Verify alternative server certificate validity for origin.

net/http/http_stream_factory_impl_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_factory_impl_job.h"
 
 #include <algorithm>
 #include <string>
 
 #include "base/bind.h"
@@ skipping 274 matching lines @@
   // https://somehost/ that we don't use that session for http://somehost:443/.
   // The only time we can use an existing session is if the request URL is
   // https (the normal case) or if we're connection to a SPDY proxy.
   // https://crbug.com/133176
   // TODO(ricea): Add "wss" back to this list when SPDY WebSocket support is
   // working.
   return origin_url_.SchemeIs("https") ||
          proxy_info_.proxy_server().is_https() || IsSpdyAlternate();
 }
 
+bool HttpStreamFactoryImpl::Job::IsAlternativeCertificateValidForOrigin(
+    base::WeakPtr<SpdySession> spdy_session) {
+  if (!IsSpdyAlternate()) {
+    return true;
+  }
+  if (origin_url_.host() == spdy_session->host_port_pair().host()) {
+    return true;
+  }
+  DCHECK(spdy_session);

[Ryan Hamilton, 2015/04/11 02:40:41]

I think it made more sense to do the DCHECK at the top, since the idea is that
this method should only be called with a real session. Alternatively, you could
make this explicit by taking a "const SpdySession&" instead.

[Bence, 2015/04/13 17:52:40]

I moved the spdy_session == nullptr case to this method too, so now it's part of
the if.  Do I need a better name for the  method?

+  return spdy_session->VerifyDomainAuthentication(origin_url_.host());
+}
+
 void HttpStreamFactoryImpl::Job::OnStreamReadyCallback() {
   DCHECK(stream_.get());
   DCHECK(!IsPreconnecting());
   DCHECK(!stream_factory_->for_websockets_);
   if (IsOrphaned()) {
     stream_factory_->OnOrphanedJobComplete(this);
   } else {
     request_->Complete(was_npn_negotiated(),
                        protocol_negotiated(),
                        using_spdy(),
@@ skipping 223 matching lines @@
             base::Bind(&Job::OnWebSocketHandshakeStreamReadyCallback,
                        ptr_factory_.GetWeakPtr()));
       } else {
         DCHECK(stream_.get());
         base::MessageLoop::current()->PostTask(
             FROM_HERE,
             base::Bind(&Job::OnStreamReadyCallback, ptr_factory_.GetWeakPtr()));
       }
       return ERR_IO_PENDING;
 
+    case ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN:
+      DCHECK(IsSpdyAlternate());
+      if (job_status_ != STATUS_BROKEN) {
+        DCHECK_EQ(STATUS_RUNNING, job_status_);
+        job_status_ = STATUS_FAILED;
+        // TODO(bnc): Instead of marking alternative service broken, mark
+        // (origin, alternative service) couple as invalid.
+        MaybeMarkAlternativeServiceBroken();
+      }
+      base::MessageLoop::current()->PostTask(
+          FROM_HERE, base::Bind(&Job::OnStreamFailedCallback,
+                                ptr_factory_.GetWeakPtr(), result));
+      return ERR_IO_PENDING;
+
     default:
       if (job_status_ != STATUS_BROKEN) {
         DCHECK_EQ(STATUS_RUNNING, job_status_);
         job_status_ = STATUS_FAILED;
         MaybeMarkAlternativeServiceBroken();
       }
       base::MessageLoop::current()->PostTask(
           FROM_HERE,
           base::Bind(&Job::OnStreamFailedCallback, ptr_factory_.GetWeakPtr(),
                      result));
@@ skipping 249 matching lines @@
     return rv;
   }
 
   // Check first if we have a spdy session for this group.  If so, then go
   // straight to using that.
   SpdySessionKey spdy_session_key = GetSpdySessionKey();
   base::WeakPtr<SpdySession> spdy_session =
       session_->spdy_session_pool()->FindAvailableSession(
           spdy_session_key, net_log_);
   if (spdy_session && CanUseExistingSpdySession()) {
+    if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+      return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+    }
     // If we're preconnecting, but we already have a SpdySession, we don't
     // actually need to preconnect any sockets, so we're done.
     if (IsPreconnecting())
       return OK;
     using_spdy_ = true;
     next_state_ = STATE_CREATE_STREAM;
     existing_spdy_session_ = spdy_session;
     return OK;
-  } else if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
+  }
+  if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
     // Update the spdy session key for the request that launched this job.
     request_->SetSpdySessionKey(spdy_session_key);
   }
 
   // OK, there's no available SPDY session. Let |waiting_job_| resume if it's
   // paused.
-
   if (waiting_job_) {
     waiting_job_->Resume(this);
     waiting_job_ = NULL;
   }
 
   if (proxy_info_.is_http() || proxy_info_.is_https())
     establishing_tunnel_ = using_ssl_;
 
   // TODO(bnc): s/want_spdy_over_npn/expect_spdy_over_npn/
   bool want_spdy_over_npn = IsAlternate();
@@ skipping 149 matching lines @@
     // puts the in progress HttpProxy socket into |connection_| in order to
     // complete the auth (or read the response body).  The tunnel restart code
     // is careful to remove it before returning control to the rest of this
     // class.
     connection_.reset(connection_->release_pending_http_proxy_connection());
     return result;
   }
 
   if (!ssl_started && result < 0 && IsAlternate()) {
     job_status_ = STATUS_BROKEN;
+    // TODO(bnc): if (result == ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN), then
+    // instead of marking alternative service broken, mark (origin, alternative
+    // service) couple as invalid.
     MaybeMarkAlternativeServiceBroken();
     return result;
   }
 
   if (using_quic_) {
     if (result < 0) {
       job_status_ = STATUS_BROKEN;
       MaybeMarkAlternativeServiceBroken();
       return result;
     }
@@ skipping 122 matching lines @@
     spdy_session_key = SpdySessionKey(proxy_server.host_port_pair(),
                                       ProxyServer::Direct(),
                                       PRIVACY_MODE_DISABLED);
   }
 
   SpdySessionPool* spdy_pool = session_->spdy_session_pool();
   base::WeakPtr<SpdySession> spdy_session =
       spdy_pool->FindAvailableSession(spdy_session_key, net_log_);
 
   if (spdy_session) {
+    if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+      return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+    }
     return SetSpdyHttpStream(spdy_session, direct);
   }
 
   spdy_session =
       spdy_pool->CreateAvailableSessionFromSocket(spdy_session_key,
                                                   connection_.Pass(),
                                                   net_log_,
                                                   spdy_certificate_error_,
                                                   using_ssl_);
   if (!spdy_session->HasAcceptableTransportSecurity()) {
     spdy_session->CloseSessionOnError(
         ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, "");
     return ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY;
   }
 
+  if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+    return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+  }
+
   new_spdy_session_ = spdy_session;
   spdy_session_direct_ = direct;
   const HostPortPair& host_port_pair = spdy_session_key.host_port_pair();
   base::WeakPtr<HttpServerProperties> http_server_properties =
       session_->http_server_properties();
   if (http_server_properties)
     http_server_properties->SetSupportsSpdy(host_port_pair, true);
 
   // Create a SpdyHttpStream attached to the session;
   // OnNewSpdySessionReadyCallback is not called until an event loop
@@ skipping 322 matching lines @@
   if (scheme == "https" || scheme == "wss" || IsSpdyAlternate())
     return ClientSocketPoolManager::SSL_GROUP;
 
   if (scheme == "ftp")
     return ClientSocketPoolManager::FTP_GROUP;
 
   return ClientSocketPoolManager::NORMAL_GROUP;
 }
 
 }  // namespace net