Restrict QUIC session pool when channel ID is present.

net/quic/quic_client_session.cc

Index: net/quic/quic_client_session.cc
diff --git a/net/quic/quic_client_session.cc b/net/quic/quic_client_session.cc
index 24b6db2514f53a949be38ef2d912f8fd3b74312d..39c2e719e7baa4e449a9ac691f63f098ede464fa 100644
--- a/net/quic/quic_client_session.cc
+++ b/net/quic/quic_client_session.cc
@@ -20,6 +20,7 @@
 #include "net/quic/quic_default_packet_writer.h"
 #include "net/quic/quic_server_id.h"
 #include "net/quic/quic_stream_factory.h"
+#include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/ssl/ssl_info.h"
 #include "net/udp/datagram_client_socket.h"
@@ -145,6 +146,7 @@ QuicClientSession::QuicClientSession(
     NetLog* net_log)
     : QuicClientSessionBase(connection,
                             config),
+      server_host_port_(server_id.host_port_pair()),
       require_confirmation_(false),
       stream_factory_(stream_factory),
       socket_(socket.Pass()),
@@ -424,7 +426,7 @@ bool QuicClientSession::GetSSLInfo(SSLInfo* ssl_info) const {
 
   ssl_info->connection_status = ssl_connection_status;
   ssl_info->client_cert_sent = false;
-  ssl_info->channel_id_sent = false;
+  ssl_info->channel_id_sent = crypto_stream_->WasChannelIDSent();
   ssl_info->security_bits = security_bits;
   ssl_info->handshake_type = SSLInfo::HANDSHAKE_FULL;
   return true;
@@ -479,17 +481,31 @@ int QuicClientSession::GetNumSentClientHellos() const {
 }
 
 bool QuicClientSession::CanPool(const std::string& hostname) const {
-  // TODO(rch): When QUIC supports channel ID or client certificates, this
-  // logic will need to be revised.
   DCHECK(connection()->connected());
   SSLInfo ssl_info;
-  bool unused = false;
   if (!GetSSLInfo(&ssl_info) || !ssl_info.cert) {
     // We can always pool with insecure QUIC sessions.
     return true;
   }
-  // Only pool secure QUIC sessions if the cert matches the new hostname.
-  return ssl_info.cert->VerifyNameMatch(hostname, &unused);
+
+  bool unused = false;
+  // Pooling is prohibited for connections on which client certs were
+  // sent. It is also prohibited for when channel ID was sent if the
+  // hosts are from different eTLDs. And of course, it is prohibited

[wtc, 2014/07/02 00:47:48]

I just realized one error: this should be "domains" instead of "eTLDs". eTLDs
are "com", "co.uk", etc. But what you have in mind is "google.com",
"google.co.uk", etc.

[Ryan Hamilton, 2014/07/02 19:46:38]

Actually eTLD+1 because it's ok to pool i1.foo.google.com and i2.bar.google.com.
 Fixed in https://codereview.chromium.org/362323005.

+  // if the server cert is not valid for the new domain.

[wtc, 2014/07/02 00:18:54]

Nit: reorder the comments or the three tests so that they match. Right now the
last sentence in the comments describes the first test.

[Ryan Hamilton, 2014/07/02 19:46:38]

Done in https://codereview.chromium.org/362323005.

+  if (!ssl_info.cert->VerifyNameMatch(hostname, &unused))
+    return false;
+
+  if (ssl_info.client_cert_sent)
+    return false;
+
+  if (ssl_info.channel_id_sent &&
+      ServerBoundCertService::GetDomainForHost(hostname) !=
+      ServerBoundCertService::GetDomainForHost(server_host_port_.host())) {
+    return false;
+  }
+
+  return true;
 }
 
 QuicDataStream* QuicClientSession::CreateIncomingDataStream(
@@ -725,8 +741,6 @@ void QuicClientSession::CloseAllObservers(int net_error) {
 base::Value* QuicClientSession::GetInfoAsValue(
     const std::set<HostPortPair>& aliases) {
   base::DictionaryValue* dict = new base::DictionaryValue();
-  // TODO(rch): remove "host_port_pair" when Chrome 34 is stable.
-  dict->SetString("host_port_pair", aliases.begin()->ToString());
   dict->SetString("version", QuicVersionToString(connection()->version()));
   dict->SetInteger("open_streams", GetNumOpenStreams());
   base::ListValue* stream_list = new base::ListValue();