authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-06-09 16:35:24 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-06-09 16:35:24 +0000
commitf906bfeb44b51d2d9016a8d4efe3869ed02ca348 (patch)
tree9de9ec83bd6b82ffa7dca56c964a88ea63815cb4 /net/socket/ssl_client_socket_nss.cc
parentf78a8a90d139a74424bb6e2ed90c67e9dc787878 (diff)
Add revocation checking field trial.
We wish to measure the impact of revocation checking on SSL connection times. This change sets up a 50/50 field trial where members of the trial don't do revocation checking on sites that we currently have certificate pins for. BUG=none TEST=none http://codereview.chromium.org/7113008/ git-svn-id: svn://svn.chromium.org/chrome/trunk/src@88542 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_nss.cc')
-rw-r--r--net/socket/ssl_client_socket_nss.cc14
1 files changed, 12 insertions, 2 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 3fafd73..b21de5b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1460,8 +1460,18 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
}
int flags = 0;
- if (ssl_config_.rev_checking_enabled)
- flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+ if (ssl_config_.rev_checking_enabled) {
+ const std::string& hostname = host_and_port_.host();
+ // is_pinned is an approximation but is currently accurate. Even if more
+ // pinned sites are added, this errs on the site of caution.
+ bool is_pinned = hostname == "google.com" ||
+ (hostname.size() > 11 &&
+ hostname.rfind(".google.com") == hostname.size() - 11);
+ if (!is_pinned ||
+ !SSLConfigService::rev_checking_disabled_for_pinned_sites()) {
+ flags |= X509Certificate::VERIFY_REV_CHECKING_ENABLED;
+ }
+ }
if (ssl_config_.verify_ev_cert)
flags |= X509Certificate::VERIFY_EV_CERT;
verifier_.reset(new SingleRequestCertVerifier(cert_verifier_));
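Review bot: The `is_pinned` test in the new `if (ssl_config_.rev_checking_enabled)` block skips revocation checking on the strength of a hard-coded `google.com` suffix match, and nothing visible in this hunk ties that decision to a pin check actually being enforced for the connection. If the real pin list ever stops covering a `*.google.com` host, or pin enforcement is bypassed for some chain, trial members would get neither revocation checking nor pinning for that host, so the comment's claim of caution holds for added pins but not for removed ones. I would either derive `is_pinned` from the same table the pin check uses or state the invariant in the comment, e.g. `// Must stay a subset of the hosts whose pins are enforced; see <pin list location>.`, and correct "site of caution" to "side of caution". The literal `11` would also read better as `sizeof(kPinnedSuffix) - 1` over a named `static const char kPinnedSuffix[] = ".google.com";`. DoVerifyCert begins before and continues past this hunk, so any later pin validation is not visible here.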