching lines @@
     DoConnectCallback(rv);
 }
 
 void SSLClientSocketNSS::Core::OnGetDomainBoundCertComplete(int result) {
   DVLOG(1) << __FUNCTION__ << " " << result;
   DCHECK(OnNetworkTaskRunner());
 
   OnHandshakeIOComplete(result);
 }
 
-void SSLClientSocketNSS::Core::BufferRecvComplete(
-    IOBuffer* read_buffer,
-    int result) {
+void SSLClientSocketNSS::Core::BufferRecvComplete(IOBuffer* read_buffer,
+                                                  int result) {
   DCHECK(read_buffer);
 
   if (!OnNSSTaskRunner()) {
     if (detached_)
       return;
 
-    nss_task_runner_->PostTask(
-        FROM_HERE, base::Bind(&Core::BufferRecvComplete, this,
-                              scoped_refptr<IOBuffer>(read_buffer), result));
+    nss_task_runner_->PostTask(FROM_HERE,
+                               base::Bind(&Core::BufferRecvComplete,
+                                          this,
+                                          scoped_refptr<IOBuffer>(read_buffer),
+                                          result));
     return;
   }
 
   DCHECK(OnNSSTaskRunner());
 
   if (result > 0) {
     char* buf;
     int nb = memio_GetReadParams(nss_bufs_, &buf);
     CHECK_GE(nb, result);
     memcpy(buf, read_buffer->data(), result);
   } else if (result == 0) {
     transport_recv_eof_ = true;
   }
 
   memio_PutReadResult(nss_bufs_, MapErrorToNSS(result));
   transport_recv_busy_ = false;
   OnRecvComplete(result);
 }
 
 void SSLClientSocketNSS::Core::PostOrRunCallback(
     const tracked_objects::Location& location,
     const base::Closure& task) {
   if (!OnNetworkTaskRunner()) {
     network_task_runner_->PostTask(
-        FROM_HERE,
-        base::Bind(&Core::PostOrRunCallback, this, location, task));
+        FROM_HERE, base::Bind(&Core::PostOrRunCallback, this, location, task));
     return;
   }
 
   if (detached_ || task.is_null())
     return;
   task.Run();
 }
 
 void SSLClientSocketNSS::Core::AddCertProvidedEvent(int cert_count) {
   PostOrRunCallback(
       FROM_HERE,
-      base::Bind(&AddLogEventWithCallback, weak_net_log_,
+      base::Bind(&AddLogEventWithCallback,
+                 weak_net_log_,
                  NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
                  NetLog::IntegerCallback("cert_count", cert_count)));
 }
 
 void SSLClientSocketNSS::Core::SetChannelIDProvided() {
   PostOrRunCallback(
-      FROM_HERE, base::Bind(&AddLogEvent, weak_net_log_,
-                            NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
+      FROM_HERE,
+      base::Bind(
+          &AddLogEvent, weak_net_log_, NetLog::TYPE_SSL_CHANNEL_ID_PROVIDED));
   nss_handshake_state_.channel_id_sent = true;
   // Update the network task runner's view of the handshake state now that
   // channel id has been sent.
   PostOrRunCallback(
-      FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
-                            nss_handshake_state_));
+      FROM_HERE,
+      base::Bind(&Core::OnHandshakeStateUpdated, this, nss_handshake_state_));
 }
 
 SSLClientSocketNSS::SSLClientSocketNSS(
     base::SequencedTaskRunner* nss_task_runner,
     scoped_ptr<ClientSocketHandle> transport_socket,
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     const SSLClientSocketContext& context)
     : nss_task_runner_(nss_task_runner),
       transport_(transport_socket.Pass()),
@@ skipping 36 matching lines @@
   if (core_->state().server_cert_chain.empty() ||
       !core_->state().server_cert_chain[0]) {
     return false;
   }
 
   ssl_info->cert_status = server_cert_verify_result_.cert_status;
   ssl_info->cert = server_cert_verify_result_.verified_cert;
 
   AddSCTInfoToSSLInfo(ssl_info);
 
