diff options
author | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-13 06:48:11 +0000 |
---|---|---|
committer | palmer@chromium.org <palmer@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-06-13 06:48:11 +0000 |
commit | b1c988bcd7869765e1bd56e592787af123340516 (patch) | |
tree | 3aafa3d0ddd90d90e059c0a38dd2d7a465fc81c1 | |
parent | 9dcdbbef52460de45070d815eb1ad735d120ae07 (diff) | |
download | chromium_src-b1c988bcd7869765e1bd56e592787af123340516.zip chromium_src-b1c988bcd7869765e1bd56e592787af123340516.tar.gz chromium_src-b1c988bcd7869765e1bd56e592787af123340516.tar.bz2 |
Give more request types a TransportSecurityState.
DCHECK on NULL TransportSecurityState, as a precursor to a real CHECK. It
should be an error to try to connect with an SSL client socket without
having a live TSS.
BUG=246724
Review URL: https://chromiumcodereview.appspot.com/16501002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@206013 0039d316-1c4b-4281-b951-d872f2087c98
33 files changed, 122 insertions, 7 deletions
diff --git a/chrome/browser/chromeos/web_socket_proxy.cc b/chrome/browser/chromeos/web_socket_proxy.cc index 3c4d56b8..743da0a 100644 --- a/chrome/browser/chromeos/web_socket_proxy.cc +++ b/chrome/browser/chromeos/web_socket_proxy.cc @@ -54,6 +54,7 @@ #include "net/base/io_buffer.h" #include "net/base/net_errors.h" #include "net/cert/cert_verifier.h" +#include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/client_socket_handle.h" #include "net/socket/ssl_client_socket.h" @@ -617,6 +618,9 @@ class SSLChan : public base::MessageLoopForIO::Watcher { if (!cert_verifier_.get()) cert_verifier_.reset(net::CertVerifier::CreateDefault()); ssl_context.cert_verifier = cert_verifier_.get(); + if (!transport_security_state_.get()) + transport_security_state_.reset(new net::TransportSecurityState); + ssl_context.transport_security_state = transport_security_state_.get(); socket_.reset(factory->CreateSSLClientSocket( handle, host_port_pair_, ssl_config_, ssl_context)); if (!socket_.get()) { @@ -781,6 +785,7 @@ class SSLChan : public base::MessageLoopForIO::Watcher { scoped_ptr<net::StreamSocket> socket_; net::HostPortPair host_port_pair_; scoped_ptr<net::CertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; net::SSLConfig ssl_config_; IOBufferQueue inbound_stream_; IOBufferQueue outbound_stream_; diff --git a/chrome/browser/net/connection_tester.cc b/chrome/browser/net/connection_tester.cc index 6725699..43755d0 100644 --- a/chrome/browser/net/connection_tester.cc +++ b/chrome/browser/net/connection_tester.cc @@ -25,6 +25,7 @@ #include "net/http/http_cache.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/proxy/dhcp_proxy_script_fetcher_factory.h" #include "net/proxy/proxy_config_service_fixed.h" #include "net/proxy/proxy_script_fetcher_impl.h" @@ -108,6 +109,7 @@ class ExperimentURLRequestContext : public net::URLRequestContext { // The rest of the dependencies are standard, and don't depend on the // experiment being run. storage_.set_cert_verifier(net::CertVerifier::CreateDefault()); + storage_.set_transport_security_state(new net::TransportSecurityState); storage_.set_ssl_config_service(new net::SSLConfigServiceDefaults); storage_.set_http_auth_handler_factory( net::HttpAuthHandlerFactory::CreateDefault(host_resolver())); @@ -116,6 +118,7 @@ class ExperimentURLRequestContext : public net::URLRequestContext { net::HttpNetworkSession::Params session_params; session_params.host_resolver = host_resolver(); session_params.cert_verifier = cert_verifier(); + session_params.transport_security_state = transport_security_state(); session_params.proxy_service = proxy_service(); session_params.ssl_config_service = ssl_config_service(); session_params.http_auth_handler_factory = http_auth_handler_factory(); diff --git a/chrome/browser/net/connection_tester_unittest.cc b/chrome/browser/net/connection_tester_unittest.cc index ac4fa23..5d87aa1 100644 --- a/chrome/browser/net/connection_tester_unittest.cc +++ b/chrome/browser/net/connection_tester_unittest.cc @@ -14,6 +14,7 @@ #include "net/http/http_network_layer.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_config_service_fixed.h" #include "net/proxy/proxy_service.h" #include "net/ssl/ssl_config_service_defaults.h" @@ -109,6 +110,7 @@ class ConnectionTesterTest : public PlatformTest { ConnectionTesterDelegate test_delegate_; net::MockHostResolver host_resolver_; scoped_ptr<net::CertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; scoped_ptr<net::ProxyService> proxy_service_; scoped_refptr<net::SSLConfigService> ssl_config_service_; scoped_ptr<net::HttpTransactionFactory> http_transaction_factory_; @@ -120,7 +122,10 @@ class ConnectionTesterTest : public PlatformTest { void InitializeRequestContext() { proxy_script_fetcher_context_->set_host_resolver(&host_resolver_); cert_verifier_.reset(new net::MockCertVerifier); + transport_security_state_.reset(new net::TransportSecurityState); proxy_script_fetcher_context_->set_cert_verifier(cert_verifier_.get()); + proxy_script_fetcher_context_->set_transport_security_state( + transport_security_state_.get()); proxy_script_fetcher_context_->set_http_auth_handler_factory( &http_auth_handler_factory_); proxy_service_.reset(net::ProxyService::CreateDirect()); @@ -129,6 +134,7 @@ class ConnectionTesterTest : public PlatformTest { net::HttpNetworkSession::Params session_params; session_params.host_resolver = &host_resolver_; session_params.cert_verifier = cert_verifier_.get(); + session_params.transport_security_state = transport_security_state_.get(); session_params.http_auth_handler_factory = &http_auth_handler_factory_; session_params.ssl_config_service = ssl_config_service_.get(); session_params.proxy_service = proxy_service_.get(); diff --git a/chrome/service/net/service_url_request_context.cc b/chrome/service/net/service_url_request_context.cc index 6484a56..a316dac 100644 --- a/chrome/service/net/service_url_request_context.cc +++ b/chrome/service/net/service_url_request_context.cc @@ -123,6 +123,7 @@ ServiceURLRequestContext::ServiceURLRequestContext( net::HttpNetworkSession::Params session_params; session_params.host_resolver = host_resolver(); session_params.cert_verifier = cert_verifier(); + session_params.transport_security_state = transport_security_state(); session_params.proxy_service = proxy_service(); session_params.ssl_config_service = ssl_config_service(); session_params.http_auth_handler_factory = http_auth_handler_factory(); diff --git a/content/browser/renderer_host/pepper/pepper_message_filter.cc b/content/browser/renderer_host/pepper/pepper_message_filter.cc index 328c4ec..d423a89 100644 --- a/content/browser/renderer_host/pepper/pepper_message_filter.cc +++ b/content/browser/renderer_host/pepper/pepper_message_filter.cc @@ -159,6 +159,13 @@ net::CertVerifier* PepperMessageFilter::GetCertVerifier() { return cert_verifier_.get(); } +net::TransportSecurityState* PepperMessageFilter::GetTransportSecurityState() { + if (!transport_security_state_) + transport_security_state_.reset(new net::TransportSecurityState); + + return transport_security_state_.get(); +} + uint32 PepperMessageFilter::AddAcceptedTCPSocket( int32 routing_id, uint32 plugin_dispatcher_id, diff --git a/content/browser/renderer_host/pepper/pepper_message_filter.h b/content/browser/renderer_host/pepper/pepper_message_filter.h index cb8f0e0..a745768 100644 --- a/content/browser/renderer_host/pepper/pepper_message_filter.h +++ b/content/browser/renderer_host/pepper/pepper_message_filter.h @@ -20,6 +20,7 @@ #include "content/public/common/process_type.h" #include "net/base/net_util.h" #include "net/base/network_change_notifier.h" +#include "net/http/transport_security_state.h" #include "net/socket/stream_socket.h" #include "net/ssl/ssl_config_service.h" #include "ppapi/c/pp_resource.h" @@ -88,6 +89,7 @@ class PepperMessageFilter net::HostResolver* GetHostResolver(); net::CertVerifier* GetCertVerifier(); + net::TransportSecurityState* GetTransportSecurityState(); // Adds already accepted socket to the internal TCP sockets table. Takes // ownership over |socket|. In the case of failure (full socket table) @@ -217,6 +219,9 @@ class PepperMessageFilter net::SSLConfig ssl_config_; // This is lazily created. Users should use GetCertVerifier to retrieve it. scoped_ptr<net::CertVerifier> cert_verifier_; + // This is lazily created. Users should use GetTransportSecurityState to + // retrieve it. + scoped_ptr<net::TransportSecurityState> transport_security_state_; uint32 next_socket_id_; diff --git a/content/browser/renderer_host/pepper/pepper_tcp_socket.cc b/content/browser/renderer_host/pepper/pepper_tcp_socket.cc index 5a7153c..1f58e08 100644 --- a/content/browser/renderer_host/pepper/pepper_tcp_socket.cc +++ b/content/browser/renderer_host/pepper/pepper_tcp_socket.cc @@ -138,6 +138,7 @@ void PepperTCPSocket::SSLHandshake( net::HostPortPair host_port_pair(server_name, server_port); net::SSLClientSocketContext ssl_context; ssl_context.cert_verifier = manager_->GetCertVerifier(); + ssl_context.transport_security_state = manager_->GetTransportSecurityState(); socket_.reset(factory->CreateSSLClientSocket( handle, host_port_pair, manager_->ssl_config(), ssl_context)); if (!socket_) { diff --git a/content/shell/shell_url_request_context_getter.cc b/content/shell/shell_url_request_context_getter.cc index eabc762..7e2719d 100644 --- a/content/shell/shell_url_request_context_getter.cc +++ b/content/shell/shell_url_request_context_getter.cc @@ -24,6 +24,7 @@ #include "net/http/http_cache.