authormattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-08 03:00:43 +0000
committermattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-08 03:00:43 +0000
commite9f4523ae107022e73456185809e628f9fa5e214 (patch)
treee232afdf1d6e2e300de576915d333eec87be7500 /net
parentf58dd60b2c60d2d5093ceec9046ae6e0f7f8a876 (diff)
If generating a domain bound cert fails, continue the connection without it.
BUG=125768 TEST=hack ServerBoundCertService::GenerateCert to always fail Review URL: https://chromiumcodereview.appspot.com/10315008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@135783 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/socket/nss_ssl_util.cc2
-rw-r--r--net/socket/ssl_client_socket_nss.cc12
-rw-r--r--net/third_party/nss/patches/restartclientauth.patch3
-rw-r--r--net/third_party/nss/ssl/ssl3con.c1
4 files changed, 14 insertions, 4 deletions
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 4f6b3ac..d818589 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -159,6 +159,8 @@ int MapNSSError(PRErrorCode err) {
case PR_NOT_IMPLEMENTED_ERROR:
return ERR_NOT_IMPLEMENTED;
+ case SEC_ERROR_LIBRARY_FAILURE:
+ return ERR_UNEXPECTED;
case SEC_ERROR_INVALID_ARGS:
return ERR_INVALID_ARGUMENT;
case SEC_ERROR_NO_MEMORY:
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 2a824f4..7e56733 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1586,13 +1586,20 @@ int SSLClientSocketNSS::ImportDBCertAndKey(CERTCertificate** cert,
}
int SSLClientSocketNSS::DoGetDBCertComplete(int result) {
+ SECStatus rv;
net_log_.EndEventWithNetErrorCode(NetLog::TYPE_SSL_GET_DOMAIN_BOUND_CERT,
result);
client_auth_cert_needed_ = false;
domain_bound_cert_request_handle_ = NULL;
- if (result != OK)
- return result;
+ if (result != OK) {
+ // Failed to get a DBC. Proceed without.
+ rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, NULL, NULL, NULL);
+ if (rv != SECSuccess)
+ return MapNSSError(PORT_GetError());
+ GotoState(STATE_HANDSHAKE);
+ return OK;
+ }
CERTCertificate* cert;
SECKEYPrivateKey* key;
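Review bot: The new `result != OK` branch fails open for every error code, not only a certificate-generation failure, and the comment `// Failed to get a DBC. Proceed without.` does not record that this is a deliberate trade-off. Because `NULL` is passed for the cert, key and chain, the handshake resumes with no domain bound certificate, and as far as this hunk shows the only trace of the failure is the error code given to `EndEventWithNetErrorCode`. I would expand the comment to something like `// Fail open on purpose (BUG=125768): continue without a domain bound cert; the server decides whether an unbound connection is acceptable.` and check whether abort-type results should still be returned to the caller instead of restarting the handshake. DoGetDBCertComplete continues past the end of this hunk.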
@@ -1606,7 +1613,6 @@ int SSLClientSocketNSS::DoGetDBCertComplete(int result) {
net_log_.AddEvent(NetLog::TYPE_SSL_CLIENT_CERT_PROVIDED,
make_scoped_refptr(new NetLogIntegerParameter("cert_count",
cert_chain->len)));
- SECStatus rv;
rv = SSL_RestartHandshakeAfterCertReq(nss_fd_, cert, key, cert_chain);
if (rv != SECSuccess)
return MapNSSError(PORT_GetError());
diff --git a/net/third_party/nss/patches/restartclientauth.patch b/net/third_party/nss/patches/restartclientauth.patch
index 098e401..df31c37 100644
--- a/net/third_party/nss/patches/restartclientauth.patch
+++ b/net/third_party/nss/patches/restartclientauth.patch
@@ -16,7 +16,7 @@ diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 17:49:08.431530583 -0800
+++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 18:55:27.038466043 -0800
-@@ -5769,6 +5769,84 @@ done:
+@@ -5769,6 +5769,85 @@ done:
return rv;
}
@@ -93,6 +93,7 @@ diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s
+ if (certChain) {
+ CERT_DestroyCertificateList(certChain);
+ }
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ rv = SECFailure;
+ }
+ return rv;
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 5476fa5..55e4901 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -6087,6 +6087,7 @@ ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
if (certChain) {
CERT_DestroyCertificateList(certChain);
}
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
}
return rv;