Home | History | Annotate | Download | only in socket
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
      6 // from AuthCertificateCallback() in
      7 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
      8 
      9 /* ***** BEGIN LICENSE BLOCK *****
     10  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
     11  *
     12  * The contents of this file are subject to the Mozilla Public License Version
     13  * 1.1 (the "License"); you may not use this file except in compliance with
     14  * the License. You may obtain a copy of the License at
     15  * http://www.mozilla.org/MPL/
     16  *
     17  * Software distributed under the License is distributed on an "AS IS" basis,
     18  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
     19  * for the specific language governing rights and limitations under the
     20  * License.
     21  *
     22  * The Original Code is the Netscape security libraries.
     23  *
     24  * The Initial Developer of the Original Code is
     25  * Netscape Communications Corporation.
     26  * Portions created by the Initial Developer are Copyright (C) 2000
     27  * the Initial Developer. All Rights Reserved.
     28  *
     29  * Contributor(s):
     30  *   Ian McGreer <mcgreer (at) netscape.com>
     31  *   Javier Delgadillo <javi (at) netscape.com>
     32  *   Kai Engert <kengert (at) redhat.com>
     33  *
     34  * Alternatively, the contents of this file may be used under the terms of
     35  * either the GNU General Public License Version 2 or later (the "GPL"), or
     36  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
     37  * in which case the provisions of the GPL or the LGPL are applicable instead
     38  * of those above. If you wish to allow use of your version of this file only
     39  * under the terms of either the GPL or the LGPL, and not to allow others to
     40  * use your version of this file under the terms of the MPL, indicate your
     41  * decision by deleting the provisions above and replace them with the notice
     42  * and other provisions required by the GPL or the LGPL. If you do not delete
     43  * the provisions above, a recipient may use your version of this file under
     44  * the terms of any one of the MPL, the GPL or the LGPL.
     45  *
     46  * ***** END LICENSE BLOCK ***** */
     47 
     48 #include "net/socket/ssl_client_socket_nss.h"
     49 
     50 #include <certdb.h>
     51 #include <hasht.h>
     52 #include <keyhi.h>
     53 #include <nspr.h>
     54 #include <nss.h>
     55 #include <ocsp.h>
     56 #include <pk11pub.h>
     57 #include <secerr.h>
     58 #include <sechash.h>
     59 #include <ssl.h>
     60 #include <sslerr.h>
     61 #include <sslproto.h>
     62 
     63 #include <algorithm>
     64 #include <limits>
     65 #include <map>
     66 
     67 #include "base/compiler_specific.h"
     68 #include "base/logging.h"
     69 #include "base/memory/singleton.h"
     70 #include "base/metrics/histogram.h"
     71 #include "base/string_number_conversions.h"
     72 #include "base/string_util.h"
     73 #include "base/stringprintf.h"
     74 #include "base/threading/thread_restrictions.h"
     75 #include "base/values.h"
     76 #include "net/base/address_list.h"
     77 #include "net/base/cert_status_flags.h"
     78 #include "net/base/cert_verifier.h"
     79 #include "net/base/connection_type_histograms.h"
     80 #include "net/base/dns_util.h"
     81 #include "net/base/dnsrr_resolver.h"
     82 #include "net/base/dnssec_chain_verifier.h"
     83 #include "net/base/io_buffer.h"
     84 #include "net/base/net_errors.h"
     85 #include "net/base/net_log.h"
     86 #include "net/base/ssl_cert_request_info.h"
     87 #include "net/base/ssl_connection_status_flags.h"
     88 #include "net/base/ssl_info.h"
     89 #include "net/base/sys_addrinfo.h"
     90 #include "net/ocsp/nss_ocsp.h"
     91 #include "net/socket/client_socket_handle.h"
     92 #include "net/socket/dns_cert_provenance_checker.h"
     93 #include "net/socket/nss_ssl_util.h"
     94 #include "net/socket/ssl_error_params.h"
     95 #include "net/socket/ssl_host_info.h"
     96 
     97 #if defined(OS_WIN)
     98 #include <windows.h>
     99 #include <wincrypt.h>
    100 #elif defined(OS_MACOSX)
    101 #include <Security/SecBase.h>
    102 #include <Security/SecCertificate.h>
    103 #include <Security/SecIdentity.h>
    104 #elif defined(USE_NSS)
    105 #include <dlfcn.h>
    106 #endif
    107 
    108 static const int kRecvBufferSize = 4096;
    109 
    110 // kCorkTimeoutMs is the number of milliseconds for which we'll wait for a
    111 // Write to an SSL socket which we're False Starting. Since corking stops the
    112 // Finished message from being sent, the server sees an incomplete handshake
    113 // and some will time out such sockets quite aggressively.
    114 static const int kCorkTimeoutMs = 200;
    115 
    116 #if defined(OS_WIN)
    117 // CERT_OCSP_RESPONSE_PROP_ID is only implemented on Vista+, but it can be
    118 // set on Windows XP without error. There is some overhead from the server
    119 // sending the OCSP response if it supports the extension, for the subset of
    120 // XP clients who will request it but be unable to use it, but this is an
    121 // acceptable trade-off for simplicity of implementation.
    122 static bool IsOCSPStaplingSupported() {
    123   return true;
    124 }
    125 #elif defined(USE_NSS)
    126 typedef SECStatus
    127 (*CacheOCSPResponseFromSideChannelFunction)(
    128     CERTCertDBHandle *handle, CERTCertificate *cert, PRTime time,
    129     SECItem *encodedResponse, void *pwArg);
    130 
    131 // On Linux, we dynamically link against the system version of libnss3.so. In
    132 // order to continue working on systems without up-to-date versions of NSS we
    133 // lookup CERT_CacheOCSPResponseFromSideChannel with dlsym.
    134 
    135 // RuntimeLibNSSFunctionPointers is a singleton which caches the results of any
    136 // runtime symbol resolution that we need.
    137 class RuntimeLibNSSFunctionPointers {
    138  public:
    139   CacheOCSPResponseFromSideChannelFunction
    140   GetCacheOCSPResponseFromSideChannelFunction() {
    141     return cache_ocsp_response_from_side_channel_;
    142   }
    143 
    144   static RuntimeLibNSSFunctionPointers* GetInstance() {
    145     return Singleton<RuntimeLibNSSFunctionPointers>::get();
    146   }
    147 
    148  private:
    149   friend struct DefaultSingletonTraits<RuntimeLibNSSFunctionPointers>;
    150 
    151   RuntimeLibNSSFunctionPointers() {
    152     cache_ocsp_response_from_side_channel_ =
    153         (CacheOCSPResponseFromSideChannelFunction)
    154         dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel");
    155   }
    156 
    157   CacheOCSPResponseFromSideChannelFunction
    158       cache_ocsp_response_from_side_channel_;
    159 };
    160 
    161 static CacheOCSPResponseFromSideChannelFunction
    162 GetCacheOCSPResponseFromSideChannelFunction() {
    163   return RuntimeLibNSSFunctionPointers::GetInstance()
    164     ->GetCacheOCSPResponseFromSideChannelFunction();
    165 }
    166 
    167 static bool IsOCSPStaplingSupported() {
    168   return GetCacheOCSPResponseFromSideChannelFunction() != NULL;
    169 }
    170 #else
    171 // TODO(agl): Figure out if we can plumb the OCSP response into Mac's system
    172 // certificate validation functions.
    173 static bool IsOCSPStaplingSupported() {
    174   return false;
    175 }
    176 #endif
    177 
    178 namespace net {
    179 
    180 // State machines are easier to debug if you log state transitions.
    181 // Enable these if you want to see what's going on.
    182 #if 1
    183 #define EnterFunction(x)
    184 #define LeaveFunction(x)
    185 #define GotoState(s) next_handshake_state_ = s
    186 #define LogData(s, len)
    187 #else
    188 #define EnterFunction(x)\
    189     VLOG(1) << (void *)this << " " << __FUNCTION__ << " enter " << x\
    190             << "; next_handshake_state " << next_handshake_state_
    191 #define LeaveFunction(x)\
    192     VLOG(1) << (void *)this << " " << __FUNCTION__ << " leave " << x\
    193             << "; next_handshake_state " << next_handshake_state_
    194 #define GotoState(s)\
    195     do {\
    196       VLOG(1) << (void *)this << " " << __FUNCTION__ << " jump to state " << s;\
    197       next_handshake_state_ = s;\
    198     } while (0)
    199 #define LogData(s, len)\
    200     VLOG(1) << (void *)this << " " << __FUNCTION__\
    201             << " data [" << std::string(s, len) << "]"
    202 #endif
    203 
    204 namespace {
    205 
    206 #if defined(OS_WIN)
    207 
    208 // This callback is intended to be used with CertFindChainInStore. In addition
    209 // to filtering by extended/enhanced key usage, we do not show expired
    210 // certificates and require digital signature usage in the key usage
    211 // extension.
    212 //
    213 // This matches our behavior on Mac OS X and that of NSS. It also matches the
    214 // default behavior of IE8. See http://support.microsoft.com/kb/890326 and
    215 // http://blogs.msdn.com/b/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx
    216 BOOL WINAPI ClientCertFindCallback(PCCERT_CONTEXT cert_context,
    217                                    void* find_arg) {
    218   VLOG(1) << "Calling ClientCertFindCallback from _nss";
    219   // Verify the certificate's KU is good.
    220   BYTE key_usage;
    221   if (CertGetIntendedKeyUsage(X509_ASN_ENCODING, cert_context->pCertInfo,
    222                               &key_usage, 1)) {
    223     if (!(key_usage & CERT_DIGITAL_SIGNATURE_KEY_USAGE))
    224       return FALSE;
    225   } else {
    226     DWORD err = GetLastError();
    227     // If |err| is non-zero, it's an actual error. Otherwise the extension
    228     // just isn't present, and we treat it as if everything was allowed.
    229     if (err) {
    230       DLOG(ERROR) << "CertGetIntendedKeyUsage failed: " << err;
    231       return FALSE;
    232     }
    233   }
    234 
    235   // Verify the current time is within the certificate's validity period.
    236   if (CertVerifyTimeValidity(NULL, cert_context->pCertInfo) != 0)
    237     return FALSE;
    238 
    239   // Verify private key metadata is associated with this certificate.
    240   DWORD size = 0;
    241   if (!CertGetCertificateContextProperty(
    242           cert_context, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size)) {
    243     return FALSE;
    244   }
    245 
    246   return TRUE;
    247 }
    248 
    249 #endif
    250 
    251 // PeerCertificateChain is a helper object which extracts the certificate
    252 // chain, as given by the server, from an NSS socket and performs the needed
    253 // resource management. The first element of the chain is the leaf certificate
    254 // and the other elements are in the order given by the server.
    255 class PeerCertificateChain {
    256  public:
    257   explicit PeerCertificateChain(PRFileDesc* nss_fd)
    258       : num_certs_(0),
    259         certs_(NULL) {
    260     SECStatus rv = SSL_PeerCertificateChain(nss_fd, NULL, &num_certs_);
    261     DCHECK_EQ(rv, SECSuccess);
    262 
    263     certs_ = new CERTCertificate*[num_certs_];
    264     const unsigned expected_num_certs = num_certs_;
    265     rv = SSL_PeerCertificateChain(nss_fd, certs_, &num_certs_);
    266     DCHECK_EQ(rv, SECSuccess);
    267     DCHECK_EQ(num_certs_, expected_num_certs);
    268   }
    269 
    270   ~PeerCertificateChain() {
    271     for (unsigned i = 0; i < num_certs_; i++)
    272       CERT_DestroyCertificate(certs_[i]);
    273     delete[] certs_;
    274   }
    275 
    276   unsigned size() const { return num_certs_; }
    277 
    278   CERTCertificate* operator[](unsigned i) {
    279     DCHECK_LT(i, num_certs_);
    280     return certs_[i];
    281   }
    282 
    283   std::vector<base::StringPiece> AsStringPieceVector() const {
    284     std::vector<base::StringPiece> v(size());
    285     for (unsigned i = 0; i < size(); i++) {
    286       v[i] = base::StringPiece(
    287           reinterpret_cast<const char*>(certs_[i]->derCert.data),
    288           certs_[i]->derCert.len);
    289     }
    290 
    291     return v;
    292   }
    293 
    294  private:
    295   unsigned num_certs_;
    296   CERTCertificate** certs_;
    297 };
    298 
    299 void DestroyCertificates(CERTCertificate** certs, unsigned len) {
    300   for (unsigned i = 0; i < len; i++)
    301     CERT_DestroyCertificate(certs[i]);
    302 }
    303 
    304 // DNSValidationResult enumerates the possible outcomes from processing a
    305 // set of DNS records.
