Support for client certs in ssl_server_socket.

net/socket/nss_ssl_util.cc

Index: net/socket/nss_ssl_util.cc
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index a238a25d2d4be95623fead070880556aa2c7aa64..73487c06bd18552056488d2c7f2cf27b541cf4f2 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -24,6 +24,8 @@
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/nss_memio.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
@@ -363,6 +365,8 @@ int MapNSSError(PRErrorCode err) {
     // was used earlier.
     case SSL_ERROR_WRONG_CERTIFICATE:
       return ERR_SSL_SERVER_CERT_CHANGED;
+    case SSL_ERROR_NO_CERTIFICATE:
+      return ERR_BAD_SSL_CLIENT_AUTH_CERT;
     case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
       return ERR_SSL_INAPPROPRIATE_FALLBACK;
 
@@ -414,4 +418,54 @@ NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error,
   return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error);
 }
 
+void UpdateSSLConnectionStatus(PRFileDesc* nss_fd,
+                               const SSLConfig& ssl_config,
+                               int* ssl_connection_status) {

[Ryan Sleevi, 2015/03/19 04:38:24]

This method fails to properly wipe |ssl_connection_status| between calls.

It'd be cleaner just to use a stack temp and assign, and then let the compiler
optimize as it's permitted to.

+  SSLChannelInfo channel_info;
+  SECStatus ok =
+      SSL_GetChannelInfo(nss_fd, &channel_info, sizeof(channel_info));
+  if (ok == SECSuccess && channel_info.length == sizeof(channel_info) &&
+      channel_info.cipherSuite) {
+    (*ssl_connection_status) |= static_cast<int>(channel_info.cipherSuite) &
+                                SSL_CONNECTION_CIPHERSUITE_MASK;
+
+    (*ssl_connection_status) |=
+        (static_cast<int>(channel_info.compressionMethod) &
+         SSL_CONNECTION_COMPRESSION_MASK)
+        << SSL_CONNECTION_COMPRESSION_SHIFT;
+
+    // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
+    // support it yet), so use 0x0303 directly.
+    int version = SSL_CONNECTION_VERSION_UNKNOWN;
+    if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
+      // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
+      // version 2.
+      version = SSL_CONNECTION_VERSION_SSL2;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
+      version = SSL_CONNECTION_VERSION_SSL3;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
+      version = SSL_CONNECTION_VERSION_TLS1;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+      version = SSL_CONNECTION_VERSION_TLS1_1;
+    } else if (channel_info.protocolVersion == 0x0303) {
+      version = SSL_CONNECTION_VERSION_TLS1_2;
+    }
+    (*ssl_connection_status) |= (version & SSL_CONNECTION_VERSION_MASK)
+                                << SSL_CONNECTION_VERSION_SHIFT;
+  }
+
+  PRBool peer_supports_renego_ext;
+  ok = SSL_HandshakeNegotiatedExtension(nss_fd, ssl_renegotiation_info_xtn,
+                                        &peer_supports_renego_ext);
+  if (ok == SECSuccess) {
+    if (!peer_supports_renego_ext) {
+      (*ssl_connection_status) |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
+    }
+  }
+
+  if (ssl_config.version_fallback) {
+    (*ssl_connection_status) |= SSL_CONNECTION_VERSION_FALLBACK;
+  }
+}
+
 }  // namespace net