Chromium Code Reviews Chromium Code Reviews
Issue 355293003:
Restrict QUIC session pool when channel ID is present. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/quic/quic_client_session.cc |
| diff --git a/net/quic/quic_client_session.cc b/net/quic/quic_client_session.cc |
| index 24b6db2514f53a949be38ef2d912f8fd3b74312d..3a608fe88b3e18a46a62b4e1087ebf36e066004d 100644 |
| --- a/net/quic/quic_client_session.cc |
| +++ b/net/quic/quic_client_session.cc |
| @@ -20,6 +20,7 @@ |
| #include "net/quic/quic_default_packet_writer.h" |
| #include "net/quic/quic_server_id.h" |
| #include "net/quic/quic_stream_factory.h" |
| +#include "net/ssl/channel_id_service.h" |
| #include "net/ssl/ssl_connection_status_flags.h" |
| #include "net/ssl/ssl_info.h" |
| #include "net/udp/datagram_client_socket.h" |
| @@ -132,6 +133,7 @@ void QuicClientSession::StreamRequest::OnRequestCompleteFailure(int rv) { |
| } |
| QuicClientSession::QuicClientSession( |
| + const HostPortPair& server_host_port, |
| QuicConnection* connection, |
| scoped_ptr<DatagramClientSocket> socket, |
| scoped_ptr<QuicDefaultPacketWriter> writer, |
| @@ -145,6 +147,7 @@ QuicClientSession::QuicClientSession( |
| NetLog* net_log) |
| : QuicClientSessionBase(connection, |
| config), |
| + server_host_port_(server_host_port), |
| require_confirmation_(false), |
| stream_factory_(stream_factory), |
| socket_(socket.Pass()), |
| @@ -424,7 +427,7 @@ bool QuicClientSession::GetSSLInfo(SSLInfo* ssl_info) const { |
| ssl_info->connection_status = ssl_connection_status; |
| ssl_info->client_cert_sent = false; |
| - ssl_info->channel_id_sent = false; |
| + ssl_info->channel_id_sent = crypto_stream_->WasChannelIDSent(); |
| ssl_info->security_bits = security_bits; |
| ssl_info->handshake_type = SSLInfo::HANDSHAKE_FULL; |
| return true; |
| @@ -479,17 +482,24 @@ int QuicClientSession::GetNumSentClientHellos() const { |
| } |
| bool QuicClientSession::CanPool(const std::string& hostname) const { |
| - // TODO(rch): When QUIC supports channel ID or client certificates, this |
| - // logic will need to be revised. |
| DCHECK(connection()->connected()); |
| SSLInfo ssl_info; |
| - bool unused = false; |
| if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) { |
| // We can always pool with insecure QUIC sessions. |
| return true; |
| } |
| - // Only pool secure QUIC sessions if the cert matches the new hostname. |
| - return ssl_info.cert->VerifyNameMatch(hostname, &unused); |
| + |
| + bool unused = false; |
| + // Pooling is prohibited for connections on which client certs were |
| + // sent. It is also prohibited for when channel ID was sent if the |
| + // hosts are from different ETLDs. And of course, it is prohibited |
|
wtc
2014/07/01 23:00:14
ETLDs => eTLDs
Ryan Hamilton
2014/07/01 23:26:19
Done.
|
| + // if the cert is not valid for the new domain. |
|
wtc
2014/07/01 23:00:14
cert => server cert
Ryan Hamilton
2014/07/01 23:26:19
Done.
|
| + return |
| + !ssl_info.client_cert_sent && |
| + (!ssl_info.channel_id_sent || |
| + (ChannelIDService::GetDomainForHost(hostname) == |
| + ChannelIDService::GetDomainForHost(server_host_port_.host()))) && |
| + ssl_info.cert->VerifyNameMatch(hostname, &unused); |
| } |
| QuicDataStream* QuicClientSession::CreateIncomingDataStream( |
| @@ -725,8 +735,6 @@ void QuicClientSession::CloseAllObservers(int net_error) { |
| base::Value* QuicClientSession::GetInfoAsValue( |
| const std::set<HostPortPair>& aliases) { |
| base::DictionaryValue* dict = new base::DictionaryValue(); |
| - // TODO(rch): remove "host_port_pair" when Chrome 34 is stable. |
| - dict->SetString("host_port_pair", aliases.begin()->ToString()); |
| dict->SetString("version", QuicVersionToString(connection()->version())); |
| dict->SetInteger("open_streams", GetNumOpenStreams()); |
| base::ListValue* stream_list = new base::ListValue(); |
