diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-18 15:44:44 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-18 15:44:44 +0000 |
| commit | 3e35b224fd0c36f17f432f23e2eb3729667210b1 (patch) | |
| tree | 9fc1ee327a5b872858aefe4bea60ded90080054e /net | |
| parent | be796bb642e82b4702fb84cfb451a09a37890c58 (diff) | |
| download | chromium_src-3e35b224fd0c36f17f432f23e2eb3729667210b1.zip chromium_src-3e35b224fd0c36f17f432f23e2eb3729667210b1.tar.gz chromium_src-3e35b224fd0c36f17f432f23e2eb3729667210b1.tar.bz2 | |
net: Plumb DnsCertProvenanceChecker around.
DnsCertProvenanceChecker is introduced to abstract away the action of
uploading reports. It's implemented by ChromeDnsCertProvenanceChecker
which lives in a scoped_ptr off of a URLRequestContext.
It's only active on the main context (i.e. not in incognito mode). This
might change in the future, but it's a nice, conservative choice for the
moment.
The DnsCertProvenanceChecker is plumbed all the way to SSLClientSocket
(via HttpCache) where it replaces the DnsRRResolver. Above
SSLClientSocket, it's plumbed in addition to the DnsRRResolver because
the later will end up going into SSLHostInfo in the future.
At the moment, ChromeDnsCertProvenanceCheckerContext is just a skeleton
to avoid putting too much real code in a plumbing job.
BUG=none
TEST=none
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@66623 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
39 files changed, 438 insertions, 315 deletions
diff --git a/net/http/http_cache.cc b/net/http/http_cache.cc index 1342afa..896a6ac 100644 --- a/net/http/http_cache.cc +++ b/net/http/http_cache.cc @@ -280,6 +280,7 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory { HttpCache::HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker_, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, @@ -292,7 +293,8 @@ HttpCache::HttpCache(HostResolver* host_resolver, ssl_host_info_factory_(new SSLHostInfoFactoryAdaptor( ALLOW_THIS_IN_INITIALIZER_LIST(this))), network_layer_(HttpNetworkLayer::CreateFactory(host_resolver, - dnsrr_resolver, ssl_host_info_factory_.get(), + dnsrr_resolver, dns_cert_checker_, + ssl_host_info_factory_.get(), proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, net_log)), ALLOW_THIS_IN_INITIALIZER_LIST(task_factory_(this)), diff --git a/net/http/http_cache.h b/net/http/http_cache.h index 0ce22e5..06c2ab9 100644 --- a/net/http/http_cache.h +++ b/net/http/http_cache.h @@ -41,6 +41,7 @@ class Entry; namespace net { +class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; @@ -117,6 +118,7 @@ class HttpCache : public HttpTransactionFactory, // The HttpCache takes ownership of the |backend_factory|. HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, diff --git a/net/http/http_network_layer.cc b/net/http/http_network_layer.cc index 5322e85..3da23c2 100644 --- a/net/http/http_network_layer.cc +++ b/net/http/http_network_layer.cc @@ -22,6 +22,7 @@ namespace net { HttpTransactionFactory* HttpNetworkLayer::CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -32,6 +33,7 @@ HttpTransactionFactory* HttpNetworkLayer::CreateFactory( return new HttpNetworkLayer(ClientSocketFactory::GetDefaultFactory(), host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, @@ -51,6 +53,7 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -60,6 +63,7 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -77,6 +81,7 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -87,6 +92,7 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -103,6 +109,7 @@ HttpNetworkLayer::HttpNetworkLayer( HttpNetworkLayer::HttpNetworkLayer(HttpNetworkSession* session) : socket_factory_(ClientSocketFactory::GetDefaultFactory()), dnsrr_resolver_(NULL), + dns_cert_checker_(NULL), ssl_host_info_factory_(NULL), ssl_config_service_(NULL), session_(session), @@ -144,6 +151,7 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { session_ = new HttpNetworkSession( host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, proxy_service_, socket_factory_, @@ -155,6 +163,7 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { // These were just temps for lazy-initializing HttpNetworkSession. host_resolver_ = NULL; dnsrr_resolver_ = NULL; + dns_cert_checker_ = NULL; ssl_host_info_factory_ = NULL; proxy_service_ = NULL; socket_factory_ = NULL; diff --git