-  ssl_info->connection_status =
-      core_->state().ssl_connection_status;
+  ssl_info->connection_status = core_->state().ssl_connection_status;
   ssl_info->public_key_hashes = server_cert_verify_result_.public_key_hashes;
   ssl_info->is_issued_by_known_root =
       server_cert_verify_result_.is_issued_by_known_root;
   ssl_info->client_cert_sent =
       ssl_config_.send_client_cert && ssl_config_.client_cert.get();
   ssl_info->channel_id_sent = WasChannelIDSent();
   ssl_info->pinning_failure_log = pinning_failure_log_;
 
-  PRUint16 cipher_suite = SSLConnectionStatusToCipherSuite(
-      core_->state().ssl_connection_status);
+  PRUint16 cipher_suite =
+      SSLConnectionStatusToCipherSuite(core_->state().ssl_connection_status);
   SSLCipherSuiteInfo cipher_info;
-  SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
-                                        &cipher_info, sizeof(cipher_info));
+  SECStatus ok =
+      SSL_GetCipherSuiteInfo(cipher_suite, &cipher_info, sizeof(cipher_info));
   if (ok == SECSuccess) {
     ssl_info->security_bits = cipher_info.effectiveKeyBits;
   } else {
     ssl_info->security_bits = -1;
     LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()
                 << " for cipherSuite " << cipher_suite;
   }
 
-  ssl_info->handshake_type = core_->state().resumed_handshake ?
-      SSLInfo::HANDSHAKE_RESUME : SSLInfo::HANDSHAKE_FULL;
+  ssl_info->handshake_type = core_->state().resumed_handshake
+                                 ? SSLInfo::HANDSHAKE_RESUME
+                                 : SSLInfo::HANDSHAKE_FULL;
 
   LeaveFunction("");
   return true;
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
   cert_request_info->host_and_port = host_and_port_;
   cert_request_info->cert_authorities = core_->state().cert_authorities;
   LeaveFunction("");
 }
 
 int SSLClientSocketNSS::ExportKeyingMaterial(const base::StringPiece& label,
                                              bool has_context,
                                              const base::StringPiece& context,
                                              unsigned char* out,
                                              unsigned int outlen) {
   if (!IsConnected())
     return ERR_SOCKET_NOT_CONNECTED;
 
   // SSL_ExportKeyingMaterial may block the current thread if |core_| is in
   // the midst of a handshake.
   SECStatus result = SSL_ExportKeyingMaterial(
-      nss_fd_, label.data(), label.size(), has_context,
+      nss_fd_,
+      label.data(),
+      label.size(),
+      has_context,
       reinterpret_cast<const unsigned char*>(context.data()),
-      context.length(), out, outlen);
+      context.length(),
+      out,
+      outlen);
   if (result != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_ExportKeyingMaterial", "");
     return MapNSSError(PORT_GetError());
   }
   return OK;
 }
 
 int SSLClientSocketNSS::GetTLSUniqueChannelBinding(std::string* out) {
   if (!IsConnected())
     return ERR_SOCKET_NOT_CONNECTED;
   unsigned char buf[64];
   unsigned int len;
-  SECStatus result = SSL_GetChannelBinding(nss_fd_,
-                                           SSL_CHANNEL_BINDING_TLS_UNIQUE,
-                                           buf, &len, arraysize(buf));
+  SECStatus result = SSL_GetChannelBinding(
+      nss_fd_, SSL_CHANNEL_BINDING_TLS_UNIQUE, buf, &len, arraysize(buf));
   if (result != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_GetChannelBinding", "");
     return MapNSSError(PORT_GetError());
   }
   out->assign(reinterpret_cast<char*>(buf), len);
   return OK;
 }
 
-SSLClientSocket::NextProtoStatus
-SSLClientSocketNSS::GetNextProto(std::string* proto,
-                                 std::string* server_protos) {
+SSLClientSocket::NextProtoStatus SSLClientSocketNSS::GetNextProto(
+    std::string* proto,
+    std::string* server_protos) {
   *proto = core_->state().next_proto;
   *server_protos = core_->state().server_protos;
   return core_->state().next_proto_status;
 }
 
 int SSLClientSocketNSS::Connect(const CompletionCallback& callback) {
   EnterFunction("");
   DCHECK(transport_.get());
   // It is an error to create an SSLClientSocket whose context has no
   // TransportSecurityState.
@@ skipping 43 matching lines @@
   CHECK(CalledOnValidThread());
 