    306 enum DNSValidationResult {
    307   DNSVR_SUCCESS,   // the cert is immediately acceptable.
    308   DNSVR_FAILURE,   // the cert is unconditionally rejected.
    309   DNSVR_CONTINUE,  // perform CA validation as usual.
    310 };
    311 
    312 // VerifyTXTRecords processes the RRDATA for a number of DNS TXT records and
    313 // checks them against the given certificate.
    314 //   dnssec: if true then the TXT records are DNSSEC validated. In this case,
    315 //       DNSVR_SUCCESS may be returned.
    316 //    server_cert_nss: the certificate to validate
    317 //    rrdatas: the TXT records for the current domain.
    318 DNSValidationResult VerifyTXTRecords(
    319     bool dnssec,
    320     CERTCertificate* server_cert_nss,
    321     const std::vector<base::StringPiece>& rrdatas) {
    322   bool found_well_formed_record = false;
    323   bool matched_record = false;
    324 
    325   for (std::vector<base::StringPiece>::const_iterator
    326        i = rrdatas.begin(); i != rrdatas.end(); ++i) {
    327     std::map<std::string, std::string> m(
    328         DNSSECChainVerifier::ParseTLSTXTRecord(*i));
    329     if (m.empty())
    330       continue;
    331 
    332     std::map<std::string, std::string>::const_iterator j;
    333     j = m.find("v");
    334     if (j == m.end() || j->second != "tls1")
    335       continue;
    336 
    337     j = m.find("ha");
    338 
    339     HASH_HashType hash_algorithm;
    340     unsigned hash_length;
    341     if (j == m.end() || j->second == "sha1") {
    342       hash_algorithm = HASH_AlgSHA1;
    343       hash_length = SHA1_LENGTH;
    344     } else if (j->second == "sha256") {
    345       hash_algorithm = HASH_AlgSHA256;
    346       hash_length = SHA256_LENGTH;
    347     } else {
    348       continue;
    349     }
    350 
    351     j = m.find("h");
    352     if (j == m.end())
    353       continue;
    354 
    355     std::vector<uint8> given_hash;
    356     if (!base::HexStringToBytes(j->second, &given_hash))
    357       continue;
    358 
    359     if (given_hash.size() != hash_length)
    360       continue;
    361 
    362     uint8 calculated_hash[SHA256_LENGTH];  // SHA256 is the largest.
    363     SECStatus rv;
    364 
    365     j = m.find("hr");
    366     if (j == m.end() || j->second == "pubkey") {
    367       rv = HASH_HashBuf(hash_algorithm, calculated_hash,
    368                         server_cert_nss->derPublicKey.data,
    369                         server_cert_nss->derPublicKey.len);
    370     } else if (j->second == "cert") {
    371       rv = HASH_HashBuf(hash_algorithm, calculated_hash,
    372                         server_cert_nss->derCert.data,
    373                         server_cert_nss->derCert.len);
    374     } else {
    375       continue;
    376     }
    377 
    378     if (rv != SECSuccess)
    379       NOTREACHED();
    380 
    381     found_well_formed_record = true;
    382 
    383     if (memcmp(calculated_hash, &given_hash[0], hash_length) == 0) {
    384       matched_record = true;
    385       if (dnssec)
    386         return DNSVR_SUCCESS;
    387     }
    388   }
    389 
    390   if (found_well_formed_record && !matched_record)
    391     return DNSVR_FAILURE;
    392 
    393   return DNSVR_CONTINUE;
    394 }
    395 
    396 // CheckDNSSECChain tries to validate a DNSSEC chain embedded in
    397 // |server_cert_nss_|. It returns true iff a chain is found that proves the
    398 // value of a TXT record that contains a valid public key fingerprint.
    399 DNSValidationResult CheckDNSSECChain(
    400     const std::string& hostname,
    401     CERTCertificate* server_cert_nss) {
    402   if (!server_cert_nss)
    403     return DNSVR_CONTINUE;
    404 
    405   // CERT_FindCertExtensionByOID isn't exported so we have to install an OID,
    406   // get a tag for it and find the extension by using that tag.
    407   static SECOidTag dnssec_chain_tag;
    408   static bool dnssec_chain_tag_valid;
    409   if (!dnssec_chain_tag_valid) {
    410     // It's harmless if multiple threads enter this block concurrently.
    411     static const uint8 kDNSSECChainOID[] =
    412         // 1.3.6.1.4.1.11129.2.1.4
    413         // (iso.org.dod.internet.private.enterprises.google.googleSecurity.
    414         //  certificateExtensions.dnssecEmbeddedChain)
    415         {0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x01, 0x04};
    416     SECOidData oid_data;
    417     memset(&oid_data, 0, sizeof(oid_data));
    418     oid_data.oid.data = const_cast<uint8*>(kDNSSECChainOID);
    419     oid_data.oid.len = sizeof(kDNSSECChainOID);
    420     oid_data.desc = "DNSSEC chain";
    421     oid_data.supportedExtension = SUPPORTED_CERT_EXTENSION;
    422     dnssec_chain_tag = SECOID_AddEntry(&oid_data);
    423     DCHECK_NE(SEC_OID_UNKNOWN, dnssec_chain_tag);
    424     dnssec_chain_tag_valid = true;
    425   }
    426 
    427   SECItem dnssec_embedded_chain;
    428   SECStatus rv = CERT_FindCertExtension(server_cert_nss,
    429       dnssec_chain_tag, &dnssec_embedded_chain);
    430   if (rv != SECSuccess)
    431     return DNSVR_CONTINUE;
    432 
    433   base::StringPiece chain(
    434       reinterpret_cast<char*>(dnssec_embedded_chain.data),
    435       dnssec_embedded_chain.len);
    436   std::string dns_hostname;
    437   if (!DNSDomainFromDot(hostname, &dns_hostname))
    438     return DNSVR_CONTINUE;
    439   DNSSECChainVerifier verifier(dns_hostname, chain);
    440   DNSSECChainVerifier::Error err = verifier.Verify();
    441   if (err != DNSSECChainVerifier::OK) {
    442     LOG(ERROR) << "DNSSEC chain verification failed: " << err;
    443     return DNSVR_CONTINUE;
    444   }
    445 
    446   if (verifier.rrtype() != kDNS_TXT)
    447     return DNSVR_CONTINUE;
    448 
    449   DNSValidationResult r = VerifyTXTRecords(
    450       true /* DNSSEC verified */, server_cert_nss, verifier.rrdatas());
    451   SECITEM_FreeItem(&dnssec_embedded_chain, PR_FALSE);
    452   return r;
    453 }
    454 
    455 }  // namespace
    456 
    457 SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket,
    458                                        const HostPortPair& host_and_port,
    459                                        const SSLConfig& ssl_config,
    460                                        SSLHostInfo* ssl_host_info,
    461                                        CertVerifier* cert_verifier,
    462                                        DnsCertProvenanceChecker* dns_ctx)
    463     : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_(
    464           this, &SSLClientSocketNSS::BufferSendComplete)),
    465       ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_(
    466           this, &SSLClientSocketNSS::BufferRecvComplete)),
    467       transport_send_busy_(false),
    468       transport_recv_busy_(false),
    469       corked_(false),
    470       ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_(
    471           this, &SSLClientSocketNSS::OnHandshakeIOComplete)),
    472       transport_(transport_socket),
    473       host_and_port_(host_and_port),
    474       ssl_config_(ssl_config),
    475       user_connect_callback_(NULL),
    476       user_read_callback_(NULL),
    477       user_write_callback_(NULL),
    478       user_read_buf_len_(0),
    479       user_write_buf_len_(0),
    480       server_cert_nss_(NULL),
    481       server_cert_verify_result_(NULL),
    482       ssl_connection_status_(0),
    483       client_auth_cert_needed_(false),
    484       cert_verifier_(cert_verifier),
    485       handshake_callback_called_(false),
    486       completed_handshake_(false),
    487       eset_mitm_detected_(false),
    488       predicted_cert_chain_correct_(false),
    489       peername_initialized_(false),
    490       dnssec_provider_(NULL),
    491       next_handshake_state_(STATE_NONE),
    492       nss_fd_(NULL),
    493       nss_bufs_(NULL),
    494       net_log_(transport_socket->socket()->NetLog()),
    495       ssl_host_info_(ssl_host_info),
    496       dns_cert_checker_(dns_ctx),
    497       valid_thread_id_(base::kInvalidThreadId) {
    498   EnterFunction("");
    499 }
    500 
    501 SSLClientSocketNSS::~SSLClientSocketNSS() {
    502   EnterFunction("");
    503   Disconnect();
    504   LeaveFunction("");
    505 }
    506 
    507 // static
    508 void SSLClientSocketNSS::ClearSessionCache() {
    509   SSL_ClearSessionCache();
    510 }
    511 
    512 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
    513   EnterFunction("");
    514   ssl_info->Reset();
    515 
    516   if (!server_cert_)
    517     return;
    518 
    519   ssl_info->cert_status = server_cert_verify_result_->cert_status;
    520   DCHECK(server_cert_ != NULL);
    521   ssl_info->cert = server_cert_;
    522   ssl_info->connection_status = ssl_connection_status_;
    523   ssl_info->public_key_hashes = server_cert_verify_result_->public_key_hashes;
    524   ssl_info->is_issued_by_known_root =
    525       server_cert_verify_result_->is_issued_by_known_root;
    526 
    527   PRUint16 cipher_suite =
    528       SSLConnectionStatusToCipherSuite(ssl_connection_status_);
    529   SSLCipherSuiteInfo cipher_info;
    530   SECStatus ok = SSL_GetCipherSuiteInfo(cipher_suite,
    531                                         &cipher_info, sizeof(cipher_info));
    532   if (ok == SECSuccess) {
    533     ssl_info->security_bits = cipher_info.effectiveKeyBits;
    534   } else {
    535     ssl_info->security_bits = -1;
    536     LOG(DFATAL) << "SSL_GetCipherSuiteInfo returned " << PR_GetError()
    537                 << " for cipherSuite " << cipher_suite;
    538   }
    539   LeaveFunction("");
    540 }
    541 
    542 void SSLClientSocketNSS::GetSSLCertRequestInfo(
    543     SSLCertRequestInfo* cert_request_info) {
    544   EnterFunction("");
    545   // TODO(rch): switch SSLCertRequestInfo.host_and_port to a HostPortPair
    546   cert_request_info->host_and_port = host_and_port_.ToString();
    547   cert_request_info->client_certs = client_certs_;
    548   LeaveFunction(cert_request_info->client_certs.size());
    549 }
    550 
    551 SSLClientSocket::NextProtoStatus
    552 SSLClientSocketNSS::GetNextProto(std::string* proto) {
    553 #if defined(SSL_NEXT_PROTO_NEGOTIATED)
    554   unsigned char buf[255];
    555   int state;
    556   unsigned len;
    557   SECStatus rv = SSL_GetNextProto(nss_fd_, &state, buf, &len, sizeof(buf));
    558   if (rv != SECSuccess) {
    559     NOTREACHED() << "Error return from SSL_GetNextProto: " << rv;
    560     proto->clear();
    561     return kNextProtoUnsupported;
    562   }
    563   // We don't check for truncation because sizeof(buf) is large enough to hold
    564   // the maximum protocol size.
    565   switch (state) {
    566     case SSL_NEXT_PROTO_NO_SUPPORT:
    567       proto->clear();
    568       return kNextProtoUnsupported;
    569     case SSL_NEXT_PROTO_NEGOTIATED:
    570       *proto = std::string(reinterpret_cast<char*>(buf), len);
    571       return kNextProtoNegotiated;
    572     case SSL_NEXT_PROTO_NO_OVERLAP:
    573       *proto = std::string(reinterpret_cast<char*>(buf), len);
    574       return kNextProtoNoOverlap;
    575     default:
    576       NOTREACHED() << "Unknown status from SSL_GetNextProto: " << state;
    577       proto->clear();
    578       return kNextProtoUnsupported;
    579   }
    580 #else
    581   // No NPN support in the libssl that we are building with.