a/net/http/http_network_layer.h b/net/http/http_network_layer.h index 63ae3f2..7781efb 100644 --- a/net/http/http_network_layer.h +++ b/net/http/http_network_layer.h @@ -16,6 +16,7 @@ namespace net { class ClientSocketFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; @@ -34,6 +35,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { HttpNetworkLayer(ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -46,6 +48,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -62,6 +65,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { static HttpTransactionFactory* CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -100,6 +104,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { // creating |session_|. HostResolver* host_resolver_; DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* ssl_host_info_factory_; scoped_refptr<ProxyService> proxy_service_; diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc index 2850404..3ed54bf 100644 --- a/net/http/http_network_layer_unittest.cc +++ b/net/http/http_network_layer_unittest.cc @@ -25,6 +25,7 @@ TEST_F(HttpNetworkLayerTest, CreateAndDestroy) { NULL, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, @@ -44,6 +45,7 @@ TEST_F(HttpNetworkLayerTest, Suspend) { NULL, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, @@ -92,6 +94,7 @@ TEST_F(HttpNetworkLayerTest, GET) { &mock_socket_factory, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index d96f901..1e77b49 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -21,6 +21,7 @@ namespace net { HttpNetworkSession::HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -32,12 +33,14 @@ HttpNetworkSession::HttpNetworkSession( : socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), socket_pool_manager_(net_log, client_socket_factory, host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service), diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h index 53ae36a..43424d2 100644 --- a/net/http/http_network_session.h +++ b/net/http/http_network_session.h @@ -29,6 +29,7 @@ class Value; namespace net { class ClientSocketFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HttpAuthHandlerFactory; class HttpNetworkDelegate; @@ -48,6 +49,7 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -108,6 +110,9 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, ClientSocketFactory* socket_factory() { return socket_factory_; } HostResolver* host_resolver() { return host_resolver_; } DnsRRResolver* dnsrr_resolver() { return dnsrr_resolver_; } + DnsCertProvenanceChecker* dns_cert_checker() { + return dns_cert_checker_; + } ProxyService* proxy_service() { return proxy_service_; } SSLConfigService* ssl_config_service() { return ssl_config_service_; } SpdySessionPool* spdy_session_pool() { return spdy_session_pool_.get(); } @@ -148,6 +153,7 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpAlternateProtocols alternate_protocols_; HostResolver* const host_resolver_; DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; scoped_refptr<ProxyService> proxy_service_; scoped_refptr<SSLConfigService> ssl_config_service_; ClientSocketPoolManager socket_pool_manager_; diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc index 6a389af..f765696 100644 --- a/net/http/http_network_transaction_unittest.cc +++ b/net/http/http_network_transaction_unittest.cc @@ -100,6 +100,7 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, @@ -307,7 +308,7 @@ template<> CaptureGroupNameSSLSocketPool::CaptureGroupNameSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} //----------------------------------------------------------------------------- diff --git a/net/http/http_proxy_client_socket_pool_unittest.cc b/net/http/http_proxy_client_socket_pool_unittest.cc index f5bc2e7..56fae19 100644 --- a/net/http/http_proxy_client_socket_pool_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_unittest.cc @@ -66,6 +66,7 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { &ssl_histograms_, host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, &tcp_socket_pool_, @@ -77,6 +78,7 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { HttpAuthHandlerFactory::CreateDefault(host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, diff --git a/net/http/http_response_body_drainer_unittest.cc b/net/http/http_response_body_drainer_unittest.cc index d8c9bb7..75f099a 100644 --- a/net/http/http_response_body_drainer_unittest.cc +++ b/net/http/http_response_body_drainer_unittest.cc @@ -175,8 +175,9 @@ class HttpResponseBodyDrainerTest : public testing::Test { protected: HttpResponseBodyDrainerTest() : session_(new HttpNetworkSession( - NULL, - NULL, + NULL /* host_resolver */, + NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), NULL, diff --git a/net/http/http_stream_factory_unittest.cc b/net/http/http_stream_factory_unittest.cc index c295363..63fce33 100644 --- a/net/http/http_stream_factory_unittest.cc +++ b/net/http/http_stream_factory_unittest.cc @@ -44,6 +44,7 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, @@ -170,7 +171,7 @@ template<> CapturePreconnectsSSLSocketPool::CapturePreconnectsSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} TEST(HttpStreamFactoryTest, PreconnectDirect) { for (size_t i = 0; i < arraysize(kTests); ++i) { diff --git a/net/net.gyp b/net/net.gyp index b9e3776..dc6e4b6 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -582,8 +582,8 @@ 'socket/client_socket_pool_histograms.h', 'socket/client_socket_pool_manager.cc', 'socket/client_socket_pool_manager.h', - 'socket/dns_cert_provenance_check.cc', - 'socket/dns_cert_provenance_check.h', + 'socket/dns_cert_provenance_checker.cc', + 'socket/dns_cert_provenance_checker.h', 'socket/socket.h', 'socket/socks5_client_socket.cc', 'socket/socks5_client_socket.h', diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc index 4734997..6266b68 100644 --- a/net/proxy/proxy_script_fetcher_impl_unittest.cc +++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc @@ -43,7 +43,7 @@ class RequestContext : public URLRequestContext { ssl_config_service_ = new net::SSLConfigServiceDefaults; http_transaction_factory_ = new net::HttpCache( - net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, + net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, NULL, proxy_service_, ssl_config_service_, NULL, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); } diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index 72afd63..8965630 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -21,7 +21,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; namespace { @@ -30,7 +30,7 @@ SSLClientSocket* DefaultSSLClientSocketFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config); @@ -39,10 +39,10 @@ SSLClientSocket* DefaultSSLClientSocketFactory( ssl_config); #elif defined(USE_NSS) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #elif defined(OS_MACOSX) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #else NOTIMPLEMENTED(); return NULL; @@ -65,9 +65,9 @@ class DefaultClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { return g_ssl_factory(transport_socket, host_and_port, ssl_config, - ssl_host_info, dnsrr_resolver); + ssl_host_info, dns_cert_checker); } }; @@ -93,7 +93,8 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config, - ssl_host_info, NULL /* DnsRRResolver */); + ssl_host_info, + NULL /* DnsCertProvenanceChecker */); } } // namespace net diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index 196b2ab..0ab370a9 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -16,7 +16,7 @@ namespace net { class AddressList; class ClientSocket; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class HostPortPair; class SSLClientSocket; struct SSLConfig; @@ -28,7 +28,7 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); // An interface used to instantiate ClientSocket objects. Used to facilitate // testing code with mock socket implementations. @@ -48,7 +48,7 @@ class ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) = 0; + DnsCertProvenanceChecker* dns_cert_checker) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. virtual SSLClientSocket* CreateSSLClientSocket( diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index 5e7eb7f..d145bdf 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -110,7 +110,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc index 512360b..6c73c36 100644 --- a/net/socket/client_socket_pool_manager.cc +++ b/net/socket/client_socket_pool_manager.cc @@ -56,6 +56,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service) @@ -63,6 +64,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -79,6 +81,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( &ssl_pool_histograms_, host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, socket_factory, tcp_socket_pool_.get(), @@ -228,6 +231,7 @@ HttpProxyClientSocketPool* ClientSocketPoolManager::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, tcp_https_ret.first->second /* https proxy */, @@ -263,6 +267,7 @@ SSLClientSocketPool* ClientSocketPoolManager::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, NULL, /* no tcp pool, we always go through a proxy */ diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h index c6d8f6f..823213e 100644 --- a/net/socket/client_socket_pool_manager.h +++ b/net/socket/client_socket_pool_manager.h @@ -25,6 +25,7 @@ namespace net { class ClientSocketFactory; class ClientSocketPoolHistograms; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -61,6 +62,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service); @@ -105,6 +107,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; const scoped_refptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; diff --git a/net/socket/dns_cert_provenance_check.cc b/net/socket/dns_cert_provenance_check.cc deleted file mode 100644 index 61b9a04..0000000 --- a/net/socket/dns_cert_provenance_check.cc +++ /dev/null @@ -1,247 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/socket/dns_cert_provenance_check.h" - -#include <nspr.h> - -#include <hasht.h> -#include <keyhi.h> -#include <pk11pub.h> -#include <sechash.h> - -#include <string> - -#include "base/crypto/encryptor.h" -#include "base/crypto/symmetric_key.h" -#include "base/non_thread_safe.h" -#include "base/pickle.h" -#include "net/base/completion_callback.h" -#include "net/base/dns_util.h" -#include "net/base/dnsrr_resolver.h" -#include "net/base/net_errors.h" -#include "net/base/net_log.h" - -namespace net { - -namespace { - -// A DER encoded SubjectPublicKeyInfo structure containing the server's public -// key. -const uint8 kServerPublicKey[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, - 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, - 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, - 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, - 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, - 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, -}; - -class DNSCertProvenanceChecker : public NonThreadSafe { - public: - DNSCertProvenanceChecker(const std::string hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) - : hostname_(hostname), - dnsrr_resolver_(dnsrr_resolver), - der_certs_(der_certs.size()), - handle_(DnsRRResolver::kInvalidHandle), - ALLOW_THIS_IN_INITIALIZER_LIST(callback_( - this, &DNSCertProvenanceChecker::ResolutionComplete)) { - for (size_t i = 0; i < der_certs.size(); i++) - der_certs_[i] = der_certs[i].as_string(); - } - - void Start() { - DCHECK(CalledOnValidThread()); - - if (der_certs_.empty()) - return; - - uint8 fingerprint[SHA1_LENGTH]; - SECStatus rv = HASH_HashBuf( - HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), - der_certs_[0].size()); - DCHECK_EQ(SECSuccess, rv); - char fingerprint_hex[SHA1_LENGTH * 2 + 1]; - for (unsigned i = 0; i < sizeof(fingerprint); i++) { - static const char hextable[] = "0123456789abcdef"; - fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; - fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; - } - fingerprint_hex[SHA1_LENGTH * 2] = 0; - - static const char kBaseCertName[] = ".certs.links.org"; - domain_.assign(fingerprint_hex); - domain_.append(kBaseCertName); - - handle_ = dnsrr_resolver_->Resolve( - domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, - 0 /* priority */, BoundNetLog()); - if (handle_ == DnsRRResolver::kInvalidHandle) { - LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; - delete this; - } - } - - private: - void ResolutionComplete(int status) { - DCHECK(CalledOnValidThread()); - - if (status == ERR_NAME_NOT_RESOLVED || - (status == OK && response_.rrdatas.empty())) { - LOG(ERROR) << "FAILED" - << " hostname:" << hostname_ - << " domain:" << domain_; - BuildRecord(); - } else if (status == OK) { - LOG(ERROR) << "GOOD" - << " hostname:" << hostname_ - << " resp:" << response_.rrdatas[0]; - } else { - LOG(ERROR) << "Unknown error " << status << " for " << domain_; - } - - delete this; - } - - // BuildRecord encrypts the certificate chain to a fixed public key and - // returns the encrypted blob. