author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-07 17:47:27 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-07 17:47:27 +0000 |
commit | a2a4197d76cfe41bcad28ec1204bb53a360bd3f1 (patch) | |
tree | 0aa2be92bc9ab632c33febb219040bb4fb561cd5 /net/socket | |
parent | 6e5ad865c61adb98f8f5d4c22ecb238478a9a368 (diff) | |
net: replace DnsRRResoler with TransportSecurityState in plumbing.
The DnsRRResolver has served its time and I don't have any further plans for it.
The TransportSecurityState will be used (in a future CL) to enforce public key
pinning at certificate verification time. Currently we only enforce it in
url_request_http_job.cc which means that we've already sent the HTTP request
(inc cookies) by the time we catch the problem. This was expeditious while we
fixed some other issues, but it's time to fix it.
BUG=none
TEST=compiles
Review URL: http://codereview.chromium.org/8692012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113410 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/socket')
-rw-r--r-- | net/socket/client_socket_pool_manager_impl.cc | 10 | ||||
-rw-r--r-- | net/socket/client_socket_pool_manager_impl.h | 6 | ||||
-rw-r--r-- | net/socket/ssl_client_socket.h | 28 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 1 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.cc | 7 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_pool.h | 6 | ||||
-rw-r--r-- | net/socket/ssl_host_info.cc | 16 | ||||
-rw-r--r-- | net/socket/ssl_host_info.h | 10 |
8 files changed, 18 insertions, 66 deletions
diff --git a/net/socket/client_socket_pool_manager_impl.cc b/net/socket/client_socket_pool_manager_impl.cc
index 3626ec7..3159c09 100644
--- a/net/socket/client_socket_pool_manager_impl.cc
+++ b/net/socket/client_socket_pool_manager_impl.cc
@@ -38,7 +38,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
 HostResolver* host_resolver,
 CertVerifier* cert_verifier,
 OriginBoundCertService* origin_bound_cert_service,
- DnsRRResolver* dnsrr_resolver,
+ TransportSecurityState* transport_security_state,
 DnsCertProvenanceChecker* dns_cert_checker,
 SSLHostInfoFactory* ssl_host_info_factory,
 ProxyService* proxy_service,
@@ -48,7 +48,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
 host_resolver_(host_resolver),
 cert_verifier_(cert_verifier),
 origin_bound_cert_service_(origin_bound_cert_service),
- dnsrr_resolver_(dnsrr_resolver),
+ transport_security_state_(transport_security_state),
 dns_cert_checker_(dns_cert_checker),
 ssl_host_info_factory_(ssl_host_info_factory),
 proxy_service_(proxy_service),
@@ -67,7 +67,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
 host_resolver,
 cert_verifier,
 origin_bound_cert_service,
- dnsrr_resolver,
+ transport_security_state,
 dns_cert_checker,
 ssl_host_info_factory,
 socket_factory,
@@ -287,7 +287,7 @@ ClientSocketPoolManagerImpl::GetSocketPoolForHTTPProxy(
 host_resolver_,
 cert_verifier_,
 origin_bound_cert_service_,
- dnsrr_resolver_,
+ transport_security_state_,
 dns_cert_checker_,
 ssl_host_info_factory_,
 socket_factory_,
@@ -326,7 +326,7 @@ SSLClientSocketPool* ClientSocketPoolManagerImpl::GetSocketPoolForSSLWithProxy(
 host_resolver_,
 cert_verifier_,
 origin_bound_cert_service_,
- dnsrr_resolver_,
+ transport_security_state_,
 dns_cert_checker_,
 ssl_host_info_factory_,
 socket_factory_,
diff --git a/net/socket/client_socket_pool_manager_impl.h b/net/socket/client_socket_pool_manager_impl.h
index 554cfcb..a4ba519 100644
--- a/net/socket/client_socket_pool_manager_impl.h
+++ b/net/socket/client_socket_pool_manager_impl.h
@@ -24,7 +24,6 @@ class CertVerifier;
 class ClientSocketFactory;
 class ClientSocketPoolHistograms;
 class DnsCertProvenanceChecker;
-class DnsRRResolver;
 class HttpProxyClientSocketPool;
 class HostResolver;
 class NetLog;
@@ -35,6 +34,7 @@ class SSLClientSocketPool;
 class SSLConfigService;
 class SSLHostInfoFactory;
 class TransportClientSocketPool;
+class TransportSecurityState;
 namespace internal {
@@ -63,7 +63,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe,
 HostResolver* host_resolver,
 CertVerifier* cert_verifier,
 OriginBoundCertService* origin_bound_cert_service,
- DnsRRResolver* dnsrr_resolver,
+ TransportSecurityState* transport_security_state,
 DnsCertProvenanceChecker* dns_cert_checker,
 SSLHostInfoFactory* ssl_host_info_factory,
 ProxyService* proxy_service,
@@ -109,7 +109,7 @@ class ClientSocketPoolManagerImpl : public base::NonThreadSafe,
 HostResolver* const host_resolver_;
 CertVerifier* const cert_verifier_;
 OriginBoundCertService* const origin_bound_cert_service_;
- DnsRRResolver* const dnsrr_resolver_;
+ TransportSecurityState* const transport_security_state_;
 DnsCertProvenanceChecker* const dns_cert_checker_;
 SSLHostInfoFactory* const ssl_host_info_factory_;
 ProxyService* const proxy_service_;
diff --git a/net/socket/ssl_client_socket.h b/net/socket/ssl_client_socket.h
index feaa3cf..c847e9f 100644
--- a/net/socket/ssl_client_socket.h
+++ b/net/socket/ssl_client_socket.h
@@ -18,29 +18,12 @@ namespace net {
 class CertVerifier;
 class DnsCertProvenanceChecker;
-class DnsRRResolver;
 class OriginBoundCertService;
 class SSLCertRequestInfo;
 class SSLHostInfo;
 class SSLHostInfoFactory;
 class SSLInfo;
-struct RRResponse;
-
-// DNSSECProvider is an interface to an object that can return DNSSEC data.
-class DNSSECProvider {
- public:
- // GetDNSSECRecords will either:
- 1) set |*out| to NULL and return OK.
- 2) set |*out| to a pointer, which is owned by this object, and return OK.
- 3) return IO_PENDING and call |callback| on the current MessageLoop at
- some point in the future. Once the callback has been made, this
- function will return OK if called again.
- virtual int GetDNSSECRecords(RRResponse** out,
- OldCompletionCallback* callback) = 0;
-
- private:
- ~DNSSECProvider() {}
-};
+class TransportSecurityState;
 // This struct groups together several fields which are used by various
 // classes related to SSLClientSocket.
@@ -48,24 +31,23 @@ struct SSLClientSocketContext {
 SSLClientSocketContext()
 : cert_verifier(NULL),
 origin_bound_cert_service(NULL),
- dnsrr_resolver(NULL),
 dns_cert_checker(NULL),
 ssl_host_info_factory(NULL) {}
 SSLClientSocketContext(CertVerifier* cert_verifier_arg,
 OriginBoundCertService* origin_bound_cert_service_arg,
- DnsRRResolver* dnsrr_resolver_arg,
+ TransportSecurityState* transport_security_state_arg,
 DnsCertProvenanceChecker* dns_cert_checker_arg,
 SSLHostInfoFactory* ssl_host_info_factory_arg)
 : cert_verifier(cert_verifier_arg),
 origin_bound_cert_service(origin_bound_cert_service_arg),
- dnsrr_resolver(dnsrr_resolver_arg),
+ transport_security_state(transport_security_state_arg),
 dns_cert_checker(dns_cert_checker_arg),
 ssl_host_info_factory(ssl_host_info_factory_arg) {}
 CertVerifier* cert_verifier;
 OriginBoundCertService* origin_bound_cert_service;
- DnsRRResolver* dnsrr_resolver;
+ TransportSecurityState* transport_security_state;
 DnsCertProvenanceChecker* dns_cert_checker;
 SSLHostInfoFactory* ssl_host_info_factory;
 };
@@ -140,8 +122,6 @@ class NET_EXPORT SSLClientSocket : public SSLSocket {
 virtual bool set_was_npn_negotiated(bool negotiated);
- virtual void UseDNSSEC(DNSSECProvider*) { }
-
 virtual bool was_spdy_negotiated() const;
 virtual bool set_was_spdy_negotiated(bool negotiated);
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 6d99f28..6464cd7 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -84,7 +84,6 @@
 #include "net/base/cert_verifier.h"
 #include "net/base/connection_type_histograms.h"
 #include "net/base/dns_util.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/dnssec_chain_verifier.h"
 #include "net/base/transport_security_state.h"
 #include "net/base/io_buffer.h"
diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc
index 601ad73..dffe962 100644
--- a/net/socket/ssl_client_socket_pool.cc
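Review bot: The default constructor of SSLClientSocketContext in the first hunk drops `dnsrr_resolver(NULL)` without adding a replacement, so `transport_security_state` is left uninitialized in a default-constructed context while every other pointer member is set to NULL. Add `transport_security_state(NULL),` after `origin_bound_cert_service(NULL),` so the initializer list matches the member order and the five-argument constructor. The new raw pointer member also carries no ownership note; a line such as `// Not owned; may be NULL.` above `TransportSecurityState* transport_security_state;` would document the contract the later pinning CL mentioned in the description will rely on. Whether anything in net/socket reads the pointer yet is not visible in this diff.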
+++ b/net/socket/ssl_client_socket_pool.cc
@@ -194,9 +194,6 @@ int SSLConnectJob::DoTransportConnect() {
 }
 if (ssl_host_info_.get()) {
- if (context_.dnsrr_resolver)
- ssl_host_info_->StartDnsLookup(context_.dnsrr_resolver);
-
 // This starts fetching the SSL host info from the disk cache for early
 // certificate verification and the TLS cached information extension.
 ssl_host_info_->Start();
@@ -447,7 +444,7 @@ SSLClientSocketPool::SSLClientSocketPool(
 HostResolver* host_resolver,
 CertVerifier* cert_verifier,
 OriginBoundCertService* origin_bound_cert_service,
- DnsRRResolver* dnsrr_resolver,
+ TransportSecurityState* transport_security_state,
 DnsCertProvenanceChecker* dns_cert_checker,
 SSLHostInfoFactory* ssl_host_info_factory,
 ClientSocketFactory* client_socket_factory,
@@ -470,7 +467,7 @@ SSLClientSocketPool::SSLClientSocketPool(
 SSLClientSocketContext(
 cert_verifier,
 origin_bound_cert_service,
- dnsrr_resolver,
+ transport_security_state,
 dns_cert_checker,
 ssl_host_info_factory),
 net_log)),
diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h
index ac5c22b7..2ca42b5 100644
--- a/net/socket/ssl_client_socket_pool.h
+++ b/net/socket/ssl_client_socket_pool.h
@@ -26,7 +26,6 @@ class CertVerifier;
 class ClientSocketFactory;
 class ConnectJobFactory;
 class DnsCertProvenanceChecker;
-class DnsRRResolver;
 class HostPortPair;
 class HttpProxyClientSocketPool;
 class HttpProxySocketParams;
@@ -34,8 +33,9 @@ class SOCKSClientSocketPool;
 class SOCKSSocketParams;
 class SSLClientSocket;
 class SSLHostInfoFactory;
-class TransportSocketParams;
 class TransportClientSocketPool;
+class TransportSecurityState;
+class TransportSocketParams;
 // SSLSocketParams only needs the socket params for the transport socket
 // that will be used (denoted by |proxy|).
@@ -179,7 +179,7 @@ class NET_EXPORT_PRIVATE SSLClientSocketPool
 HostResolver* host_resolver,
 CertVerifier* cert_verifier,
 OriginBoundCertService* origin_bound_cert_service,
- DnsRRResolver* dnsrr_resolver,
+ TransportSecurityState* transport_security_state,
 DnsCertProvenanceChecker* dns_cert_checker,
 SSLHostInfoFactory* ssl_host_info_factory,
 ClientSocketFactory* client_socket_factory,
diff --git a/net/socket/ssl_host_info.cc b/net/socket/ssl_host_info.cc
index 83fab41..ad9165c 100644
--- a/net/socket/ssl_host_info.cc
+++ b/net/socket/ssl_host_info.cc
@@ -8,8 +8,6 @@
 #include "base/metrics/histogram.h"
 #include "base/pickle.h"
 #include "base/string_piece.h"
-#include "net/base/dns_util.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/ssl_config_service.h"
 #include "net/base/x509_certificate.h"
 #include "net/socket/ssl_client_socket.h"
@@ -35,22 +33,10 @@ SSLHostInfo::SSLHostInfo(
 rev_checking_enabled_(ssl_config.rev_checking_enabled),
 verify_ev_cert_(ssl_config.verify_ev_cert),
 verifier_(cert_verifier),
- ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)),
- dnsrr_resolver_(NULL),
- dns_callback_(NULL),
- dns_handle_(DnsRRResolver::kInvalidHandle) {
+ ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)) {
 }
 SSLHostInfo::~SSLHostInfo() {
- if (dns_handle_ != DnsRRResolver::kInvalidHandle) {
- dnsrr_resolver_->CancelResolve(dns_handle_);
- delete dns_callback_;
- }
-}
-
-void SSLHostInfo::StartDnsLookup(DnsRRResolver* dnsrr_resolver) {
- dnsrr_resolver_ = dnsrr_resolver;
- // Note: currently disabled.
 }
 const SSLHostInfo::State& SSLHostInfo::state() const {
diff --git a/net/socket/ssl_host_info.h b/net/socket/ssl_host_info.h
index 54eeb2f..406dae9 100644
--- a/net/socket/ssl_host_info.h
+++ b/net/socket/ssl_host_info.h
@@ -15,7 +15,6 @@
 #include "net/base/cert_verifier.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/completion_callback.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/net_export.h"
 #include "net/socket/ssl_client_socket.h"
@@ -60,9 +59,6 @@ class NET_EXPORT_PRIVATE SSLHostInfo {
 // callback.
 virtual void Persist() = 0;
- // StartDnsLookup triggers a DNS lookup for the host.
- void StartDnsLookup(DnsRRResolver* dnsrr_resolver);
-
 struct State {
 State();
 ~State();
@@ -132,12 +128,6 @@ class NET_EXPORT_PRIVATE SSLHostInfo {
 SingleRequestCertVerifier verifier_;
 scoped_refptr<X509Certificate> cert_;
 base::WeakPtrFactory<SSLHostInfo> weak_factory_;
-
- DnsRRResolver* dnsrr_resolver_;
- OldCompletionCallback* dns_callback_;
- DnsRRResolver::Handle dns_handle_;
- RRResponse dns_response_;
- base::TimeTicks dns_lookup_start_time_;
 base::TimeTicks cert_verification_finished_time_;
 }; |