    582   proto->clear();
    583   return kNextProtoUnsupported;
    584 #endif
    585 }
    586 
    587 void SSLClientSocketNSS::UseDNSSEC(DNSSECProvider* provider) {
    588   dnssec_provider_ = provider;
    589 }
    590 
    591 #ifdef ANDROID
    592 // TODO(kristianm): handle the case when wait_for_connect is true
    593 // (sync requests)
    594 #endif
    595 int SSLClientSocketNSS::Connect(CompletionCallback* callback
    596 #ifdef ANDROID
    597                                 , bool wait_for_connect
    598 #endif
    599                                ) {
    600   EnterFunction("");
    601   DCHECK(transport_.get());
    602   DCHECK(next_handshake_state_ == STATE_NONE);
    603   DCHECK(!user_read_callback_);
    604   DCHECK(!user_write_callback_);
    605   DCHECK(!user_connect_callback_);
    606   DCHECK(!user_read_buf_);
    607   DCHECK(!user_write_buf_);
    608 
    609   EnsureThreadIdAssigned();
    610 
    611   net_log_.BeginEvent(NetLog::TYPE_SSL_CONNECT, NULL);
    612 
    613   int rv = Init();
    614   if (rv != OK) {
    615     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
    616     return rv;
    617   }
    618 
    619   rv = InitializeSSLOptions();
    620   if (rv != OK) {
    621     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
    622     return rv;
    623   }
    624 
    625   // Attempt to initialize the peer name.  In the case of TCP FastOpen,
    626   // we don't have the peer yet.
    627   if (!UsingTCPFastOpen()) {
    628     rv = InitializeSSLPeerName();
    629     if (rv != OK) {
    630       net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
    631       return rv;
    632     }
    633   }
    634 
    635   GotoState(STATE_HANDSHAKE);
    636 
    637   rv = DoHandshakeLoop(OK);
    638   if (rv == ERR_IO_PENDING) {
    639     user_connect_callback_ = callback;
    640   } else {
    641     net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_CONNECT, rv);
    642   }
    643 
    644   LeaveFunction("");
    645   return rv > OK ? OK : rv;
    646 }
    647 
    648 void SSLClientSocketNSS::Disconnect() {
    649   EnterFunction("");
    650 
    651   CHECK(CalledOnValidThread());
    652 
    653   // Shut down anything that may call us back (through buffer_send_callback_,
    654   // buffer_recv_callback, or handshake_io_callback_).
    655   verifier_.reset();
    656   transport_->socket()->Disconnect();
    657 
    658   // TODO(wtc): Send SSL close_notify alert.
    659   if (nss_fd_ != NULL) {
    660     PR_Close(nss_fd_);
    661     nss_fd_ = NULL;
    662   }
    663 
    664   // Reset object state
    665   transport_send_busy_   = false;
    666   transport_recv_busy_   = false;
    667   user_connect_callback_ = NULL;
    668   user_read_callback_    = NULL;
    669   user_write_callback_   = NULL;
    670   user_read_buf_         = NULL;
    671   user_read_buf_len_     = 0;
    672   user_write_buf_        = NULL;
    673   user_write_buf_len_    = 0;
    674   server_cert_           = NULL;
    675   if (server_cert_nss_) {
    676     CERT_DestroyCertificate(server_cert_nss_);
    677     server_cert_nss_     = NULL;
    678   }
    679   local_server_cert_verify_result_.Reset();
    680   server_cert_verify_result_ = NULL;
    681   ssl_connection_status_ = 0;
    682   completed_handshake_   = false;
    683   eset_mitm_detected_    = false;
    684   start_cert_verification_time_ = base::TimeTicks();
    685   predicted_cert_chain_correct_ = false;
    686   peername_initialized_  = false;
    687   nss_bufs_              = NULL;
    688   client_certs_.clear();
    689   client_auth_cert_needed_ = false;
    690 
    691   LeaveFunction("");
    692 }
    693 
    694 bool SSLClientSocketNSS::IsConnected() const {
    695   // Ideally, we should also check if we have received the close_notify alert
    696   // message from the server, and return false in that case.  We're not doing
    697   // that, so this function may return a false positive.  Since the upper
    698   // layer (HttpNetworkTransaction) needs to handle a persistent connection
    699   // closed by the server when we send a request anyway, a false positive in
    700   // exchange for simpler code is a good trade-off.
    701   EnterFunction("");
    702   bool ret = completed_handshake_ && transport_->socket()->IsConnected();
    703   LeaveFunction("");
    704   return ret;
    705 }
    706 
    707 bool SSLClientSocketNSS::IsConnectedAndIdle() const {
    708   // Unlike IsConnected, this method doesn't return a false positive.
    709   //
    710   // Strictly speaking, we should check if we have received the close_notify
    711   // alert message from the server, and return false in that case.  Although
    712   // the close_notify alert message means EOF in the SSL layer, it is just
    713   // bytes to the transport layer below, so
    714   // transport_->socket()->IsConnectedAndIdle() returns the desired false
    715   // when we receive close_notify.
    716   EnterFunction("");
    717   bool ret = completed_handshake_ && transport_->socket()->IsConnectedAndIdle();
    718   LeaveFunction("");
    719   return ret;
    720 }
    721 
    722 int SSLClientSocketNSS::GetPeerAddress(AddressList* address) const {
    723   return transport_->socket()->GetPeerAddress(address);
    724 }
    725 
    726 int SSLClientSocketNSS::GetLocalAddress(IPEndPoint* address) const {
    727   return transport_->socket()->GetLocalAddress(address);
    728 }
    729 
    730 const BoundNetLog& SSLClientSocketNSS::NetLog() const {
    731   return net_log_;
    732 }
    733 
    734 void SSLClientSocketNSS::SetSubresourceSpeculation() {
    735   if (transport_.get() && transport_->socket()) {
    736     transport_->socket()->SetSubresourceSpeculation();
    737   } else {
    738     NOTREACHED();
    739   }
    740 }
    741 
    742 void SSLClientSocketNSS::SetOmniboxSpeculation() {
    743   if (transport_.get() && transport_->socket()) {
    744     transport_->socket()->SetOmniboxSpeculation();
    745   } else {
    746     NOTREACHED();
    747   }
    748 }
    749 
    750 bool SSLClientSocketNSS::WasEverUsed() const {
    751   if (transport_.get() && transport_->socket()) {
    752     return transport_->socket()->WasEverUsed();
    753   }
    754   NOTREACHED();
    755   return false;
    756 }
    757 
    758 bool SSLClientSocketNSS::UsingTCPFastOpen() const {
    759   if (transport_.get() && transport_->socket()) {
    760     return transport_->socket()->UsingTCPFastOpen();
    761   }
    762   NOTREACHED();
    763   return false;
    764 }
    765 
    766 int SSLClientSocketNSS::Read(IOBuffer* buf, int buf_len,
    767                              CompletionCallback* callback) {
    768   EnterFunction(buf_len);
    769   DCHECK(completed_handshake_);
    770   DCHECK(next_handshake_state_ == STATE_NONE);
    771   DCHECK(!user_read_callback_);
    772   DCHECK(!user_connect_callback_);
    773   DCHECK(!user_read_buf_);
    774   DCHECK(nss_bufs_);
    775 
    776   user_read_buf_ = buf;
    777   user_read_buf_len_ = buf_len;
    778 
    779   int rv = DoReadLoop(OK);
    780 
    781   if (rv == ERR_IO_PENDING) {
    782     user_read_callback_ = callback;
    783   } else {
    784     user_read_buf_ = NULL;
    785     user_read_buf_len_ = 0;
    786   }
    787   LeaveFunction(rv);
    788   return rv;
    789 }
    790 
    791 int SSLClientSocketNSS::Write(IOBuffer* buf, int buf_len,
    792                               CompletionCallback* callback) {
    793   EnterFunction(buf_len);
    794   DCHECK(completed_handshake_);
    795   DCHECK(next_handshake_state_ == STATE_NONE);
    796   DCHECK(!user_write_callback_);
    797   DCHECK(!user_connect_callback_);
    798   DCHECK(!user_write_buf_);
    799   DCHECK(nss_bufs_);
    800 
    801   user_write_buf_ = buf;
    802   user_write_buf_len_ = buf_len;
    803 
    804   if (corked_) {
    805     corked_ = false;
    806     uncork_timer_.Reset();
    807   }
    808   int rv = DoWriteLoop(OK);
    809 
    810   if (rv == ERR_IO_PENDING) {
    811     user_write_callback_ = callback;
    812   } else {
    813     user_write_buf_ = NULL;
    814     user_write_buf_len_ = 0;
    815   }
    816   LeaveFunction(rv);
    817   return rv;
    818 }
    819 
    820 bool SSLClientSocketNSS::SetReceiveBufferSize(int32 size) {
    821   return transport_->socket()->SetReceiveBufferSize(size);
    822 }
    823 
    824 bool SSLClientSocketNSS::SetSendBufferSize(int32 size) {
    825   return transport_->socket()->SetSendBufferSize(size);
    826 }
    827 
    828 int SSLClientSocketNSS::Init() {
    829   EnterFunction("");
    830   // Initialize the NSS SSL library in a threadsafe way.  This also
    831   // initializes the NSS base library.
    832   EnsureNSSSSLInit();
    833   if (!NSS_IsInitialized())
    834     return ERR_UNEXPECTED;
    835 #if !defined(OS_MACOSX) && !defined(OS_WIN)
    836   // We must call EnsureOCSPInit() here, on the IO thread, to get the IO loop
    837   // by MessageLoopForIO::current().
    838   // X509Certificate::Verify() runs on a worker thread of CertVerifier.
    839   EnsureOCSPInit();
    840 #endif
    841 
    842   LeaveFunction("");
    843   return OK;
    844 }
    845 
    846 int SSLClientSocketNSS::InitializeSSLOptions() {
    847   // Transport connected, now hook it up to nss
    848   // TODO(port): specify rx and tx buffer sizes separately
    849   nss_fd_ = memio_CreateIOLayer(kRecvBufferSize);
    850   if (nss_fd_ == NULL) {
    851     return ERR_OUT_OF_MEMORY;  // TODO(port): map NSPR error code.
    852   }
    853 
    854   // Grab pointer to buffers
    855   nss_bufs_ = memio_GetSecret(nss_fd_);
    856 
    857   /* Create SSL state machine */
    858   /* Push SSL onto our fake I/O socket */
    859   nss_fd_ = SSL_ImportFD(NULL, nss_fd_);
    860   if (nss_fd_ == NULL) {
    861     LogFailedNSSFunction(net_log_, "SSL_ImportFD", "");
    862     return ERR_OUT_OF_MEMORY;  // TODO(port): map NSPR/NSS error code.
    863   }
    864   // TODO(port): set more ssl options!  Check errors!
    865 
    866   int rv;
    867 
    868   rv = SSL_OptionSet(nss_fd_, SSL_SECURITY, PR_TRUE);
    869   if (rv != SECSuccess) {
    870     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_SECURITY");
    871     return ERR_UNEXPECTED;
    872   }
    873 
    874   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL2, PR_FALSE);
    875   if (rv != SECSuccess) {
    876     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL2");
    877     return ERR_UNEXPECTED;
    878   }
    879 
    880   // Don't do V2 compatible hellos because they don't support TLS extensions.
    881   rv = SSL_OptionSet(nss_fd_, SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
    882   if (rv != SECSuccess) {
    883     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_V2_COMPATIBLE_HELLO");
    884     return ERR_UNEXPECTED;
    885   }
    886 
    887   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SSL3, ssl_config_.ssl3_enabled);
    888   if (rv != SECSuccess) {
    889     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_SSL3");
    890     return ERR_UNEXPECTED;
    891   }
    892 
    893   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_TLS, ssl_config_.tls1_enabled);
    894   if (rv != SECSuccess) {
    895     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_TLS");
    896     return ERR_UNEXPECTED;
    897   }
    898 
    899   for (std::vector<uint16>::const_iterator it =
    900            ssl_config_.disabled_cipher_suites.begin();
    901        it != ssl_config_.disabled_cipher_suites.end(); ++it) {
    902     // This will fail if the specified cipher is not implemented by NSS, but
    903     // the failure is harmless.
