Verify alternative server certificate validity for origin.

net/http/http_stream_factory_impl_job.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_factory_impl_job.h"
 
 #include <algorithm>
 #include <string>
 
 #include "base/bind.h"
@@ skipping 253 matching lines @@
   DCHECK(connection_.get() && connection_->socket());
   SSLClientSocket* ssl_socket =
       static_cast<SSLClientSocket*>(connection_->socket());
   ssl_socket->GetSSLInfo(&ssl_info_);
 }
 
 SpdySessionKey HttpStreamFactoryImpl::Job::GetSpdySessionKey() const {
   // In the case that we're using an HTTPS proxy for an HTTP url,
   // we look for a SPDY session *to* the proxy, instead of to the
   // origin server.
-  PrivacyMode privacy_mode = request_info_.privacy_mode;
   if (IsHttpsProxyAndHttpUrl()) {
     return SpdySessionKey(proxy_info_.proxy_server().host_port_pair(),
-                          ProxyServer::Direct(),
-                          privacy_mode);
+                          ProxyServer::Direct(), PRIVACY_MODE_DISABLED);
   }
+  PrivacyMode privacy_mode = request_info_.privacy_mode;
   return SpdySessionKey(server_, proxy_info_.proxy_server(), privacy_mode);

[Ryan Hamilton, 2015/04/13 18:29:56]

I recommend doing this cleanup in a different CL since it's orthogonal.

[Bence, 2015/04/15 21:07:46]

Done: https://crrev.com/1063873003.

 }
 
 bool HttpStreamFactoryImpl::Job::CanUseExistingSpdySession() const {
   // We need to make sure that if a spdy session was created for
   // https://somehost/ that we don't use that session for http://somehost:443/.
   // The only time we can use an existing session is if the request URL is
   // https (the normal case) or if we're connection to a SPDY proxy.
   // https://crbug.com/133176
   // TODO(ricea): Add "wss" back to this list when SPDY WebSocket support is
   // working.
@@ skipping 238 matching lines @@
                        ptr_factory_.GetWeakPtr()));
       } else {
         DCHECK(stream_.get());
         base::MessageLoop::current()->PostTask(
             FROM_HERE,
             base::Bind(&Job::OnStreamReadyCallback, ptr_factory_.GetWeakPtr()));
       }
       return ERR_IO_PENDING;
 
     default:
+      DCHECK((result != ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN) ||

[Ryan Hamilton, 2015/04/13 18:29:56]

No need for the 2nd set of ()s. Feel free to put IsSpdyAlternate() first if that
helps).  Or do:

if (!SpdyAlternate())
  DCHECK_NE(ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN, result);

[Bence, 2015/04/15 21:07:46]

Done.

+             IsSpdyAlternate());
       if (job_status_ != STATUS_BROKEN) {
         DCHECK_EQ(STATUS_RUNNING, job_status_);
         job_status_ = STATUS_FAILED;
+        // TODO(bnc): If (result == ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN),
+        // then instead of marking alternative service broken, mark (origin,
+        // alternative service) couple as invalid.
         MaybeMarkAlternativeServiceBroken();
       }
       base::MessageLoop::current()->PostTask(
           FROM_HERE,
           base::Bind(&Job::OnStreamFailedCallback, ptr_factory_.GetWeakPtr(),
                      result));
       return ERR_IO_PENDING;
   }
 }
 
@@ skipping 64 matching lines @@
 }
 
 int HttpStreamFactoryImpl::Job::DoStart() {
   if (IsAlternate()) {
     server_ = alternative_service_.host_port_pair();
   } else {
     server_ = HostPortPair::FromURL(request_info_.url);
   }
   origin_url_ =
       stream_factory_->ApplyHostMappingRules(request_info_.url, &server_);
+  valid_spdy_session_pool_.reset(
+      new ValidSpdySessionPool(session_, origin_url_, IsSpdyAlternate()));
 
   net_log_.BeginEvent(
       NetLog::TYPE_HTTP_STREAM_JOB,
       base::Bind(&NetLogHttpStreamJobCallback, &request_info_.url, &origin_url_,
                  &alternative_service_, priority_));
 
