diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-22 19:33:18 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-22 19:33:18 +0000 |
| commit | 345c613b60d6f2b4cce28dcc130b37057d94759b (patch) | |
| tree | fa732fc44ec95b03fde762f21ee602c4960f3860 /net/socket | |
| parent | fb4c1c787dcb0b082c5c4a65445df1bf65b71519 (diff) | |
| download | chromium_src-345c613b60d6f2b4cce28dcc130b37057d94759b.zip chromium_src-345c613b60d6f2b4cce28dcc130b37057d94759b.tar.gz chromium_src-345c613b60d6f2b4cce28dcc130b37057d94759b.tar.bz2 | |
Revert "Revert "net: Plumb DnsCertProvenanceChecker around.""
(See r66623 for details.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@66985 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
21 files changed, 413 insertions, 307 deletions
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index 72afd63..8965630 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -21,7 +21,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; namespace { @@ -30,7 +30,7 @@ SSLClientSocket* DefaultSSLClientSocketFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config); @@ -39,10 +39,10 @@ SSLClientSocket* DefaultSSLClientSocketFactory( ssl_config); #elif defined(USE_NSS) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #elif defined(OS_MACOSX) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #else NOTIMPLEMENTED(); return NULL; @@ -65,9 +65,9 @@ class DefaultClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { return g_ssl_factory(transport_socket, host_and_port, ssl_config, - ssl_host_info, dnsrr_resolver); + ssl_host_info, dns_cert_checker); } }; @@ -93,7 +93,8 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config, - ssl_host_info, NULL /* DnsRRResolver */); + ssl_host_info, + NULL /* DnsCertProvenanceChecker */); } } // namespace net diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index 196b2ab..0ab370a9 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -16,7 +16,7 @@ namespace net { class AddressList; class ClientSocket; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class HostPortPair; class SSLClientSocket; struct SSLConfig; @@ -28,7 +28,7 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); // An interface used to instantiate ClientSocket objects. Used to facilitate // testing code with mock socket implementations. @@ -48,7 +48,7 @@ class ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) = 0; + DnsCertProvenanceChecker* dns_cert_checker) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. virtual SSLClientSocket* CreateSSLClientSocket( diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index 5e7eb7f..d145bdf 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -110,7 +110,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc index 512360b..6c73c36 100644 --- a/net/socket/client_socket_pool_manager.cc +++ b/net/socket/client_socket_pool_manager.cc @@ -56,6 +56,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service) @@ -63,6 +64,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -79,6 +81,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( &ssl_pool_histograms_, host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, socket_factory, tcp_socket_pool_.get(), @@ -228,6 +231,7 @@ HttpProxyClientSocketPool* ClientSocketPoolManager::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, tcp_https_ret.first->second /* https proxy */, @@ -263,6 +267,7 @@ SSLClientSocketPool* ClientSocketPoolManager::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, NULL, /* no tcp pool, we always go through a proxy */ diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h index c6d8f6f..823213e 100644 --- a/net/socket/client_socket_pool_manager.h +++ b/net/socket/client_socket_pool_manager.h @@ -25,6 +25,7 @@ namespace net { class ClientSocketFactory; class ClientSocketPoolHistograms; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -61,6 +62,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service); @@ -105,6 +107,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; const scoped_refptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; diff --git a/net/socket/dns_cert_provenance_check.cc b/net/socket/dns_cert_provenance_check.cc index a478820..d6857dd 100644 --- a/net/socket/dns_cert_provenance_check.cc +++ b/net/socket/dns_cert_provenance_check.cc @@ -1,248 +1 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/socket/dns_cert_provenance_check.h" - -#include <nspr.h> - -#include <hasht.h> -#include <keyhi.h> -#include <pk11pub.h> -#include <sechash.h> - -#include <string> - -#include "base/crypto/encryptor.h" -#include "base/crypto/symmetric_key.h" -#include "base/non_thread_safe.h" -#include "base/pickle.h" -#include "base/scoped_ptr.h" -#include "net/base/completion_callback.h" -#include "net/base/dns_util.h" -#include "net/base/dnsrr_resolver.h" -#include "net/base/net_errors.h" -#include "net/base/net_log.h" - -namespace net { - -namespace { - -// A DER encoded SubjectPublicKeyInfo structure containing the server's public -// key. -const uint8 kServerPublicKey[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, - 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, - 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, - 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, - 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, - 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, -}; - -class DNSCertProvenanceChecker : public NonThreadSafe { - public: - DNSCertProvenanceChecker(const std::string hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) - : hostname_(hostname), - dnsrr_resolver_(dnsrr_resolver), - der_certs_(der_certs.size()), - handle_(DnsRRResolver::kInvalidHandle), - ALLOW_THIS_IN_INITIALIZER_LIST(callback_( - this, &DNSCertProvenanceChecker::ResolutionComplete)) { - for (size_t i = 0; i < der_certs.size(); i++) - der_certs_[i] = der_certs[i].as_string(); - } - - void Start() { - DCHECK(CalledOnValidThread()); - - if (der_certs_.empty()) - return; - - uint8 fingerprint[SHA1_LENGTH]; - SECStatus rv = HASH_HashBuf( - HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), - der_certs_[0].size()); - DCHECK_EQ(SECSuccess, rv); - char fingerprint_hex[SHA1_LENGTH * 2 + 1]; - for (unsigned i = 0; i < sizeof(fingerprint); i++) { - static const char hextable[] = "0123456789abcdef"; - fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; - fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; - } - fingerprint_hex[SHA1_LENGTH * 2] = 0; - - static const char kBaseCertName[] = ".certs.links.org"; - domain_.assign(fingerprint_hex); - domain_.append(kBaseCertName); - - handle_ = dnsrr_resolver_->Resolve( - domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, - 0 /* priority */, BoundNetLog()); - if (handle_ == DnsRRResolver::kInvalidHandle) { - LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; - delete this; - } - } - - private: - void ResolutionComplete(int status) { - DCHECK(CalledOnValidThread()); - - if (status == ERR_NAME_NOT_RESOLVED || - (status == OK && response_.rrdatas.empty())) { - LOG(ERROR) << "FAILED" - << " hostname:" << hostname_ - << " domain:" << domain_; - BuildRecord(); - } else if (status == OK) { - LOG(ERROR) << "GOOD" - << " hostname:" << hostname_ - << " resp:" << response_.rrdatas[0]; - } else { - LOG(ERROR) << "Unknown error " << status << " for " << domain_; - } - - delete this; - } - - // BuildRecord encrypts the certificate chain to a fixed public key and - // returns the encrypted blob. Since this code is reporting a possible HTTPS - // failure, it would seem silly to use HTTPS to protect the uploaded report. - std::string BuildRecord() { - static const int kVersion = 0; - static const unsigned kKeySizeInBytes = 16; // AES-128 - static const unsigned kIVSizeInBytes = 16; // AES's block size - static const unsigned kPadSize = 4096; // we pad up to 4KB, - // This is a DER encoded, ANSI X9.62 CurveParams object which simply - // specifies P256. - static const uint8 kANSIX962CurveParams[] = { - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 - }; - - DCHECK(CalledOnValidThread()); - - Pickle p; - p.WriteString(hostname_); - p.WriteInt(der_certs_.size()); - for (std::vector<std::string>::const_iterator - i = der_certs_.begin(); i != der_certs_.end(); i++) { - p.WriteString(*i); - } - // We pad to eliminate the possibility that someone could see the size of - // an upload and use that information to reduce the anonymity set of the - // certificate chain. - // The "2*sizeof(uint32)" here covers the padding length which we add next - // and Pickle's internal length which it includes at the beginning of the - // data. - unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); - p.WriteUInt32(pad_bytes); - char* padding = new char[pad_bytes]; - memset(padding, 0, pad_bytes); - p.WriteData(padding, pad_bytes); - delete[] padding; - - // We generate a random public value and perform a DH key agreement with - // the server's fixed value. - SECKEYPublicKey* pub_key = NULL; - SECKEYPrivateKey* priv_key = NULL; - SECItem ec_der_params; - memset(&ec_der_params, 0, sizeof(ec_der_params)); - ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); - ec_der_params.len = sizeof(kANSIX962CurveParams); - priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); - SECKEYPublicKey* server_pub_key = GetServerPubKey(); - - // This extracts the big-endian, x value of the shared point. - // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS - // 3.12.8's lib/ssl/ssl3ecc.c - PK11SymKey* pms = PK11_PubDeriveWithKDF( - priv_key, server_pub_key, PR_FALSE /* is sender */, - NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, - CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); - SECKEY_DestroyPublicKey(server_pub_key); - SECStatus rv = PK11_ExtractKeyValue(pms); - DCHECK_EQ(SECSuccess, rv); - SECItem* x_data = PK11_GetKeyData(pms); - - // The key and IV are 128-bits and generated from a SHA256 hash of the x - // value. - char