Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(19)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/http_stream_factory_impl_job.cc

Issue 1074193003: Verify alternative server certificate validity for origin. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressing comments. Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/http/http_stream_factory_impl_job.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_stream_factory_impl_job.cc
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 78f4eedb1a19300346cca7428e756a73c41d2279..de7ca7242e0b506969d5049e4f10396009dfc492 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -292,6 +292,18 @@ bool HttpStreamFactoryImpl::Job::CanUseExistingSpdySession() const {
proxy_info_.proxy_server().is_https() || IsSpdyAlternate();
}
+bool HttpStreamFactoryImpl::Job::IsAlternativeCertificateValidForOrigin(
+ base::WeakPtr<SpdySession> spdy_session) {
+ if (!IsSpdyAlternate()) {
+ return true;
+ }
+ if (origin_url_.host() == spdy_session->host_port_pair().host()) {
+ return true;
+ }
+ DCHECK(spdy_session);
Ryan Hamilton 2015/04/11 02:40:41 I think it made more sense to do the DCHECK at the
Bence 2015/04/13 17:52:40 I moved the spdy_session == nullptr case to this m
+ return spdy_session->VerifyDomainAuthentication(origin_url_.host());
+}
+
void HttpStreamFactoryImpl::Job::OnStreamReadyCallback() {
DCHECK(stream_.get());
DCHECK(!IsPreconnecting());
@@ -535,6 +547,20 @@ int HttpStreamFactoryImpl::Job::RunLoop(int result) {
}
return ERR_IO_PENDING;
+ case ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN:
+ DCHECK(IsSpdyAlternate());
+ if (job_status_ != STATUS_BROKEN) {
+ DCHECK_EQ(STATUS_RUNNING, job_status_);
+ job_status_ = STATUS_FAILED;
+ // TODO(bnc): Instead of marking alternative service broken, mark
+ // (origin, alternative service) couple as invalid.
+ MaybeMarkAlternativeServiceBroken();
+ }
+ base::MessageLoop::current()->PostTask(
+ FROM_HERE, base::Bind(&Job::OnStreamFailedCallback,
+ ptr_factory_.GetWeakPtr(), result));
+ return ERR_IO_PENDING;
+
default:
if (job_status_ != STATUS_BROKEN) {
DCHECK_EQ(STATUS_RUNNING, job_status_);
@@ -804,6 +830,9 @@ int HttpStreamFactoryImpl::Job::DoInitConnection() {
session_->spdy_session_pool()->FindAvailableSession(
spdy_session_key, net_log_);
if (spdy_session && CanUseExistingSpdySession()) {
+ if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+ return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+ }
// If we're preconnecting, but we already have a SpdySession, we don't
// actually need to preconnect any sockets, so we're done.
if (IsPreconnecting())
@@ -812,14 +841,14 @@ int HttpStreamFactoryImpl::Job::DoInitConnection() {
next_state_ = STATE_CREATE_STREAM;
existing_spdy_session_ = spdy_session;
return OK;
- } else if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
+ }
+ if (request_ && !request_->HasSpdySessionKey() && using_ssl_) {
// Update the spdy session key for the request that launched this job.
request_->SetSpdySessionKey(spdy_session_key);
}
// OK, there's no available SPDY session. Let |waiting_job_| resume if it's
// paused.
-
if (waiting_job_) {
waiting_job_->Resume(this);
waiting_job_ = NULL;
@@ -989,6 +1018,9 @@ int HttpStreamFactoryImpl::Job::DoInitConnectionComplete(int result) {
if (!ssl_started && result < 0 && IsAlternate()) {
job_status_ = STATUS_BROKEN;
+ // TODO(bnc): if (result == ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN), then
+ // instead of marking alternative service broken, mark (origin, alternative
+ // service) couple as invalid.
MaybeMarkAlternativeServiceBroken();
return result;
}
@@ -1131,6 +1163,9 @@ int HttpStreamFactoryImpl::Job::DoCreateStream() {
spdy_pool->FindAvailableSession(spdy_session_key, net_log_);
if (spdy_session) {
+ if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+ return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+ }
return SetSpdyHttpStream(spdy_session, direct);
}
@@ -1146,6 +1181,10 @@ int HttpStreamFactoryImpl::Job::DoCreateStream() {
return ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY;
}
+ if (!IsAlternativeCertificateValidForOrigin(spdy_session)) {
+ return ERR_ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN;
+ }
+
new_spdy_session_ = spdy_session;
spdy_session_direct_ = direct;
const HostPortPair& host_port_pair = spdy_session_key.host_port_pair();
« no previous file with comments | « net/http/http_stream_factory_impl_job.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698