OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/spdy/spdy_session.h" | 5 #include "net/spdy/spdy_session.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <map> | 8 #include <map> |
9 | 9 |
10 #include "base/basictypes.h" | 10 #include "base/basictypes.h" |
(...skipping 11 matching lines...) Expand all Loading... |
22 #include "base/strings/stringprintf.h" | 22 #include "base/strings/stringprintf.h" |
23 #include "base/strings/utf_string_conversions.h" | 23 #include "base/strings/utf_string_conversions.h" |
24 #include "base/time/time.h" | 24 #include "base/time/time.h" |
25 #include "base/values.h" | 25 #include "base/values.h" |
26 #include "crypto/ec_private_key.h" | 26 #include "crypto/ec_private_key.h" |
27 #include "crypto/ec_signature_creator.h" | 27 #include "crypto/ec_signature_creator.h" |
28 #include "net/base/connection_type_histograms.h" | 28 #include "net/base/connection_type_histograms.h" |
29 #include "net/base/net_log.h" | 29 #include "net/base/net_log.h" |
30 #include "net/base/net_util.h" | 30 #include "net/base/net_util.h" |
31 #include "net/cert/asn1_util.h" | 31 #include "net/cert/asn1_util.h" |
| 32 #include "net/cert/cert_verify_result.h" |
32 #include "net/http/http_log_util.h" | 33 #include "net/http/http_log_util.h" |
33 #include "net/http/http_network_session.h" | 34 #include "net/http/http_network_session.h" |
34 #include "net/http/http_server_properties.h" | 35 #include "net/http/http_server_properties.h" |
35 #include "net/http/http_util.h" | 36 #include "net/http/http_util.h" |
| 37 #include "net/http/transport_security_state.h" |
36 #include "net/spdy/spdy_buffer_producer.h" | 38 #include "net/spdy/spdy_buffer_producer.h" |
37 #include "net/spdy/spdy_frame_builder.h" | 39 #include "net/spdy/spdy_frame_builder.h" |
38 #include "net/spdy/spdy_http_utils.h" | 40 #include "net/spdy/spdy_http_utils.h" |
39 #include "net/spdy/spdy_protocol.h" | 41 #include "net/spdy/spdy_protocol.h" |
40 #include "net/spdy/spdy_session_pool.h" | 42 #include "net/spdy/spdy_session_pool.h" |
41 #include "net/spdy/spdy_stream.h" | 43 #include "net/spdy/spdy_stream.h" |
42 #include "net/ssl/channel_id_service.h" | 44 #include "net/ssl/channel_id_service.h" |
43 #include "net/ssl/ssl_cipher_suite_names.h" | 45 #include "net/ssl/ssl_cipher_suite_names.h" |
44 #include "net/ssl/ssl_connection_status_flags.h" | 46 #include "net/ssl/ssl_connection_status_flags.h" |
45 | 47 |
(...skipping 476 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
522 SpdySession::PushedStreamInfo::PushedStreamInfo() : stream_id(0) {} | 524 SpdySession::PushedStreamInfo::PushedStreamInfo() : stream_id(0) {} |
523 | 525 |
524 SpdySession::PushedStreamInfo::PushedStreamInfo( | 526 SpdySession::PushedStreamInfo::PushedStreamInfo( |
525 SpdyStreamId stream_id, | 527 SpdyStreamId stream_id, |
526 base::TimeTicks creation_time) | 528 base::TimeTicks creation_time) |
527 : stream_id(stream_id), | 529 : stream_id(stream_id), |
528 creation_time(creation_time) {} | 530 creation_time(creation_time) {} |
529 | 531 |
530 SpdySession::PushedStreamInfo::~PushedStreamInfo() {} | 532 SpdySession::PushedStreamInfo::~PushedStreamInfo() {} |
531 | 533 |
| 534 // static |
| 535 bool SpdySession::CanPool(TransportSecurityState* transport_security_state, |
| 536 const SSLInfo& ssl_info, |
| 537 const std::string& old_hostname, |
| 538 const std::string& new_hostname) { |
| 539 // Pooling is prohibited if the server cert is not valid for the new domain, |
| 540 // and for connections on which client certs were sent. It is also prohibited |
| 541 // when channel ID was sent if the hosts are from different eTLDs+1. |
| 542 if (IsCertStatusError(ssl_info.cert_status)) |
| 543 return false; |
| 544 |
| 545 if (ssl_info.client_cert_sent) |
| 546 return false; |
| 547 |
| 548 if (ssl_info.channel_id_sent && |
| 549 ChannelIDService::GetDomainForHost(new_hostname) != |
| 550 ChannelIDService::GetDomainForHost(old_hostname)) { |
| 551 return false; |
| 552 } |
| 553 |
| 554 bool unused = false; |
| 555 if (!ssl_info.cert->VerifyNameMatch(new_hostname, &unused)) |
| 556 return false; |
| 557 |
| 558 std::string pinning_failure_log; |
| 559 if (!transport_security_state->CheckPublicKeyPins( |
| 560 new_hostname, |
| 561 true, /* sni_available */ |
| 562 ssl_info.is_issued_by_known_root, |
| 563 ssl_info.public_key_hashes, |
| 564 &pinning_failure_log)) { |
| 565 return false; |
| 566 } |
| 567 |
| 568 return true; |
| 569 } |
| 570 |
532 SpdySession::SpdySession( | 571 SpdySession::SpdySession( |