key_data[SHA256_LENGTH]; - HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), - x_data->data, x_data->len); - PK11_FreeSymKey(pms); - - DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); - std::string raw_key(key_data, kKeySizeInBytes); - - scoped_ptr<base::SymmetricKey> symkey( - base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); - std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); - - base::Encryptor encryptor; - bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); - CHECK(r); - - std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); - std::string ciphertext; - encryptor.Encrypt(plaintext, &ciphertext); - - // We use another Pickle object to serialise the 'outer' wrapping of the - // plaintext. - Pickle outer; - outer.WriteInt(kVersion); - - SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); - outer.WriteString( - std::string(reinterpret_cast<char*>(pub_key_serialized->data), - pub_key_serialized->len)); - SECITEM_FreeItem(pub_key_serialized, PR_TRUE); - - outer.WriteString(ciphertext); - - SECKEY_DestroyPublicKey(pub_key); - SECKEY_DestroyPrivateKey(priv_key); - - return std::string(reinterpret_cast<const char*>(outer.data()), - outer.size()); - } - - SECKEYPublicKey* GetServerPubKey() { - DCHECK(CalledOnValidThread()); - - SECItem der; - memset(&der, 0, sizeof(der)); - der.data = const_cast<uint8*>(kServerPublicKey); - der.len = sizeof(kServerPublicKey); - - CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); - SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); - SECKEY_DestroySubjectPublicKeyInfo(spki); - - return public_key; - } - - const std::string hostname_; - std::string domain_; - DnsRRResolver* const dnsrr_resolver_; - std::vector<std::string> der_certs_; - RRResponse response_; - DnsRRResolver::Handle handle_; - CompletionCallbackImpl<DNSCertProvenanceChecker> callback_; -}; - -} // anonymous namespace - -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) { - DNSCertProvenanceChecker* c(new DNSCertProvenanceChecker( - hostname, dnsrr_resolver, der_certs)); - c->Start(); -} - -} // namespace net +// placeholder for try servers diff --git a/net/socket/dns_cert_provenance_check.h b/net/socket/dns_cert_provenance_check.h index 289cccf..d6857dd 100644 --- a/net/socket/dns_cert_provenance_check.h +++ b/net/socket/dns_cert_provenance_check.h @@ -1,26 +1 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H -#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H - -#include <string> -#include <vector> - -#include "base/string_piece.h" - -namespace net { - -class DnsRRResolver; - -// DoAsyncDNSCertProvenanceVerification starts an asynchronous check for the -// given certificate chain. It must be run on the network thread. -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs); - -} // namespace net - -#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H +// placeholder for try servers diff --git a/net/socket/dns_cert_provenance_checker.cc b/net/socket/dns_cert_provenance_checker.cc new file mode 100644 index 0000000..97265f1 --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.cc @@ -0,0 +1,288 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/socket/dns_cert_provenance_checker.h" + +#if !defined(USE_OPENSSL) + +#include <nspr.h> + +#include <hasht.h> +#include <keyhi.h> +#include <pk11pub.h> +#include <sechash.h> + +#include <string> + +#include "base/basictypes.h" +#include "base/crypto/encryptor.h" +#include "base/crypto/symmetric_key.h" +#include "base/non_thread_safe.h" +#include "base/pickle.h" +#include "base/scoped_ptr.h" +#include "net/base/completion_callback.h" +#include "net/base/dns_util.h" +#include "net/base/dnsrr_resolver.h" +#include "net/base/net_errors.h" +#include "net/base/net_log.h" + +namespace net { + +namespace { + +// A DER encoded SubjectPublicKeyInfo structure containing the server's public +// key. +const uint8 kServerPublicKey[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, + 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, + 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, + 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, + 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, +}; + +// DnsCertProvenanceCheck performs the DNS lookup of the certificate. This +// class is self-deleting. +class DnsCertProvenanceCheck : public NonThreadSafe { + public: + DnsCertProvenanceCheck( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker::Delegate* delegate, + const std::vector<base::StringPiece>& der_certs) + : hostname_(hostname), + dnsrr_resolver_(dnsrr_resolver), + delegate_(delegate), + der_certs_(der_certs.size()), + handle_(DnsRRResolver::kInvalidHandle), + ALLOW_THIS_IN_INITIALIZER_LIST(callback_( + this, &DnsCertProvenanceCheck::ResolutionComplete)) { + for (size_t i = 0; i < der_certs.size(); i++) + der_certs_[i] = der_certs[i].as_string(); + } + + void Start() { + DCHECK(CalledOnValidThread()); + + if (der_certs_.empty()) + return; + + uint8 fingerprint[SHA1_LENGTH]; + SECStatus rv = HASH_HashBuf( + HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), + der_certs_[0].size()); + DCHECK_EQ(SECSuccess, rv); + char fingerprint_hex[SHA1_LENGTH * 2 + 1]; + for (unsigned i = 0; i < sizeof(fingerprint); i++) { + static const char hextable[] = "0123456789abcdef"; + fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; + fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; + } + fingerprint_hex[SHA1_LENGTH * 2] = 0; + + static const char kBaseCertName[] = ".certs.links.org"; + domain_.assign(fingerprint_hex); + domain_.append(kBaseCertName); + + handle_ = dnsrr_resolver_->Resolve( + domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, + 0 /* priority */, BoundNetLog()); + if (handle_ == DnsRRResolver::kInvalidHandle) { + LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; + delete this; + } + } + + private: + void ResolutionComplete(int status) { + DCHECK(CalledOnValidThread()); + + if (status == ERR_NAME_NOT_RESOLVED || + (status == OK && response_.rrdatas.empty())) { + LOG(ERROR) << "FAILED" + << " hostname:" << hostname_ + << " domain:" << domain_; + delegate_->OnDnsCertLookupFailed(hostname_, der_certs_); + } else if (status == OK) { + LOG(ERROR) << "GOOD" + << " hostname:" << hostname_ + << " resp:" << response_.rrdatas[0]; + } else { + LOG(ERROR) << "Unknown error " << status << " for " << domain_; + } + + delete this; + } + + + const std::string hostname_; + std::string domain_; + DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker::Delegate* const delegate_; + std::vector<std::string> der_certs_; + RRResponse response_; + DnsRRResolver::Handle handle_; + CompletionCallbackImpl<DnsCertProvenanceCheck> callback_; +}; + +SECKEYPublicKey* GetServerPubKey() { + SECItem der; + memset(&der, 0, sizeof(der)); + der.data = const_cast<uint8*>(kServerPublicKey); + der.len = sizeof(kServerPublicKey); + + CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); + SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); + SECKEY_DestroySubjectPublicKeyInfo(spki); + + return public_key; +} + +} // namespace + +// static +std::string DnsCertProvenanceChecker::BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs) { + static const int kVersion = 0; + static const unsigned kKeySizeInBytes = 16; // AES-128 + static const unsigned kIVSizeInBytes = 16; // AES's block size + static const unsigned kPadSize = 4096; // we pad up to 4KB, + // This is a DER encoded, ANSI X9.62 CurveParams object which simply + // specifies P256. + static const uint8 kANSIX962CurveParams[] = { + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; + + Pickle p; + p.WriteString(hostname); + p.WriteInt(der_certs.size()); + for (std::vector<std::string>::const_iterator + i = der_certs.begin(); i != der_certs.end(); i++) { + p.WriteString(*i); + } + // We pad to eliminate the possibility that someone could see the size of + // an upload and use that information to reduce the anonymity set of the + // certificate chain. + // The "2*sizeof(uint32)" here covers the padding length which we add next + // and Pickle's internal length which it includes at the beginning of the + // data. + unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); + p.WriteUInt32(pad_bytes); + char* padding = new char[pad_bytes]; + memset(padding, 0, pad_bytes); + p.WriteData(padding, pad_bytes); + delete[] padding; + + // We generate a random public value and perform a DH key agreement with + // the server's fixed value. + SECKEYPublicKey* pub_key = NULL; + SECKEYPrivateKey* priv_key = NULL; + SECItem ec_der_params; + memset(&ec_der_params, 0, sizeof(ec_der_params)); + ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); + ec_der_params.len = sizeof(kANSIX962CurveParams); + priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); + SECKEYPublicKey* server_pub_key = GetServerPubKey(); + + // This extracts the big-endian, x value of the shared point. + // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS + // 3.12.8's lib/ssl/ssl3ecc.c + PK11SymKey* pms = PK11_PubDeriveWithKDF( + priv_key, server_pub_key, PR_FALSE /* is sender */, + NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, + CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, + CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); + SECKEY_DestroyPublicKey(server_pub_key); + SECStatus rv = PK11_ExtractKeyValue(pms); + DCHECK_EQ(SECSuccess, rv); + SECItem* x_data = PK11_GetKeyData(pms); + + // The key and IV are 128-bits and generated from a SHA256 hash of the x + // value. + char key_data[SHA256_LENGTH]; + HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), + x_data->data, x_data->len); + PK11_FreeSymKey(pms); + + DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); + std::string raw_key(key_data, kKeySizeInBytes); + + scoped_ptr<base::SymmetricKey> symkey( + base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); + std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); + + base::Encryptor encryptor; + bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); + CHECK(r); + + std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); + std::string