    904     SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
    905   }
    906 
    907 #ifdef SSL_ENABLE_SESSION_TICKETS
    908   // Support RFC 5077
    909   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
    910   if (rv != SECSuccess) {
    911     LogFailedNSSFunction(
    912         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
    913   }
    914 #else
    915   #error "You need to install NSS-3.12 or later to build chromium"
    916 #endif
    917 
    918 #ifdef SSL_ENABLE_DEFLATE
    919   // Some web servers have been found to break if TLS is used *or* if DEFLATE
    920   // is advertised. Thus, if TLS is disabled (probably because we are doing
    921   // SSLv3 fallback), we disable DEFLATE also.
    922   // See http://crbug.com/31628
    923   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_DEFLATE, ssl_config_.tls1_enabled);
    924   if (rv != SECSuccess)
    925     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_DEFLATE");
    926 #endif
    927 
    928 #ifdef SSL_ENABLE_FALSE_START
    929   rv = SSL_OptionSet(
    930       nss_fd_, SSL_ENABLE_FALSE_START,
    931       ssl_config_.false_start_enabled &&
    932       !SSLConfigService::IsKnownFalseStartIncompatibleServer(
    933           host_and_port_.host()));
    934   if (rv != SECSuccess)
    935     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
    936 #endif
    937 
    938 #ifdef SSL_ENABLE_RENEGOTIATION
    939   // We allow servers to request renegotiation. Since we're a client,
    940   // prohibiting this is rather a waste of time. Only servers are in a
    941   // position to prevent renegotiation attacks.
    942   // http://extendedsubset.com/?p=8
    943 
    944   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
    945                      SSL_RENEGOTIATE_TRANSITIONAL);
    946   if (rv != SECSuccess) {
    947     LogFailedNSSFunction(
    948         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
    949   }
    950 #endif  // SSL_ENABLE_RENEGOTIATION
    951 
    952 #ifdef SSL_NEXT_PROTO_NEGOTIATED
    953   if (!ssl_config_.next_protos.empty()) {
    954     rv = SSL_SetNextProtoNego(
    955        nss_fd_,
    956        reinterpret_cast<const unsigned char *>(ssl_config_.next_protos.data()),
    957        ssl_config_.next_protos.size());
    958     if (rv != SECSuccess)
    959       LogFailedNSSFunction(net_log_, "SSL_SetNextProtoNego", "");
    960   }
    961 #endif
    962 
    963 #ifdef SSL_ENABLE_OCSP_STAPLING
    964   if (IsOCSPStaplingSupported()) {
    965     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    966     if (rv != SECSuccess)
    967       LogFailedNSSFunction(net_log_, "SSL_OptionSet (OCSP stapling)", "");
    968   }
    969 #endif
    970 
    971   rv = SSL_OptionSet(nss_fd_, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
    972   if (rv != SECSuccess) {
    973     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_HANDSHAKE_AS_CLIENT");
    974     return ERR_UNEXPECTED;
    975   }
    976 
    977   rv = SSL_AuthCertificateHook(nss_fd_, OwnAuthCertHandler, this);
    978   if (rv != SECSuccess) {
    979     LogFailedNSSFunction(net_log_, "SSL_AuthCertificateHook", "");
    980     return ERR_UNEXPECTED;
    981   }
    982 
    983 #if defined(NSS_PLATFORM_CLIENT_AUTH)
    984   rv = SSL_GetPlatformClientAuthDataHook(nss_fd_, PlatformClientAuthHandler,
    985                                          this);
    986 #else
    987   rv = SSL_GetClientAuthDataHook(nss_fd_, ClientAuthHandler, this);
    988 #endif
    989   if (rv != SECSuccess) {
    990     LogFailedNSSFunction(net_log_, "SSL_GetClientAuthDataHook", "");
    991     return ERR_UNEXPECTED;
    992   }
    993 
    994   rv = SSL_HandshakeCallback(nss_fd_, HandshakeCallback, this);
    995   if (rv != SECSuccess) {
    996     LogFailedNSSFunction(net_log_, "SSL_HandshakeCallback", "");
    997     return ERR_UNEXPECTED;
    998   }
    999 
   1000   // Tell SSL the hostname we're trying to connect to.
   1001   SSL_SetURL(nss_fd_, host_and_port_.host().c_str());
   1002 
   1003   // Tell SSL we're a client; needed if not letting NSPR do socket I/O
   1004   SSL_ResetHandshake(nss_fd_, 0);
   1005 
   1006   return OK;
   1007 }
   1008 
   1009 int SSLClientSocketNSS::InitializeSSLPeerName() {
   1010   // Tell NSS who we're connected to
   1011   AddressList peer_address;
   1012   int err = transport_->socket()->GetPeerAddress(&peer_address);
   1013   if (err != OK)
   1014     return err;
   1015 
   1016   const struct addrinfo* ai = peer_address.head();
   1017 
   1018   PRNetAddr peername;
   1019   memset(&peername, 0, sizeof(peername));
   1020   DCHECK_LE(ai->ai_addrlen, sizeof(peername));
   1021   size_t len = std::min(static_cast<size_t>(ai->ai_addrlen),
   1022                         sizeof(peername));
   1023   memcpy(&peername, ai->ai_addr, len);
   1024 
   1025   // Adjust the address family field for BSD, whose sockaddr
   1026   // structure has a one-byte length and one-byte address family
   1027   // field at the beginning.  PRNetAddr has a two-byte address
   1028   // family field at the beginning.
   1029   peername.raw.family = ai->ai_addr->sa_family;
   1030 
   1031   memio_SetPeerName(nss_fd_, &peername);
   1032 
   1033   // Set the peer ID for session reuse.  This is necessary when we create an
   1034   // SSL tunnel through a proxy -- GetPeerName returns the proxy's address
   1035   // rather than the destination server's address in that case.
   1036   std::string peer_id = host_and_port_.ToString();
   1037   SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str()));
   1038   if (rv != SECSuccess)
   1039     LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str());
   1040 
   1041   peername_initialized_ = true;
   1042   return OK;
   1043 }
   1044 
   1045 
   1046 // Sets server_cert_ and server_cert_nss_ if not yet set.
   1047 // Returns server_cert_.
   1048 X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   1049   // We set the server_cert_ from HandshakeCallback().
   1050   if (server_cert_ == NULL) {
   1051     server_cert_nss_ = SSL_PeerCertificate(nss_fd_);
   1052     if (server_cert_nss_) {
   1053       PeerCertificateChain certs(nss_fd_);
   1054       server_cert_ = X509Certificate::CreateFromDERCertChain(
   1055           certs.AsStringPieceVector());
   1056     }
   1057   }
   1058   return server_cert_;
   1059 }
   1060 
   1061 // Sets ssl_connection_status_.
   1062 void SSLClientSocketNSS::UpdateConnectionStatus() {
   1063   SSLChannelInfo channel_info;
   1064   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
   1065                                     &channel_info, sizeof(channel_info));
   1066   if (ok == SECSuccess &&
   1067       channel_info.length == sizeof(channel_info) &&
   1068       channel_info.cipherSuite) {
   1069     ssl_connection_status_ |=
   1070         (static_cast<int>(channel_info.cipherSuite) &
   1071          SSL_CONNECTION_CIPHERSUITE_MASK) <<
   1072         SSL_CONNECTION_CIPHERSUITE_SHIFT;
   1073 
   1074     ssl_connection_status_ |=
   1075         (static_cast<int>(channel_info.compressionMethod) &
   1076          SSL_CONNECTION_COMPRESSION_MASK) <<
   1077         SSL_CONNECTION_COMPRESSION_SHIFT;
   1078 
   1079     // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
   1080     // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
   1081     int version = SSL_CONNECTION_VERSION_UNKNOWN;
   1082     if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
   1083       // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
   1084       // version 2.
   1085       version = SSL_CONNECTION_VERSION_SSL2;
   1086     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_0) {
   1087       version = SSL_CONNECTION_VERSION_SSL3;
   1088     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
   1089       version = SSL_CONNECTION_VERSION_TLS1;
   1090     } else if (channel_info.protocolVersion == 0x0302) {
   1091       version = SSL_CONNECTION_VERSION_TLS1_1;
   1092     } else if (channel_info.protocolVersion == 0x0303) {
   1093       version = SSL_CONNECTION_VERSION_TLS1_2;
   1094     }
   1095     ssl_connection_status_ |=
   1096         (version & SSL_CONNECTION_VERSION_MASK) <<
   1097         SSL_CONNECTION_VERSION_SHIFT;
   1098   }
   1099 
   1100   // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
   1101   // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
   1102   // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
   1103 #if defined(SSL_MAX_EXTENSIONS)
   1104   PRBool peer_supports_renego_ext;
   1105   ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
   1106                                         &peer_supports_renego_ext);
   1107   if (ok == SECSuccess) {
   1108     if (!peer_supports_renego_ext) {
   1109       ssl_connection_status_ |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION;
   1110       // Log an informational message if the server does not support secure
   1111       // renegotiation (RFC 5746).
   1112       VLOG(1) << "The server " << host_and_port_.ToString()
   1113               << " does not support the TLS renegotiation_info extension.";
   1114     }
   1115     UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported",
   1116                               peer_supports_renego_ext, 2);
   1117   }
   1118 #endif
   1119 
   1120   if (ssl_config_.ssl3_fallback)
   1121     ssl_connection_status_ |= SSL_CONNECTION_SSL3_FALLBACK;
   1122 }
   1123 
   1124 void SSLClientSocketNSS::DoReadCallback(int rv) {
   1125   EnterFunction(rv);
   1126   DCHECK(rv != ERR_IO_PENDING);
   1127   DCHECK(user_read_callback_);
   1128 
   1129   // Since Run may result in Read being called, clear |user_read_callback_|
   1130   // up front.
   1131   CompletionCallback* c = user_read_callback_;
   1132   user_read_callback_ = NULL;
   1133   user_read_buf_ = NULL;
   1134   user_read_buf_len_ = 0;
   1135   c->Run(rv);
   1136   LeaveFunction("");
   1137 }
   1138 
   1139 void SSLClientSocketNSS::DoWriteCallback(int rv) {
   1140   EnterFunction(rv);
   1141   DCHECK(rv != ERR_IO_PENDING);
   1142   DCHECK(user_write_callback_);
   1143 
   1144   // Since Run may result in Write being called, clear |user_write_callback_|
   1145   // up front.
   1146   CompletionCallback* c = user_write_callback_;
   1147   user_write_callback_ = NULL;
   1148   user_write_buf_ = NULL;
   1149   user_write_buf_len_ = 0;
   1150   c->Run(rv);
   1151   LeaveFunction("");
   1152 }
   1153 
   1154 // As part of Connect(), the SSLClientSocketNSS object performs an SSL
   1155 // handshake. This requires network IO, which in turn calls
   1156 // BufferRecvComplete() with a non-zero byte count. This byte count eventually
   1157 // winds its way through the state machine and ends up being passed to the
   1158 // callback. For Read() and Write(), that's what we want. But for Connect(),
   1159 // the caller expects OK (i.e. 0) for success.
   1160 //
   1161 void SSLClientSocketNSS::DoConnectCallback(int rv) {
   1162   EnterFunction(rv);
   1163   DCHECK_NE(rv, ERR_IO_PENDING);
   1164   DCHECK(user_connect_callback_);
   1165 
   1166   CompletionCallback* c = user_connect_callback_;
   1167   user_connect_callback_ = NULL;
   1168   c->Run(rv > OK ? OK : rv);
   1169   LeaveFunction("");
   1170 }
   1171 
   1172 void SSLClientSocketNSS::OnHandshakeIOComplete(int result) {
   1173   EnterFunction(result);
   1174   int rv = DoHandshakeLoop(result);
   1175   if (rv != ERR_IO_PENDING) {
   1176     net_log_.EndEventWithNetErrorCode(net::NetLog::TYPE_SSL_CONNECT, rv);
   1177     DoConnectCallback(rv);
   1178   }
   1179   LeaveFunction("");
   1180 }
   1181 
   1182 void SSLClientSocketNSS::OnSendComplete(int result) {
   1183   EnterFunction(result);
   1184   if (next_handshake_state_ == STATE_HANDSHAKE) {
   1185     // In handshake phase.