   // Don't connect to restricted ports.
   bool is_port_allowed = IsPortAllowedByDefault(server_.port());
   if (request_info_.url.SchemeIs("ftp")) {
     // Never share connection with other jobs for FTP requests.
@@ skipping 154 matching lines @@
       // OK, there's no available QUIC session. Let |waiting_job_| resume
       // if it's paused.
       if (waiting_job_) {
         waiting_job_->Resume(this);
         waiting_job_ = NULL;
       }
     }
     return rv;
   }
 
+  SpdySessionKey spdy_session_key = GetSpdySessionKey();
+
   // Check first if we have a spdy session for this group.  If so, then go
   // straight to using that.
-  SpdySessionKey spdy_session_key = GetSpdySessionKey();
-  base::WeakPtr<SpdySession> spdy_session =
-      session_->spdy_session_pool()->FindAvailableSession(
-          spdy_session_key, net_log_);
-  if (spdy_session && CanUseExistingSpdySession()) {
-    // If we're preconnecting, but we already have a SpdySession, we don't
-    // actually need to preconnect any sockets, so we're done.
-    if (IsPreconnecting())
+  if (CanUseExistingSpdySession()) {
+    bool is_valid;
+    base::WeakPtr<SpdySession> spdy_session =
+        valid_spdy_session_pool_->FindAvailableSession(spdy_session_key,
+                                                       net_log_, &is_valid);
+    if (!is_valid) {
+      return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+    }
+    if (spdy_session) {
+      // If we're preconnecting, but we already have a SpdySession, we don't
+      // actually need to preconnect any sockets, so we're done.
+      if (IsPreconnecting())
+        return OK;
+      using_spdy_ = true;
+      next_state_ = STATE_CREATE_STREAM;
+      existing_spdy_session_ = spdy_session;
       return OK;
-    using_spdy_ = true;
-    next_state_ = STATE_CREATE_STREAM;
-    existing_spdy_session_ = spdy_session;
-    return OK;
-  } else if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
+    }
+  }
+  if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
     // Update the spdy session key for the request that launched this job.
     request_->SetSpdySessionKey(spdy_session_key);
   }
 
   // OK, there's no available SPDY session. Let |waiting_job_| resume if it's
   // paused.
-
   if (waiting_job_) {
     waiting_job_->Resume(this);
     waiting_job_ = NULL;
   }
 
   if (proxy_info_.is_http() || proxy_info_.is_https())
     establishing_tunnel_ = using_ssl_;
 
   // TODO(bnc): s/want_spdy_over_npn/expect_spdy_over_npn/
   bool want_spdy_over_npn = IsAlternate();
@@ skipping 24 matching lines @@
     DCHECK(!stream_factory_->for_websockets_);
     return PreconnectSocketsForHttpRequest(
         GetSocketGroup(), server_, request_info_.extra_headers,
         request_info_.load_flags, priority_, session_, proxy_info_,
         want_spdy_over_npn, server_ssl_config_, proxy_ssl_config_,
         request_info_.privacy_mode, net_log_, num_streams_);
   }
 
   // If we can't use a SPDY session, don't bother checking for one after
   // the hostname is resolved.
-  OnHostResolutionCallback resolution_callback = CanUseExistingSpdySession() ?
-      base::Bind(&Job::OnHostResolution, session_->spdy_session_pool(),
-                 GetSpdySessionKey()) :
-      OnHostResolutionCallback();
+  OnHostResolutionCallback resolution_callback =
+      CanUseExistingSpdySession()
+          ? base::Bind(&Job::OnHostResolution, session_->spdy_session_pool(),
+                       spdy_session_key)
+          : OnHostResolutionCallback();
   if (stream_factory_->for_websockets_) {
     // TODO(ricea): Re-enable NPN when WebSockets over SPDY is supported.
     SSLConfig websocket_server_ssl_config = server_ssl_config_;
     websocket_server_ssl_config.next_protos.clear();
     return InitSocketHandleForWebSocketRequest(
         GetSocketGroup(), server_, request_info_.extra_headers,
         request_info_.load_flags, priority_, session_, proxy_info_,
         want_spdy_over_npn, websocket_server_ssl_config, proxy_ssl_config_,
         request_info_.privacy_mode, net_log_, connection_.get(),
         resolution_callback, io_callback_);
@@ skipping 101 matching lines @@
     // puts the in progress HttpProxy socket into |connection_| in order to
     // complete the auth (or read the response body).  The tunnel restart code
     // is careful to remove it before returning control to the rest of this
     // class.
     connection_.reset(connection_->release_pending_http_proxy_connection());
     return result;
   }
 