ciphertext; + encryptor.Encrypt(plaintext, &ciphertext); + + // We use another Pickle object to serialise the 'outer' wrapping of the + // plaintext. + Pickle outer; + outer.WriteInt(kVersion); + + SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); + outer.WriteString( + std::string(reinterpret_cast<char*>(pub_key_serialized->data), + pub_key_serialized->len)); + SECITEM_FreeItem(pub_key_serialized, PR_TRUE); + + outer.WriteString(ciphertext); + + SECKEY_DestroyPublicKey(pub_key); + SECKEY_DestroyPrivateKey(priv_key); + + return std::string(reinterpret_cast<const char*>(outer.data()), + outer.size()); +} + +void DnsCertProvenanceChecker::DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate) { + DnsCertProvenanceCheck* check = new DnsCertProvenanceCheck( + hostname, dnsrr_resolver, delegate, der_certs); + check->Start(); +} + +DnsCertProvenanceChecker::Delegate::~Delegate() { +} + +DnsCertProvenanceChecker::~DnsCertProvenanceChecker() { +} + +} // namespace net + +#else // USE_OPENSSL + +namespace net { + +std::string DnsCertProvenanceChecker::BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs) { + return ""; +} + +void DnsCertProvenanceChecker::DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate) { +} + +DnsCertProvenanceChecker::Delegate::~Delegate() { +} + +DnsCertProvenanceChecker::~DnsCertProvenanceChecker() { +} + +} // namespace net + +#endif // USE_OPENSSL diff --git a/net/socket/dns_cert_provenance_checker.h b/net/socket/dns_cert_provenance_checker.h new file mode 100644 index 0000000..8fef60f --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.h @@ -0,0 +1,60 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H +#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H + +#include <string> +#include <vector> + +#include "base/string_piece.h" + +namespace net { + +class DnsRRResolver; + +// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS +// certificates via a DNS side-channel. +class DnsCertProvenanceChecker { + public: + class Delegate { + public: + virtual ~Delegate(); + + virtual void OnDnsCertLookupFailed( + const std::string& hostname, + const std::vector<std::string>& der_certs) = 0; + }; + + virtual ~DnsCertProvenanceChecker(); + + // DoAsyncVerification starts an asynchronous check for the given certificate + // chain. It must be run on the network thread. + virtual void DoAsyncVerification( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs) = 0; + + + protected: + // DoAsyncLookup performs a DNS lookup for the given name and certificate + // chain. In the event that the lookup reports a failure, the Delegate is + // called back. + static void DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate); + + // BuildEncryptedRecord encrypts the certificate chain to a fixed public key + // and returns the encrypted blob. Since this code is reporting a possible + // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded + // report. + static std::string BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs); +}; + +} // namespace net + +#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index 8378c1d..b2e738a 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -1016,7 +1016,7 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); @@ -1066,7 +1066,7 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index ba0b94a..147a4ba 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -535,7 +535,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<SocketDataProvider>& mock_data() { return mock_data_; } @@ -880,7 +880,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<DeterministicSocketData>& mock_data() { return mock_data_; diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index a4ffb78..bf732e6 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc @@ -14,7 +14,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { delete ssl_host_info; return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config); } diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index c8f48ea..5539136 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketMac objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index cefe630..b9c6dff 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -87,7 +87,7 @@ #include "net/base/sys_addrinfo.