author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-28 15:53:50 +0000 |
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-28 15:53:50 +0000 |
commit | 899c3e93acbd41bcd3c5ce5d09eddef8f45ab3ff (patch) | |
tree | 38b3e5caabeb273244b348e1bd101181aa6ce576 /net/socket/ssl_client_socket_pool.h | |
parent | 40251a21ba6eea816755b1bcb9edf305c782aeda (diff) | |
https: add support for DNS exclusion and switch to TXT records.
(This code has no effect unless --enable-dnssec-certs is given.)
The existing DNSSEC code will process embeded chains in certificates
and validate CERT records there in. The format of the CERT record was
just something made up as a proof of concept. This change switches
that code to using TXT records which are at least used by some other
code.
Additionally, when --enable-dnssec-certs is given, TXT record lookups
are triggered for each HTTPS connection. If DNSSEC secure, these
lookups can validate an HTTPS certificate. Even without DNSSEC, they
can be used for exclusion: if TLS fingerprints are given, but the
certificate doesn't match any of them, then the certificate is
rejected.
The next step in this series will be to perform the TXT lookup for
some percentage of dev channel users in order to measure the latency
impact. For this experiment, all behavioural changes will be disabled.
BUG=none
TEST=net_unittests
http://codereview.chromium.org/3148037/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57787 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket/ssl_client_socket_pool.h')
-rw-r--r-- | net/socket/ssl_client_socket_pool.h | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h
index f613fcf..0c8f90f 100644
--- a/net/socket/ssl_client_socket_pool.h
+++ b/net/socket/ssl_client_socket_pool.h
@@ -15,6 +15,7 @@
 #include "net/base/ssl_config_service.h"
 #include "net/http/http_response_info.h"
 #include "net/proxy/proxy_server.h"
+#include "net/socket/ssl_client_socket.h"
 #include "net/socket/client_socket_pool_base.h"
 #include "net/socket/client_socket_pool_histograms.h"
 #include "net/socket/client_socket_pool.h"
@@ -30,10 +31,12 @@ class SOCKSSocketParams;
 class SSLClientSocket;
 class TCPClientSocketPool;
 class TCPSocketParams;
+struct RRResponse;
 // SSLSocketParams only needs the socket params for the transport socket
 // that will be used (denoted by |proxy|).
-class SSLSocketParams : public base::RefCounted<SSLSocketParams> {
+class SSLSocketParams : public base::RefCounted<SSLSocketParams>,
+ public DNSSECProvider {
 public:
 SSLSocketParams(const scoped_refptr<TCPSocketParams>& tcp_params,
 const scoped_refptr<HttpProxySocketParams>& http_proxy_params,
@@ -58,10 +61,16 @@ class SSLSocketParams : public base::RefCounted<SSLSocketParams> {
 int load_flags() const { return load_flags_; }
 bool force_spdy_over_ssl() const { return force_spdy_over_ssl_; }
 bool want_spdy_over_npn() const { return want_spdy_over_npn_; }
+ // Start to resolve DNSSEC records for the given hostname.
+ void StartDNSSECResolution();
+
+ // DNSSECProvider implementation.
+ virtual int GetDNSSECRecords(RRResponse** out, CompletionCallback* callback);
 private:
 friend class base::RefCounted<SSLSocketParams>;
 ~SSLSocketParams();
+ void DNSSECResolutionComplete(int rv);
 const scoped_refptr<TCPSocketParams> tcp_params_;
 const scoped_refptr<HttpProxySocketParams> http_proxy_params_;
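Review bot: `virtual int GetDNSSECRecords(RRResponse** out, CompletionCallback* callback);` in the second hunk is declared without saying who owns `*out`, what the return value means, or whether the records handed back were DNSSEC-validated; the commit description states that records without DNSSEC may only be used to reject a certificate, and a caller that cannot tell the two cases apart from this interface could treat an unauthenticated TXT record as positive validation. Suggest replacing `// DNSSECProvider implementation.` with a comment giving the return convention (presumably a net error code with ERR_IO_PENDING meaning |callback| fires later — confirm against DNSSECProvider), stating that `*out` stays owned by this object and is valid only while it lives, and that consumers must check the response's DNSSEC status before using it for anything but exclusion. The comment `// Start to resolve DNSSEC records for the given hostname.` names a hostname that is not a parameter; `// Starts an asynchronous TXT lookup for this params object's host.` matches the signature, and whether repeated calls are no-ops (the dnssec_resolution_attempted_ flag suggests so) should be stated once confirmed in the .cc. The SSLSocketParams definition starts before this hunk and continues past it.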
@@ -73,6 +82,13 @@ class SSLSocketParams : public base::RefCounted<SSLSocketParams> {
 const bool force_spdy_over_ssl_;
 const bool want_spdy_over_npn_;
+ // This is true if we have started a DNSSEC resolution.
+ bool dnssec_resolution_attempted_;
+ // This is true if |dnssec_response_| is valid.
+ bool dnssec_resolution_complete_;
+ scoped_ptr<RRResponse> dnssec_response_;
+ CompletionCallback* dnssec_resolution_callback_;
+
 DISALLOW_COPY_AND_ASSIGN(SSLSocketParams);
 };
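Review bot: The new members `dnssec_resolution_attempted_`, `dnssec_resolution_complete_` and `dnssec_resolution_callback_` carry no in-class initializer, so nothing in this header guarantees they start as false/NULL; the constructor is outside this diff and should be checked to initialize all three, otherwise `GetDNSSECRecords` could read an indeterminate flag and return a stale or uninitialized `dnssec_response_`. The comment `// This is true if |dnssec_response_| is valid.` also overstates what completion guarantees, since a lookup can finish with no records or with records that were never DNSSEC-validated; `// Set once DNSSECResolutionComplete() has run; dnssec_response_ may still be NULL or hold records that were not DNSSEC-validated.` tells a consumer what it actually needs to check. `dnssec_resolution_callback_` is a raw pointer to a caller-owned callback with no cancellation visible in the header, so a one-line comment should state that the caller must keep the callback alive until it fires or until this object is destroyed. The class definition begins before this hunk.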