Restrict QUIC session pool when channel ID is present.

net/quic/quic_client_session.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_client_session.h"
 
 #include "base/callback_helpers.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/crypto/quic_server_info.h"
 #include "net/quic/quic_connection_helper.h"
 #include "net/quic/quic_crypto_client_stream_factory.h"
 #include "net/quic/quic_default_packet_writer.h"
 #include "net/quic/quic_server_id.h"
 #include "net/quic/quic_stream_factory.h"
+#include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/udp/datagram_client_socket.h"
 
 namespace net {
 
 namespace {
 
 // The length of time to wait for a 0-RTT handshake to complete
 // before allowing the requests to possibly proceed over TCP.
@@ skipping 92 matching lines @@
   *stream_ = stream;
   ResetAndReturn(&callback_).Run(OK);
 }
 
 void QuicClientSession::StreamRequest::OnRequestCompleteFailure(int rv) {
   session_.reset();
   ResetAndReturn(&callback_).Run(rv);
 }
 
 QuicClientSession::QuicClientSession(
+    const HostPortPair& host_port_pair,
     QuicConnection* connection,
     scoped_ptr<DatagramClientSocket> socket,
     scoped_ptr<QuicDefaultPacketWriter> writer,
     QuicStreamFactory* stream_factory,
     QuicCryptoClientStreamFactory* crypto_client_stream_factory,
     scoped_ptr<QuicServerInfo> server_info,
     const QuicServerId& server_id,
     const QuicConfig& config,
     QuicCryptoClientConfig* crypto_config,
     base::TaskRunner* task_runner,
     NetLog* net_log)
     : QuicClientSessionBase(connection,
                             config),
+      host_port_pair_(host_port_pair),
       require_confirmation_(false),
       stream_factory_(stream_factory),
       socket_(socket.Pass()),
       writer_(writer.Pass()),
       read_buffer_(new IOBufferWithSize(kMaxPacketSize)),
       server_info_(server_info.Pass()),
       read_pending_(false),
       num_total_streams_(0),
       task_runner_(task_runner),
       net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_QUIC_SESSION)),
@@ skipping 314 matching lines @@
 
   callback_ = callback;
   return ERR_IO_PENDING;
 }
 
 int QuicClientSession::GetNumSentClientHellos() const {
   return crypto_stream_->num_sent_client_hellos();
 }
 
 bool QuicClientSession::CanPool(const std::string& hostname) const {
-  // TODO(rch): When QUIC supports channel ID or client certificates, this
-  // logic will need to be revised.
   DCHECK(connection()->connected());
   SSLInfo ssl_info;
-  bool unused = false;
   if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) {
     // We can always pool with insecure QUIC sessions.
     return true;
   }
-  // Only pool secure QUIC sessions if the cert matches the new hostname.
-  return ssl_info.cert->VerifyNameMatch(hostname, &unused);
+
+  bool unused = false;
+  return
+      !ssl_info.client_cert_sent &&
+      (!ssl_info.channel_id_sent ||
+       (ServerBoundCertService::GetDomainForHost(hostname) ==
+        ServerBoundCertService::GetDomainForHost(host_port_pair_.host()))) &&
+      ssl_info.cert->VerifyNameMatch(hostname, &unused);

[wtc, 2014/06/27 23:55:51]

Nit: a comment that summerizes this complicated conditional expression may be a
good idea.

[Ryan Hamilton, 2014/07/01 18:37:17]

Done.  Would you prefer a series of early returns:

if (!ssl_info.cert->VerifyNameMatch(hostname, &unused))
  return false;

if (ssl_info.client_cert_sent)
  return false;

if (ssl_info.channel_id_sent &&
    ServerBoundCertService::GetDomainForHost(hostname) !=
    ServerBoundCertService::GetDomainForHost(host_port_pair_.host()))
  return false;

return true;

[wtc, 2014/07/01 23:00:14]

Yes, I also wanted to suggest that :-) One reason it's hard to parse this code
is the complicated conditional expression.
You need to use curly braces, required by QUIC's local style.

[Ryan Hamilton, 2014/07/01 23:26:19]

Done.
That's only for shared code. Since this is chrome specific, we should adhere to
the network style, I think.

 }
 
 QuicDataStream* QuicClientSession::CreateIncomingDataStream(
     QuicStreamId id) {
   DLOG(ERROR) << "Server push not supported";
   return NULL;
 }
 
 void QuicClientSession::CloseStream(QuicStreamId stream_id) {
   ReliableQuicStream* stream = GetStream(stream_id);
@@ skipping 334 matching lines @@
     return;
 
   // TODO(rch): re-enable this code once beta is cut.
   //  if (stream_factory_)
   //    stream_factory_->OnSessionConnectTimeout(this);
   //  CloseAllStreams(ERR_QUIC_HANDSHAKE_FAILED);
   //  DCHECK_EQ(0u, GetNumOpenStreams());
 }
 
 }  // namespace net