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_service.h" #include "net/ssl/default_server_bound_cert_store.h" #include "net/ssl/server_bound_cert_service.h" @@ -107,6 +108,7 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { net::HostResolver::CreateDefaultResolver(NULL)); storage_->set_cert_verifier(net::CertVerifier::CreateDefault()); + storage_->set_transport_security_state(new net::TransportSecurityState); if (command_line.HasSwitch(switches::kDumpRenderTree)) { storage_->set_proxy_service(net::ProxyService::CreateDirect()); } else { @@ -135,6 +137,8 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() { net::HttpNetworkSession::Params network_session_params; network_session_params.cert_verifier = url_request_context_->cert_verifier(); + network_session_params.transport_security_state = + url_request_context_->transport_security_state(); network_session_params.server_bound_cert_service = url_request_context_->server_bound_cert_service(); network_session_params.proxy_service = diff --git a/jingle/glue/chrome_async_socket_unittest.cc b/jingle/glue/chrome_async_socket_unittest.cc index a6f1487..d493578 100644 --- a/jingle/glue/chrome_async_socket_unittest.cc +++ b/jingle/glue/chrome_async_socket_unittest.cc @@ -16,6 +16,7 @@ #include "net/base/net_errors.h" #include "net/base/net_util.h" #include "net/cert/mock_cert_verifier.h" +#include "net/http/transport_security_state.h" #include "net/socket/socket_test_util.h" #include "net/socket/ssl_client_socket.h" #include "net/ssl/ssl_config_service.h" @@ -107,7 +108,8 @@ class MockXmppClientSocketFactory : public ResolvingClientSocketFactory { const net::AddressList& address_list) : mock_client_socket_factory_(mock_client_socket_factory), address_list_(address_list), - cert_verifier_(new net::MockCertVerifier) { + cert_verifier_(new net::MockCertVerifier), + transport_security_state_(new net::TransportSecurityState) { } // ResolvingClientSocketFactory implementation. @@ -122,6 +124,7 @@ class MockXmppClientSocketFactory : public ResolvingClientSocketFactory { const net::HostPortPair& host_and_port) OVERRIDE { net::SSLClientSocketContext context; context.cert_verifier = cert_verifier_.get(); + context.transport_security_state = transport_security_state_.get(); return mock_client_socket_factory_->CreateSSLClientSocket( transport_socket, host_and_port, ssl_config_, context); } @@ -131,6 +134,7 @@ class MockXmppClientSocketFactory : public ResolvingClientSocketFactory { net::AddressList address_list_; net::SSLConfig ssl_config_; scoped_ptr<net::CertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; }; class ChromeAsyncSocketTest diff --git a/jingle/glue/proxy_resolving_client_socket.cc b/jingle/glue/proxy_resolving_client_socket.cc index 23ad12d..d63411b 100644 --- a/jingle/glue/proxy_resolving_client_socket.cc +++ b/jingle/glue/proxy_resolving_client_socket.cc @@ -54,10 +54,10 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket( session_params.client_socket_factory = socket_factory; session_params.host_resolver = request_context->host_resolver(); session_params.cert_verifier = request_context->cert_verifier(); + session_params.transport_security_state = + request_context->transport_security_state(); // TODO(rkn): This is NULL because ServerBoundCertService is not thread safe. session_params.server_bound_cert_service = NULL; - // transport_security_state is NULL because it's not thread safe. - session_params.transport_security_state = NULL; session_params.proxy_service = request_context->proxy_service(); session_params.ssl_config_service = request_context->ssl_config_service(); session_params.http_auth_handler_factory = diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc index 36598b0..16815c7 100644 --- a/net/http/http_network_layer_unittest.cc +++ b/net/http/http_network_layer_unittest.cc @@ -11,6 +11,7 @@ #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" #include "net/http/http_transaction_unittest.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_service.h" #include "net/socket/socket_test_util.h" #include "net/spdy/spdy_session_pool.h" @@ -32,11 +33,13 @@ class HttpNetworkLayerTest : public PlatformTest { void ConfigureTestDependencies(ProxyService* proxy_service) { cert_verifier_.reset(new MockCertVerifier); + transport_security_state_.reset(new TransportSecurityState); proxy_service_.reset(proxy_service); HttpNetworkSession::Params session_params; session_params.client_socket_factory = &mock_socket_factory_; session_params.host_resolver = &host_resolver_; session_params.cert_verifier = cert_verifier_.get(); + session_params.transport_security_state = transport_security_state_.get(); session_params.proxy_service = proxy_service_.get(); session_params.ssl_config_service = ssl_config_service_.get(); session_params.http_server_properties = &http_server_properties_; @@ -47,6 +50,7 @@ class HttpNetworkLayerTest : public PlatformTest { MockClientSocketFactory mock_socket_factory_; MockHostResolver host_resolver_; scoped_ptr<CertVerifier> cert_verifier_; + scoped_ptr<TransportSecurityState> transport_security_state_; scoped_ptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; scoped_refptr<HttpNetworkSession> network_session_; diff --git a/net/http/http_network_transaction_spdy2_unittest.cc b/net/http/http_network_transaction_spdy2_unittest.cc index 6e03d84..e2976f1 100644 --- a/net/http/http_network_transaction_spdy2_unittest.cc +++ b/net/http/http_network_transaction_spdy2_unittest.cc @@ -8843,6 +8843,8 @@ TEST_F(HttpNetworkTransactionSpdy2Test, scoped_ptr<ClientSocketHandle> ssl_connection(new ClientSocketHandle); SSLClientSocketContext context; context.cert_verifier = session_deps_.cert_verifier.get(); + context.transport_security_state = + session_deps_.transport_security_state.get(); ssl_connection->set_socket( session_deps_.socket_factory->CreateSSLClientSocket( connection.release(), diff --git a/net/http/http_network_transaction_spdy3_unittest.cc b/net/http/http_network_transaction_spdy3_unittest.cc index ee98333..c4055c9 100644 --- a/net/http/http_network_transaction_spdy3_unittest.cc +++ b/net/http/http_network_transaction_spdy3_unittest.cc @@ -8826,6 +8826,8 @@ TEST_F(HttpNetworkTransactionSpdy3Test, scoped_ptr<ClientSocketHandle> ssl_connection(new ClientSocketHandle); SSLClientSocketContext context; context.cert_verifier = session_deps_.cert_verifier.get(); + context.transport_security_state = + session_deps_.transport_security_state.get(); ssl_connection->set_socket( session_deps_.socket_factory->CreateSSLClientSocket( connection.release(), diff --git a/net/http/http_stream_factory_impl_unittest.cc b/net/http/http_stream_factory_impl_unittest.cc index 6f4e6ea..0200b8f 100644 --- a/net/http/http_stream_factory_impl_unittest.cc +++ b/net/http/http_stream_factory_impl_unittest.cc @@ -18,6 +18,7 @@ #include "net/http/http_request_info.h" #include "net/http/http_server_properties_impl.h" #include "net/http/http_stream.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_info.h" #include "net/proxy/proxy_service.h" #include "net/socket/mock_client_socket_pool_manager.h" @@ -131,6 +132,7 @@ struct SessionDependencies { explicit SessionDependencies(ProxyService* proxy_service) : host_resolver(new MockHostResolver), cert_verifier(new MockCertVerifier), + transport_security_state(new TransportSecurityState), proxy_service(proxy_service), ssl_config_service(new SSLConfigServiceDefaults), http_auth_handler_factory( @@ -139,6 +141,7 @@ struct SessionDependencies { scoped_ptr<MockHostResolverBase> host_resolver; scoped_ptr<CertVerifier> cert_verifier; + scoped_ptr<TransportSecurityState> transport_security_state; scoped_ptr<ProxyService> proxy_service; scoped_refptr<SSLConfigService> ssl_config_service; MockClientSocketFactory socket_factory; @@ -151,6 +154,8 @@ HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { HttpNetworkSession::Params params; params.host_resolver = session_deps->host_resolver.get(); params.cert_verifier = session_deps->cert_verifier.get(); + params.transport_security_state = + session_deps->transport_security_state.get(); params.proxy_service = session_deps->proxy_service.get(); params.ssl_config_service = session_deps->ssl_config_service.get(); params.client_socket_factory = &session_deps->socket_factory; diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc index 06d08b51..f7ed7e8 100644 --- a/net/http/transport_security_state.cc +++ b/net/http/transport_security_state.cc @@ -85,6 +85,7 @@ bool AddHash(const char* sha1_hash, TransportSecurityState::TransportSecurityState() : delegate_(NULL) { + DCHECK(CalledOnValidThread()); } TransportSecurityState::Iterator::Iterator(const TransportSecurityState& state) @@ -96,6 +97,7 @@ TransportSecurityState::Iterator::~Iterator() {} void TransportSecurityState::SetDelegate( TransportSecurityState::Delegate* delegate) { + DCHECK(CalledOnValidThread()); delegate_ = delegate; } @@ -198,6 +200,7 @@ bool TransportSecurityState::GetDomainState(const std::string& host, } void TransportSecurityState::ClearDynamicData() { + DCHECK(CalledOnValidThread()); enabled_hosts_.clear(); } @@ -220,7 +223,9 @@ void TransportSecurityState::DeleteAllDynamicDataSince(const base::Time& time) { DirtyNotify(); } -TransportSecurityState::~TransportSecurityState() {} +TransportSecurityState::~TransportSecurityState() { + DCHECK(CalledOnValidThread()); +} void TransportSecurityState::DirtyNotify() { DCHECK(CalledOnValidThread()); @@ -615,6 +620,8 @@ static const struct HSTSPreload* GetHSTSPreload( bool TransportSecurityState::AddHSTSHeader(const std::string& host, const std::string& value) { + DCHECK(CalledOnValidThread()); + base::Time now = base::Time::Now(); base::TimeDelta max_age; TransportSecurityState::DomainState domain_state; @@ -635,6 +642,8 @@ bool TransportSecurityState::AddHSTSHeader(const std::string& host, bool TransportSecurityState::AddHPKPHeader(const std::string& host, const std::string& value, const SSLInfo& ssl_info) { + DCHECK(CalledOnValidThread()); + base::Time now = base::Time::Now(); base::TimeDelta max_age; TransportSecurityState::DomainState domain_state; @@ -653,6 +662,8 @@ bool TransportSecurityState::AddHPKPHeader(const std::string& host, bool TransportSecurityState::AddHSTS(const std::string& host, const base::Time& expiry, bool include_subdomains) { + DCHECK(CalledOnValidThread()); + // Copy-and-modify the existing DomainState for this host (if any). TransportSecurityState::DomainState domain_state; const std::string canonicalized_host = CanonicalizeHost(host); @@ -674,6 +685,8 @@ bool TransportSecurityState::AddHPKP(const std::string& host, const base::Time& expiry, bool include_subdomains, const HashValueVector& hashes) { + DCHECK(CalledOnValidThread()); + // Copy-and-modify the existing DomainState for this host (if any). TransportSecurityState::DomainState domain_state; const std::string canonicalized_host = CanonicalizeHost(host); @@ -778,6 +791,7 @@ bool TransportSecurityState::GetStaticDomainState( void TransportSecurityState::AddOrUpdateEnabledHosts( const std::string& hashed_host, const DomainState& state) { + DCHECK(CalledOnValidThread()); enabled_hosts_[hashed_host] = state; } diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc index b4f1f7a..1c89b3c 100644 --- a/net/proxy/proxy_script_fetcher_impl_unittest.cc +++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc @@ -19,6 +19,7 @@ #include "net/http/http_cache.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/ssl/ssl_config_service_defaults.h" #include "net/test/spawned_test_server/spawned_test_server.h" #include "net/url_request/file_protocol_handler.h" @@ -52,6 +53,7 @@ class RequestContext : public URLRequestContext { ProxyConfig no_proxy; storage_.set_host_resolver(scoped_ptr<HostResolver>(new MockHostResolver)); storage_.set_cert_verifier(new MockCertVerifier); + storage_.set_transport_security_state(new TransportSecurityState); storage_.set_proxy_service(ProxyService::CreateFixed(no_proxy)); storage_.set_ssl_config_service(new SSLConfigServiceDefaults); storage_.set_http_server_properties(new HttpServerPropertiesImpl); @@ -59,6 +61,7 @@ class RequestContext : public URLRequestContext { HttpNetworkSession::Params params; params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); + params.transport_security_state = transport_security_state(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); params.http_server_properties = http_server_properties(); diff --git a/net/quic/quic_network_transaction_unittest.cc b/net/quic/quic_network_transaction_unittest.cc index 72fa6ce..d93032c 100644 --- a/net/quic/quic_network_transaction_unittest.cc +++ b/net/quic/quic_network_transaction_unittest.cc @@ -18,6 +18,7 @@ #include "net/http/http_stream.h" #include "net/http/http_stream_factory.h" #include "net/http/http_transaction_unittest.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_config_service_fixed.h" #include "net/proxy/proxy_resolver.h" #include "net/proxy/proxy_service.h" @@ -225,6 +226,7 @@ class QuicNetworkTransactionTest : public PlatformTest { params_.quic_crypto_client_stream_factory = &crypto_client_stream_factory_; params_.host_resolver = &host_resolver_; params_.cert_verifier = &cert_verifier_; + params_.transport_security_state = &transport_security_state_; params_.proxy_service = proxy_service_.get(); params_.ssl_config_service = ssl_config_service_.get(); params_.http_auth_handler_factory = auth_handler_factory_.get(); @@ -315,6 +317,7 @@ class QuicNetworkTransactionTest : public PlatformTest { MockClock* clock_; // Owned by QuicStreamFactory after CreateSession. MockHostResolver host_resolver_; MockCertVerifier cert_verifier_; + TransportSecurityState transport_security_state_; scoped_refptr<SSLConfigServiceDefaults> ssl_config_service_; scoped_ptr<ProxyService> proxy_service_; scoped_ptr<QuicSpdyCompressor> compressor_; diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index c37d690..54758e2 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -2935,6 +2935,9 @@ SSLClientSocketNSS::GetNextProto(std::string* proto, int SSLClientSocketNSS::Connect(const CompletionCallback& callback) { EnterFunction(""); DCHECK(transport_.get()); + // It is an error to create an SSLClientSocket whose context has no + // TransportSecurityState. + DCHECK(transport_security_state_); DCHECK_EQ(STATE_NONE, next_handshake_state_); DCHECK(user_connect_callback_.is_null()); DCHECK(!callback.is_null()); diff --git a/net/socket/ssl_client_socket_openssl_unittest.cc b/net/socket/ssl_client_socket_openssl_unittest.cc index 80f7a8f..7a37cdc 100644 --- a/net/socket/ssl_client_socket_openssl_unittest.cc +++ b/net/socket/ssl_client_socket_openssl_unittest.cc @@ -29,6 +29,7 @@ #include "net/cert/mock_cert_verifier.h" #include "net/cert/test_root_certs.h" #include "net/dns/host_resolver.h" +#include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/client_socket_handle.h" #include "net/socket/socket_test_util.h" @@ -93,9 +94,11 @@ class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { public: SSLClientSocketOpenSSLClientAuthTest() : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()), - cert_verifier_(new net::MockCertVerifier) { + cert_verifier_(new net::MockCertVerifier), + transport_security_state_(new net::TransportSecurityState) { cert_verifier_->set_default_result(net::OK); context_.cert_verifier = cert_verifier_.get(); + context_.transport_security_state = transport_security_state_.get(); key_store_ = net::OpenSSLClientKeyStore::GetInstance(); } @@ -185,6 +188,7 @@ class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest { ClientSocketFactory* socket_factory_; scoped_ptr<MockCertVerifier> cert_verifier_; + scoped_ptr<TransportSecurityState> transport_security_state_; SSLClientSocketContext context_; OpenSSLClientKeyStore* key_store_; scoped_ptr<SpawnedTestServer> test_server_; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index 1801d3c..db37ebd 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -181,6 +181,7 @@ class SSLClientSocketPoolTest : public testing::Test { HttpNetworkSession::Params params; params.host_resolver = &host_resolver_; params.cert_verifier = cert_verifier_.get(); + params.transport_security_state = transport_security_state_.get(); params.proxy_service = proxy_service_.get(); params.client_socket_factory = &socket_factory_; params.ssl_config_service = ssl_config_service_.get(); @@ -195,6 +196,7 @@ class SSLClientSocketPoolTest : public testing::Test { MockClientSocketFactory socket_factory_; MockCachingHostResolver host_resolver_; scoped_ptr<CertVerifier> cert_verifier_; + scoped_ptr<TransportSecurityState> transport_security_state_; const scoped_ptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; const scoped_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_; diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc index 1f1ab72..7042113 100644 --- a/net/socket/ssl_client_socket_unittest.cc +++ b/net/socket/ssl_client_socket_unittest.cc @@ -16,6 +16,7 @@ #include "net/cert/mock_cert_verifier.h" #include "net/cert/test_root_certs.h" #include "net/dns/host_resolver.h" +#include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/client_socket_handle.h" #include "net/socket/socket_test_util.h" @@ -505,9 +506,11 @@ class SSLClientSocketTest : public PlatformTest { public: SSLClientSocketTest() : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()), - cert_verifier_(new net::MockCertVerifier) { + cert_verifier_(new net::MockCertVerifier), + transport_security_state_(new net::TransportSecurityState) { cert_verifier_->set_default_result(net::OK); context_.cert_verifier = cert_verifier_.get(); + context_.transport_security_state = transport_security_state_.get(); } protected: @@ -523,6 +526,7 @@ class SSLClientSocketTest : public PlatformTest { net::ClientSocketFactory* socket_factory_; scoped_ptr<net::MockCertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; net::SSLClientSocketContext context_; }; diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc index da388b9..959d6b3 100644 --- a/net/socket/ssl_server_socket_unittest.cc +++ b/net/socket/ssl_server_socket_unittest.cc @@ -37,6 +37,7 @@ #include "net/cert/cert_status_flags.h" #include "net/cert/mock_cert_verifier.h" #include "net/cert/x509_certificate.h" +#include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/socket_test_util.h" #include "net/socket/ssl_client_socket.h" @@ -296,7 +297,8 @@ class SSLServerSocketTest : public PlatformTest { public: SSLServerSocketTest() : socket_factory_(net::ClientSocketFactory::GetDefaultFactory()), - cert_verifier_(new MockCertVerifier()) { + cert_verifier_(new MockCertVerifier()), + transport_security_state_(new TransportSecurityState) { cert_verifier_->set_default_result(net::CERT_STATUS_AUTHORITY_INVALID); } @@ -341,6 +343,7 @@ class SSLServerSocketTest : public PlatformTest { net::HostPortPair host_and_pair("unittest", 0); net::SSLClientSocketContext context; context.cert_verifier = cert_verifier_.get(); + context.transport_security_state = transport_security_state_.get(); client_socket_.reset( socket_factory_->CreateSSLClientSocket( fake_client_socket, host_and_pair, ssl_config, context)); @@ -354,6 +357,7 @@ class SSLServerSocketTest : public PlatformTest { scoped_ptr<net::SSLServerSocket> server_socket_; net::ClientSocketFactory* socket_factory_; scoped_ptr<net::MockCertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; }; // SSLServerSocket is only implemented using NSS. diff --git a/net/socket_stream/socket_stream.cc b/net/socket_stream/socket_stream.cc index 098621e..5053900 100644 --- a/net/socket_stream/socket_stream.cc +++ b/net/socket_stream/socket_stream.cc @@ -989,6 +989,7 @@ int SocketStream::DoSecureProxyConnect() { DCHECK(factory_); SSLClientSocketContext ssl_context; ssl_context.cert_verifier = context_->cert_verifier(); + ssl_context.transport_security_state = context_->transport_security_state(); ssl_context.server_bound_cert_service = context_->server_bound_cert_service(); socket_.reset(factory_->CreateSSLClientSocket( socket_.release(), @@ -1042,6 +1043,7 @@ int SocketStream::DoSSLConnect() { DCHECK(factory_); SSLClientSocketContext ssl_context; ssl_context.cert_verifier = context_->cert_verifier(); + ssl_context.transport_security_state = context_->transport_security_state(); ssl_context.server_bound_cert_service = context_->server_bound_cert_service(); socket_.reset(factory_->CreateSSLClientSocket(socket_.release(), HostPortPair::FromURL(url_), diff --git a/net/socket_stream/socket_stream.h b/net/socket_stream/socket_stream.h index 003c2f7..9a21c6e 100644 --- a/net/socket_stream/socket_stream.h +++ b/net/socket_stream/socket_stream.h @@ -37,6 +37,7 @@ class ServerBoundCertService; class SingleRequestHostResolver; class StreamSocket; class SocketStreamMetrics; +class TransportSecurityState; class URLRequestContext; // SocketStream is used to implement Web Sockets. diff --git a/net/spdy/spdy_test_util_common.cc b/net/spdy/spdy_test_util_common.cc index ccd9fa6..8ad49cc 100644 --- a/net/spdy/spdy_test_util_common.cc +++ b/net/spdy/spdy_test_util_common.cc @@ -330,6 +330,7 @@ crypto::ECSignatureCreator* MockECSignatureCreatorFactory::Create( SpdySessionDependencies::SpdySessionDependencies(NextProto protocol) : host_resolver(new MockCachingHostResolver), cert_verifier(new MockCertVerifier), + transport_security_state(new TransportSecurityState), proxy_service(ProxyService::CreateDirect()), ssl_config_service(new SSLConfigServiceDefaults), socket_factory(new MockClientSocketFactory), @@ -359,6 +360,7 @@ SpdySessionDependencies::SpdySessionDependencies( NextProto protocol, ProxyService* proxy_service) : host_resolver(new MockHostResolver), cert_verifier(new MockCertVerifier), + transport_security_state(new TransportSecurityState), proxy_service(proxy_service), ssl_config_service(new SSLConfigServiceDefaults), socket_factory(new MockClientSocketFactory), @@ -410,6 +412,8 @@ net::HttpNetworkSession::Params SpdySessionDependencies::CreateSessionParams( net::HttpNetworkSession::Params params; params.host_resolver = session_deps->host_resolver.get(); params.cert_verifier = session_deps->cert_verifier.get(); + params.transport_security_state = + session_deps->transport_security_state.get(); params.proxy_service = session_deps->proxy_service.get(); params.ssl_config_service = session_deps->ssl_config_service.get(); params.http_auth_handler_factory = @@ -434,6 +438,7 @@ SpdyURLRequestContext::SpdyURLRequestContext(NextProto protocol) storage_.set_host_resolver(scoped_ptr<HostResolver>(new MockHostResolver)); storage_.set_cert_verifier(new MockCertVerifier); + storage_.set_transport_security_state(new TransportSecurityState); storage_.set_proxy_service(ProxyService::CreateDirect()); storage_.set_ssl_config_service(new SSLConfigServiceDefaults); storage_.set_http_auth_handler_factory(HttpAuthHandlerFactory::CreateDefault( @@ -443,6 +448,7 @@ SpdyURLRequestContext::SpdyURLRequestContext(NextProto protocol) params.client_socket_factory = &socket_factory_; params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); + params.transport_security_state = transport_security_state(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); params.http_auth_handler_factory = http_auth_handler_factory(); diff --git a/net/spdy/spdy_test_util_common.h b/net/spdy/spdy_test_util_common.h index 785e710..5595d9c 100644 --- a/net/spdy/spdy_test_util_common.h +++ b/net/spdy/spdy_test_util_common.h @@ -17,6 +17,7 @@ #include "net/http/http_auth_handler_factory.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_service.h" #include "net/socket/next_proto.h" #include "net/socket/socket_test_util.h" @@ -193,6 +194,7 @@ struct SpdySessionDependencies { // NOTE: host_resolver must be ordered before http_auth_handler_factory. scoped_ptr<MockHostResolverBase> host_resolver; scoped_ptr<CertVerifier> cert_verifier; + scoped_ptr<TransportSecurityState> transport_security_state; scoped_ptr<ProxyService> proxy_service; scoped_refptr<SSLConfigService> ssl_config_service; scoped_ptr<MockClientSocketFactory> socket_factory; diff --git a/net/tools/fetch/fetch_client.cc b/net/tools/fetch/fetch_client.cc index 58a7522..a3c826e 100644 --- a/net/tools/fetch/fetch_client.cc +++ b/net/tools/fetch/fetch_client.cc @@ -26,6 +26,7 @@ #include "net/http/http_request_info.h" #include "net/http/http_server_properties_impl.h" #include "net/http/http_transaction.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_service.h" #include "net/ssl/ssl_config_service_defaults.h" @@ -146,6 +147,8 @@ int main(int argc, char** argv) { net::HostResolver::CreateDefaultResolver(NULL)); scoped_ptr<net::CertVerifier> cert_verifier( net::CertVerifier::CreateDefault()); + scoped_ptr<net::TransportSecurityState> transport_security_state( + new net::TransportSecurityState); scoped_ptr<net::ProxyService> proxy_service( net::ProxyService::CreateDirect()); scoped_refptr<net::SSLConfigService> ssl_config_service( @@ -158,6 +161,7 @@ int main(int argc, char** argv) { net::HttpNetworkSession::Params session_params; session_params.host_resolver = host_resolver.get(); session_params.cert_verifier = cert_verifier.get(); + session_params.transport_security_state = transport_security_state.get(); session_params.proxy_service = proxy_service.get(); session_params.http_auth_handler_factory = http_auth_handler_factory.get(); session_params.http_server_properties = &http_server_properties; diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc index 95964fe..68b3404 100644 --- a/net/url_request/url_request_test_util.cc +++ b/net/url_request/url_request_test_util.cc @@ -14,6 +14,7 @@ #include "net/dns/mock_host_resolver.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/ssl/default_server_bound_cert_store.h" #include "net/ssl/server_bound_cert_service.h" #include "net/url_request/static_http_user_agent_settings.h" @@ -72,6 +73,8 @@ void TestURLRequestContext::Init() { context_storage_.set_proxy_service(ProxyService::CreateDirect()); if (!cert_verifier()) context_storage_.set_cert_verifier(CertVerifier::CreateDefault()); + if (!transport_security_state()) + context_storage_.set_transport_security_state(new TransportSecurityState); if (!ssl_config_service()) context_storage_.set_ssl_config_service(new SSLConfigServiceDefaults); if (!http_auth_handler_factory()) { @@ -94,6 +97,7 @@ void TestURLRequestContext::Init() { params.client_socket_factory = client_socket_factory(); params.host_resolver = host_resolver(); params.cert_verifier = cert_verifier(); + params.transport_security_state = transport_security_state(); params.proxy_service = proxy_service(); params.ssl_config_service = ssl_config_service(); params.http_auth_handler_factory = http_auth_handler_factory(); diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc index a22423d..aae296f 100644 --- a/net/url_request/url_request_unittest.cc +++ b/net/url_request/url_request_unittest.cc @@ -5093,6 +5093,7 @@ TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) { HttpNetworkSession::Params params; params.host_resolver = default_context_.host_resolver(); params.cert_verifier = default_context_.cert_verifier(); + params.transport_security_state = default_context_.transport_security_state(); params.proxy_service = default_context_.proxy_service(); params.ssl_config_service = default_context_.ssl_config_service(); params.http_auth_handler_factory = diff --git a/remoting/host/url_request_context.cc b/remoting/host/url_request_context.cc index c3240fe..aec661f 100644 --- a/remoting/host/url_request_context.cc +++ b/remoting/host/url_request_context.cc @@ -96,6 +96,7 @@ URLRequestContext::URLRequestContext( net::HttpNetworkSession::Params session_params; session_params.host_resolver = host_resolver(); session_params.cert_verifier = cert_verifier(); + session_params.transport_security_state = transport_security_state(); session_params.proxy_service = proxy_service(); session_params.ssl_config_service = ssl_config_service(); session_params.http_auth_handler_factory = http_auth_handler_factory(); diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.cc b/remoting/protocol/ssl_hmac_channel_authenticator.cc index 587d71a..93249bd 100644 --- a/remoting/protocol/ssl_hmac_channel_authenticator.cc +++ b/remoting/protocol/ssl_hmac_channel_authenticator.cc @@ -12,6 +12,7 @@ #include "net/base/net_errors.h" #include "net/cert/cert_verifier.h" #include "net/cert/x509_certificate.h" +#include "net/http/transport_security_state.h" #include "net/socket/client_socket_factory.h" #include "net/socket/ssl_client_socket.h" #include "net/socket/ssl_server_socket.h" @@ -83,6 +84,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( &SslHmacChannelAuthenticator::OnConnected, base::Unretained(this))); } else { cert_verifier_.reset(net::CertVerifier::CreateDefault()); + transport_security_state_.reset(new net::TransportSecurityState); net::SSLConfig::CertAndStatus cert_and_status; cert_and_status.cert_status = net::CERT_STATUS_AUTHORITY_INVALID; @@ -100,6 +102,7 @@ void SslHmacChannelAuthenticator::SecureAndAuthenticate( net::HostPortPair host_and_port(kSslFakeHostName, 0); net::SSLClientSocketContext context; context.cert_verifier = cert_verifier_.get(); + context.transport_security_state = transport_security_state_.get(); socket_.reset( net::ClientSocketFactory::GetDefaultFactory()->CreateSSLClientSocket( socket.release(), host_and_port, ssl_config, context)); diff --git a/remoting/protocol/ssl_hmac_channel_authenticator.h b/remoting/protocol/ssl_hmac_channel_authenticator.h index 6f7440c..320466c 100644 --- a/remoting/protocol/ssl_hmac_channel_authenticator.h +++ b/remoting/protocol/ssl_hmac_channel_authenticator.h @@ -18,6 +18,7 @@ class CertVerifier; class DrainableIOBuffer; class GrowableIOBuffer; class SSLSocket; +class TransportSecurityState; } // namespace net namespace remoting { @@ -89,6 +90,7 @@ class SslHmacChannelAuthenticator : public ChannelAuthenticator, // Used in the CLIENT mode only. std::string remote_cert_; scoped_ptr<net::CertVerifier> cert_verifier_; + scoped_ptr<net::TransportSecurityState> transport_security_state_; scoped_ptr<net::SSLSocket> socket_; DoneCallback done_callback_; diff --git a/webkit/support/test_shell_request_context.cc b/webkit/support/test_shell_request_context.cc index edd005a..a7801de 100644 --- a/webkit/support/test_shell_request_context.cc +++ b/webkit/support/test_shell_request_context.cc @@ -16,6 +16,7 @@ #include "net/http/http_auth_handler_factory.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties_impl.h" +#include "net/http/transport_security_state.h" #include "net/proxy/proxy_config_service.h" #include "net/proxy/proxy_config_service_fixed.h" #include "net/proxy/proxy_service.h" @@ -84,6 +85,7 @@ void TestShellRequestContext::Init( storage_.set_host_resolver(net::HostResolver::CreateDefaultResolver(NULL)); storage_.set_cert_verifier(net::CertVerifier::CreateDefault()); + storage_.set_transport_security_state(new net::TransportSecurityState); storage_.set_proxy_service(net::ProxyService::CreateUsingSystemProxyResolver( proxy_config_service.release(), 0, NULL)); storage_.set_ssl_config_service( @@ -104,6 +106,7 @@ void TestShellRequestContext::Init( net::HttpNetworkSession::Params network_session_params; network_session_params.host_resolver = host_resolver(); network_session_params.cert_verifier = cert_verifier(); + network_session_params.transport_security_state = transport_security_state(); network_session_params.server_bound_cert_service = server_bound_cert_service(); network_session_params.proxy_service = proxy_service(); |