Pass both hostname and port into SSLClientSocket

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 302 matching lines @@
 #endif
 
 }  // namespace
 
 #if defined(OS_WIN)
 // static
 HCERTSTORE SSLClientSocketNSS::cert_store_ = NULL;
 #endif
 
 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
-                                       const std::string& hostname,
+                                       const HostPortPair& host_port_pair,
                                        const SSLConfig& ssl_config)
     : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
           this, &SSLClientSocketNSS::BufferSendComplete)),
       ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
           this, &SSLClientSocketNSS::BufferRecvComplete)),
       transport_send_busy_(false),
       transport_recv_busy_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
           this, &SSLClientSocketNSS::OnHandshakeIOComplete)),
       transport_(transport_socket),
-      hostname_(hostname),
+      host_port_pair_(host_port_pair),
       ssl_config_(ssl_config),
       user_connect_callback_(NULL),
       user_read_callback_(NULL),
       user_write_callback_(NULL),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       server_cert_nss_(NULL),
       client_auth_cert_needed_(false),
       handshake_callback_called_(false),
       completed_handshake_(false),
@@ skipping 152 matching lines @@
      LOG(INFO) << "SSL_ENABLE_DEFLATE failed.  Old system nss?";
 #endif
 
 #ifdef SSL_ENABLE_FALSE_START
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, PR_TRUE);
   if (rv != SECSuccess)
      LOG(INFO) << "SSL_ENABLE_FALSE_START failed.  Old system nss?";
 #endif
 
 #ifdef SSL_ENABLE_RENEGOTIATION
-  if (SSLConfigService::IsKnownStrictTLSServer(hostname_)) {
+  if (SSLConfigService::IsKnownStrictTLSServer(host_port_pair_.host())) {
     rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE);
     if (rv != SECSuccess)
        LOG(INFO) << "SSL_REQUIRE_SAFE_NEGOTIATION failed.";
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
                        SSL_RENEGOTIATE_REQUIRES_XTN);
   } else {
     // We allow servers to request renegotiation. Since we're a client,
     // prohibiting this is rather a waste of time. Only servers are in a
     // position to prevent renegotiation attacks.
     // http://extendedsubset.com/?p=8
@@ skipping 26 matching lines @@
 
   rv = SSL_GetClientAuthDataHook(nss_fd_, ClientAuthHandler, this);
   if (rv != SECSuccess)
      return ERR_UNEXPECTED;
 
   rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this);
   if (rv != SECSuccess)
     return ERR_UNEXPECTED;
 
   // Tell SSL the hostname we're trying to connect to.
-  SSL_SetURL(nss_fd_, hostname_.c_str());
+  SSL_SetURL(nss_fd_, host_port_pair_.host().c_str());
 
   // Set the peer ID for session reuse.  This is necessary when we create an
   // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
   // rather than the destination server's address in that case.
-  // TODO(wtc): port in |peer_address| is not the server's port when a proxy is
-  // used.
-  std::string peer_id = StringPrintf("%s:%d", hostname_.c_str(),
-                                     peer_address.GetPort());
+  std::string peer_id = host_port_pair_.ToString();
   rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
   if (rv != SECSuccess)
     LOG(INFO) << "SSL_SetSockPeerID failed: peer_id=" << peer_id;
 
   // Tell SSL we're a client; needed if not letting NSPR do socket I/O
   SSL_ResetHandshake(nss_fd_, 0);
 
   return OK;
 }
 
@@ skipping 218 matching lines @@
 // renegotiation (RFC 5746).
 void SSLClientSocketNSS::CheckSecureRenegotiation() const {
   // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
   // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
   // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
 #if defined(SSL_MAX_EXTENSIONS)
   PRBool received_renego_info;
   if (SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
                                        &received_renego_info) == SECSuccess &&
       !received_renego_info) {
-    LOG(INFO) << "The server " << hostname_
+    LOG(INFO) << "The server " << host_port_pair_.ToString()
               << " does not support the TLS renegotiation_info extension.";
   }
 #endif
 }
 
 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
   EnterFunction("");
   ssl_info->Reset();
   // A temporary CHECK for tracking down http://crbug.com/49862.
   CHECK(server_cert_);
@@ skipping 43 matching lines @@
 
   if (ssl_config_.ssl3_fallback)
     ssl_info->connection_status |= SSL_CONNECTION_SSL3_FALLBACK;
 
   LeaveFunction("");
 }
 
 void SSLClientSocketNSS::GetSSLCertRequestInfo(
     SSLCertRequestInfo* cert_request_info) {
   EnterFunction("");
-  cert_request_info->host_and_port = hostname_;  // TODO(wtc): no port!
+  cert_request_info->host_and_port = host_port_pair_.ToString();
   cert_request_info->client_certs = client_certs_;
   LeaveFunction(cert_request_info->client_certs.size());
 }
 
 SSLClientSocket::NextProtoStatus
 SSLClientSocketNSS::GetNextProto(std::string* proto) {
 #if defined(SSL_NEXT_PROTO_NEGOTIATED)
   unsigned char buf[255];
   int state;
   unsigned len;
@@ skipping 486 matching lines @@
   for (int i = 0; i < n; i++) {
     // Parse each name into a CertPrincipal object.
     CertPrincipal p;
     if (p.ParseDistinguishedName(ca_names->names[i].data,
                                  ca_names->names[i].len)) {
       valid_issuers.push_back(p);
     }
   }
 
   // Now get the available client certs whose issuers are allowed by the server.
-  X509Certificate::GetSSLClientCertificates(that->hostname_,
+  X509Certificate::GetSSLClientCertificates(that->host_port_pair_.host(),
                                             valid_issuers,
                                             &that->client_certs_);
 
   // Tell NSS to suspend the client authentication.  We will then abort the
   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   return SECWouldBlock;
 #else
   CERTCertificate* cert = NULL;
   SECKEYPrivateKey* privkey = NULL;
   void* wincx  = SSL_RevealPinArg(socket);
@@ skipping 113 matching lines @@
 int SSLClientSocketNSS::DoVerifyCert(int result) {
   DCHECK(server_cert_);
   GotoState(STATE_VERIFY_CERT_COMPLETE);
   int flags = 0;
 
   if (ssl_config_.rev_checking_enabled)
     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
   if (ssl_config_.verify_ev_cert)
     flags |= X509Certificate::VERIFY_EV_CERT;
   verifier_.reset(new CertVerifier);
-  return verifier_->Verify(server_cert_, hostname_, flags,
+  return verifier_->Verify(server_cert_, host_port_pair_.host(), flags,
                            &server_cert_verify_result_,
                            &handshake_io_callback_);
 }
 
 // Derived from AuthCertificateCallback() in
 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   DCHECK(verifier_.get());
   verifier_.reset();
 
@@ skipping 91 matching lines @@
   PRErrorCode prerr = PR_GetError();
   if (prerr == PR_WOULD_BLOCK_ERROR) {
     LeaveFunction("");
     return ERR_IO_PENDING;
   }
   LeaveFunction("");
   return MapNSPRError(prerr);
 }
 
 }  // namespace net