authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-11 02:02:22 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-06-11 02:02:22 +0000
commite0da37dfb035ba050fbc0d7f83a205bab9493e22 (patch)
tree68ee9de464d0b6d779fb615d80c058030d7e474a
parentf658af8bb836debbac7ca687634792d9dc6b9f87 (diff)
Use NSS for SSL by default on Mac OS X.
To use Mac OS X Secure Transport in Chromium, specify the --use-system-ssl command-line switch, which also replaces the --use-schannel command-line switch on Windows. All other programs are hardcoded to use NSS for SSL. If SSL client authentication is requested, fall back on Mac OS X Secure Transport for now. R=mark,mbelshe BUG=30689 TEST=none Review URL: http://codereview.chromium.org/2747002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49489 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/browser_main.cc27
-rw-r--r--chrome/common/chrome_switches.cc11
-rw-r--r--chrome/common/chrome_switches.h5
-rw-r--r--net/net.gyp18
-rw-r--r--net/socket/client_socket_factory.cc9
-rw-r--r--net/socket/ssl_client_socket_mac_factory.cc18
-rw-r--r--net/socket/ssl_client_socket_mac_factory.h20
-rw-r--r--net/socket/ssl_client_socket_nss.cc34
-rw-r--r--webkit/tools/test_shell/simple_resource_loader_bridge.cc4
9 files changed, 114 insertions, 32 deletions
diff --git a/chrome/browser/browser_main.cc b/chrome/browser/browser_main.cc
index 6675bba..fc85d36 100644
--- a/chrome/browser/browser_main.cc
+++ b/chrome/browser/browser_main.cc
@@ -136,6 +136,7 @@
#include "net/base/net_util.h"
#include "net/base/sdch_manager.h"
#include "net/base/winsock_init.h"
+#include "net/socket/ssl_client_socket_nss_factory.h"
#include "printing/printed_document.h"
#include "sandbox/src/sandbox.h"
#endif // defined(OS_WIN)
@@ -143,11 +144,11 @@
#if defined(OS_MACOSX)
#include <Security/Security.h>
#include "chrome/browser/cocoa/install_from_dmg.h"
+#include "net/socket/ssl_client_socket_mac_factory.h"
#endif
#if defined(OS_MACOSX) || defined(OS_WIN)
#include "base/nss_util.h"
-#include "net/socket/ssl_client_socket_nss_factory.h"
#endif
#if defined(TOOLKIT_VIEWS)
@@ -800,15 +801,21 @@ int BrowserMain(const MainFunctionParams& parameters) {
}
}
-#if defined(OS_MACOSX) || defined(OS_WIN)
-#if defined(OS_WIN)
- bool use_nss_for_ssl = !parsed_command_line.HasSwitch(switches::kUseSChannel);
-#else
- bool use_nss_for_ssl = parsed_command_line.HasSwitch(switches::kUseNSSForSSL);
-#endif
- if (use_nss_for_ssl ||
- parsed_command_line.HasSwitch(switches::kUseSpdy) ||
- is_spdy_trial) {
+ // Use NSS for SSL by default.
+#if defined(OS_MACOSX)
+ // The default client socket factory uses NSS for SSL by default on Mac.
+ if (parsed_command_line.HasSwitch(switches::kUseSystemSSL)) {
+ net::ClientSocketFactory::SetSSLClientSocketFactory(
+ net::SSLClientSocketMacFactory);
+ } else {
+ // We want to be sure to init NSPR on the main thread.
+ base::EnsureNSPRInit();
+ }
+#elif defined(OS_WIN)
+ // Because of a build system issue (http://crbug.com/43461), the default
+ // client socket factory uses SChannel (the system SSL library) for SSL by
+ // default on Windows.
+ if (!parsed_command_line.HasSwitch(switches::kUseSystemSSL)) {
net::ClientSocketFactory::SetSSLClientSocketFactory(
net::SSLClientSocketNSSFactory);
// We want to be sure to init NSPR on the main thread.
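Review bot: On Windows the rewritten condition drops the `parsed_command_line.HasSwitch(switches::kUseSpdy) || is_spdy_trial` terms that the removed block OR'ed into the NSS selection, so `--use-system-ssl` combined with `--use-spdy` (or the SPDY trial) now keeps SChannel, whereas before SPDY forced NSS. If the SPDY path still depends on NSS-only handshake support, that combination should either keep forcing NSS, e.g. `if (!parsed_command_line.HasSwitch(switches::kUseSystemSSL) || parsed_command_line.HasSwitch(switches::kUseSpdy) || is_spdy_trial) {`, or be rejected explicitly; if it no longer matters, a one-line comment saying so would stop the next reader from wondering. The two comments opening the Mac branch (`// Use NSS for SSL by default.` and `// The default client socket factory uses NSS for SSL by default on Mac.`) say the same thing, and one of them suffices. BrowserMain begins before this hunk and continues after it.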
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index a4a2ca4..557c1c1 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -913,9 +913,10 @@ const char kStartupManifest[] = "startup-manifest";
const char kVertScrollDelta[] = "vert-scroll-delta";
#endif
-#if defined(OS_WIN)
-// Use SChannel (the system SSL library on Windows) instead of NSS for SSL.
-const char kUseSChannel[] = "use-schannel";
+#if defined(OS_MACOSX) || defined(OS_WIN)
+// Use the system SSL library (Secure Transport on Mac, SChannel on Windows)
+// instead of NSS for SSL.
+const char kUseSystemSSL[] = "use-system-ssl";
#endif
#if defined(OS_POSIX)
@@ -940,10 +941,6 @@ const char kEnableSandboxLogging[] = "enable-sandbox-logging";
// Temporary flag to prevent Flash from negotiating the Core Animation drawing
// model. This will be removed once the last issues have been resolved.
const char kDisableFlashCoreAnimation[] = "disable-flash-core-animation";
-
-// Use NSS instead of the system SSL library for SSL.
-// This is a temporary testing flag.
-const char kUseNSSForSSL[] = "use-nss-for-ssl";
#else
// Enable Kiosk mode.
const char kKioskMode[] = "kiosk";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index c0e3d3e..fb4b5d1 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -264,8 +264,8 @@ extern const char kStartupManifest[];
extern const char kVertScrollDelta[];
#endif
-#if defined(OS_WIN)
-extern const char kUseSChannel[];
+#if defined(OS_MACOSX) || defined(OS_WIN)
+extern const char kUseSystemSSL[];
#endif
#if defined(OS_POSIX)
@@ -276,7 +276,6 @@ extern const char kNoProcessSingletonDialog[];
#if defined(OS_MACOSX)
extern const char kDisableFlashCoreAnimation[];
extern const char kEnableSandboxLogging[];
-extern const char kUseNSSForSSL[];
#else
extern const char kKioskMode[];
#endif
diff --git a/net/net.gyp b/net/net.gyp
index eb6686a..3dc5b4a 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -446,10 +446,12 @@
'socket/ssl_client_socket.h',
'socket/ssl_client_socket_mac.cc',
'socket/ssl_client_socket_mac.h',
- 'socket/ssl_client_socket_nss_factory.cc',
- 'socket/ssl_client_socket_nss_factory.h',
+ 'socket/ssl_client_socket_mac_factory.cc',
+ 'socket/ssl_client_socket_mac_factory.h',
'socket/ssl_client_socket_nss.cc',
'socket/ssl_client_socket_nss.h',
+ 'socket/ssl_client_socket_nss_factory.cc',
+ 'socket/ssl_client_socket_nss_factory.h',
'socket/ssl_client_socket_win.cc',
'socket/ssl_client_socket_win.h',
'socket/tcp_client_socket.h',
@@ -552,10 +554,6 @@
],
}],
[ 'OS == "linux" or OS == "freebsd" or OS == "openbsd"', {
- 'sources!': [
- 'socket/ssl_client_socket_nss_factory.cc',
- 'socket/ssl_client_socket_nss_factory.h',
- ],
'dependencies': [
'../build/linux/system.gyp:gconf',
'../build/linux/system.gyp:gdk',
@@ -588,6 +586,8 @@
{ # else: OS != "win"
'sources!': [
'proxy/proxy_resolver_winhttp.cc',
+ 'socket/ssl_client_socket_nss_factory.cc',
+ 'socket/ssl_client_socket_nss_factory.h',
],
},
],
@@ -603,6 +603,12 @@
]
},
},
+ { # else: OS != "mac"
+ 'sources!': [
+ 'socket/ssl_client_socket_mac_factory.cc',
+ 'socket/ssl_client_socket_mac_factory.h',
+ ],
+ },
],
],
},
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc
index 24d9e39..db819db 100644
--- a/net/socket/client_socket_factory.cc
+++ b/net/socket/client_socket_factory.cc
@@ -12,6 +12,7 @@
#include "net/socket/ssl_client_socket_nss.h"
#elif defined(OS_MACOSX)
#include "net/socket/ssl_client_socket_mac.h"
+#include "net/socket/ssl_client_socket_nss.h"
#endif
#include "net/socket/tcp_client_socket.h"
@@ -28,7 +29,13 @@ SSLClientSocket* DefaultSSLClientSocketFactory(
#elif defined(USE_NSS)
return new SSLClientSocketNSS(transport_socket, hostname, ssl_config);
#elif defined(OS_MACOSX)
- return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+ // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
+ // Mac OS X CDSA/CSSM yet (http://crbug.com/45369), so fall back on
+ // SSLClientSocketMac.
+ if (ssl_config.client_cert)
+ return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+
+ return new SSLClientSocketNSS(transport_socket, hostname, ssl_config);
#else
NOTIMPLEMENTED();
return NULL;
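Review bot: The fallback at `if (ssl_config.client_cert)` makes the TLS implementation a connection gets, and with it the certificate-verification and cipher behaviour of that implementation, depend on whether a client certificate was selected for that one connection, which is easy to overlook when triaging a Mac-only report. The same invariant is assumed from the other side in ssl_client_socket_nss.cc, where ClientAuthHandler DCHECKs that `client_cert` is NULL whenever `send_client_cert` is set, so it is worth stating the dependency here to keep the two in sync, e.g. extend the TODO with `// ClientAuthHandler in ssl_client_socket_nss.cc relies on this routing and only ever answers "no certificate".` Whether `send_client_cert` can be set with a NULL `client_cert` (a deliberate "send none" answer) is not visible in this hunk; if it can, that case correctly stays on the NSS socket. DefaultSSLClientSocketFactory begins before this hunk.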
diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc
new file mode 100644
index 0000000..f2884e9
--- /dev/null
+++ b/net/socket/ssl_client_socket_mac_factory.cc
@@ -0,0 +1,18 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/socket/client_socket_factory.h"
+
+#include "net/socket/ssl_client_socket_mac.h"
+
+namespace net {
+
+SSLClientSocket* SSLClientSocketMacFactory(
+ ClientSocket* transport_socket,
+ const std::string& hostname,
+ const SSLConfig& ssl_config) {
+ return new SSLClientSocketMac(transport_socket, hostname, ssl_config);
+}
+
+} // namespace net
diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h
new file mode 100644
index 0000000..8a0fe0c
--- /dev/null
+++ b/net/socket/ssl_client_socket_mac_factory.h
@@ -0,0 +1,20 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
+#define NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
+
+#include "net/socket/client_socket_factory.h"
+
+namespace net {
+
+// Creates SSLClientSocketMac objects.
+SSLClientSocket* SSLClientSocketMacFactory(
+ ClientSocket* transport_socket,
+ const std::string& hostname,
+ const SSLConfig& ssl_config);
+
+} // namespace net
+
+#endif // NET_SOCKET_SSL_CLIENT_SOCKET_MAC_FACTORY_H_
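Review bot: The declaration comment `// Creates SSLClientSocketMac objects.` says nothing about ownership, while the .cc returns the result of a raw `new`, so presumably the caller owns the returned socket and the socket takes over `transport_socket`, but neither is stated. Suggest `// Creates an SSLClientSocketMac over |transport_socket|. The caller owns the returned socket.` plus, if it holds, a clause on what becomes of `transport_socket`. A short mention that this is a plain function intended for ClientSocketFactory::SetSSLClientSocketFactory, as used in browser_main.cc, would also tell a reader why it is not a class.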
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 085e52c..44aa579 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1268,10 +1268,36 @@ SECStatus SSLClientSocketNSS::ClientAuthHandler(
// handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
return SECWouldBlock;
#elif defined(OS_MACOSX)
- // TODO(wtc): see http://crbug.com/45369.
- // Not implemented. Send no client certificate.
- PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
- return SECFailure;
+ if (that->ssl_config_.send_client_cert) {
+ // TODO(wtc): SSLClientSocketNSS can't do SSL client authentication using
+ // CDSA/CSSM yet (http://crbug.com/45369), so client_cert must be NULL.
+ DCHECK(!that->ssl_config_.client_cert);
+ // Send no client certificate.
+ return SECFailure;
+ }
+
+ that->client_certs_.clear();
+
+ // First, get the cert issuer names allowed by the server.
+ std::vector<CertPrincipal> valid_issuers;
+ int n = ca_names->nnames;
+ for (int i = 0; i < n; i++) {
+ // Parse each name into a CertPrincipal object.
+ CertPrincipal p;
+ if (p.ParseDistinguishedName(ca_names->names[i].data,
+ ca_names->names[i].len)) {
+ valid_issuers.push_back(p);
+ }
+ }
+
+ // Now get the available client certs whose issuers are allowed by the server.
+ X509Certificate::GetSSLClientCertificates(that->hostname_,
+ valid_issuers,
+ &that->client_certs_);
+
+ // Tell NSS to suspend the client authentication. We will then abort the
+ // handshake by returning ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
+ return SECWouldBlock;
#else
CERTCertificate* cert = NULL;
SECKEYPrivateKey* privkey = NULL;
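Review bot: The `DCHECK(!that->ssl_config_.client_cert);` in the new `send_client_cert` branch encodes an invariant that is actually enforced elsewhere (DefaultSSLClientSocketFactory in client_socket_factory.cc routes any config carrying a client_cert to SSLClientSocketMac), and in a release build a violation would silently degrade to a handshake with no client certificate rather than fail loudly. Suggest naming that dependency in the comment, e.g. `// DefaultSSLClientSocketFactory routes configs with a client_cert to SSLClientSocketMac, so only the "send none" case reaches here.`, so a later change to the factory does not leave this check stranded. The issuer-name collection and the `return SECWouldBlock;` that follow read as a copy of the branch ending just above this hunk; if that branch builds the same `valid_issuers` list, factoring the shared part into a static helper would keep the platform paths from drifting. Whether NSS can invoke this callback with `ca_names == NULL` is not visible here; if it can, `ca_names->nnames` needs a guard. ClientAuthHandler begins before this hunk and continues after it.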
diff --git a/webkit/tools/test_shell/simple_resource_loader_bridge.cc b/webkit/tools/test_shell/simple_resource_loader_bridge.cc
index d76a5fe..858391a 100644
--- a/webkit/tools/test_shell/simple_resource_loader_bridge.cc
+++ b/webkit/tools/test_shell/simple_resource_loader_bridge.cc
@@ -34,7 +34,7 @@
#include "base/file_path.h"
#include "base/message_loop.h"
-#if defined(OS_WIN)
+#if defined(OS_MACOSX) || defined(OS_WIN)
#include "base/nss_util.h"
#endif
#include "base/ref_counted.h"
@@ -789,6 +789,8 @@ bool SimpleResourceLoaderBridge::EnsureIOThread() {
// inside DefaultClientSocketFactory::CreateSSLClientSocket.
net::ClientSocketFactory::SetSSLClientSocketFactory(
net::SSLClientSocketNSSFactory);
+#endif
+#if defined(OS_MACOSX) || defined(OS_WIN)
// We want to be sure to init NSPR on the main thread.
base::EnsureNSPRInit();
#endif