   if (!ssl_started && result < 0 && IsAlternate()) {
     job_status_ = STATUS_BROKEN;
+    // TODO(bnc): if (result == ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN), then
+    // instead of marking alternative service broken, mark (origin, alternative
+    // service) couple as invalid.
     MaybeMarkAlternativeServiceBroken();
     return result;
   }
 
   if (using_quic_) {
     if (result < 0) {
       job_status_ = STATUS_BROKEN;
       MaybeMarkAlternativeServiceBroken();
       return result;
     }
@@ skipping 90 matching lines @@
           request_->websocket_handshake_stream_create_helper()
               ->CreateBasicStream(connection_.Pass(), using_proxy));
     } else {
       stream_.reset(new HttpBasicStream(connection_.release(), using_proxy));
     }
     return OK;
   }
 
   CHECK(!stream_.get());
 
-  bool direct = true;
-  const ProxyServer& proxy_server = proxy_info_.proxy_server();
-  PrivacyMode privacy_mode = request_info_.privacy_mode;
-  if (IsHttpsProxyAndHttpUrl())
-    direct = false;
-
+  bool direct = !IsHttpsProxyAndHttpUrl();
   if (existing_spdy_session_.get()) {
     // We picked up an existing session, so we don't need our socket.
     if (connection_->socket())
       connection_->socket()->Disconnect();
     connection_->Reset();
 
     int set_result = SetSpdyHttpStream(existing_spdy_session_, direct);
     existing_spdy_session_.reset();
     return set_result;
   }
 
-  SpdySessionKey spdy_session_key(server_, proxy_server, privacy_mode);
-  if (IsHttpsProxyAndHttpUrl()) {
-    // If we don't have a direct SPDY session, and we're using an HTTPS
-    // proxy, then we might have a SPDY session to the proxy.
-    // We never use privacy mode for connection to proxy server.
-    spdy_session_key = SpdySessionKey(proxy_server.host_port_pair(),
-                                      ProxyServer::Direct(),
-                                      PRIVACY_MODE_DISABLED);
+  SpdySessionKey spdy_session_key = GetSpdySessionKey();
+  bool is_valid;
+  base::WeakPtr<SpdySession> spdy_session =
+      valid_spdy_session_pool_->FindAvailableSession(spdy_session_key, net_log_,
+                                                     &is_valid);
+  if (!is_valid) {

[Ryan Hamilton, 2015/04/13 18:29:56]

Hm. I'm not in love with this API. Instead, I would make the ValidPool methods
return int and make the session an out param. That way the logic of your new
NAME_NOT_VALID error would go in the pool

[Bence, 2015/04/15 21:07:46]

Done.

+    return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
   }
-
-  SpdySessionPool* spdy_pool = session_->spdy_session_pool();
-  base::WeakPtr<SpdySession> spdy_session =
-      spdy_pool->FindAvailableSession(spdy_session_key, net_log_);
-
   if (spdy_session) {
     return SetSpdyHttpStream(spdy_session, direct);
   }
 
-  spdy_session =
-      spdy_pool->CreateAvailableSessionFromSocket(spdy_session_key,
-                                                  connection_.Pass(),
-                                                  net_log_,
-                                                  spdy_certificate_error_,
-                                                  using_ssl_);
+  spdy_session = valid_spdy_session_pool_->CreateAvailableSessionFromSocket(
+      spdy_session_key, connection_.Pass(), net_log_, spdy_certificate_error_,
+      using_ssl_, &is_valid);
+  if (!is_valid) {
+    return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+  }
+
   if (!spdy_session->HasAcceptableTransportSecurity()) {
     spdy_session->CloseSessionOnError(
         ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, "");
     return ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY;
   }
 