   1186     OnHandshakeIOComplete(result);
   1187     LeaveFunction("");
   1188     return;
   1189   }
   1190 
   1191   // OnSendComplete may need to call DoPayloadRead while the renegotiation
   1192   // handshake is in progress.
   1193   int rv_read = ERR_IO_PENDING;
   1194   int rv_write = ERR_IO_PENDING;
   1195   bool network_moved;
   1196   do {
   1197       if (user_read_buf_)
   1198           rv_read = DoPayloadRead();
   1199       if (user_write_buf_)
   1200           rv_write = DoPayloadWrite();
   1201       network_moved = DoTransportIO();
   1202   } while (rv_read == ERR_IO_PENDING &&
   1203            rv_write == ERR_IO_PENDING &&
   1204            network_moved);
   1205 
   1206   if (user_read_buf_ && rv_read != ERR_IO_PENDING)
   1207       DoReadCallback(rv_read);
   1208   if (user_write_buf_ && rv_write != ERR_IO_PENDING)
   1209       DoWriteCallback(rv_write);
   1210 
   1211   LeaveFunction("");
   1212 }
   1213 
   1214 void SSLClientSocketNSS::OnRecvComplete(int result) {
   1215   EnterFunction(result);
   1216   if (next_handshake_state_ == STATE_HANDSHAKE) {
   1217     // In handshake phase.
   1218     OnHandshakeIOComplete(result);
   1219     LeaveFunction("");
   1220     return;
   1221   }
   1222 
   1223   // Network layer received some data, check if client requested to read
   1224   // decrypted data.
   1225   if (!user_read_buf_) {
   1226     LeaveFunction("");
   1227     return;
   1228   }
   1229 
   1230   int rv = DoReadLoop(result);
   1231   if (rv != ERR_IO_PENDING)
   1232     DoReadCallback(rv);
   1233   LeaveFunction("");
   1234 }
   1235 
   1236 int SSLClientSocketNSS::DoHandshakeLoop(int last_io_result) {
   1237   EnterFunction(last_io_result);
   1238   bool network_moved;
   1239   int rv = last_io_result;
   1240   do {
   1241     // Default to STATE_NONE for next state.
   1242     // (This is a quirk carried over from the windows
   1243     // implementation.  It makes reading the logs a bit harder.)
   1244     // State handlers can and often do call GotoState just
   1245     // to stay in the current state.
   1246     State state = next_handshake_state_;
   1247     GotoState(STATE_NONE);
   1248     switch (state) {
   1249       case STATE_NONE:
   1250         // we're just pumping data between the buffer and the network
   1251         break;
   1252       case STATE_HANDSHAKE:
   1253         rv = DoHandshake();
   1254         break;
   1255       case STATE_VERIFY_DNSSEC:
   1256         rv = DoVerifyDNSSEC(rv);
   1257         break;
   1258       case STATE_VERIFY_DNSSEC_COMPLETE:
   1259         rv = DoVerifyDNSSECComplete(rv);
   1260         break;
   1261       case STATE_VERIFY_CERT:
   1262         DCHECK(rv == OK);
   1263         rv = DoVerifyCert(rv);
   1264         break;
   1265       case STATE_VERIFY_CERT_COMPLETE:
   1266         rv = DoVerifyCertComplete(rv);
   1267         break;
   1268       default:
   1269         rv = ERR_UNEXPECTED;
   1270         LOG(DFATAL) << "unexpected state " << state;
   1271         break;
   1272     }
   1273 
   1274     // Do the actual network I/O
   1275     network_moved = DoTransportIO();
   1276   } while ((rv != ERR_IO_PENDING || network_moved) &&
   1277            next_handshake_state_ != STATE_NONE);
   1278   LeaveFunction("");
   1279   return rv;
   1280 }
   1281 
   1282 int SSLClientSocketNSS::DoReadLoop(int result) {
   1283   EnterFunction("");
   1284   DCHECK(completed_handshake_);
   1285   DCHECK(next_handshake_state_ == STATE_NONE);
   1286 
   1287   if (result < 0)
   1288     return result;
   1289 
   1290   if (!nss_bufs_) {
   1291     LOG(DFATAL) << "!nss_bufs_";
   1292     int rv = ERR_UNEXPECTED;
   1293     net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR,
   1294                       make_scoped_refptr(new SSLErrorParams(rv, 0)));
   1295     return rv;
   1296   }
   1297 
   1298   bool network_moved;
   1299   int rv;
   1300   do {
   1301     rv = DoPayloadRead();
   1302     network_moved = DoTransportIO();
   1303   } while (rv == ERR_IO_PENDING && network_moved);
   1304 
   1305   LeaveFunction("");
   1306   return rv;
   1307 }
   1308 
   1309 int SSLClientSocketNSS::DoWriteLoop(int result) {
   1310   EnterFunction("");
   1311   DCHECK(completed_handshake_);
   1312   DCHECK(next_handshake_state_ == STATE_NONE);
   1313 
   1314   if (result < 0)
   1315     return result;
   1316 
   1317   if (!nss_bufs_) {
   1318     LOG(DFATAL) << "!nss_bufs_";
   1319     int rv = ERR_UNEXPECTED;
   1320     net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR,
   1321                       make_scoped_refptr(new SSLErrorParams(rv, 0)));
   1322     return rv;
   1323   }
   1324 
   1325   bool network_moved;
   1326   int rv;
   1327   do {
   1328     rv = DoPayloadWrite();
   1329     network_moved = DoTransportIO();
   1330   } while (rv == ERR_IO_PENDING && network_moved);
   1331 
   1332   LeaveFunction("");
   1333   return rv;
   1334 }
   1335 
   1336 int SSLClientSocketNSS::DoHandshake() {
   1337   EnterFunction("");
   1338   int net_error = net::OK;
   1339   SECStatus rv = SSL_ForceHandshake(nss_fd_);
   1340 
   1341   if (client_auth_cert_needed_) {
   1342     net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
   1343     net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR,
   1344                       make_scoped_refptr(new SSLErrorParams(net_error, 0)));
   1345     // If the handshake already succeeded (because the server requests but
   1346     // doesn't require a client cert), we need to invalidate the SSL session
   1347     // so that we won't try to resume the non-client-authenticated session in
   1348     // the next handshake.  This will cause the server to ask for a client
   1349     // cert again.
   1350     if (rv == SECSuccess && SSL_InvalidateSession(nss_fd_) != SECSuccess) {
   1351       LOG(WARNING) << "Couldn't invalidate SSL session: " << PR_GetError();
   1352     }
   1353   } else if (rv == SECSuccess) {
   1354     if (handshake_callback_called_) {
   1355       if (eset_mitm_detected_) {
   1356         net_error = ERR_ESET_ANTI_VIRUS_SSL_INTERCEPTION;
   1357       } else {
   1358         // We need to see if the predicted certificate chain (in
   1359         // |ssl_host_info_->state().certs) matches the actual certificate chain
   1360         // before we try to save it before we update |ssl_host_info_|.
   1361         if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty()) {
   1362           PeerCertificateChain certs(nss_fd_);
   1363           const SSLHostInfo::State& state = ssl_host_info_->state();
   1364           predicted_cert_chain_correct_ = certs.size() == state.certs.size();
   1365           if (predicted_cert_chain_correct_) {
   1366             for (unsigned i = 0; i < certs.size(); i++) {
   1367               if (certs[i]->derCert.len != state.certs[i].size() ||
   1368                   memcmp(certs[i]->derCert.data, state.certs[i].data(),
   1369                          certs[i]->derCert.len) != 0) {
   1370                 predicted_cert_chain_correct_ = false;
   1371                 break;
   1372               }
   1373             }
   1374           }
   1375         }
   1376 
   1377 #if defined(SSL_ENABLE_OCSP_STAPLING)
   1378         // TODO(agl): figure out how to plumb an OCSP response into the Mac
   1379         // system library and update IsOCSPStaplingSupported for Mac.
   1380         if (!predicted_cert_chain_correct_ && IsOCSPStaplingSupported()) {
   1381           unsigned int len = 0;
   1382           SSL_GetStapledOCSPResponse(nss_fd_, NULL, &len);
   1383           if (len) {
   1384             const unsigned int orig_len = len;
   1385             scoped_array<uint8> ocsp_response(new uint8[orig_len]);
   1386             SSL_GetStapledOCSPResponse(nss_fd_, ocsp_response.get(), &len);
   1387             DCHECK_EQ(orig_len, len);
   1388 
   1389 #if defined(OS_WIN)
   1390             CRYPT_DATA_BLOB ocsp_response_blob;
   1391             ocsp_response_blob.cbData = len;
   1392             ocsp_response_blob.pbData = ocsp_response.get();
   1393             BOOL ok = CertSetCertificateContextProperty(
   1394                 server_cert_->os_cert_handle(),
   1395                 CERT_OCSP_RESPONSE_PROP_ID,
   1396                 CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG,
   1397                 &ocsp_response_blob);
   1398             if (!ok) {
   1399               VLOG(1) << "Failed to set OCSP response property: "
   1400                       << GetLastError();
   1401             }
   1402 #elif defined(USE_NSS)
   1403             CacheOCSPResponseFromSideChannelFunction cache_ocsp_response =
   1404                 GetCacheOCSPResponseFromSideChannelFunction();
   1405             SECItem ocsp_response_item;
   1406             ocsp_response_item.type = siBuffer;
   1407             ocsp_response_item.data = ocsp_response.get();
   1408             ocsp_response_item.len = len;
   1409 
   1410             cache_ocsp_response(
   1411                 CERT_GetDefaultCertDB(), server_cert_nss_, PR_Now(),
   1412                 &ocsp_response_item, NULL);
   1413 #endif
   1414           }
   1415         }
   1416 #endif
   1417 
   1418         SaveSSLHostInfo();
   1419         // SSL handshake is completed. Let's verify the certificate.
   1420         GotoState(STATE_VERIFY_DNSSEC);
   1421       }
   1422       // Done!
   1423     } else {
   1424       // Workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=562434 -
   1425       // SSL_ForceHandshake returned SECSuccess prematurely.
   1426       rv = SECFailure;
   1427       net_error = ERR_SSL_PROTOCOL_ERROR;
   1428       net_log_.AddEvent(NetLog::TYPE_SSL_HANDSHAKE_ERROR,
   1429                         make_scoped_refptr(new SSLErrorParams(net_error, 0)));
   1430     }
   1431   } else {
   1432     PRErrorCode prerr = PR_GetError();
   1433     net_error = HandleNSSError(prerr, true);
   1434 
   1435     // If not done, stay in this state
   1436     if (net_error == ERR_IO_PENDING) {
   1437       GotoState(STATE_HANDSHAKE);
   1438     } else {
   1439       LOG(ERROR) << "handshake failed; NSS error code " << prerr
   1440                  << ", net_error " << net_error;
   1441       net_log_.AddEvent(
   1442           NetLog::TYPE_SSL_HANDSHAKE_ERROR,
   1443           make_scoped_refptr(new SSLErrorParams(net_error, prerr)));
   1444     }
   1445   }
   1446 
   1447   LeaveFunction("");
   1448   return net_error;
   1449 }
   1450 
   1451 int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
   1452   if (ssl_config_.dns_cert_provenance_checking_enabled &&
   1453       dns_cert_checker_) {
   1454     PeerCertificateChain certs(nss_fd_);
   1455     dns_cert_checker_->DoAsyncVerification(
   1456         host_and_port_.host(), certs.AsStringPieceVector());
   1457   }
   1458 
   1459   if (ssl_config_.dnssec_enabled) {
   1460     DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(),
   1461                                              server_cert_nss_);
   1462     if (r == DNSVR_SUCCESS) {
   1463       local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
   1464       server_cert_verify_result_ = &local_server_cert_verify_result_;
   1465       GotoState(STATE_VERIFY_CERT_COMPLETE);
   1466       return OK;
   1467     }
   1468   }
   1469 
   1470   if (dnssec_provider_ == NULL) {
   1471     GotoState(STATE_VERIFY_CERT);
   1472     return OK;
   1473   }
   1474 
   1475   GotoState(STATE_VERIFY_DNSSEC_COMPLETE);
   1476   RRResponse* response;
   1477   dnssec_wait_start_time_ = base::Time::Now();
   1478   return dnssec_provider_->GetDNSSECRecords(&response, &handshake_io_callback_);
   1479 }
   1480 
   1481 int SSLClientSocketNSS::DoVerifyDNSSECComplete(int result) {
   1482   RRResponse* response;
   1483   int err = dnssec_provider_->GetDNSSECRecords(&response, NULL);
   1484   DCHECK_EQ(err, OK);
   1485 
   1486   const base::TimeDelta elapsed = base::Time::Now() - dnssec_wait_start_time_;
   1487   HISTOGRAM_TIMES("Net.DNSSECWaitTime", elapsed);
   1488 
   1489   GotoState(STATE_VERIFY_CERT);
   1490   if (!response || response->rrdatas.empty())
   1491     return OK;
   1492 
   1493   std::vector<base::StringPiece> records;
   1494   records.resize(response->rrdatas.size());
   1495   for (unsigned i = 0; i < response->rrdatas.size(); i++)
   1496     records[i] = base::StringPiece(response->rrdatas[i]);
   1497   DNSValidationResult r =
   1498       VerifyTXTRecords(response->dnssec, server_cert_nss_, records);
   1499 
   1500   if (!ssl_config_.dnssec_enabled) {
   1501     // If DNSSEC is not enabled we don't take any action based on the result,
   1502     // except to record the latency, above.
   1503     return OK;
   1504   }
   1505 
   1506   switch (r) {
   1507     case DNSVR_FAILURE:
   1508       GotoState(STATE_VERIFY_CERT_COMPLETE);
   1509       local_server_cert_verify_result_.cert_status |= CERT_STATUS_NOT_IN_DNS;
   1510       server_cert_verify_result_ = &local_server_cert_verify_result_;
   1511       return ERR_CERT_NOT_IN_DNS;
   1512     case DNSVR_CONTINUE:
   1513       GotoState(STATE_VERIFY_CERT);
   1514       break;
   1515     case DNSVR_SUCCESS:
   1516       local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
   1517       server_cert_verify_result_ = &local_server_cert_verify_result_;
   1518       GotoState(STATE_VERIFY_CERT_COMPLETE);
   1519       break;
   1520     default:
   1521       NOTREACHED();
   1522       GotoState(STATE_VERIFY_CERT);
   1523   }
   1524 
   1525   return OK;
   1526 }
   1527 
   1528 int SSLClientSocketNSS::DoVerifyCert(int result) {
   1529   DCHECK(server_cert_);
   1530 
   1531   GotoState(STATE_VERIFY_CERT_COMPLETE);
   1532   start_cert_verification_time_ = base::TimeTicks::Now();
   1533 
   1534   if (ssl_host_info_.get() && !ssl_host_info_->state().certs.empty() &&
   1535       predicted_cert_chain_correct_) {
   1536     // If the SSLHostInfo had a prediction for the certificate chain of this
   1537     // server then it will have optimistically started a verification of that
   1538     // chain. So, if the prediction was correct, we should wait for that
   1539     // verification to finish rather than start our own.
   1540     net_log_.AddEvent(NetLog::TYPE_SSL_VERIFICATION_MERGED, NULL);
   1541     UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 1 /* true */, 2);
   1542     base::TimeTicks end_time = ssl_host_info_->verification_end_time();
   1543     if (end_time.is_null())
   1544       end_time = base::TimeTicks::Now();
   1545     UMA_HISTOGRAM_TIMES("Net.SSLVerificationMergedMsSaved",
   1546                         end_time - ssl_host_info_->verification_start_time());
   1547     server_cert_verify_result_ = &ssl_host_info_->cert_verify_result();
   1548     return ssl_host_info_->WaitForCertVerification(&handshake_io_callback_);
   1549   } else {
   1550     UMA_HISTOGRAM_ENUMERATION("Net.SSLVerificationMerged", 0 /* false */, 2);
   1551   }
   1552 
   1553   int flags = 0;
   1554   if (ssl_config_.rev_checking_enabled)
   1555     flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
   1556   if (ssl_config_.verify_ev_cert)
   1557     flags |= X509Certificate::VERIFY_EV_CERT;
   1558   verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
   1559   server_cert_verify_result_ = &local_server_cert_verify_result_;
   1560   return verifier_->Verify(server_cert_, host_and_port_.host(), flags,
   1561                            &local_server_cert_verify_result_,
   1562                            &handshake_io_callback_);
   1563 }
   1564 
   1565 // Derived from AuthCertificateCallback() in
   1566 // mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
   1567 int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
   1568   verifier_.reset();
   1569 
   1570   if (!start_cert_verification_time_.is_null()) {
   1571     base::TimeDelta verify_time =
   1572         base::TimeTicks::Now() - start_cert_verification_time_;
   1573     if (result == OK)
   1574         UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTime", verify_time);
   1575     else
   1576         UMA_HISTOGRAM_TIMES("Net.SSLCertVerificationTimeError", verify_time);
   1577   }
   1578 
   1579   // We used to remember the intermediate CA certs in the NSS database
   1580   // persistently.  However, NSS opens a connection to the SQLite database
   1581   // during NSS initialization and doesn't close the connection until NSS
   1582   // shuts down.  If the file system where the database resides is gone,
   1583   // the database connection goes bad.  What's worse, the connection won't
   1584   // recover when the file system comes back.  Until this NSS or SQLite bug
   1585   // is fixed, we need to  avoid using the NSS database for non-essential
   1586   // purposes.  See https://bugzilla.mozilla.org/show_bug.cgi?id=508081 and
   1587   // http://crbug.com/15630 for more info.
   1588 
   1589   // If we have been explicitly told to accept this certificate, override the
   1590   // result of verifier_.Verify.
   1591   // Eventually, we should cache the cert verification results so that we don't
   1592   // need to call verifier_.Verify repeatedly.  But for now we need to do this.
   1593   // Alternatively, we could use the cert's status that we stored along with
   1594   // the cert in the allowed_bad_certs vector.
   1595   if (IsCertificateError(result) &&
   1596       ssl_config_.IsAllowedBadCert(server_cert_)) {
   1597     VLOG(1) << "accepting bad SSL certificate, as user told us to";
   1598     result = OK;
   1599   }
   1600 
   1601   if (result == OK)
   1602     LogConnectionTypeMetrics();
   1603 
   1604   completed_handshake_ = true;
   1605 
   1606   if (user_read_callback_) {
   1607     int rv = DoReadLoop(OK);
   1608     if (rv != ERR_IO_PENDING)
   1609       DoReadCallback(rv);
   1610   }
   1611 
   1612   // Exit DoHandshakeLoop and return the result to the caller to Connect.
   1613   DCHECK(next_handshake_state_ == STATE_NONE);
   1614   return result;
   1615 }
   1616 
   1617 int SSLClientSocketNSS::DoPayloadRead() {
   1618   EnterFunction(user_read_buf_len_);
   1619   DCHECK(user_read_buf_);
   1620   DCHECK_GT(user_read_buf_len_, 0);
   1621   int rv = PR_Read(nss_fd_, user_read_buf_->data(), user_read_buf_len_);
   1622   if (client_auth_cert_needed_) {
   1623     // We don't need to invalidate the non-client-authenticated SSL session
   1624     // because the server will renegotiate anyway.
   1625     LeaveFunction("");
   1626     rv = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
   1627     net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR,
   1628                       make_scoped_refptr(new SSLErrorParams(rv, 0)));
   1629     return rv;
   1630   }
   1631   if (rv >= 0) {
   1632     LogData(user_read_buf_->data(), rv);
   1633     LeaveFunction("");
   1634     return rv;
   1635   }
   1636   PRErrorCode prerr = PR_GetError();
   1637   if (prerr == PR_WOULD_BLOCK_ERROR) {
   1638     LeaveFunction("");
   1639     return ERR_IO_PENDING;
   1640   }
   1641   LeaveFunction("");
   1642   rv = HandleNSSError(prerr, false);
   1643   net_log_.AddEvent(NetLog::TYPE_SSL_READ_ERROR,
   1644                     make_scoped_refptr(new SSLErrorParams(rv, prerr)));
   1645   return rv;
   1646 }
   1647 
   1648 int SSLClientSocketNSS::DoPayloadWrite() {
   1649   EnterFunction(user_write_buf_len_);
   1650   DCHECK(user_write_buf_);
   1651   int rv = PR_Write(nss_fd_, user_write_buf_->data(), user_write_buf_len_);
   1652   if (rv >= 0) {
   1653     LogData(user_write_buf_->data(), rv);
   1654     LeaveFunction("");
   1655     return rv;
   1656   }
   1657   PRErrorCode prerr = PR_GetError();
   1658   if (prerr == PR_WOULD_BLOCK_ERROR) {
   1659     LeaveFunction("");
   1660     return ERR_IO_PENDING;
   1661   }
   1662   LeaveFunction("");
   1663   rv = HandleNSSError(prerr, false);
   1664   net_log_.AddEvent(NetLog::TYPE_SSL_WRITE_ERROR,
   1665                     make_scoped_refptr(new SSLErrorParams(rv, prerr)));
   1666   return rv;
   1667 }
   1668 
   1669 void SSLClientSocketNSS::LogConnectionTypeMetrics() const {
   1670   UpdateConnectionTypeHistograms(CONNECTION_SSL);
   1671   if (server_cert_verify_result_->has_md5)
   1672     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5);
   1673   if (server_cert_verify_result_->has_md2)
   1674     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2);
   1675   if (server_cert_verify_result_->has_md4)
   1676     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD4);
   1677   if (server_cert_verify_result_->has_md5_ca)
   1678     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD5_CA);
   1679   if (server_cert_verify_result_->has_md2_ca)
   1680     UpdateConnectionTypeHistograms(CONNECTION_SSL_MD2_CA);
   1681   int ssl_version = SSLConnectionStatusToVersion(ssl_connection_status_);
   1682   switch (ssl_version) {
   1683     case SSL_CONNECTION_VERSION_SSL2:
   1684       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL2);
   1685       break;
   1686     case SSL_CONNECTION_VERSION_SSL3:
   1687       UpdateConnectionTypeHistograms(CONNECTION_SSL_SSL3);
   1688       break;
   1689     case SSL_CONNECTION_VERSION_TLS1:
   1690       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1);
   1691       break;
   1692     case SSL_CONNECTION_VERSION_TLS1_1:
   1693       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_1);
   1694       break;
   1695     case SSL_CONNECTION_VERSION_TLS1_2:
   1696       UpdateConnectionTypeHistograms(CONNECTION_SSL_TLS1_2);
   1697       break;
   1698   };
   1699 }
   1700 
   1701 // SaveSSLHostInfo saves the certificate chain of the connection so that we can
   1702 // start verification faster in the future.
   1703 void SSLClientSocketNSS::SaveSSLHostInfo() {
   1704   if (!ssl_host_info_.get())
   1705     return;
   1706 
   1707   // If the SSLHostInfo hasn't managed to load from disk yet then we can't save
   1708   // anything.
   1709   if (ssl_host_info_->WaitForDataReady(NULL) != OK)
   1710     return;
   1711 
   1712   SSLHostInfo::State* state = ssl_host_info_->mutable_state();
   1713 
   1714   state->certs.clear();
   1715   PeerCertificateChain certs(nss_fd_);
   1716   for (unsigned i = 0; i < certs.size(); i++) {
   1717     if (certs[i]->derCert.len > std::numeric_limits<uint16>::max())
   1718       return;
   1719 
   1720     state->certs.push_back(std::string(
   1721           reinterpret_cast<char*>(certs[i]->derCert.data),
   1722           certs[i]->derCert.len));
   1723   }
   1724 
   1725   ssl_host_info_->Persist();
   1726 }
   1727 
   1728 void SSLClientSocketNSS::UncorkAfterTimeout() {
   1729   corked_ = false;
   1730   int nsent;
   1731   do {
   1732     nsent = BufferSend();
   1733   } while (nsent > 0);
   1734 }
   1735 
   1736 // Do network I/O between the given buffer and the given socket.
   1737 // Return true if some I/O performed, false otherwise (error or ERR_IO_PENDING)
   1738 bool SSLClientSocketNSS::DoTransportIO() {
   1739   EnterFunction("");
   1740   bool network_moved = false;
   1741   if (nss_bufs_ != NULL) {
   1742     int nsent = BufferSend();
   1743     int nreceived = BufferRecv();
   1744     network_moved = (nsent > 0 || nreceived >= 0);
   1745   }
   1746   LeaveFunction(network_moved);
   1747   return network_moved;
   1748 }
   1749 
   1750 // Return 0 for EOF,
   1751 // > 0 for bytes transferred immediately,
   1752 // < 0 for error (or the non-error ERR_IO_PENDING).
   1753 int SSLClientSocketNSS::BufferSend(void) {
   1754   if (transport_send_busy_)
   1755     return ERR_IO_PENDING;
   1756 
   1757   EnterFunction("");
   1758   const char* buf1;
   1759   const char* buf2;
   1760   unsigned int len1, len2;
   1761   memio_GetWriteParams(nss_bufs_, &buf1, &len1, &buf2, &len2);
   1762   const unsigned int len = len1 + len2;
   1763 
   1764   if (corked_ && len < kRecvBufferSize / 2)
   1765     return 0;
   1766 
   1767   int rv = 0;
   1768   if (len) {
   1769     scoped_refptr<IOBuffer> send_buffer(new IOBuffer(len));
   1770     memcpy(send_buffer->data(), buf1, len1);
   1771     memcpy(send_buffer->data() + len1, buf2, len2);
   1772     rv = transport_->socket()->Write(send_buffer, len,
   1773                                      &buffer_send_callback_);
   1774     if (rv == ERR_IO_PENDING) {
   1775       transport_send_busy_ = true;
   1776     } else {
   1777       memio_PutWriteResult(nss_bufs_, MapErrorToNSS(rv));
   1778     }
   1779   }
   1780 
   1781   LeaveFunction(rv);
   1782   return rv;
   1783 }
   1784 
   1785 void SSLClientSocketNSS::BufferSendComplete(int result) {
   1786   EnterFunction(result);
   1787 
   1788   // In the case of TCP FastOpen, connect is now finished.
   1789   if (!peername_initialized_ && UsingTCPFastOpen())
   1790     InitializeSSLPeerName();
   1791 
   1792   memio_PutWriteResult(nss_bufs_, MapErrorToNSS(result));
   1793   transport_send_busy_ = false;
   1794   OnSendComplete(result);
   1795   LeaveFunction("");
   1796 }
   1797 
   1798 int SSLClientSocketNSS::BufferRecv(void) {
   1799   if (transport_recv_busy_) return ERR_IO_PENDING;
   1800 
   1801   char *buf;
   1802   int nb = memio_GetReadParams(nss_bufs_, &buf);
   1803   EnterFunction(nb);
   1804   int rv;
   1805   if (!nb) {
   1806     // buffer too full to read into, so no I/O possible at moment
   1807     rv = ERR_IO_PENDING;
   1808   } else {
   1809     recv_buffer_ = new IOBuffer(nb);
   1810     rv = transport_->socket()->Read(recv_buffer_, nb, &buffer_recv_callback_);
   1811     if (rv == ERR_IO_PENDING) {
   1812       transport_recv_busy_ = true;
   1813     } else {
   1814       if (rv > 0)
   1815         memcpy(buf, recv_buffer_->data(), rv);
   1816       memio_PutReadResult(nss_bufs_, MapErrorToNSS(rv));
   1817       recv_buffer_ = NULL;
   1818     }
   1819   }
   1820   LeaveFunction(rv);
   1821   return rv;
   1822 }
   1823 
   1824 void SSLClientSocketNSS::BufferRecvComplete(int result) {
   1825   EnterFunction(result);
   1826   if (result > 0) {
   1827     char *buf;
   1828     memio_GetReadParams(nss_bufs_, &buf);
   1829     memcpy(buf, recv_buffer_->data(), result);
   1830   }
   1831   recv_buffer_ = NULL;
   1832   memio_PutReadResult(nss_bufs_, MapErrorToNSS(result));
   1833   transport_recv_busy_ = false;
   1834   OnRecvComplete(result);
   1835   LeaveFunction("");
   1836 }
   1837 
   1838 int SSLClientSocketNSS::HandleNSSError(PRErrorCode nss_error,
   1839                                        bool handshake_error) {
   1840   int net_error = handshake_error ? MapNSSHandshakeError(nss_error) :
   1841                                     MapNSSError(nss_error);
   1842 
   1843 #if defined(OS_WIN)
   1844   // On Windows, a handle to the HCRYPTPROV is cached in the X509Certificate
   1845   // os_cert_handle() as an optimization. However, if the certificate
   1846   // private key is stored on a smart card, and the smart card is removed,
   1847   // the cached HCRYPTPROV will not be able to obtain the HCRYPTKEY again,
   1848   // preventing client certificate authentication. Because the
   1849   // X509Certificate may outlive the individual SSLClientSocketNSS, due to
   1850   // caching in X509Certificate, this failure ends up preventing client
   1851   // certificate authentication with the same certificate for all future
   1852   // attempts, even after the smart card has been re-inserted. By setting
   1853   // the CERT_KEY_PROV_HANDLE_PROP_ID to NULL, the cached HCRYPTPROV will
   1854   // typically be freed. This allows a new HCRYPTPROV to be obtained from
   1855   // the certificate on the next attempt, which should succeed if the smart
   1856   // card has been re-inserted, or will typically prompt the user to
   1857   // re-insert the smart card if not.
   1858   if ((net_error == ERR_SSL_CLIENT_AUTH_CERT_NO_PRIVATE_KEY ||
   1859        net_error == ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED) &&
   1860       ssl_config_.send_client_cert && ssl_config_.client_cert) {
   1861     CertSetCertificateContextProperty(
   1862         ssl_config_.client_cert->os_cert_handle(),
   1863         CERT_KEY_PROV_HANDLE_PROP_ID, 0, NULL);
   1864   }
   1865 #endif
   1866 
   1867   return net_error;
   1868 }
   1869 
   1870 // static
   1871 // NSS calls this if an incoming certificate needs to be verified.
   1872 // Do nothing but return SECSuccess.
   1873 // This is called only in full handshake mode.
   1874 // Peer certificate is retrieved in HandshakeCallback() later, which is called
   1875 // in full handshake mode or in resumption handshake mode.
   1876 SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
   1877                                                  PRFileDesc* socket,
   1878                                                  PRBool checksig,
   1879                                                  PRBool is_server) {
   1880 #ifdef SSL_ENABLE_FALSE_START
   1881   // In the event that we are False Starting this connection, we wish to send
   1882   // out the Finished message and first application data record in the same
   1883   // packet. This prevents non-determinism when talking to False Start
   1884   // intolerant servers which, otherwise, might see the two messages in
   1885   // different reads or not, depending on network conditions.
   1886   PRBool false_start = 0;
   1887   SECStatus rv = SSL_OptionGet(socket, SSL_ENABLE_FALSE_START, &false_start);
   1888   DCHECK_EQ(SECSuccess, rv);
   1889 
   1890   if (false_start) {
   1891     SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
   1892 
   1893     // ESET anti-virus is capable of intercepting HTTPS connections on Windows.
   1894     // However, it is False Start intolerant and causes the connections to hang
   1895     // forever. We detect ESET by the issuer of the leaf certificate and set a
   1896     // flag to return a specific error, giving the user instructions for
   1897     // reconfiguring ESET.
   1898     CERTCertificate* cert = SSL_PeerCertificate(that->nss_fd_);
   1899     if (cert) {
   1900       char* common_name = CERT_GetCommonName(&cert->issuer);
   1901       if (common_name) {
   1902         if (strcmp(common_name, "ESET_RootSslCert") == 0)
   1903           that->eset_mitm_detected_ = true;
   1904         if (strcmp(common_name,
   1905                    "ContentWatch Root Certificate Authority") == 0) {
   1906           // This is NetNanny. NetNanny are updating their product so we
   1907           // silently disable False Start for now.
   1908           rv = SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
   1909           DCHECK_EQ(SECSuccess, rv);
   1910           false_start = 0;
   1911         }
   1912         PORT_Free(common_name);
   1913       }
   1914       CERT_DestroyCertificate(cert);
   1915     }
   1916 
   1917     if (false_start && !that->handshake_callback_called_) {
   1918       that->corked_ = true;
   1919       that->uncork_timer_.Start(
   1920           base::TimeDelta::FromMilliseconds(kCorkTimeoutMs),
   1921           that, &SSLClientSocketNSS::UncorkAfterTimeout);
   1922     }
   1923   }
   1924 #endif
   1925 
   1926   // Tell NSS to not verify the certificate.
   1927   return SECSuccess;
   1928 }
   1929 
   1930 #if defined(NSS_PLATFORM_CLIENT_AUTH)
   1931 // static
   1932 // NSS calls this if a client certificate is needed.
   1933 SECStatus SSLClientSocketNSS::PlatformClientAuthHandler(
   1934     void* arg,
   1935     PRFileDesc* socket,
   1936     CERTDistNames* ca_names,
   1937     CERTCertList** result_certs,
   1938     void** result_private_key) {
   1939   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
   1940 
   1941   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
   1942 #if defined(OS_WIN)
   1943   if (that->ssl_config_.send_client_cert) {
   1944     if (that->ssl_config_.client_cert) {
   1945       PCCERT_CONTEXT cert_context =
   1946           that->ssl_config_.client_cert->os_cert_handle();
   1947       PCERT_KEY_CONTEXT key_context = reinterpret_cast<PCERT_KEY_CONTEXT>(
   1948           PORT_ZAlloc(sizeof(CERT_KEY_CONTEXT)));
   1949       if (!key_context)
   1950         return SECFailure;
   1951       key_context->cbSize = sizeof(*key_context);
   1952 
   1953       BOOL must_free = FALSE;
   1954       BOOL acquired_key = CryptAcquireCertificatePrivateKey(
   1955           cert_context, CRYPT_ACQUIRE_CACHE_FLAG, NULL,
   1956           &key_context->hCryptProv, &key_context->dwKeySpec, &must_free);
   1957       if (acquired_key && key_context->hCryptProv) {
   1958         DCHECK_NE(key_context->dwKeySpec, CERT_NCRYPT_KEY_SPEC);
   1959 
   1960         // The certificate cache may have been updated/used, in which case,
   1961         // duplicate the existing handle, since NSS will free it when no
   1962         // longer in use.
   1963         if (!must_free)
   1964           CryptContextAddRef(key_context->hCryptProv, NULL, 0);
   1965 
   1966         SECItem der_cert;
   1967         der_cert.type = siDERCertBuffer;
   1968         der_cert.data = cert_context->pbCertEncoded;
   1969         der_cert.len  = cert_context->cbCertEncoded;
   1970 
   1971         // TODO(rsleevi): Error checking for NSS allocation errors.
   1972         *result_certs = CERT_NewCertList();
   1973         CERTCertDBHandle* db_handle = CERT_GetDefaultCertDB();
   1974         CERTCertificate* user_cert = CERT_NewTempCertificate(
   1975             db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
   1976         CERT_AddCertToListTail(*result_certs, user_cert);
   1977 
   1978         // Add the intermediates.
   1979         X509Certificate::OSCertHandles intermediates =
   1980             that->ssl_config_.client_cert->GetIntermediateCertificates();
   1981         for (X509Certificate::OSCertHandles::const_iterator it =
   1982             intermediates.begin(); it != intermediates.end(); ++it) {
   1983           der_cert.data = (*it)->pbCertEncoded;
   1984           der_cert.len = (*it)->cbCertEncoded;
   1985 
   1986           CERTCertificate* intermediate = CERT_NewTempCertificate(
   1987               db_handle, &der_cert, NULL, PR_FALSE, PR_TRUE);
   1988           CERT_AddCertToListTail(*result_certs, intermediate);
   1989         }
   1990         *result_private_key = key_context;
   1991         return SECSuccess;
   1992       }
   1993       PORT_Free(key_context);
   1994       LOG(WARNING) << "Client cert found without private key";
   1995     }
   1996     // Send no client certificate.
   1997     return SECFailure;
   1998   }
   1999 
   2000   that->client_certs_.clear();
   2001 
   2002   std::vector<CERT_NAME_BLOB> issuer_list(ca_names->nnames);
   2003   for (int i = 0; i < ca_names->nnames; ++i) {
   2004     issuer_list[i].cbData = ca_names->names[i].len;
   2005     issuer_list[i].pbData = ca_names->names[i].data;
   2006   }
   2007 
   2008   // Client certificates of the user are in the "MY" system certificate store.
