Remove client_auth_cert_needed_ from SSLClientSocketOpenSSL.

That state isn't needed. When an operation fails in OpenSSL, SSL_get_error tells you exactly what event it was waiting for. BUG=none Review URL: https://codereview.chromium.org/1136813002 Cr-Commit-Position: refs/heads/master@{#329491}

Remove client_auth_cert_needed_ from SSLClientSocketOpenSSL.
That state isn't needed. When an operation fails in OpenSSL, SSL_get_error tells you exactly what event it was waiting for. BUG=none Review URL: https://codereview.chromium.org/1136813002 Cr-Commit-Position: refs/heads/master@{#329491}
ced4aa9b · davidben · Commit bot · c5965213 · ced4aa9b · ced4aa9b
Commit ced4aa9b authored May 12, 2015 by davidben Committed by Commit bot May 12, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 14 deletions

net/socket/ssl_client_socket_openssl.cc net/socket/ssl_client_socket_openssl.cc +10 -11

net/socket/ssl_client_socket_openssl.h net/socket/ssl_client_socket_openssl.h +0 -3

No files found.
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -357,7 +357,6 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
      server_cert_chain_(new PeerCertificateChain(NULL)),
      completed_connect_(false),
      was_ever_used_(false),
-      client_auth_cert_needed_(false),
      cert_verifier_(context.cert_verifier),
      cert_transparency_verifier_(context.cert_transparency_verifier),
      channel_id_service_(context.channel_id_service),
@@ -501,7 +500,6 @@ void SSLClientSocketOpenSSL::Disconnect() {

  cert_authorities_.clear();
  cert_key_types_.clear();
-  client_auth_cert_needed_ = false;

  start_cert_verification_time_ = base::TimeTicks();

@@ -962,17 +960,17 @@ int SSLClientSocketOpenSSL::DoHandshake() {
    UpdateServerCert();
    GotoState(STATE_VERIFY_CERT);
  } else {
-    if (client_auth_cert_needed_)
-      return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
-
    int ssl_error = SSL_get_error(ssl_, rv);
-
    if (ssl_error == SSL_ERROR_WANT_CHANNEL_ID_LOOKUP) {
      // The server supports channel ID. Stop to look one up before returning to
      // the handshake.
      GotoState(STATE_CHANNEL_ID_LOOKUP);
      return OK;
    }
+    if (ssl_error == SSL_ERROR_WANT_X509_LOOKUP &&
+        !ssl_config_.send_client_cert) {
+      return ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
+    }

    OpenSSLErrorInfo error_info;
    net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);
@@ -1390,9 +1388,7 @@ int SSLClientSocketOpenSSL::DoPayloadRead() {
  // Although only the final SSL_read call may have failed, the failure needs to
  // processed immediately, while the information still available in OpenSSL's
  // error queue.
-  if (client_auth_cert_needed_) {
-    pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
-  } else if (ssl_ret <= 0) {
+  if (ssl_ret <= 0) {
    // A zero return from SSL_read may mean any of:
    // - The underlying BIO_read returned 0.
    // - The peer sent a close_notify.
@@ -1404,6 +1400,9 @@ int SSLClientSocketOpenSSL::DoPayloadRead() {
    pending_read_ssl_error_ = SSL_get_error(ssl_, ssl_ret);
    if (pending_read_ssl_error_ == SSL_ERROR_ZERO_RETURN) {
      pending_read_error_ = 0;
+    } else if (pending_read_ssl_error_ == SSL_ERROR_WANT_X509_LOOKUP &&
+               !ssl_config_.send_client_cert) {
+      pending_read_error_ = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
    } else {
      pending_read_error_ = MapOpenSSLErrorWithDetails(
          pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
@@ -1615,7 +1614,6 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
  if (!ssl_config_.send_client_cert) {
    // First pass: we know that a client certificate is needed, but we do not
    // have one at hand.
-    client_auth_cert_needed_ = true;
    STACK_OF(X509_NAME) *authorities = SSL_get_client_CA_list(ssl);
    for (size_t i = 0; i < sk_X509_NAME_num(authorities); i++) {
      X509_NAME *ca_name = (X509_NAME *)sk_X509_NAME_value(authorities, i);
@@ -1635,7 +1633,8 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl) {
          static_cast<SSLClientCertType>(client_cert_types[i]));
    }

-    return -1;  // Suspends handshake.
+    // Suspends handshake. SSL_get_error will return SSL_ERROR_WANT_X509_LOOKUP.
+    return -1;
  }

  // Second pass: a client certificate should have been selected.

--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -246,9 +246,6 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
  // network.
  bool was_ever_used_;

-  // Stores client authentication information between ClientAuthHandler and
-  // GetSSLCertRequestInfo calls.
-  bool client_auth_cert_needed_;
  // List of DER-encoded X.509 DistinguishedName of certificate authorities
  // allowed by the server.
  std::vector<std::string> cert_authorities_;