   // Shut down anything that may call us back.
   core_->Detach();
   verifier_.reset();
   transport_->socket()->Disconnect();
 
   // Reset object state.
   user_connect_callback_.Reset();
   server_cert_verify_result_.Reset();
-  completed_handshake_   = false;
+  completed_handshake_ = false;
   start_cert_verification_time_ = base::TimeTicks();
   InitCore();
 
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
   EnterFunction("");
   bool ret = completed_handshake_ &&
              (core_->HasPendingAsyncOperation() ||
               (core_->IsConnected() && core_->HasUnhandledReceivedData()) ||
               transport_->socket()->IsConnected());
   LeaveFunction("");
   return ret;
 }
 
 bool SSLClientSocketNSS::IsConnectedAndIdle() const {
   EnterFunction("");
-  bool ret = completed_handshake_ &&
-             !core_->HasPendingAsyncOperation() &&
+  bool ret = completed_handshake_ && !core_->HasPendingAsyncOperation() &&
              !(core_->IsConnected() && core_->HasUnhandledReceivedData()) &&
              transport_->socket()->IsConnectedAndIdle();
   LeaveFunction("");
   return ret;
 }
 
 int SSLClientSocketNSS::GetPeerAddress(IPEndPoint* address) const {
   return transport_->socket()->GetPeerAddress(address);
 }
 
@@ skipping 28 matching lines @@
 }
 
 bool SSLClientSocketNSS::UsingTCPFastOpen() const {
   if (transport_.get() && transport_->socket()) {
     return transport_->socket()->UsingTCPFastOpen();
   }
   NOTREACHED();
   return false;
 }
 
-int SSLClientSocketNSS::Read(IOBuffer* buf, int buf_len,
+int SSLClientSocketNSS::Read(IOBuffer* buf,
+                             int buf_len,
                              const CompletionCallback& callback) {
   DCHECK(core_.get());
   DCHECK(!callback.is_null());
 
   EnterFunction(buf_len);
   int rv = core_->Read(buf, buf_len, callback);
   LeaveFunction(rv);
 
   return rv;
 }
 
-int SSLClientSocketNSS::Write(IOBuffer* buf, int buf_len,
+int SSLClientSocketNSS::Write(IOBuffer* buf,
+                              int buf_len,
                               const CompletionCallback& callback) {
   DCHECK(core_.get());
   DCHECK(!callback.is_null());
 
   EnterFunction(buf_len);
   int rv = core_->Write(buf, buf_len, callback);
   LeaveFunction(rv);
 
   return rv;
 }
@@ skipping 89 matching lines @@
   if (ssl_config_.version_fallback) {
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
     if (rv != SECSuccess) {
       LogFailedNSSFunction(
           net_log_, "SSL_OptionSet", "SSL_ENABLE_FALLBACK_SCSV");
     }
   }
 
   for (std::vector<uint16>::const_iterator it =
            ssl_config_.disabled_cipher_suites.begin();
-       it != ssl_config_.disabled_cipher_suites.end(); ++it) {
+       it != ssl_config_.disabled_cipher_suites.end();
+       ++it) {
     // This will fail if the specified cipher is not implemented by NSS, but
     // the failure is harmless.
     SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
   }
 
   // Support RFC 5077
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
 
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
-                     ssl_config_.false_start_enabled);
+  rv = SSL_OptionSet(
+      nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 
   // We allow servers to request renegotiation. Since we're a client,
   // prohibiting this is rather a waste of time. Only servers are in a
   // position to prevent renegotiation attacks.
   // http://extendedsubset.com/?p=8
 