   2009   HCERTSTORE my_cert_store = CertOpenSystemStore(NULL, L"MY");
   2010   if (!my_cert_store) {
   2011     LOG(ERROR) << "Could not open the \"MY\" system certificate store: "
   2012                << GetLastError();
   2013     return SECFailure;
   2014   }
   2015 
   2016   // Enumerate the client certificates.
   2017   CERT_CHAIN_FIND_BY_ISSUER_PARA find_by_issuer_para;
   2018   memset(&find_by_issuer_para, 0, sizeof(find_by_issuer_para));
   2019   find_by_issuer_para.cbSize = sizeof(find_by_issuer_para);
   2020   find_by_issuer_para.pszUsageIdentifier = szOID_PKIX_KP_CLIENT_AUTH;
   2021   find_by_issuer_para.cIssuer = ca_names->nnames;
   2022   find_by_issuer_para.rgIssuer = ca_names->nnames ? &issuer_list[0] : NULL;
   2023   find_by_issuer_para.pfnFindCallback = ClientCertFindCallback;
   2024 
   2025   PCCERT_CHAIN_CONTEXT chain_context = NULL;
   2026 
   2027   for (;;) {
   2028     // Find a certificate chain.
   2029     chain_context = CertFindChainInStore(my_cert_store,
   2030                                          X509_ASN_ENCODING,
   2031                                          0,
   2032                                          CERT_CHAIN_FIND_BY_ISSUER,
   2033                                          &find_by_issuer_para,
   2034                                          chain_context);
   2035     if (!chain_context) {
   2036       DWORD err = GetLastError();
   2037       if (err != CRYPT_E_NOT_FOUND)
   2038         DLOG(ERROR) << "CertFindChainInStore failed: " << err;
   2039       break;
   2040     }
   2041 
   2042     // Get the leaf certificate.
   2043     PCCERT_CONTEXT cert_context =
   2044         chain_context->rgpChain[0]->rgpElement[0]->pCertContext;
   2045     // Copy it to our own certificate store, so that we can close the "MY"
   2046     // certificate store before returning from this function.
   2047     PCCERT_CONTEXT cert_context2;
   2048     BOOL ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
   2049                                                cert_context,
   2050                                                CERT_STORE_ADD_USE_EXISTING,
   2051                                                &cert_context2);
   2052     if (!ok) {
   2053       NOTREACHED();
   2054       continue;
   2055     }
   2056 
   2057     // Copy the rest of the chain to our own store as well. Copying the chain
   2058     // stops gracefully if an error is encountered, with the partial chain
   2059     // being used as the intermediates, rather than failing to consider the
   2060     // client certificate.
   2061     net::X509Certificate::OSCertHandles intermediates;
   2062     for (DWORD i = 1; i < chain_context->rgpChain[0]->cElement; i++) {
   2063       PCCERT_CONTEXT intermediate_copy;
   2064       ok = CertAddCertificateContextToStore(X509Certificate::cert_store(),
   2065           chain_context->rgpChain[0]->rgpElement[i]->pCertContext,
   2066           CERT_STORE_ADD_USE_EXISTING, &intermediate_copy);
   2067       if (!ok) {
   2068         NOTREACHED();
   2069         break;
   2070       }
   2071       intermediates.push_back(intermediate_copy);
   2072     }
   2073 
   2074     scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
   2075         cert_context2, X509Certificate::SOURCE_LONE_CERT_IMPORT,
   2076         intermediates);
   2077     that->client_certs_.push_back(cert);
   2078 
   2079     X509Certificate::FreeOSCertHandle(cert_context2);
   2080     for (net::X509Certificate::OSCertHandles::iterator it =
   2081         intermediates.begin(); it != intermediates.end(); ++it) {
   2082       net::X509Certificate::FreeOSCertHandle(*it);
   2083     }
   2084   }
   2085 
   2086   BOOL ok = CertCloseStore(my_cert_store, CERT_CLOSE_STORE_CHECK_FLAG);
   2087   DCHECK(ok);
   2088 
   2089   // Tell NSS to suspend the client authentication.  We will then abort the
   2090   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   2091   return SECWouldBlock;
   2092 #elif defined(OS_MACOSX)
   2093   if (that->ssl_config_.send_client_cert) {
   2094     if (that->ssl_config_.client_cert) {
   2095       OSStatus os_error = noErr;
   2096       SecIdentityRef identity = NULL;
   2097       SecKeyRef private_key = NULL;
   2098       CFArrayRef chain =
   2099           that->ssl_config_.client_cert->CreateClientCertificateChain();
   2100       if (chain) {
   2101         identity = reinterpret_cast<SecIdentityRef>(
   2102             const_cast<void*>(CFArrayGetValueAtIndex(chain, 0)));
   2103       }
   2104       if (identity)
   2105         os_error = SecIdentityCopyPrivateKey(identity, &private_key);
   2106 
   2107       if (chain && identity && os_error == noErr) {
   2108         // TODO(rsleevi): Error checking for NSS allocation errors.
   2109         *result_certs = CERT_NewCertList();
   2110         *result_private_key = private_key;
   2111 
   2112         for (CFIndex i = 0; i < CFArrayGetCount(chain); ++i) {
   2113           CSSM_DATA cert_data;
   2114           SecCertificateRef cert_ref;
   2115           if (i == 0) {
   2116             cert_ref = that->ssl_config_.client_cert->os_cert_handle();
   2117           } else {
   2118             cert_ref = reinterpret_cast<SecCertificateRef>(
   2119                 const_cast<void*>(CFArrayGetValueAtIndex(chain, i)));
   2120           }
   2121           os_error = SecCertificateGetData(cert_ref, &cert_data);
   2122           if (os_error != noErr)
   2123             break;
   2124 
   2125           SECItem der_cert;
   2126           der_cert.type = siDERCertBuffer;
   2127           der_cert.data = cert_data.Data;
   2128           der_cert.len = cert_data.Length;
   2129           CERTCertificate* nss_cert = CERT_NewTempCertificate(
   2130               CERT_GetDefaultCertDB(), &der_cert, NULL, PR_FALSE, PR_TRUE);
   2131           CERT_AddCertToListTail(*result_certs, nss_cert);
   2132         }
   2133       }
   2134       if (os_error == noErr) {
   2135         CFRelease(chain);
   2136         return SECSuccess;
   2137       }
   2138       LOG(WARNING) << "Client cert found, but could not be used: "
   2139                    << os_error;
   2140       if (*result_certs) {
   2141         CERT_DestroyCertList(*result_certs);
   2142         *result_certs = NULL;
   2143       }
   2144       if (*result_private_key)
   2145         *result_private_key = NULL;
   2146       if (private_key)
   2147         CFRelease(private_key);
   2148       if (chain)
   2149         CFRelease(chain);
   2150     }
   2151     // Send no client certificate.
   2152     return SECFailure;
   2153   }
   2154 
   2155   that->client_certs_.clear();
   2156 
   2157   // First, get the cert issuer names allowed by the server.
   2158   std::vector<CertPrincipal> valid_issuers;
   2159   int n = ca_names->nnames;
   2160   for (int i = 0; i < n; i++) {
   2161     // Parse each name into a CertPrincipal object.
   2162     CertPrincipal p;
   2163     if (p.ParseDistinguishedName(ca_names->names[i].data,
   2164                                  ca_names->names[i].len)) {
   2165       valid_issuers.push_back(p);
   2166     }
   2167   }
   2168 
   2169   // Now get the available client certs whose issuers are allowed by the server.
   2170   X509Certificate::GetSSLClientCertificates(that->host_and_port_.host(),
   2171                                             valid_issuers,
   2172                                             &that->client_certs_);
   2173 
   2174   // Tell NSS to suspend the client authentication.  We will then abort the
   2175   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   2176   return SECWouldBlock;
   2177 #else
   2178   return SECFailure;
   2179 #endif
   2180 }
   2181 
   2182 #else  // NSS_PLATFORM_CLIENT_AUTH
   2183 
   2184 // static
   2185 // NSS calls this if a client certificate is needed.
   2186 // Based on Mozilla's NSS_GetClientAuthData.
   2187 SECStatus SSLClientSocketNSS::ClientAuthHandler(
   2188     void* arg,
   2189     PRFileDesc* socket,
   2190     CERTDistNames* ca_names,
   2191     CERTCertificate** result_certificate,
   2192     SECKEYPrivateKey** result_private_key) {
   2193   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
   2194 
   2195   that->client_auth_cert_needed_ = !that->ssl_config_.send_client_cert;
   2196   void* wincx  = SSL_RevealPinArg(socket);
   2197 
   2198   // Second pass: a client certificate should have been selected.
   2199   if (that->ssl_config_.send_client_cert) {
   2200     if (that->ssl_config_.client_cert) {
   2201       CERTCertificate* cert = CERT_DupCertificate(
   2202           that->ssl_config_.client_cert->os_cert_handle());
   2203       SECKEYPrivateKey* privkey = PK11_FindKeyByAnyCert(cert, wincx);
   2204       if (privkey) {
   2205         // TODO(jsorianopastor): We should wait for server certificate
   2206         // verification before sending our credentials.  See
   2207         // http://crbug.com/13934.
   2208         *result_certificate = cert;
   2209         *result_private_key = privkey;
   2210         return SECSuccess;
   2211       }
   2212       LOG(WARNING) << "Client cert found without private key";
   2213     }
   2214     // Send no client certificate.
   2215     return SECFailure;
   2216   }
   2217 
   2218   // Iterate over all client certificates.
   2219   CERTCertList* client_certs = CERT_FindUserCertsByUsage(
   2220       CERT_GetDefaultCertDB(), certUsageSSLClient,
   2221       PR_FALSE, PR_FALSE, wincx);
   2222   if (client_certs) {
   2223     for (CERTCertListNode* node = CERT_LIST_HEAD(client_certs);
   2224          !CERT_LIST_END(node, client_certs);
   2225          node = CERT_LIST_NEXT(node)) {
   2226       // Only offer unexpired certificates.
   2227       if (CERT_CheckCertValidTimes(node->cert, PR_Now(), PR_TRUE) !=
   2228           secCertTimeValid)
   2229         continue;
   2230       // Filter by issuer.
   2231       //
   2232       // TODO(davidben): This does a binary comparison of the DER-encoded
   2233       // issuers. We should match according to RFC 5280 sec. 7.1. We should find
   2234       // an appropriate NSS function or add one if needbe.
   2235       if (ca_names->nnames &&
   2236           NSS_CmpCertChainWCANames(node->cert, ca_names) != SECSuccess)
   2237         continue;
   2238       X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
   2239           node->cert, X509Certificate::SOURCE_LONE_CERT_IMPORT,
   2240           net::X509Certificate::OSCertHandles());
   2241       that->client_certs_.push_back(x509_cert);
   2242     }
   2243     CERT_DestroyCertList(client_certs);
   2244   }
   2245 
   2246   // Tell NSS to suspend the client authentication.  We will then abort the
   2247   // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
   2248   return SECWouldBlock;
   2249 }
   2250 #endif  // NSS_PLATFORM_CLIENT_AUTH
   2251 
   2252 // static
   2253 // NSS calls this when handshake is completed.
   2254 // After the SSL handshake is finished, use CertVerifier to verify
   2255 // the saved server certificate.
   2256 void SSLClientSocketNSS::HandshakeCallback(PRFileDesc* socket,
   2257                                            void* arg) {
   2258   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
   2259 
   2260   that->handshake_callback_called_ = true;
   2261 
   2262   that->UpdateServerCert();
   2263   that->UpdateConnectionStatus();
   2264 }
   2265 
   2266 void SSLClientSocketNSS::EnsureThreadIdAssigned() const {
   2267   base::AutoLock auto_lock(lock_);
   2268   if (valid_thread_id_ != base::kInvalidThreadId)
   2269     return;
   2270   valid_thread_id_ = base::PlatformThread::CurrentId();
   2271 }
   2272 
   2273 bool SSLClientSocketNSS::CalledOnValidThread() const {
   2274   EnsureThreadIdAssigned();
   2275   base::AutoLock auto_lock(lock_);
   2276   return valid_thread_id_ == base::PlatformThread::CurrentId();
   2277 }
   2278 
   2279 }  // namespace net
   2280