   new_spdy_session_ = spdy_session;
   spdy_session_direct_ = direct;
   const HostPortPair& host_port_pair = spdy_session_key.host_port_pair();
   base::WeakPtr<HttpServerProperties> http_server_properties =
@@ skipping 315 matching lines @@
   }
 
   if (job_status_ == STATUS_SUCCEEDED && other_job_status_ == STATUS_BROKEN) {
     HistogramBrokenAlternateProtocolLocation(
         BROKEN_ALTERNATE_PROTOCOL_LOCATION_HTTP_STREAM_FACTORY_IMPL_JOB_MAIN);
     session_->http_server_properties()->MarkAlternativeServiceBroken(
         other_job_alternative_service_);
   }
 }
 
+HttpStreamFactoryImpl::Job::ValidSpdySessionPool::ValidSpdySessionPool(
+    HttpNetworkSession* session,

[Ryan Hamilton, 2015/04/13 18:29:56]

Looks like you can just take the Pool instead of session_, so you don't have to
do session_->spdy_session_pool()

[Bence, 2015/04/15 21:07:46]

Done.

+    GURL& origin_url,
+    bool is_spdy_alternate)
+    : session_(session),
+      origin_url_(origin_url),
+      is_spdy_alternate_(is_spdy_alternate) {
+}
+
+base::WeakPtr<SpdySession>
+HttpStreamFactoryImpl::Job::ValidSpdySessionPool::FindAvailableSession(
+    const SpdySessionKey& key,
+    const BoundNetLog& net_log,
+    bool* is_valid) {
+  base::WeakPtr<SpdySession> spdy_session =
+      session_->spdy_session_pool()->FindAvailableSession(key, net_log);
+  *is_valid = IsAlternativeCertificateValidForOrigin(spdy_session);
+  return spdy_session;
+}
+
+base::WeakPtr<SpdySession> HttpStreamFactoryImpl::Job::ValidSpdySessionPool::
+    CreateAvailableSessionFromSocket(const SpdySessionKey& key,
+                                     scoped_ptr<ClientSocketHandle> connection,
+                                     const BoundNetLog& net_log,
+                                     int certificate_error_code,
+                                     bool is_secure,
+                                     bool* is_valid) {
+  base::WeakPtr<SpdySession> spdy_session =
+      session_->spdy_session_pool()->CreateAvailableSessionFromSocket(
+          key, connection.Pass(), net_log, certificate_error_code, is_secure);
+  *is_valid = IsAlternativeCertificateValidForOrigin(spdy_session);
+  return spdy_session;
+}
+
+bool HttpStreamFactoryImpl::Job::ValidSpdySessionPool::
+    IsAlternativeCertificateValidForOrigin(
+        base::WeakPtr<SpdySession> spdy_session) {
+  return !is_spdy_alternate_ || !spdy_session ||

[Ryan Hamilton, 2015/04/13 18:29:56]

It seems like is_spdy_alternate_ is not adding any value here since it seems
like it's basically the same thing (effectively) as checking the hostname?

[Bence, 2015/04/15 21:07:46]

Per your other comment, I removed hostname checking.  Hostname checking was more
restrictive, since almost every unittest uses the same hostname (as changing
hostnames is not implemented yet, this very CL will enable it).

[Ryan Hamilton, 2015/04/15 21:24:34]

Can you add a comment about why you don't need to call
VerifyDomainAuthentication here when it's not a SPDY alt-svc job? (It's obvious
if you're familiar with the code, but not otherwise).

[Bence, 2015/04/23 17:17:07]

Done.

+         (origin_url_.host() == spdy_session->host_port_pair().host()) ||
+         spdy_session->VerifyDomainAuthentication(origin_url_.host());
+}
+
 ClientSocketPoolManager::SocketGroupType
 HttpStreamFactoryImpl::Job::GetSocketGroup() const {
   std::string scheme = origin_url_.scheme();
   if (scheme == "https" || scheme == "wss" || IsSpdyAlternate())
     return ClientSocketPoolManager::SSL_GROUP;
 
   if (scheme == "ftp")
     return ClientSocketPoolManager::FTP_GROUP;
 
   return ClientSocketPoolManager::NORMAL_GROUP;
 }
 
 }  // namespace net