Use Separate SSL Session Cache in OTR Mode

net/socket/ssl_client_socket_win.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket_win.h"
 
 #include <schnlsp.h>
 
 #include "base/compiler_specific.h"
 #include "base/lock.h"
@@ skipping 53 matching lines @@
       return OK;
     default:
       LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
       return ERR_FAILED;
   }
 }
 
 //-----------------------------------------------------------------------------
 
 // A bitmask consisting of these bit flags encodes which versions of the SSL
-// protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled.
+// protocol (SSL 2.0, SSL 3.0, and TLS 1.0) are enabled and whether OTR mode
+// is enabled (this permits a separate session id cache for OTR mode).
 enum {
   SSL2 = 1 << 0,
   SSL3 = 1 << 1,
   TLS1 = 1 << 2,
-  SSL_VERSION_MASKS = 1 << 3  // The number of SSL version bitmasks.
+  OTR_MODE = 1 << 3,

[davidben, 2010/07/26 21:31:33]

OTR_MODE doesn't make much sense as a member of SSL version mask.

It looks like your bit only ends up being useful as a uniquifier for the
CredHandle maps in CredHandleTable. I think it would be cleaner just to key by
something else there. The optimization in anonymous_creds_ can probably be
preserved by making CredHandleTable not a singleton and putting the name lookup
at a higher level. (And I believe we now use NSS for sockets without client
certs on all platforms anyway.)

+  SSL_VERSION_MASKS = 1 << 4  // The number of SSL version bitmasks.
 };
 
 // CredHandleClass simply gives a default constructor and a destructor to
 // SSPI's CredHandle type (a C struct).
 class CredHandleClass : public CredHandle {
  public:
   CredHandleClass() {
     dwLower = 0;
     dwUpper = 0;
   }
@@ skipping 367 matching lines @@
 }
 
 int SSLClientSocketWin::InitializeSSLContext() {
   int ssl_version_mask = 0;
   if (ssl_config_.ssl2_enabled)
     ssl_version_mask |= SSL2;
   if (ssl_config_.ssl3_enabled)
     ssl_version_mask |= SSL3;
   if (ssl_config_.tls1_enabled)
     ssl_version_mask |= TLS1;
+  if (ssl_config_.otr_mode)
+    ssl_version_mask |= OTR_MODE;
   // If we pass 0 to GetCredHandle, we will let Schannel select the protocols,
   // rather than enabling no protocols.  So we have to fail here.
   if (ssl_version_mask == 0)
     return ERR_NO_SSL_VERSIONS_ENABLED;
   PCCERT_CONTEXT cert_context = NULL;
   if (ssl_config_.client_cert)
     cert_context = ssl_config_.client_cert->os_cert_handle();
   creds_ = GetCredHandle(cert_context, ssl_version_mask);
 
   memset(&ctxt_, 0, sizeof(ctxt_));
@@ skipping 866 matching lines @@
     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
 }
 
 void SSLClientSocketWin::FreeSendBuffer() {
   SECURITY_STATUS status = FreeContextBuffer(send_buffer_.pvBuffer);
   DCHECK(status == SEC_E_OK);
   memset(&send_buffer_, 0, sizeof(send_buffer_));
 }
 
 }  // namespace net