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
-                     SSL_RENEGOTIATE_TRANSITIONAL);
+  rv = SSL_OptionSet(
+      nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_TRANSITIONAL);
   if (rv != SECSuccess) {
-    LogFailedNSSFunction(
-        net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
+    LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
   // Request OCSP stapling even on platforms that don't support it, in
   // order to extract Certificate Transparency information.
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING,
+  rv = SSL_OptionSet(nss_fd_,
+                     SSL_ENABLE_OCSP_STAPLING,
                      (IsOCSPStaplingSupported() ||
                       ssl_config_.signed_cert_timestamps_enabled));
   if (rv != SECSuccess) {
-    LogFailedNSSFunction(net_log_, "SSL_OptionSet",
-                         "SSL_ENABLE_OCSP_STAPLING");
+    LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OCSP_STAPLING");
   }
 #endif
 
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
+  rv = SSL_OptionSet(nss_fd_,
+                     SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
                      ssl_config_.signed_cert_timestamps_enabled);
   if (rv != SECSuccess) {
-    LogFailedNSSFunction(net_log_, "SSL_OptionSet",
-                         "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
+    LogFailedNSSFunction(
+        net_log_, "SSL_OptionSet", "SSL_ENABLE_SIGNED_CERT_TIMESTAMPS");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
     return ERR_UNEXPECTED;
   }
 
   if (!core_->Init(nss_fd_, nss_bufs))
     return ERR_UNEXPECTED;
@@ skipping 14 matching lines @@
   if (err != OK)
     return err;
 
   SockaddrStorage storage;
   if (!peer_address.ToSockAddr(storage.addr, &storage.addr_len))
     return ERR_ADDRESS_INVALID;
 
   PRNetAddr peername;
   memset(&peername, 0, sizeof(peername));
   DCHECK_LE(static_cast<size_t>(storage.addr_len), sizeof(peername));
-  size_t len = std::min(static_cast<size_t>(storage.addr_len),
-                        sizeof(peername));
+  size_t len =
+      std::min(static_cast<size_t>(storage.addr_len), sizeof(peername));
   memcpy(&peername, storage.addr, len);
 
   // Adjust the address family field for BSD, whose sockaddr
   // structure has a one-byte length and one-byte address family
   // field at the beginning.  PRNetAddr has a two-byte address
   // family field at the beginning.
   peername.raw.family = storage.addr->sa_family;
 
   memio_SetPeerName(nss_fd_, &peername);
 
@@ skipping 65 matching lines @@
         LOG(DFATAL) << "unexpected state " << state;
         break;
     }
   } while (rv != ERR_IO_PENDING && next_handshake_state_ != STATE_NONE);
   LeaveFunction("");
   return rv;
 }
 
 int SSLClientSocketNSS::DoHandshake() {
   EnterFunction("");
-  int rv = core_->Connect(
-      base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
-                 base::Unretained(this)));
+  int rv = core_->Connect(base::Bind(&SSLClientSocketNSS::OnHandshakeIOComplete,
+                                     base::Unretained(this)));
   GotoState(STATE_HANDSHAKE_COMPLETE);
 
   LeaveFunction(rv);
   return rv;
 }
 
 int SSLClientSocketNSS::DoHandshakeComplete(int result) {
   EnterFunction(result);
 
   if (result == OK) {
@@ skipping 66 matching lines @@
 
 // Derived from AuthCertificateCallback() in
 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   verifier_.reset();
 
   if (!start_cert_verification_time_.is_null()) {
     base::TimeDelta verify_time =
         base::TimeTicks::Now() - start_cert_verification_time_;
     if (result == OK)
-        UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
+      UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
     else
-        UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
+      UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
   }
 
   // We used to remember the intermediate CA certs in the NSS database
   // persistently.  However, NSS opens a connection to the SQLite database
   // during NSS initialization and doesn't close the connection until NSS
   // shuts down.  If the file system where the database resides is gone,
   // the database connection goes bad.  What's worse, the connection won't
   // recover when the file system comes back.  Until this NSS or SQLite bug
   // is fixed, we need to  avoid using the NSS database for non-essential
   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
@@ skipping 24 matching lines @@
   //   user-installed trust anchor); and
   // * the build is recent (very old builds should fail open so that users
   //   have some chance to recover).
   //
   const CertStatus cert_status = server_cert_verify_result_.cert_status;
   if (transport_security_state_ &&
       (result == OK ||
        (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) &&
       server_cert_verify_result_.is_issued_by_known_root &&
       TransportSecurityState::IsBuildTimely()) {
-    bool sni_available =
-        ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
-        ssl_config_.version_fallback;
+    bool sni_available = ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 ||
+                         ssl_config_.version_fallback;
     const std::string& host = host_and_port_.host();
 