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" -#include "net/socket/dns_cert_provenance_check.h" +#include "net/socket/dns_cert_provenance_checker.h" #include "net/socket/ssl_error_params.h" #include "net/socket/ssl_host_info.h" @@ -405,7 +405,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) + DnsCertProvenanceChecker* dns_ctx) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketNSS::BufferSendComplete)), ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( @@ -441,7 +441,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, predicted_npn_status_(kNextProtoUnsupported), predicted_npn_proto_used_(false), ssl_host_info_(ssl_host_info), - dnsrr_resolver_(dnsrr_resolver) { + dns_cert_checker_(dns_ctx) { EnterFunction(""); } @@ -2354,6 +2354,13 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { + if (ssl_config_.dns_cert_provenance_checking_enabled && + dns_cert_checker_) { + PeerCertificateChain certs(nss_fd_); + dns_cert_checker_->DoAsyncVerification( + host_and_port_.host(), certs.AsStringPieceVector()); + } + if (ssl_config_.dnssec_enabled) { DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), server_cert_nss_); diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index b2725f6..7743097 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -31,7 +31,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; class X509Certificate; @@ -48,7 +48,7 @@ class SSLClientSocketNSS : public SSLClientSocket { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dnsrr_resolver); ~SSLClientSocketNSS(); // SSLClientSocket methods: @@ -250,7 +250,7 @@ class SSLClientSocketNSS : public SSLClientSocket { bool predicted_npn_proto_used_; scoped_ptr<SSLHostInfo> ssl_host_info_; - DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index f7fc435..e4c01f0 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc @@ -19,10 +19,10 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); } } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index c51b5be..15b05b2 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketNSS objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 785faab..5b21005 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -78,6 +78,7 @@ SSLConnectJob::SSLConnectJob( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log) @@ -90,6 +91,7 @@ SSLConnectJob::SSLConnectJob( client_socket_factory_(client_socket_factory), resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), ALLOW_THIS_IN_INITIALIZER_LIST( callback_(this, &SSLConnectJob::OnIOComplete)) {} @@ -287,7 +289,7 @@ int SSLConnectJob::DoSSLConnect() { ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( transport_socket_handle_.release(), params_->host_and_port(), - params_->ssl_config(), ssl_host_info_.release(), dnsrr_resolver_)); + params_->ssl_config(), ssl_host_info_.release(), dns_cert_checker_)); return ssl_socket_->Connect(&callback_); } @@ -358,8 +360,8 @@ ConnectJob* SSLClientSocketPool::SSLConnectJobFactory::NewConnectJob( return new SSLConnectJob(group_name, request.params(), ConnectionTimeout(), tcp_pool_, socks_pool_, http_proxy_pool_, client_socket_factory_, host_resolver_, - dnsrr_resolver_, ssl_host_info_factory_, delegate, - net_log_); + dnsrr_resolver_, dns_cert_checker_, + ssl_host_info_factory_, delegate, net_log_); } SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( @@ -369,6 +371,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log) : tcp_pool_(tcp_pool), @@ -377,6 +380,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( client_socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), net_log_(net_log) { base::TimeDelta max_transport_timeout = base::TimeDelta(); @@ -403,6 +407,7 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -419,7 +424,8 @@ SSLClientSocketPool::SSLClientSocketPool( base::TimeDelta::FromSeconds(kUsedIdleSocketTimeout), new SSLConnectJobFactory(tcp_pool, socks_pool, http_proxy_pool, client_socket_factory, host_resolver, - dnsrr_resolver, ssl_host_info_factory, + dnsrr_resolver, dns_cert_checker, + ssl_host_info_factory, net_log)), ssl_config_service_(ssl_config_service) { if (ssl_config_service_) diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index 11cf250..5eb8594 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -24,6 +24,7 @@ namespace net { class ClientSocketFactory; class ConnectJobFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -95,6 +96,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log); @@ -144,6 +146,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* const client_socket_factory_; HostResolver* const resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; State next_state_; @@ -171,6 +174,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -244,6 +248,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log); @@ -264,6 +269,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* const client_socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; base::TimeDelta timeout_; NetLog* net_log_; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index f58a762..247638b 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -40,6 +40,7 @@ class SSLClientSocketPoolTest : public testing::Test { host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, @@ -97,6 +98,7 @@ class SSLClientSocketPoolTest : public testing::Test { ssl_histograms_.get(), NULL, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, tcp_pool ? &tcp_socket_pool_ : NULL, diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc index 215b9ba..c44815c 100644 --- a/net/socket/tcp_client_socket_pool_unittest.cc +++ b/net/socket/tcp_client_socket_pool_unittest.cc @@ -251,7 +251,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; |