author | rch@chromium.org <rch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-12 19:55:27 +0000 |
---|---|---|
committer | rch@chromium.org <rch@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-12 19:55:27 +0000 |
commit | 4f4de7e6e1393bf1b068337cdf8895e91addfa72 (patch) | |
tree | 872947e61b717b7ad582a2c5688e2bdb1e0b2b1f /net | |
parent | f7002808992b52e582dd2fff531863de7b673b9e (diff) | |
Correctly handle SSL Client Authentication requests when connecting
to an HTTPS/SPDY proxy. Modify SSLClientSocket classes to correctly set the host_and_port field of the cert_request_info. Modify HttpNetworkTransaction to use this field when populating the SSL client auth cache.
BUG=59292
TEST=HttpProxyClientSocketPoolTest.SslClientAuth
Review URL: http://codereview.chromium.org/4339001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65976 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
31 files changed, 179 insertions, 159 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc index c671751..3e1d8d1 100644 --- a/net/http/http_network_transaction.cc +++ b/net/http/http_network_transaction.cc @@ -172,8 +172,8 @@ int HttpNetworkTransaction::RestartWithCertificate( ssl_config_.client_cert = client_cert; if (client_cert) { - session_->ssl_client_auth_cache()->Add(GetHostAndPort(request_->url), - client_cert); + session_->ssl_client_auth_cache()->Add( + response_.cert_request_info->host_and_port, client_cert); } ssl_config_.send_client_cert = true; // Reset the other member variables. @@ -973,8 +973,8 @@ int HttpNetworkTransaction::HandleCertificateRequest(int error) { // If the user selected one of the certificate in client_certs for this // server before, use it automatically. - X509Certificate* client_cert = session_->ssl_client_auth_cache()-> - Lookup(GetHostAndPort(request_->url)); + X509Certificate* client_cert = session_->ssl_client_auth_cache()->Lookup( + response_.cert_request_info->host_and_port); if (client_cert) { const std::vector<scoped_refptr<X509Certificate> >& client_certs = response_.cert_request_info->client_certs; diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc index fd66d8d..881a037 100644 --- a/net/http/http_network_transaction_unittest.cc +++ b/net/http/http_network_transaction_unittest.cc @@ -6664,7 +6664,7 @@ TEST_F(HttpNetworkTransactionTest, session->ssl_config_service()->GetSSLConfig(&ssl_config); ClientSocket* socket = connection->release_socket(); socket = session->socket_factory()->CreateSSLClientSocket( - socket, "" , ssl_config, NULL /* ssl_host_info */); + socket, HostPortPair("" , 443), ssl_config, NULL /* ssl_host_info */); connection->set_socket(socket); EXPECT_EQ(ERR_IO_PENDING, socket->Connect(&callback)); EXPECT_EQ(OK, callback.WaitForResult()); 
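Review bot: RestartWithCertificate now dereferences `response_.cert_request_info` to build the cache key, whereas the old key came from `request_->url`, which is always present; a caller that restarts without a preceding ERR_SSL_CLIENT_AUTH_CERT_NEEDED would now hit a null pointer rather than a harmless cache entry. A `DCHECK(response_.cert_request_info.get());` ahead of the `if (client_cert)` block would document the precondition, and the same applies to the HandleCertificateRequest hunk below it, whose surrounding lines already assume the pointer is set. Note also that the cache key string is now whatever the socket put into `host_and_port` rather than `GetHostAndPort(request_->url)`; any other ssl_client_auth_cache() caller still keyed the old way (none is in this diff) would silently stop matching, which is worth a grep. Both RestartWithCertificate and HandleCertificateRequest start outside their hunks.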
diff --git a/net/http/http_proxy_client_socket_pool.cc b/net/http/http_proxy_client_socket_pool.cc index a5bbb53..e43d02b 100644 --- a/net/http/http_proxy_client_socket_pool.cc +++ b/net/http/http_proxy_client_socket_pool.cc @@ -207,9 +207,11 @@ int HttpProxyConnectJob::DoSSLConnect() { } int HttpProxyConnectJob::DoSSLConnectComplete(int result) { - // TODO(rch): enable support for client auth to the proxy - if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) - return ERR_PROXY_AUTH_UNSUPPORTED; + if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { + error_response_info_ = transport_socket_handle_->ssl_error_response_info(); + DCHECK(error_response_info_.cert_request_info.get()); + return result; + } if (IsCertificateError(result)) { if (params_->ssl_params()->load_flags() & LOAD_IGNORE_ALL_CERT_ERRORS) result = OK; @@ -246,6 +248,13 @@ int HttpProxyConnectJob::DoSSLConnectComplete(int result) { return result; } +void HttpProxyConnectJob::GetAdditionalErrorState(ClientSocketHandle * handle) { + if (error_response_info_.cert_request_info) { + handle->set_ssl_error_response_info(error_response_info_); + handle->set_is_ssl_error(true); + } +} + int HttpProxyConnectJob::DoSpdyProxyCreateStream() { DCHECK(using_spdy_); DCHECK(params_->tunnel()); 
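Review bot: In DoSSLConnectComplete the new branch only DCHECKs that `error_response_info_.cert_request_info` is set, so in a release build a missing one still returns ERR_SSL_CLIENT_AUTH_CERT_NEEDED while GetAdditionalErrorState leaves the handle untouched, and the consumer added in HttpNetworkTransaction::HandleCertificateRequest by this same commit then dereferences a null `response_.cert_request_info`. A release-build guard keeps the two in step, e.g. `if (!error_response_info_.cert_request_info.get()) return ERR_PROXY_AUTH_UNSUPPORTED;` placed after the DCHECK, which restores the code's previous answer for the case the DCHECK says should not happen. The DoSSLConnectComplete hunk starts mid-function, so I cannot see whether transport_socket_handle_ is guaranteed non-null on this path; the guard added in DoSpdyProxyCreateStream suggests it is not always.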
@@ -256,20 +265,19 @@ int HttpProxyConnectJob::DoSpdyProxyCreateStream() { scoped_refptr<SpdySession> spdy_session; // It's possible that a session to the proxy has recently been created if (spdy_pool->HasSession(pair)) { - if (transport_socket_handle_->socket()) - transport_socket_handle_->socket()->Disconnect(); - transport_socket_handle_->Reset(); + if (transport_socket_handle_.get()) { + if (transport_socket_handle_->socket()) + transport_socket_handle_->socket()->Disconnect(); + transport_socket_handle_->Reset(); + } spdy_session = spdy_pool->Get(pair, params_->spdy_settings(), net_log()); } else { // Create a session direct to the proxy itself int rv = spdy_pool->GetSpdySessionFromSocket( pair, params_->spdy_settings(), transport_socket_handle_.release(), net_log(), OK, &spdy_session, /*using_ssl_*/ true); - if (rv < 0) { - if (transport_socket_handle_->socket()) - transport_socket_handle_->socket()->Disconnect(); + if (rv < 0) return rv; - } } next_state_ = STATE_SPDY_PROXY_CREATE_STREAM_COMPLETE; diff --git a/net/http/http_proxy_client_socket_pool.h b/net/http/http_proxy_client_socket_pool.h index a08a573..24dbeaa 100644 --- a/net/http/http_proxy_client_socket_pool.h +++ b/net/http/http_proxy_client_socket_pool.h @@ -14,6 +14,7 @@ #include "base/time.h" #include "net/base/host_port_pair.h" #include "net/http/http_auth.h" +#include "net/http/http_response_info.h" #include "net/socket/client_socket_pool_base.h" #include "net/socket/client_socket_pool_histograms.h" #include "net/socket/client_socket_pool.h" @@ -105,6 +106,8 @@ class HttpProxyConnectJob : public ConnectJob { // ConnectJob methods. virtual LoadState GetLoadState() const; + virtual void GetAdditionalErrorState(ClientSocketHandle* handle); + private: enum State { STATE_TCP_CONNECT, 
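Review bot: Dropping the Disconnect() call on the `rv < 0` path is right, since `transport_socket_handle_.release()` on the line above has already handed the handle to the SPDY pool and the old code dereferenced a null scoped_ptr, but nothing at the call site now records that ownership transfer or who closes the socket when GetSpdySessionFromSocket fails. A one-line comment above the call, `// GetSpdySessionFromSocket takes ownership of the handle; on failure it is responsible for disconnecting it.`, would stop the next reader from re-adding the cleanup, assuming that is indeed the pool's contract (it is not visible here). The new `transport_socket_handle_.get()` guard in the HasSession branch is sound on its own. DoSpdyProxyCreateStream starts outside the hunk.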
@@ -157,6 +160,8 @@ class HttpProxyConnectJob : public ConnectJob { scoped_ptr<ClientSocket> transport_socket_; bool using_spdy_; + HttpResponseInfo error_response_info_; + scoped_refptr<SpdyStream> spdy_stream_; DISALLOW_COPY_AND_ASSIGN(HttpProxyConnectJob); diff --git a/net/http/http_proxy_client_socket_pool_unittest.cc b/net/http/http_proxy_client_socket_pool_unittest.cc index ae84ecc..f5bc2e7 100644 --- a/net/http/http_proxy_client_socket_pool_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_unittest.cc @@ -53,7 +53,7 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { HostPortPair("proxy", 80), LOWEST, GURL(), false)), ignored_ssl_socket_params_(new SSLSocketParams( ignored_tcp_socket_params_, NULL, NULL, ProxyServer::SCHEME_DIRECT, - "www.google.com", ssl_config_, 0, false, false)), + HostPortPair("www.google.com", 443), ssl_config_, 0, false, false)), tcp_histograms_("MockTCP"), tcp_socket_pool_( kMaxSockets, kMaxSocketsPerGroup, @@ -415,7 +415,7 @@ TEST_P(HttpProxyClientSocketPoolTest, SslClientAuth) { EXPECT_FALSE(handle_.is_initialized()); EXPECT_FALSE(handle_.socket()); - EXPECT_EQ(ERR_PROXY_AUTH_UNSUPPORTED, callback_.WaitForResult()); + EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, callback_.WaitForResult()); EXPECT_FALSE(handle_.is_initialized()); EXPECT_FALSE(handle_.socket()); diff --git a/net/http/http_stream_request.cc b/net/http/http_stream_request.cc index 71bbdda..eaaad16 100644 --- a/net/http/http_stream_request.cc +++ b/net/http/http_stream_request.cc @@ -505,9 +505,9 @@ int HttpStreamRequest::DoInitConnection() { scoped_refptr<SSLSocketParams> ssl_params; if (proxy_info()->is_https()) { // Set ssl_params, and unset proxy_tcp_params - ssl_params = GenerateSslParams(proxy_tcp_params, NULL, NULL, + ssl_params = GenerateSSLParams(proxy_tcp_params, NULL, NULL, ProxyServer::SCHEME_DIRECT, - proxy_host_port->host(), + *proxy_host_port.get(), want_spdy_over_npn); proxy_tcp_params = NULL; } 
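Review bot: The SslClientAuth test in http_proxy_client_socket_pool_unittest.cc now only checks that the result code changed to ERR_SSL_CLIENT_AUTH_CERT_NEEDED; it does not verify the new behaviour the commit adds, namely that GetAdditionalErrorState copied the certificate request into the handle. After the WaitForResult expectation, something like `EXPECT_TRUE(handle_.ssl_error_response_info().cert_request_info.get());` together with a check of the getter paired with `set_is_ssl_error` would pin that, since without it a regression in GetAdditionalErrorState would still pass while HttpNetworkTransaction dereferences a null cert_request_info. The test body starts outside the hunk.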
@@ -544,9 +544,9 @@ int HttpStreamRequest::DoInitConnection() { // Deal with SSL - which layers on top of any given proxy. if (using_ssl_) { scoped_refptr<SSLSocketParams> ssl_params = - GenerateSslParams(tcp_params, http_proxy_params, socks_params, + GenerateSSLParams(tcp_params, http_proxy_params, socks_params, proxy_info()->proxy_server().scheme(), - request_info().url.HostNoBrackets(), + HostPortPair::FromURL(request_info().url), want_spdy_over_npn); SSLClientSocketPool* ssl_pool = NULL; if (proxy_info()->is_direct()) @@ -828,12 +828,12 @@ bool HttpStreamRequest::IsHttpsProxyAndHttpUrl() { // Returns a newly create SSLSocketParams, and sets several // fields of ssl_config_. -scoped_refptr<SSLSocketParams> HttpStreamRequest::GenerateSslParams( +scoped_refptr<SSLSocketParams> HttpStreamRequest::GenerateSSLParams( scoped_refptr<TCPSocketParams> tcp_params, scoped_refptr<HttpProxySocketParams> http_proxy_params, scoped_refptr<SOCKSSocketParams> socks_params, ProxyServer::Scheme proxy_scheme, - std::string hostname, + const HostPortPair& host_and_port, bool want_spdy_over_npn) { if (factory_->IsTLSIntolerantServer(request_info().url)) { @@ -859,7 +859,7 @@ scoped_refptr<SSLSocketParams> HttpStreamRequest::GenerateSslParams( scoped_refptr<SSLSocketParams> ssl_params( new SSLSocketParams(tcp_params, socks_params, http_proxy_params, - proxy_scheme, hostname, + proxy_scheme, host_and_port, *ssl_config(), load_flags, force_spdy_always_ && force_spdy_over_ssl_, want_spdy_over_npn)); diff --git a/net/http/http_stream_request.h b/net/http/http_stream_request.h index ec3ce04..d0decb4 100644 --- a/net/http/http_stream_request.h +++ b/net/http/http_stream_request.h 
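Review bot: GenerateSSLParams' new `host_and_port` parameter carries two different things depending on the caller in DoInitConnection: the proxy's own host:port in the HTTPS-proxy branch (`*proxy_host_port.get()`) and the request origin in the `using_ssl_` branch (`HostPortPair::FromURL(...)`), but the comment above the definition still only says "Returns a newly create SSLSocketParams, and sets several fields of ssl_config_." Since this value ends up as the client-auth cache key and the session-cache peer id, a line such as `// |host_and_port| is the TLS endpoint: the proxy itself when speaking TLS to an HTTPS proxy, otherwise the request's origin.` (and fixing "create" to "created") would make the contract explicit. The same comment is duplicated on the declaration in http_stream_request.h in the next hunk. DoInitConnection starts outside the hunk.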
@@ -140,12 +140,12 @@ class HttpStreamRequest : public StreamRequest { // Returns a newly create SSLSocketParams, and sets several // fields of ssl_config_. - scoped_refptr<SSLSocketParams> GenerateSslParams( + scoped_refptr<SSLSocketParams> GenerateSSLParams( scoped_refptr<TCPSocketParams> tcp_params, scoped_refptr<HttpProxySocketParams> http_proxy_params, scoped_refptr<SOCKSSocketParams> socks_params, ProxyServer::Scheme proxy_scheme, - std::string hostname, + const HostPortPair& host_and_port, bool want_spdy_over_npn); // AlternateProtocol API diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index f524743..72afd63 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -27,20 +27,21 @@ namespace { SSLClientSocket* DefaultSSLClientSocketFactory( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) - return new SSLClientSocketWin(transport_socket, hostname, ssl_config); + return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config); #elif defined(USE_OPENSSL) - return new SSLClientSocketOpenSSL(transport_socket, hostname, ssl_config); + return new SSLClientSocketOpenSSL(transport_socket, host_and_port, + ssl_config); #elif defined(USE_NSS) - return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, + return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, shi.release(), dnsrr_resolver); #elif defined(OS_MACOSX) - return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, + return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, shi.release(), dnsrr_resolver); #else NOTIMPLEMENTED(); 
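Review bot: The USE_OPENSSL branch of DefaultSSLClientSocketFactory now calls `new SSLClientSocketOpenSSL(transport_socket, host_and_port, ssl_config)` with a HostPortPair, but the ssl_client_socket_openssl.cc and .h hunks later in this commit change that constructor to `(transport_socket, const std::string& hostname, uint16 port, const SSLConfig& ssl_config)`, so an OpenSSL build will not compile. Either call it as `new SSLClientSocketOpenSSL(transport_socket, host_and_port.host(), host_and_port.port(), ssl_config);` or, better, give SSLClientSocketOpenSSL the same HostPortPair constructor as the Mac and NSS classes so the backends stay uniform. The mismatch only shows up under USE_OPENSSL, which is presumably why the default build and the listed test did not catch it; the OS_WIN branch's constructor is not in this diff so I cannot confirm it was converted.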
@@ -61,12 +62,12 @@ class DefaultClientSocketFactory : public ClientSocketFactory { virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { - return g_ssl_factory(transport_socket, hostname, ssl_config, ssl_host_info, - dnsrr_resolver); + return g_ssl_factory(transport_socket, host_and_port, ssl_config, + ssl_host_info, dnsrr_resolver); } }; @@ -86,12 +87,12 @@ void ClientSocketFactory::SetSSLClientSocketFactory( // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocket* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info) { ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); - return CreateSSLClientSocket(socket_handle, hostname, ssl_config, + return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config, ssl_host_info, NULL /* DnsRRResolver */); } diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index 4814b9c..196b2ab 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -8,6 +8,7 @@ #include <string> +#include "base/basictypes.h" #include "net/base/net_log.h" namespace net { @@ -16,6 +17,7 @@ class AddressList; class ClientSocket; class ClientSocketHandle; class DnsRRResolver; +class HostPortPair; class SSLClientSocket; struct SSLConfig; class SSLHostInfo; 
@@ -23,7 +25,7 @@ class SSLHostInfo; // Callback function to create new SSLClientSocket objects. typedef SSLClientSocket* (*SSLClientSocketFactory)( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); @@ -43,16 +45,17 @@ class ClientSocketFactory { virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. - virtual SSLClientSocket* CreateSSLClientSocket(ClientSocket* transport_socket, - const std::string& hostname, - const SSLConfig& ssl_config, - SSLHostInfo* ssl_host_info); + virtual SSLClientSocket* CreateSSLClientSocket( + ClientSocket* transport_socket, + const HostPortPair& host_and_port, + const SSLConfig& ssl_config, + SSLHostInfo* ssl_host_info); // Returns the default ClientSocketFactory. static ClientSocketFactory* GetDefaultFactory(); diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index 7b83162..5e7eb7f 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -107,7 +107,7 @@ class MockClientSocketFactory : public ClientSocketFactory { virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index 57aef05..8378c1d 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc 
@@ -465,7 +465,7 @@ class MockSSLClientSocket::ConnectCallback MockSSLClientSocket::MockSSLClientSocket( net::ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_port_pair, const net::SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, net::SSLSocketDataProvider* data) @@ -1013,12 +1013,12 @@ ClientSocket* MockClientSocketFactory::CreateTCPClientSocket( SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = - new MockSSLClientSocket(transport_socket, hostname, ssl_config, + new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); ssl_client_sockets_.push_back(socket); return socket; @@ -1063,12 +1063,12 @@ ClientSocket* DeterministicMockClientSocketFactory::CreateTCPClientSocket( SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = - new MockSSLClientSocket(transport_socket, hostname, ssl_config, + new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); ssl_client_sockets_.push_back(socket); return socket; diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index 349013e..ba0b94a 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h 
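Review bot: The MockSSLClientSocket constructor definition names the new parameter `host_port_pair` while the declaration in socket_test_util.h (next hunk) and every other signature touched by this commit call it `host_and_port`; picking one spelling, `const HostPortPair& host_and_port,`, avoids a needless grep mismatch between header and source. The parameter is not visibly stored by the mock, so if the mock is expected to populate SSLCertRequestInfo::host_and_port like the real sockets do, that part is missing, though the initializer list is outside the hunk.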
@@ -532,7 +532,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const NetLog::Source& source); virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); @@ -690,7 +690,7 @@ class MockSSLClientSocket : public MockClientSocket { public: MockSSLClientSocket( net::ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const net::SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, net::SSLSocketDataProvider* socket); @@ -877,7 +877,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { const NetLog::Source& source); virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc index 6ef573c..7c5445f 100644 --- a/net/socket/ssl_client_socket_mac.cc +++ b/net/socket/ssl_client_socket_mac.cc @@ -516,7 +516,7 @@ EnabledCipherSuites::EnabledCipherSuites() { //----------------------------------------------------------------------------- SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config) : handshake_io_callback_(this, &SSLClientSocketMac::OnHandshakeIOComplete), transport_read_callback_(this, 
@@ -524,7 +524,7 @@ SSLClientSocketMac::SSLClientSocketMac(ClientSocketHandle* transport_socket, transport_write_callback_(this, &SSLClientSocketMac::OnTransportWriteComplete), transport_(transport_socket), - hostname_(hostname), + host_and_port_(host_and_port), ssl_config_(ssl_config), user_connect_callback_(NULL), user_read_callback_(NULL), @@ -742,9 +742,11 @@ void SSLClientSocketMac::GetSSLCertRequestInfo( } // Now get the available client certs whose issuers are allowed by the server. - cert_request_info->host_and_port = hostname_; + cert_request_info->host_and_port = host_and_port_.ToString(); cert_request_info->client_certs.clear(); - X509Certificate::GetSSLClientCertificates(hostname_, + // TODO(rch): we should consider passing a host-port pair as the first + // argument to X509Certificate::GetSSLClientCertificates. + X509Certificate::GetSSLClientCertificates(host_and_port_.host(), valid_issuers, &cert_request_info->client_certs); VLOG(1) << "Asking user to choose between " @@ -812,8 +814,8 @@ int SSLClientSocketMac::InitializeSSLContext() { // Passing the domain name enables the server_name TLS extension (SNI). status = SSLSetPeerDomainName(ssl_context_, - hostname_.data(), - hostname_.length()); + host_and_port_.host().data(), + host_and_port_.host().length()); if (status) return NetErrorFromOSStatus(status); @@ -840,10 +842,9 @@ int SSLClientSocketMac::InitializeSSLContext() { if (rv != OK) return rv; const struct addrinfo* ai = address.head(); - std::string peer_id(hostname_); + std::string peer_id(host_and_port_.ToString()); peer_id += std::string(reinterpret_cast<char*>(ai->ai_addr), ai->ai_addrlen); - // SSLSetPeerID() treats peer_id as a binary blob, and makes its // own copy. status = SSLSetPeerID(ssl_context_, peer_id.data(), peer_id.length()); 
@@ -1063,7 +1064,7 @@ int SSLClientSocketMac::DoVerifyCert() { if (ssl_config_.verify_ev_cert) flags |= X509Certificate::VERIFY_EV_CERT; verifier_.reset(new CertVerifier); - return verifier_->Verify(server_cert_, hostname_, flags, + return verifier_->Verify(server_cert_, host_and_port_.host(), flags, &server_cert_verify_result_, &handshake_io_callback_); } diff --git a/net/socket/ssl_client_socket_mac.h b/net/socket/ssl_client_socket_mac.h index 0763fd3..e84bee4 100644 --- a/net/socket/ssl_client_socket_mac.h +++ b/net/socket/ssl_client_socket_mac.h @@ -14,6 +14,7 @@ #include "base/scoped_ptr.h" #include "net/base/cert_verify_result.h" #include "net/base/completion_callback.h" +#include "net/base/host_port_pair.h" #include "net/base/net_log.h" #include "net/base/ssl_config_service.h" #include "net/socket/ssl_client_socket.h" @@ -27,11 +28,13 @@ class ClientSocketHandle; class SSLClientSocketMac : public SSLClientSocket { public: // Takes ownership of the |transport_socket|, which must already be connected. - // The given hostname will be compared with the name(s) in the server's - // certificate during the SSL handshake. ssl_config specifies the SSL - // settings. + // The hostname specified in |host_and_port| will be compared with the name(s) + // in the server's certificate during the SSL handshake. If SSL client + // authentication is requested, the host_and_port field of SSLCertRequestInfo + // will be populated with |host_and_port|. |ssl_config| specifies + // the SSL settings. SSLClientSocketMac(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config); ~SSLClientSocketMac(); @@ -98,7 +101,7 @@ class SSLClientSocketMac : public SSLClientSocket { CompletionCallbackImpl<SSLClientSocketMac> transport_write_callback_; scoped_ptr<ClientSocketHandle> transport_; - std::string hostname_; + HostPortPair host_and_port_; SSLConfig ssl_config_; CompletionCallback* user_connect_callback_; 
diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index d10e10d..a4ffb78 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc @@ -11,12 +11,12 @@ namespace net { SSLClientSocket* SSLClientSocketMacFactory( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { delete ssl_host_info; - return new SSLClientSocketMac(transport_socket, hostname, ssl_config); + return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config); } } // namespace net diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index 6f12883..c8f48ea 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -16,7 +16,7 @@ class SSLHostInfo; // Creates SSLClientSocketMac objects. SSLClientSocket* SSLClientSocketMacFactory( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 917990a..3234320 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -396,7 +396,7 @@ class PeerCertificateChain { } // namespace SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) 
@@ -410,7 +410,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, ALLOW_THIS_IN_INITIALIZER_LIST(handshake_io_callback_( this, &SSLClientSocketNSS::OnHandshakeIOComplete)), transport_(transport_socket), - hostname_(hostname), + host_and_port_(host_and_port), ssl_config_(ssl_config), user_connect_callback_(NULL), user_read_callback_(NULL), @@ -479,7 +479,8 @@ void SSLClientSocketNSS::SaveSnapStartInfo() { } net_log_.AddEvent(NetLog::TYPE_SSL_SNAP_START, new NetLogIntegerParameter("type", snap_start_type)); - LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_; + LOG(ERROR) << "Snap Start: " << snap_start_type << " " + << host_and_port_.ToString(); if (snap_start_type == SSL_SNAP_START_FULL || snap_start_type == SSL_SNAP_START_RESUME) { // If we did a successful Snap Start then our information was correct and @@ -518,7 +519,7 @@ void SSLClientSocketNSS::SaveSnapStartInfo() { certs[i]->derCert.len)); } - LOG(ERROR) << "Setting Snap Start info " << hostname_; + LOG(ERROR) << "Setting Snap Start info " << host_and_port_.ToString(); ssl_host_info_->Persist(); } @@ -741,7 +742,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() { rv = SSL_OptionSet( nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled && - !SSLConfigService::IsKnownFalseStartIncompatibleServer(hostname_)); + !SSLConfigService::IsKnownFalseStartIncompatibleServer( + host_and_port_.host())); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); #endif @@ -758,7 +760,7 @@ int SSLClientSocketNSS::InitializeSSLOptions() { #ifdef SSL_ENABLE_RENEGOTIATION // Deliberately disable this check for now: http://crbug.com/55410 if (false && - SSLConfigService::IsKnownStrictTLSServer(hostname_) && + SSLConfigService::IsKnownStrictTLSServer(host_and_port_.host()) && !ssl_config_.mitm_proxies_allowed) { rv = SSL_OptionSet(nss_fd_, SSL_REQUIRE_SAFE_NEGOTIATION, PR_TRUE); if (rv != SECSuccess) { 
@@ -823,7 +825,7 @@ int SSLClientSocketNSS::InitializeSSLOptions() { } // Tell SSL the hostname we're trying to connect to. - SSL_SetURL(nss_fd_, hostname_.c_str()); + SSL_SetURL(nss_fd_, host_and_port_.host().c_str()); // Tell SSL we're a client; needed if not letting NSPR do socket I/O SSL_ResetHandshake(nss_fd_, 0); @@ -858,10 +860,7 @@ int SSLClientSocketNSS::InitializeSSLPeerName() { // Set the peer ID for session reuse. This is necessary when we create an // SSL tunnel through a proxy -- GetPeerName returns the proxy's address // rather than the destination server's address in that case. - // TODO(wtc): port in |peer_address| is not the server's port when a proxy is - // used. - std::string peer_id = base::StringPrintf("%s:%d", hostname_.c_str(), - peer_address.GetPort()); + std::string peer_id = host_and_port_.ToString(); SECStatus rv = SSL_SetSockPeerID(nss_fd_, const_cast<char*>(peer_id.c_str())); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_SetSockPeerID", peer_id.c_str()); @@ -1140,7 +1139,7 @@ void SSLClientSocketNSS::UpdateConnectionStatus() { ssl_connection_status_ |= SSL_CONNECTION_NO_RENEGOTIATION_EXTENSION; // Log an informational message if the server does not support secure // renegotiation (RFC 5746). - VLOG(1) << "The server " << hostname_ + VLOG(1) << "The server " << host_and_port_.ToString() << " does not support the TLS renegotiation_info extension."; } UMA_HISTOGRAM_ENUMERATION("Net.RenegotiationExtensionSupported", @@ -1184,7 +1183,8 @@ void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) { void SSLClientSocketNSS::GetSSLCertRequestInfo( SSLCertRequestInfo* cert_request_info) { EnterFunction(""); - cert_request_info->host_and_port = hostname_; // TODO(wtc): no port! + // TODO(rch): switch SSLCertRequestInfo.host_and_port to a HostPortPair + cert_request_info->host_and_port = host_and_port_.ToString(); cert_request_info->client_certs = client_certs_; LeaveFunction(cert_request_info->client_certs.size()); } 
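Review bot: With `peer_id` now built from `host_and_port_.ToString()`, the `peer_address` that InitializeSSLPeerName obtained via GetPeerName is no longer read in the visible lines of that hunk; if nothing else in the function (which starts outside the hunk) uses it, the GetPeerName call and its error handling are dead and should be removed, otherwise the comment above, which still explains the GetPeerName caveat, should say what it is still needed for. Keying the session cache by the intended host:port instead of the proxy's port is the right resolution of the TODO(wtc) being deleted, since it stops a resumed session from being matched across different destination ports behind the same proxy.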
@@ -1943,7 +1943,7 @@ SECStatus SSLClientSocketNSS::PlatformClientAuthHandler( } // Now get the available client certs whose issuers are allowed by the server. - X509Certificate::GetSSLClientCertificates(that->hostname_, + X509Certificate::GetSSLClientCertificates(that->host_and_port_.host(), valid_issuers, &that->client_certs_); @@ -2158,7 +2158,8 @@ int SSLClientSocketNSS::DoHandshake() { // prepared for switching the protocol like that so we make up an error // and rely on the fact that the request will be retried. if (IsNPNProtocolMispredicted()) { - LOG(WARNING) << "Mispredicted NPN protocol for " << hostname_; + LOG(WARNING) << "Mispredicted NPN protocol for " + << host_and_port_.ToString(); net_error = ERR_SSL_SNAP_START_NPN_MISPREDICTION; } else { // Let's verify the certificate. @@ -2347,16 +2348,9 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { -#if !defined(USE_OPENSSL) - if (ssl_config_.dns_cert_provenance_checking_enabled && dnsrr_resolver_) { - PeerCertificateChain certs(nss_fd_); - DoAsyncDNSCertProvenanceVerification( - hostname_, dnsrr_resolver_, certs.AsStringPieceVector()); - } -#endif - if (ssl_config_.dnssec_enabled) { - DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_); + DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), + server_cert_nss_); if (r == DNSVR_SUCCESS) { local_server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC; server_cert_verify_result_ = &local_server_cert_verify_result_; @@ -2452,7 +2446,7 @@ int SSLClientSocketNSS::DoVerifyCert(int result) { flags |= X509Certificate::VERIFY_EV_CERT; verifier_.reset(new CertVerifier); server_cert_verify_result_ = &local_server_cert_verify_result_; - return verifier_->Verify(server_cert_, hostname_, flags, + return verifier_->Verify(server_cert_, host_and_port_.host(), flags, &local_server_cert_verify_result_, &handshake_io_callback_); } 
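Review bot: The `@@ -2347,16 +2348,9 @@` hunk in DoVerifyDNSSEC deletes the whole `#if !defined(USE_OPENSSL)` block that called DoAsyncDNSCertProvenanceVerification when `dns_cert_provenance_checking_enabled` is set, which is a behaviour change the commit description (client-auth host_and_port plumbing) does not mention; it reads like a bad merge or an accidental revert of someone else's change. If it is intentional, the description should say so and `dnsrr_resolver_` (still taken by the constructor) may have become dead; if not, the block should be restored with `host_and_port_.host()` in place of `hostname_`, matching the treatment given to CheckDNSSECChain in the same hunk. DoVerifyDNSSEC's body continues past the hunk.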
diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index d1a0a0d..b2725f6 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -19,6 +19,7 @@ #include "base/timer.h" #include "net/base/cert_verify_result.h" #include "net/base/completion_callback.h" +#include "net/base/host_port_pair.h" #include "net/base/net_log.h" #include "net/base/nss_memio.h" #include "net/base/ssl_config_service.h" @@ -38,11 +39,13 @@ class X509Certificate; class SSLClientSocketNSS : public SSLClientSocket { public: // Takes ownership of the |transport_socket|, which must already be connected. - // The given hostname will be compared with the name(s) in the server's - // certificate during the SSL handshake. ssl_config specifies the SSL - // settings. + // The hostname specified in |host_and_port| will be compared with the name(s) + // in the server's certificate during the SSL handshake. If SSL client + // authentication is requested, the host_and_port field of SSLCertRequestInfo + // will be populated with |host_and_port|. |ssl_config| specifies + // the SSL settings. SSLClientSocketNSS(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); @@ -158,7 +161,7 @@ class SSLClientSocketNSS : public SSLClientSocket { CompletionCallbackImpl<SSLClientSocketNSS> handshake_io_callback_; scoped_ptr<ClientSocketHandle> transport_; - std::string hostname_; + HostPortPair host_and_port_; SSLConfig ssl_config_; CompletionCallback* user_connect_callback_; diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index f4e8215..f7fc435 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc 
@@ -16,12 +16,12 @@ namespace net { SSLClientSocket* SSLClientSocketNSSFactory( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); - return new SSLClientSocketNSS(transport_socket, hostname, ssl_config, + return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, shi.release(), dnsrr_resolver); } diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index 29f9af4..c51b5be 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -16,7 +16,7 @@ class SSLHostInfo; // Creates SSLClientSocketNSS objects. SSLClientSocket* SSLClientSocketNSSFactory( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver); diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc index 3aae457..936b346 100644 --- a/net/socket/ssl_client_socket_openssl.cc +++ b/net/socket/ssl_client_socket_openssl.cc @@ -63,6 +63,7 @@ int MapOpenSSLError(int err) { SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( ClientSocketHandle* transport_socket, const std::string& hostname, + uint16 port, const SSLConfig& ssl_config) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketOpenSSL::BufferSendComplete)), @@ -80,6 +81,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( transport_bio_(NULL), transport_(transport_socket), hostname_(hostname), + port_(port), ssl_config_(ssl_config), completed_handshake_(false), net_log_(transport_socket->socket()->NetLog()) { diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h index 31d5c1c..da55017 100644 
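Review bot: SSLClientSocketOpenSSL gains a separate `uint16 port` parameter and a `port_` member (hunks at @@ -63 and @@ -80 of ssl_client_socket_openssl.cc) while the NSS and Schannel sockets take a `HostPortPair`, and no visible hunk reads `port_` — in particular this diff shows no change to the OpenSSL `GetSSLCertRequestInfo`, so if that method still assigns `host_and_port = hostname_` the OpenSSL build keys the client-auth cache by bare host while the other backends key by host:port. Since the transaction layer now stores and looks up client certificates by exactly that string, all three backends must produce the same key; consider taking `const HostPortPair& host_and_port` here as well and setting `cert_request_info->host_and_port = host_and_port_.ToString();` in the OpenSSL `GetSSLCertRequestInfo`. At minimum `port_` deserves a comment stating its purpose, e.g. `// Peer port; combined with hostname_ to key the SSL client auth cache.`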
--- a/net/socket/ssl_client_socket_openssl.h +++ b/net/socket/ssl_client_socket_openssl.h @@ -33,6 +33,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { // settings. SSLClientSocketOpenSSL(ClientSocketHandle* transport_socket, const std::string& hostname, + uint16 port, const SSLConfig& ssl_config); ~SSLClientSocketOpenSSL(); @@ -126,6 +127,7 @@ class SSLClientSocketOpenSSL : public SSLClientSocket { scoped_ptr<ClientSocketHandle> transport_; std::string hostname_; + uint16 port_; SSLConfig ssl_config_; bool completed_handshake_; diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index a7eea3a..785faab 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -7,6 +7,7 @@ #include "base/metrics/histogram.h" #include "base/values.h" #include "net/base/net_errors.h" +#include "net/base/host_port_pair.h" #include "net/base/ssl_cert_request_info.h" #include "net/http/http_proxy_client_socket.h" #include "net/http/http_proxy_client_socket_pool.h" @@ -24,7 +25,7 @@ SSLSocketParams::SSLSocketParams( const scoped_refptr<SOCKSSocketParams>& socks_params, const scoped_refptr<HttpProxySocketParams>& http_proxy_params, ProxyServer::Scheme proxy, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, int load_flags, bool force_spdy_over_ssl, @@ -33,7 +34,7 @@ SSLSocketParams::SSLSocketParams( http_proxy_params_(http_proxy_params), socks_params_(socks_params), proxy_(proxy), - hostname_(hostname), + host_and_port_(host_and_port), ssl_config_(ssl_config), load_flags_(load_flags), force_spdy_over_ssl_(force_spdy_over_ssl), @@ -193,7 +194,7 @@ int SSLConnectJob::DoTCPConnect() { if (ssl_host_info_factory_ && SSLConfigService::snap_start_enabled()) { ssl_host_info_.reset( - ssl_host_info_factory_->GetForHost(params_->hostname(), + ssl_host_info_factory_->GetForHost(params_->host_and_port().host(), params_->ssl_config())); } if (ssl_host_info_.get()) { 
@@ -248,16 +249,17 @@ int SSLConnectJob::DoTunnelConnect() { } int SSLConnectJob::DoTunnelConnectComplete(int result) { - ClientSocket* socket = transport_socket_handle_->socket(); - HttpProxyClientSocket* tunnel_socket = - static_cast<HttpProxyClientSocket*>(socket); - - // Extract the information needed to prompt for the proxy authentication. - // so that when ClientSocketPoolBaseHelper calls |GetAdditionalErrorState|, - // we can easily set the state. - if (result == ERR_PROXY_AUTH_REQUESTED) + // Extract the information needed to prompt for appropriate proxy + // authentication so that when ClientSocketPoolBaseHelper calls + // |GetAdditionalErrorState|, we can easily set the state. + if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) { + error_response_info_ = transport_socket_handle_->ssl_error_response_info(); + } else if (result == ERR_PROXY_AUTH_REQUESTED) { + ClientSocket* socket = transport_socket_handle_->socket(); + HttpProxyClientSocket* tunnel_socket = + static_cast<HttpProxyClientSocket*>(socket); error_response_info_ = *tunnel_socket->GetResponseInfo(); - + } if (result < 0) return result; @@ -284,9 +286,8 @@ int SSLConnectJob::DoSSLConnect() { ssl_connect_start_time_ = base::TimeTicks::Now(); ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( - transport_socket_handle_.release(), params_->hostname(), - params_->ssl_config(), ssl_host_info_.release(), - dnsrr_resolver_)); + transport_socket_handle_.release(), params_->host_and_port(), + params_->ssl_config(), ssl_host_info_.release(), dnsrr_resolver_)); return ssl_socket_->Connect(&callback_); } diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index 1711722..11cf250 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h 
@@ -25,6 +25,7 @@ namespace net { class ClientSocketFactory; class ConnectJobFactory; class DnsRRResolver; +class HostPortPair; class HttpProxyClientSocketPool; class HttpProxySocketParams; class SOCKSClientSocketPool; @@ -43,7 +44,7 @@ class SSLSocketParams : public base::RefCounted<SSLSocketParams> { const scoped_refptr<SOCKSSocketParams>& socks_params, const scoped_refptr<HttpProxySocketParams>& http_proxy_params, ProxyServer::Scheme proxy, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, int load_flags, bool force_spdy_over_ssl, @@ -57,7 +58,7 @@ class SSLSocketParams : public base::RefCounted<SSLSocketParams> { return socks_params_; } ProxyServer::Scheme proxy() const { return proxy_; } - const std::string& hostname() const { return hostname_; } + const HostPortPair& host_and_port() const { return host_and_port_; } const SSLConfig& ssl_config() const { return ssl_config_; } int load_flags() const { return load_flags_; } bool force_spdy_over_ssl() const { return force_spdy_over_ssl_; } @@ -71,7 +72,7 @@ class SSLSocketParams : public base::RefCounted<SSLSocketParams> { const scoped_refptr<HttpProxySocketParams> http_proxy_params_; const scoped_refptr<SOCKSSocketParams> socks_params_; const ProxyServer::Scheme proxy_; - const std::string hostname_; + const HostPortPair host_and_port_; const SSLConfig ssl_config_; const int load_flags_; const bool force_spdy_over_ssl_; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index 3ee9394..f58a762 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -113,7 +113,7 @@ class SSLClientSocketPoolTest : public testing::Test { proxy == ProxyServer::SCHEME_SOCKS5 ? socks_socket_params_ : NULL, proxy == ProxyServer::SCHEME_HTTP ? http_proxy_socket_params_ : NULL, proxy, - "host", + HostPortPair("host", 443), ssl_config_, 0, false, 
diff --git a/net/socket/ssl_client_socket_snapstart_unittest.cc b/net/socket/ssl_client_socket_snapstart_unittest.cc index 25c2b1f..b3fb07e 100644 --- a/net/socket/ssl_client_socket_snapstart_unittest.cc +++ b/net/socket/ssl_client_socket_snapstart_unittest.cc @@ -192,8 +192,9 @@ class SSLClientSocketSnapStartTest : public PlatformTest { transport->AdoptSocket(client_); scoped_ptr<SSLClientSocket> sock( - socket_factory_->CreateSSLClientSocket(transport, - "example.com", ssl_config_, new TestSSLHostInfo())); + socket_factory_->CreateSSLClientSocket( + transport, HostPortPair("example.com", 443), ssl_config_, + new TestSSLHostInfo())); TestCompletionCallback callback; int rv = sock->Connect(&callback); diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc index 3a1bd5ba..e736d5b 100644 --- a/net/socket/ssl_client_socket_unittest.cc +++ b/net/socket/ssl_client_socket_unittest.cc @@ -67,8 +67,7 @@ TEST_F(SSLClientSocketTest, Connect) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); EXPECT_FALSE(sock->IsConnected()); @@ -105,8 +104,7 @@ TEST_F(SSLClientSocketTest, ConnectExpired) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); EXPECT_FALSE(sock->IsConnected()); @@ -145,8 +143,7 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); EXPECT_FALSE(sock->IsConnected()); 
@@ -189,8 +186,7 @@ TEST_F(SSLClientSocketTest, FLAKY_ConnectClientAuthCertRequested) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); EXPECT_FALSE(sock->IsConnected()); @@ -232,8 +228,7 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), ssl_config, - NULL)); + transport, test_server.host_port_pair(), ssl_config, NULL)); EXPECT_FALSE(sock->IsConnected()); @@ -275,8 +270,7 @@ TEST_F(SSLClientSocketTest, Read) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); rv = sock->Connect(&callback); if (rv == net::ERR_IO_PENDING) @@ -331,8 +325,7 @@ TEST_F(SSLClientSocketTest, Read_FullDuplex) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); rv = sock->Connect(&callback); if (rv == net::ERR_IO_PENDING) @@ -386,8 +379,7 @@ TEST_F(SSLClientSocketTest, Read_SmallChunks) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); rv = sock->Connect(&callback); if (rv == net::ERR_IO_PENDING) 
@@ -437,8 +429,7 @@ TEST_F(SSLClientSocketTest, Read_Interrupted) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); rv = sock->Connect(&callback); if (rv == net::ERR_IO_PENDING) @@ -508,8 +499,7 @@ TEST_F(SSLClientSocketTest, PrematureApplicationData) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), kDefaultSSLConfig, - NULL)); + transport, test_server.host_port_pair(), kDefaultSSLConfig, NULL)); rv = sock->Connect(&callback); EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); @@ -558,8 +548,7 @@ TEST_F(SSLClientSocketTest, MAYBE_CipherSuiteDisables) { scoped_ptr<net::SSLClientSocket> sock( socket_factory_->CreateSSLClientSocket( - transport, test_server.host_port_pair().host(), - ssl_config, NULL)); + transport, test_server.host_port_pair(), ssl_config, NULL)); EXPECT_FALSE(sock->IsConnected()); diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc index eead7ed..1faeb7a 100644 --- a/net/socket/ssl_client_socket_win.cc +++ b/net/socket/ssl_client_socket_win.cc @@ -15,6 +15,7 @@ #include "base/utf_string_conversions.h" #include "net/base/cert_verifier.h" #include "net/base/connection_type_histograms.h" +#include "net/base/host_port_pair.h" #include "net/base/io_buffer.h" #include "net/base/net_log.h" #include "net/base/net_errors.h" @@ -371,7 +372,7 @@ class ClientCertStore { static const int kRecvBufferSize = (5 + 16*1024 + 64); SSLClientSocketWin::SSLClientSocketWin(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config) : ALLOW_THIS_IN_INITIALIZER_LIST( handshake_io_callback_(this, 
@@ -381,7 +382,7 @@ SSLClientSocketWin::SSLClientSocketWin(ClientSocketHandle* transport_socket, ALLOW_THIS_IN_INITIALIZER_LIST( write_callback_(this, &SSLClientSocketWin::OnWriteComplete)), transport_(transport_socket), - hostname_(hostname), + host_and_port_(host_and_port), ssl_config_(ssl_config), user_connect_callback_(NULL), user_read_callback_(NULL), @@ -453,7 +454,7 @@ void SSLClientSocketWin::GetSSLInfo(SSLInfo* ssl_info) { void SSLClientSocketWin::GetSSLCertRequestInfo( SSLCertRequestInfo* cert_request_info) { - cert_request_info->host_and_port = hostname_; // TODO(wtc): no port! + cert_request_info->host_and_port = host_and_port_.ToString(); cert_request_info->client_certs.clear(); // Get the certificate_authorities field of the CertificateRequest message. @@ -601,7 +602,7 @@ int SSLClientSocketWin::InitializeSSLContext() { status = InitializeSecurityContext( creds_, NULL, // NULL on the first call - const_cast<wchar_t*>(ASCIIToWide(hostname_).c_str()), + const_cast<wchar_t*>(ASCIIToWide(host_and_port_.host()).c_str()), flags, 0, // Reserved 0, // Not used with Schannel. @@ -1123,7 +1124,7 @@ int SSLClientSocketWin::DoVerifyCert() { if (ssl_config_.verify_ev_cert) flags |= X509Certificate::VERIFY_EV_CERT; verifier_.reset(new CertVerifier); - return verifier_->Verify(server_cert_, hostname_, flags, + return verifier_->Verify(server_cert_, host_and_port_.host(), flags, &server_cert_verify_result_, &handshake_io_callback_); } diff --git a/net/socket/ssl_client_socket_win.h b/net/socket/ssl_client_socket_win.h index 4f96e80..61c67f0 100644 --- a/net/socket/ssl_client_socket_win.h +++ b/net/socket/ssl_client_socket_win.h 
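Review bot: `cert_request_info->host_and_port = host_and_port_.ToString();` in SSLClientSocketWin::GetSSLCertRequestInfo now produces the client-auth cache key, which is the proxy fix, but whether `HostPortPair::ToString()` brackets IPv6 literals is not visible here; if it yields `::1:443` the key is ambiguous, so a test with an IPv6 host literal is worth adding alongside SslClientAuth. The reason the port is included should be recorded where the TODO used to be, e.g. `// Keyed by host:port: a client cert chosen for an HTTPS proxy must not be reused for an origin on the same host.` The `InitializeSecurityContext` and `verifier_->Verify` hunks correctly pass only `host_and_port_.host()`, as the server name presented to Schannel and certificate name matching are port-independent.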
@@ -17,25 +17,29 @@ #include "base/scoped_ptr.h" #include "net/base/cert_verify_result.h" #include "net/base/completion_callback.h" +#include "net/base/host_port_pair.h" #include "net/base/net_log.h" #include "net/base/ssl_config_service.h" #include "net/socket/ssl_client_socket.h" namespace net { +class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class BoundNetLog; +class HostPortPair; // An SSL client socket implemented with the Windows Schannel. class SSLClientSocketWin : public SSLClientSocket { public: // Takes ownership of the |transport_socket|, which must already be connected. - // The given hostname will be compared with the name(s) in the server's - // certificate during the SSL handshake. ssl_config specifies the SSL - // settings. + // The hostname specified in |host_and_port| will be compared with the name(s) + // in the server's certificate during the SSL handshake. If SSL client + // authentication is requested, the host_and_port field of SSLCertRequestInfo + // will be populated with |host_and_port|. |ssl_config| specifies + // the SSL settings. SSLClientSocketWin(ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config); ~SSLClientSocketWin(); @@ -103,7 +107,7 @@ class SSLClientSocketWin : public SSLClientSocket { CompletionCallbackImpl<SSLClientSocketWin> write_callback_; scoped_ptr<ClientSocketHandle> transport_; - std::string hostname_; + HostPortPair host_and_port_; SSLConfig ssl_config_; // User function to callback when the Connect() completes. diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc index e53e264..215b9ba 100644 --- a/net/socket/tcp_client_socket_pool_unittest.cc +++ b/net/socket/tcp_client_socket_pool_unittest.cc 
@@ -248,7 +248,7 @@ class MockClientSocketFactory : public ClientSocketFactory { virtual SSLClientSocket* CreateSSLClientSocket( ClientSocketHandle* transport_socket, - const std::string& hostname, + const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, DnsRRResolver* dnsrr_resolver) { diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc index 6d6efbe..4075e02 100644 --- a/net/socket_stream/socket_stream.cc +++ b/net/socket_stream/socket_stream.cc @@ -797,9 +797,10 @@ int SocketStream::DoSOCKSConnectComplete(int result) { int SocketStream::DoSSLConnect() { DCHECK(factory_); // TODO(agl): look into plumbing SSLHostInfo here. - socket_.reset(factory_->CreateSSLClientSocket( - socket_.release(), url_.HostNoBrackets(), ssl_config_, - NULL /* ssl_host_info */)); + socket_.reset(factory_->CreateSSLClientSocket(socket_.release(), + HostPortPair::FromURL(url_), + ssl_config_, + NULL /* ssl_host_info */)); next_state_ = STATE_SSL_CONNECT_COMPLETE; metrics_->OnSSLConnection(); return socket_->Connect(&io_callback_); |
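Review bot: `HostPortPair::FromURL(url_)` in SocketStream::DoSSLConnect replaces `url_.HostNoBrackets()`, and because SocketStream carries ws:/wss: URLs the port in that pair — and so the host:port the SSL socket will report in its cert request info — depends on FromURL resolving the wss default port when the URL omits one, which this diff does not show. If the effective-port lookup does not know the wss scheme, the resulting cache key would carry a bogus port and never match an entry created for the same peer by an HTTP request; a unit test that builds the SSL socket from `wss://host/` without an explicit port would pin this down. The rewritten call should also document the dependency, e.g. `// Port must match what HttpNetworkTransaction uses as the client-auth cache key.` The enclosing function is fully contained in the hunk.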