     TransportSecurityState::DomainState domain_state;
-    if (transport_security_state_->GetDomainState(host, sni_available,
-                                                  &domain_state) &&
+    if (transport_security_state_->GetDomainState(
+            host, sni_available, &domain_state) &&
         domain_state.HasPublicKeyPins()) {
       if (!domain_state.CheckPublicKeyPins(
               server_cert_verify_result_.public_key_hashes,
               &pinning_failure_log_)) {
         LOG(ERROR) << pinning_failure_log_;
         result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
         UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);
         TransportSecurityState::ReportUMAOnPinFailure(host);
       } else {
         UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true);
@@ skipping 36 matching lines @@
 
   VLOG(1) << "CT Verification complete: result " << result
           << " Invalid scts: " << ct_verify_result_.invalid_scts.size()
           << " Verified scts: " << ct_verify_result_.verified_scts.size()
           << " scts from unknown logs: "
           << ct_verify_result_.unknown_logs_scts.size();
 }
 
 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
   UpdateConnectionTypeHistograms(CONNECTION_SSL);
-  int ssl_version = SSLConnectionStatusToVersion(
-      core_->state().ssl_connection_status);
+  int ssl_version =
+      SSLConnectionStatusToVersion(core_->state().ssl_connection_status);
   switch (ssl_version) {
     case SSL_CONNECTION_VERSION_SSL2:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);
       break;
     case SSL_CONNECTION_VERSION_SSL3:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3);
       break;
     case SSL_CONNECTION_VERSION_TLS1:
       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1);
       break;
@@ skipping 14 matching lines @@
 }
 
 bool SSLClientSocketNSS::CalledOnValidThread() const {
   EnsureThreadIdAssigned();
   base::AutoLock auto_lock(lock_);
   return valid_thread_id_ == base::PlatformThread::CurrentId();
 }
 
 void SSLClientSocketNSS::AddSCTInfoToSSLInfo(SSLInfo* ssl_info) const {
   for (ct::SCTList::const_iterator iter =
-       ct_verify_result_.verified_scts.begin();
-       iter != ct_verify_result_.verified_scts.end(); ++iter) {
+           ct_verify_result_.verified_scts.begin();
+       iter != ct_verify_result_.verified_scts.end();
+       ++iter) {
     ssl_info->signed_certificate_timestamps.push_back(
         SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_OK));
   }
   for (ct::SCTList::const_iterator iter =
-       ct_verify_result_.invalid_scts.begin();
-       iter != ct_verify_result_.invalid_scts.end(); ++iter) {
+           ct_verify_result_.invalid_scts.begin();
+       iter != ct_verify_result_.invalid_scts.end();
+       ++iter) {
     ssl_info->signed_certificate_timestamps.push_back(
         SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_INVALID));
   }
   for (ct::SCTList::const_iterator iter =
-       ct_verify_result_.unknown_logs_scts.begin();
-       iter != ct_verify_result_.unknown_logs_scts.end(); ++iter) {
+           ct_verify_result_.unknown_logs_scts.begin();
+       iter != ct_verify_result_.unknown_logs_scts.end();
+       ++iter) {
     ssl_info->signed_certificate_timestamps.push_back(
-        SignedCertificateTimestampAndStatus(*iter,
-                                            ct::SCT_STATUS_LOG_UNKNOWN));
+        SignedCertificateTimestampAndStatus(*iter, ct::SCT_STATUS_LOG_UNKNOWN));
   }
 }
 
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ServerBoundCertService* SSLClientSocketNSS::GetServerBoundCertService() const {
   return server_bound_cert_service_;
 }
 
 }  // namespace net