533 const SpdySessionKey& spdy_session_key, | 572 const SpdySessionKey& spdy_session_key, |
534 const base::WeakPtr<HttpServerProperties>& http_server_properties, | 573 const base::WeakPtr<HttpServerProperties>& http_server_properties, |
| 574 TransportSecurityState* transport_security_state, |
535 bool verify_domain_authentication, | 575 bool verify_domain_authentication, |
536 bool enable_sending_initial_data, | 576 bool enable_sending_initial_data, |
537 bool enable_compression, | 577 bool enable_compression, |
538 bool enable_ping_based_connection_checking, | 578 bool enable_ping_based_connection_checking, |
539 NextProto default_protocol, | 579 NextProto default_protocol, |
540 size_t stream_initial_recv_window_size, | 580 size_t stream_initial_recv_window_size, |
541 size_t initial_max_concurrent_streams, | 581 size_t initial_max_concurrent_streams, |
542 size_t max_concurrent_streams_limit, | 582 size_t max_concurrent_streams_limit, |
543 TimeFunc time_func, | 583 TimeFunc time_func, |
544 const HostPortPair& trusted_spdy_proxy, | 584 const HostPortPair& trusted_spdy_proxy, |
545 NetLog* net_log) | 585 NetLog* net_log) |
546 : in_io_loop_(false), | 586 : in_io_loop_(false), |
547 spdy_session_key_(spdy_session_key), | 587 spdy_session_key_(spdy_session_key), |
548 pool_(NULL), | 588 pool_(NULL), |
549 http_server_properties_(http_server_properties), | 589 http_server_properties_(http_server_properties), |
| 590 transport_security_state_(transport_security_state), |
550 read_buffer_(new IOBuffer(kReadBufferSize)), | 591 read_buffer_(new IOBuffer(kReadBufferSize)), |
551 stream_hi_water_mark_(kFirstStreamId), | 592 stream_hi_water_mark_(kFirstStreamId), |
552 num_pushed_streams_(0u), | 593 num_pushed_streams_(0u), |
553 num_active_pushed_streams_(0u), | 594 num_active_pushed_streams_(0u), |
554 in_flight_write_frame_type_(DATA), | 595 in_flight_write_frame_type_(DATA), |
555 in_flight_write_frame_size_(0), | 596 in_flight_write_frame_size_(0), |
556 is_secure_(false), | 597 is_secure_(false), |
557 certificate_error_code_(OK), | 598 certificate_error_code_(OK), |
558 availability_state_(STATE_AVAILABLE), | 599 availability_state_(STATE_AVAILABLE), |
559 read_state_(READ_STATE_DO_READ), | 600 read_state_(READ_STATE_DO_READ), |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
707 | 748 |
708 if (availability_state_ == STATE_DRAINING) | 749 if (availability_state_ == STATE_DRAINING) |
709 return false; | 750 return false; |
710 | 751 |
711 SSLInfo ssl_info; | 752 SSLInfo ssl_info; |
712 bool was_npn_negotiated; | 753 bool was_npn_negotiated; |
713 NextProto protocol_negotiated = kProtoUnknown; | 754 NextProto protocol_negotiated = kProtoUnknown; |
714 if (!GetSSLInfo(&ssl_info, &was_npn_negotiated, &protocol_negotiated)) | 755 if (!GetSSLInfo(&ssl_info, &was_npn_negotiated, &protocol_negotiated)) |
715 return true; // This is not a secure session, so all domains are okay. | 756 return true; // This is not a secure session, so all domains are okay. |
716 | 757 |
717 // Disable pooling for secure sessions. | 758 return CanPool(transport_security_state_, ssl_info, |
718 // TODO(rch): re-enable this. | 759 host_port_pair().host(), domain); |
719 return false; | |
720 #if 0 | |
721 bool unused = false; | |
722 return | |
723 !ssl_info.client_cert_sent && | |
724 (!ssl_info.channel_id_sent || | |
725 (ChannelIDService::GetDomainForHost(domain) == | |
726 ChannelIDService::GetDomainForHost(host_port_pair().host()))) && | |
727 ssl_info.cert->VerifyNameMatch(domain, &unused); | |
728 #endif | |
729 } | 760 } |
730 | 761 |
731 int SpdySession::GetPushStream( | 762 int SpdySession::GetPushStream( |
732 const GURL& url, | 763 const GURL& url, |
733 base::WeakPtr<SpdyStream>* stream, | 764 base::WeakPtr<SpdyStream>* stream, |
734 const BoundNetLog& stream_net_log) { | 765 const BoundNetLog& stream_net_log) { |
735 CHECK(!in_io_loop_); | 766 CHECK(!in_io_loop_); |
736 | 767 |
737 stream->reset(); | 768 stream->reset(); |
738 | 769 |
(...skipping 2425 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3164 if (!queue->empty()) { | 3195 if (!queue->empty()) { |
3165 SpdyStreamId stream_id = queue->front(); | 3196 SpdyStreamId stream_id = queue->front(); |
3166 queue->pop_front(); | 3197 queue->pop_front(); |
3167 return stream_id; | 3198 return stream_id; |
3168 } | 3199 } |
3169 } | 3200 } |
3170 return 0; | 3201 return 0; |
3171 } | 3202 } |
3172 | 3203 |
3173 } // namespace net | 3204 } // namespace net |
OLD | NEW |