Restrict QUIC session pool when channel ID is present.

net/quic/quic_client_session.cc

Index: net/quic/quic_client_session.cc
diff --git a/net/quic/quic_client_session.cc b/net/quic/quic_client_session.cc
index 24b6db2514f53a949be38ef2d912f8fd3b74312d..0e2ec585c5280976529c6cc55e1071b80bb6efa1 100644
--- a/net/quic/quic_client_session.cc
+++ b/net/quic/quic_client_session.cc
@@ -20,6 +20,7 @@
 #include "net/quic/quic_default_packet_writer.h"
 #include "net/quic/quic_server_id.h"
 #include "net/quic/quic_stream_factory.h"
+#include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/udp/datagram_client_socket.h"
@@ -132,6 +133,7 @@ void QuicClientSession::StreamRequest::OnRequestCompleteFailure(int rv) {
 }
 
 QuicClientSession::QuicClientSession(
+    const HostPortPair& host_port_pair,
     QuicConnection* connection,
     scoped_ptr<DatagramClientSocket> socket,
     scoped_ptr<QuicDefaultPacketWriter> writer,
@@ -145,6 +147,7 @@ QuicClientSession::QuicClientSession(
     NetLog* net_log)
     : QuicClientSessionBase(connection,
                             config),
+      host_port_pair_(host_port_pair),
       require_confirmation_(false),
       stream_factory_(stream_factory),
       socket_(socket.Pass()),
@@ -479,17 +482,20 @@ int QuicClientSession::GetNumSentClientHellos() const {
 }
 
 bool QuicClientSession::CanPool(const std::string& hostname) const {
-  // TODO(rch): When QUIC supports channel ID or client certificates, this
-  // logic will need to be revised.
   DCHECK(connection()->connected());
   SSLInfo ssl_info;
-  bool unused = false;
   if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) {
     // We can always pool with insecure QUIC sessions.
     return true;
   }
-  // Only pool secure QUIC sessions if the cert matches the new hostname.
-  return ssl_info.cert->VerifyNameMatch(hostname, &unused);
+
+  bool unused = false;
+  return
+      !ssl_info.client_cert_sent &&
+      (!ssl_info.channel_id_sent ||
+       (ServerBoundCertService::GetDomainForHost(hostname) ==
+        ServerBoundCertService::GetDomainForHost(host_port_pair_.host()))) &&
+      ssl_info.cert->VerifyNameMatch(hostname, &unused);

[wtc, 2014/06/27 23:55:51]

Nit: a comment that summerizes this complicated conditional expression may be a
good idea.

[Ryan Hamilton, 2014/07/01 18:37:17]

Done.  Would you prefer a series of early returns:

if (!ssl_info.cert->VerifyNameMatch(hostname, &unused))
  return false;

if (ssl_info.client_cert_sent)
  return false;

if (ssl_info.channel_id_sent &&
    ServerBoundCertService::GetDomainForHost(hostname) !=
    ServerBoundCertService::GetDomainForHost(host_port_pair_.host()))
  return false;

return true;

[wtc, 2014/07/01 23:00:14]

Yes, I also wanted to suggest that :-) One reason it's hard to parse this code
is the complicated conditional expression.
You need to use curly braces, required by QUIC's local style.

[Ryan Hamilton, 2014/07/01 23:26:19]

Done.
That's only for shared code. Since this is chrome specific, we should adhere to
the network style, I think.

 }
 
 QuicDataStream* QuicClientSession::CreateIncomingDataStream(