Support for client certs in ssl_server_socket.

net/socket/nss_ssl_util.cc

Index: net/socket/nss_ssl_util.cc
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 554bd273c77cb1dfef4730b9a817cb59538eb0dd..9555c8bcf53cc91a7a48fe61f4d3c653eb20eebf 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -24,6 +24,8 @@
 #include "net/base/net_errors.h"
 #include "net/base/nss_memio.h"
 #include "net/log/net_log.h"
+#include "net/ssl/ssl_config.h"
+#include "net/ssl/ssl_connection_status_flags.h"
 
 #if defined(OS_WIN)
 #include "base/win/windows_version.h"
@@ -358,6 +360,8 @@ int MapNSSError(PRErrorCode err) {
     // was used earlier.
     case SSL_ERROR_WRONG_CERTIFICATE:
       return ERR_SSL_SERVER_CERT_CHANGED;
+    case SSL_ERROR_NO_CERTIFICATE:
+      return ERR_BAD_SSL_CLIENT_AUTH_CERT;
     case SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT:
       return ERR_SSL_INAPPROPRIATE_FALLBACK;
 
@@ -409,4 +413,54 @@ NetLog::ParametersCallback CreateNetLogSSLErrorCallback(int net_error,
   return base::Bind(&NetLogSSLErrorCallback, net_error, ssl_lib_error);
 }
 
+void UpdateSSLConnectionStatus(PRFileDesc* nss_fd,
+                               const SSLConfig& ssl_config,
+                               int* ssl_connection_status) {
+  SSLChannelInfo channel_info;
+  SECStatus ok =
+      SSL_GetChannelInfo(nss_fd, &channel_info, sizeof(channel_info));
+  if (ok == SECSuccess && channel_info.length == sizeof(channel_info) &&
+      channel_info.cipherSuite) {
+    (*ssl_connection_status) |= static_cast<int>(channel_info.cipherSuite) &
+                                SSL_CONNECTION_CIPHERSUITE_MASK;
+
+    (*ssl_connection_status) |=
+        (static_cast<int>(channel_info.compressionMethod) &
+         SSL_CONNECTION_COMPRESSION_MASK)
+        << SSL_CONNECTION_COMPRESSION_SHIFT;
+
+    // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
+    // support it yet), so use 0x0303 directly.
+    int version = SSL_CONNECTION_VERSION_UNKNOWN;
+    if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
+      // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
+      // version 2.
+      version = SSL_CONNECTION_VERSION_SSL2;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
+      version = SSL_CONNECTION_VERSION_SSL3;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
+      version = SSL_CONNECTION_VERSION_TLS1;
+    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+      version = SSL_CONNECTION_VERSION_TLS1_1;
+    } else if (channel_info.protocolVersion == 0x0303) {
+      version = SSL_CONNECTION_VERSION_TLS1_2;
+    }
+    (*ssl_connection_status) |= (version & SSL_CONNECTION_VERSION_MASK)
+                                << SSL_CONNECTION_VERSION_SHIFT;
+  }
+
+  PRBool peer_supports_renego_ext;
+  ok = SSL_HandshakeNegotiatedExtension(nss_fd, ssl_renegotiation_info_xtn,
+                                        &peer_supports_renego_ext);
+  if (ok == SECSuccess) {
+    if (!peer_supports_renego_ext) {
+      (*ssl_connection_status) |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
+    }
+  }
+
+  if (ssl_config.version_fallback) {
+    (*ssl_connection_status) |= SSL_CONNECTION_VERSION_FALLBACK;
+  }
+}
+
 }  // namespace net