Restrict QUIC session pool when channel ID is present.

net/quic/quic_client_session.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_client_session.h"
 
 #include "base/callback_helpers.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/sparse_histogram.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/crypto/quic_server_info.h"
 #include "net/quic/quic_connection_helper.h"
 #include "net/quic/quic_crypto_client_stream_factory.h"
 #include "net/quic/quic_default_packet_writer.h"
 #include "net/quic/quic_server_id.h"
 #include "net/quic/quic_stream_factory.h"
+#include "net/ssl/channel_id_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/udp/datagram_client_socket.h"
 
 namespace net {
 
 namespace {
 
 // The length of time to wait for a 0-RTT handshake to complete
 // before allowing the requests to possibly proceed over TCP.
@@ skipping 92 matching lines @@
   *stream_ = stream;
   ResetAndReturn(&callback_).Run(OK);
 }
 
 void QuicClientSession::StreamRequest::OnRequestCompleteFailure(int rv) {
   session_.reset();
   ResetAndReturn(&callback_).Run(rv);
 }
 
 QuicClientSession::QuicClientSession(
+    const HostPortPair& server_host_port,
     QuicConnection* connection,
     scoped_ptr<DatagramClientSocket> socket,
     scoped_ptr<QuicDefaultPacketWriter> writer,
     QuicStreamFactory* stream_factory,
     QuicCryptoClientStreamFactory* crypto_client_stream_factory,
     scoped_ptr<QuicServerInfo> server_info,
     const QuicServerId& server_id,
     const QuicConfig& config,
     QuicCryptoClientConfig* crypto_config,
     base::TaskRunner* task_runner,
     NetLog* net_log)
     : QuicClientSessionBase(connection,
                             config),
+      server_host_port_(server_host_port),
       require_confirmation_(false),
       stream_factory_(stream_factory),
       socket_(socket.Pass()),
       writer_(writer.Pass()),
       read_buffer_(new IOBufferWithSize(kMaxPacketSize)),
       server_info_(server_info.Pass()),
       read_pending_(false),
       num_total_streams_(0),
       task_runner_(task_runner),
       net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_QUIC_SESSION)),
@@ skipping 259 matching lines @@
   ssl_connection_status |=
       (SSL_CONNECTION_VERSION_QUIC & SSL_CONNECTION_VERSION_MASK) <<
        SSL_CONNECTION_VERSION_SHIFT;
 
   ssl_info->public_key_hashes = cert_verify_result_->public_key_hashes;
   ssl_info->is_issued_by_known_root =
       cert_verify_result_->is_issued_by_known_root;
 
   ssl_info->connection_status = ssl_connection_status;
   ssl_info->client_cert_sent = false;
-  ssl_info->channel_id_sent = false;
+  ssl_info->channel_id_sent = crypto_stream_->WasChannelIDSent();
   ssl_info->security_bits = security_bits;
   ssl_info->handshake_type = SSLInfo::HANDSHAKE_FULL;
   return true;
 }
 
 int QuicClientSession::CryptoConnect(bool require_confirmation,
                                      const CompletionCallback& callback) {
   require_confirmation_ = require_confirmation;
   handshake_start_ = base::TimeTicks::Now();
   RecordHandshakeState(STATE_STARTED);
@@ skipping 34 matching lines @@
 
   callback_ = callback;
   return ERR_IO_PENDING;
 }
 
 int QuicClientSession::GetNumSentClientHellos() const {
   return crypto_stream_->num_sent_client_hellos();
 }
 
 bool QuicClientSession::CanPool(const std::string& hostname) const {
-  // TODO(rch): When QUIC supports channel ID or client certificates, this
-  // logic will need to be revised.
   DCHECK(connection()->connected());
   SSLInfo ssl_info;
-  bool unused = false;
   if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) {
     // We can always pool with insecure QUIC sessions.
     return true;
   }
-  // Only pool secure QUIC sessions if the cert matches the new hostname.
-  return ssl_info.cert->VerifyNameMatch(hostname, &unused);
+
+  bool unused = false;
+  // Pooling is prohibited for connections on which client certs were
+  // sent. It is also prohibited for when channel ID was sent if the
+  // hosts are from different ETLDs. And of course, it is prohibited

[wtc, 2014/07/01 23:00:14]

ETLDs => eTLDs

[Ryan Hamilton, 2014/07/01 23:26:19]

Done.

+  // if the cert is not valid for the new domain.

[wtc, 2014/07/01 23:00:14]

cert => server cert

[Ryan Hamilton, 2014/07/01 23:26:19]

Done.

+  return
+      !ssl_info.client_cert_sent &&
+      (!ssl_info.channel_id_sent ||
+       (ChannelIDService::GetDomainForHost(hostname) ==
+        ChannelIDService::GetDomainForHost(server_host_port_.host()))) &&
+      ssl_info.cert->VerifyNameMatch(hostname, &unused);
 }
 
 QuicDataStream* QuicClientSession::CreateIncomingDataStream(
     QuicStreamId id) {
   DLOG(ERROR) << "Server push not supported";
   return NULL;
 }
 
 void QuicClientSession::CloseStream(QuicStreamId stream_id) {
   ReliableQuicStream* stream = GetStream(stream_id);
@@ skipping 215 matching lines @@
   while (!observers_.empty()) {
     Observer* observer = *observers_.begin();
     observers_.erase(observer);
     observer->OnSessionClosed(net_error);
   }
 }
 
 base::Value* QuicClientSession::GetInfoAsValue(
     const std::set<HostPortPair>& aliases) {
   base::DictionaryValue* dict = new base::DictionaryValue();
-  // TODO(rch): remove "host_port_pair" when Chrome 34 is stable.
-  dict->SetString("host_port_pair", aliases.begin()->ToString());
   dict->SetString("version", QuicVersionToString(connection()->version()));
   dict->SetInteger("open_streams", GetNumOpenStreams());
   base::ListValue* stream_list = new base::ListValue();
   for (base::hash_map<QuicStreamId, QuicDataStream*>::const_iterator it
            = streams()->begin();
        it != streams()->end();
        ++it) {
     stream_list->Append(new base::StringValue(
         base::Uint64ToString(it->second->id())));
   }
@@ skipping 97 matching lines @@
     return;
 
   // TODO(rch): re-enable this code once beta is cut.
   //  if (stream_factory_)
   //    stream_factory_->OnSessionConnectTimeout(this);
   //  CloseAllStreams(ERR_QUIC_HANDSHAKE_FAILED);
   //  DCHECK_EQ(0u, GetNumOpenStreams());
 }
 
 }  // namespace net