| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/quic_client_session.h" | 5 #include "net/quic/quic_client_session.h" |
| 6 | 6 |
| 7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
| 8 #include "base/message_loop/message_loop.h" | 8 #include "base/message_loop/message_loop.h" |
| 9 #include "base/metrics/histogram.h" | 9 #include "base/metrics/histogram.h" |
| 10 #include "base/metrics/sparse_histogram.h" | 10 #include "base/metrics/sparse_histogram.h" |
| 11 #include "base/stl_util.h" | 11 #include "base/stl_util.h" |
| 12 #include "base/strings/string_number_conversions.h" | 12 #include "base/strings/string_number_conversions.h" |
| 13 #include "base/values.h" | 13 #include "base/values.h" |
| 14 #include "net/base/io_buffer.h" | 14 #include "net/base/io_buffer.h" |
| 15 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
| 16 #include "net/quic/crypto/proof_verifier_chromium.h" | 16 #include "net/quic/crypto/proof_verifier_chromium.h" |
| 17 #include "net/quic/crypto/quic_server_info.h" | 17 #include "net/quic/crypto/quic_server_info.h" |
| 18 #include "net/quic/quic_connection_helper.h" | 18 #include "net/quic/quic_connection_helper.h" |
| 19 #include "net/quic/quic_crypto_client_stream_factory.h" | 19 #include "net/quic/quic_crypto_client_stream_factory.h" |
| 20 #include "net/quic/quic_default_packet_writer.h" | 20 #include "net/quic/quic_default_packet_writer.h" |
| 21 #include "net/quic/quic_server_id.h" | 21 #include "net/quic/quic_server_id.h" |
| 22 #include "net/quic/quic_stream_factory.h" | 22 #include "net/quic/quic_stream_factory.h" |
| 23 #include "net/ssl/server_bound_cert_service.h" | |
| 23 #include "net/ssl/ssl_connection_status_flags.h" | 24 #include "net/ssl/ssl_connection_status_flags.h" |
| 24 #include "net/ssl/ssl_info.h" | 25 #include "net/ssl/ssl_info.h" |
| 25 #include "net/udp/datagram_client_socket.h" | 26 #include "net/udp/datagram_client_socket.h" |
| 26 | 27 |
| 27 namespace net { | 28 namespace net { |
| 28 | 29 |
| 29 namespace { | 30 namespace { |
| 30 | 31 |
| 31 // The length of time to wait for a 0-RTT handshake to complete | 32 // The length of time to wait for a 0-RTT handshake to complete |
| 32 // before allowing the requests to possibly proceed over TCP. | 33 // before allowing the requests to possibly proceed over TCP. |
| 138 QuicStreamFactory* stream_factory, | 139 QuicStreamFactory* stream_factory, |
| 139 QuicCryptoClientStreamFactory* crypto_client_stream_factory, | 140 QuicCryptoClientStreamFactory* crypto_client_stream_factory, |
| 140 scoped_ptr<QuicServerInfo> server_info, | 141 scoped_ptr<QuicServerInfo> server_info, |
| 141 const QuicServerId& server_id, | 142 const QuicServerId& server_id, |
| 142 const QuicConfig& config, | 143 const QuicConfig& config, |
| 143 QuicCryptoClientConfig* crypto_config, | 144 QuicCryptoClientConfig* crypto_config, |
| 144 base::TaskRunner* task_runner, | 145 base::TaskRunner* task_runner, |
| 145 NetLog* net_log) | 146 NetLog* net_log) |
| 146 : QuicClientSessionBase(connection, | 147 : QuicClientSessionBase(connection, |
| 147 config), | 148 config), |
| 149 server_host_port_(server_id.host_port_pair()), | |
| 148 require_confirmation_(false), | 150 require_confirmation_(false), |
| 149 stream_factory_(stream_factory), | 151 stream_factory_(stream_factory), |
| 150 socket_(socket.Pass()), | 152 socket_(socket.Pass()), |
| 151 writer_(writer.Pass()), | 153 writer_(writer.Pass()), |
| 152 read_buffer_(new IOBufferWithSize(kMaxPacketSize)), | 154 read_buffer_(new IOBufferWithSize(kMaxPacketSize)), |
| 153 server_info_(server_info.Pass()), | 155 server_info_(server_info.Pass()), |
| 154 read_pending_(false), | 156 read_pending_(false), |
| 155 num_total_streams_(0), | 157 num_total_streams_(0), |
| 156 task_runner_(task_runner), | 158 task_runner_(task_runner), |
| 157 net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_QUIC_SESSION)), | 159 net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_QUIC_SESSION)), |
| 417 ssl_connection_status |= | 419 ssl_connection_status |= |
| 418 (SSL_CONNECTION_VERSION_QUIC & SSL_CONNECTION_VERSION_MASK) << | 420 (SSL_CONNECTION_VERSION_QUIC & SSL_CONNECTION_VERSION_MASK) << |
| 419 SSL_CONNECTION_VERSION_SHIFT; | 421 SSL_CONNECTION_VERSION_SHIFT; |
| 420 | 422 |
| 421 ssl_info->public_key_hashes = cert_verify_result_->public_key_hashes; | 423 ssl_info->public_key_hashes = cert_verify_result_->public_key_hashes; |
| 422 ssl_info->is_issued_by_known_root = | 424 ssl_info->is_issued_by_known_root = |
| 423 cert_verify_result_->is_issued_by_known_root; | 425 cert_verify_result_->is_issued_by_known_root; |
| 424 | 426 |
| 425 ssl_info->connection_status = ssl_connection_status; | 427 ssl_info->connection_status = ssl_connection_status; |
| 426 ssl_info->client_cert_sent = false; | 428 ssl_info->client_cert_sent = false; |
| 427 ssl_info->channel_id_sent = false; | 429 ssl_info->channel_id_sent = crypto_stream_->WasChannelIDSent(); |
| 428 ssl_info->security_bits = security_bits; | 430 ssl_info->security_bits = security_bits; |
| 429 ssl_info->handshake_type = SSLInfo::HANDSHAKE_FULL; | 431 ssl_info->handshake_type = SSLInfo::HANDSHAKE_FULL; |
| 430 return true; | 432 return true; |
| 431 } | 433 } |
| 432 | 434 |
| 433 int QuicClientSession::CryptoConnect(bool require_confirmation, | 435 int QuicClientSession::CryptoConnect(bool require_confirmation, |
| 434 const CompletionCallback& callback) { | 436 const CompletionCallback& callback) { |
| 435 require_confirmation_ = require_confirmation; | 437 require_confirmation_ = require_confirmation; |
| 436 handshake_start_ = base::TimeTicks::Now(); | 438 handshake_start_ = base::TimeTicks::Now(); |
| 437 RecordHandshakeState(STATE_STARTED); | 439 RecordHandshakeState(STATE_STARTED); |
| 472 | 474 |
| 473 callback_ = callback; | 475 callback_ = callback; |
| 474 return ERR_IO_PENDING; | 476 return ERR_IO_PENDING; |
| 475 } | 477 } |
| 476 | 478 |
| 477 int QuicClientSession::GetNumSentClientHellos() const { | 479 int QuicClientSession::GetNumSentClientHellos() const { |
| 478 return crypto_stream_->num_sent_client_hellos(); | 480 return crypto_stream_->num_sent_client_hellos(); |
| 479 } | 481 } |
| 480 | 482 |
| 481 bool QuicClientSession::CanPool(const std::string& hostname) const { | 483 bool QuicClientSession::CanPool(const std::string& hostname) const { |
| 482 // TODO(rch): When QUIC supports channel ID or client certificates, this | |
| 483 // logic will need to be revised. | |
| 484 DCHECK(connection()->connected()); | 484 DCHECK(connection()->connected()); |
| 485 SSLInfo ssl_info; | 485 SSLInfo ssl_info; |
| 486 bool unused = false; | |
| 487 if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) { | 486 if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) { |
| 488 // We can always pool with insecure QUIC sessions. | 487 // We can always pool with insecure QUIC sessions. |
| 489 return true; | 488 return true; |
| 490 } | 489 } |
| 491 // Only pool secure QUIC sessions if the cert matches the new hostname. | 490 |
| 492 return ssl_info.cert->VerifyNameMatch(hostname, &unused); | 491 bool unused = false; |
| 492 // Pooling is prohibited for connections on which client certs were | |
| 493 // sent. It is also prohibited for when channel ID was sent if the | |
| 494 // hosts are from different eTLDs. And of course, it is prohibited | |
|
wtc
2014/07/02 00:47:48
I just realized one error: this should be "domains
Ryan Hamilton
2014/07/02 19:46:38
Actually eTLD+1 because it's ok to pool i1.foo.goo
| |
| 495 // if the server cert is not valid for the new domain. | |
|
wtc
2014/07/02 00:18:54
Nit: reorder the comments or the three tests so th
Ryan Hamilton
2014/07/02 19:46:38
Done in https://codereview.chromium.org/362323005.
| |
| 496 if (!ssl_info.cert->VerifyNameMatch(hostname, &unused)) | |
| 497 return false; | |
| 498 | |
| 499 if (ssl_info.client_cert_sent) | |
| 500 return false; | |
| 501 | |
| 502 if (ssl_info.channel_id_sent && | |
| 503 ServerBoundCertService::GetDomainForHost(hostname) != | |
| 504 ServerBoundCertService::GetDomainForHost(server_host_port_.host())) { | |
| 505 return false; | |
| 506 } | |
| 507 | |
| 508 return true; | |
| 493 } | 509 } |
| 494 | 510 |
| 495 QuicDataStream* QuicClientSession::CreateIncomingDataStream( | 511 QuicDataStream* QuicClientSession::CreateIncomingDataStream( |
| 496 QuicStreamId id) { | 512 QuicStreamId id) { |
| 497 DLOG(ERROR) << "Server push not supported"; | 513 DLOG(ERROR) << "Server push not supported"; |
| 498 return NULL; | 514 return NULL; |
| 499 } | 515 } |
| 500 | 516 |
| 501 void QuicClientSession::CloseStream(QuicStreamId stream_id) { | 517 void QuicClientSession::CloseStream(QuicStreamId stream_id) { |
| 502 ReliableQuicStream* stream = GetStream(stream_id); | 518 ReliableQuicStream* stream = GetStream(stream_id); |
| 718 while (!observers_.empty()) { | 734 while (!observers_.empty()) { |
| 719 Observer* observer = *observers_.begin(); | 735 Observer* observer = *observers_.begin(); |
| 720 observers_.erase(observer); | 736 observers_.erase(observer); |
| 721 observer->OnSessionClosed(net_error); | 737 observer->OnSessionClosed(net_error); |
| 722 } | 738 } |
| 723 } | 739 } |
| 724 | 740 |
| 725 base::Value* QuicClientSession::GetInfoAsValue( | 741 base::Value* QuicClientSession::GetInfoAsValue( |
| 726 const std::set<HostPortPair>& aliases) { | 742 const std::set<HostPortPair>& aliases) { |
| 727 base::DictionaryValue* dict = new base::DictionaryValue(); | 743 base::DictionaryValue* dict = new base::DictionaryValue(); |
| 728 // TODO(rch): remove "host_port_pair" when Chrome 34 is stable. | |
| 729 dict->SetString("host_port_pair", aliases.begin()->ToString()); | |
| 730 dict->SetString("version", QuicVersionToString(connection()->version())); | 744 dict->SetString("version", QuicVersionToString(connection()->version())); |
| 731 dict->SetInteger("open_streams", GetNumOpenStreams()); | 745 dict->SetInteger("open_streams", GetNumOpenStreams()); |
| 732 base::ListValue* stream_list = new base::ListValue(); | 746 base::ListValue* stream_list = new base::ListValue(); |
| 733 for (base::hash_map<QuicStreamId, QuicDataStream*>::const_iterator it | 747 for (base::hash_map<QuicStreamId, QuicDataStream*>::const_iterator it |
| 734 = streams()->begin(); | 748 = streams()->begin(); |
| 735 it != streams()->end(); | 749 it != streams()->end(); |
| 736 ++it) { | 750 ++it) { |
| 737 stream_list->Append(new base::StringValue( | 751 stream_list->Append(new base::StringValue( |
| 738 base::Uint64ToString(it->second->id()))); | 752 base::Uint64ToString(it->second->id()))); |
| 739 } | 753 } |
| 837 return; | 851 return; |
| 838 | 852 |
| 839 // TODO(rch): re-enable this code once beta is cut. | 853 // TODO(rch): re-enable this code once beta is cut. |
| 840 // if (stream_factory_) | 854 // if (stream_factory_) |
| 841 // stream_factory_->OnSessionConnectTimeout(this); | 855 // stream_factory_->OnSessionConnectTimeout(this); |
| 842 // CloseAllStreams(ERR_QUIC_HANDSHAKE_FAILED); | 856 // CloseAllStreams(ERR_QUIC_HANDSHAKE_FAILED); |
| 843 // DCHECK_EQ(0u, GetNumOpenStreams()); | 857 // DCHECK_EQ(0u, GetNumOpenStreams()); |
| 844 } | 858 } |
| 845 | 859 |
| 846 } // namespace net | 860 } // namespace net |
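Review bot: In CanPool, the early return at new lines 486-488 (`if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) return true;`) still answers "poolable" before the new `client_cert_sent` and `channel_id_sent` checks at new lines 499-506 are reached, so the two new restrictions only apply on the path where GetSSLInfo succeeds. Whether a session can have sent a channel ID or client cert while GetSSLInfo fails depends on GetSSLInfo's body (its start lies outside the hunk) and on when the crypto stream records WasChannelIDSent(), so I cannot confirm it from here; if that state is unreachable, the invariant deserves a comment next to the early return, e.g. `// Without a verified cert no channel ID or client cert can have been sent, so the checks below do not apply.` If it is reachable, the insecure early return should not bypass the new checks. Separately, the new `server_host_port_` member (initialised from `server_id.host_port_pair()` at new line 149) is declared in the header outside this view; its declaration should say it holds the origin this session was opened for and is used as the baseline for the channel-ID domain comparison in CanPool.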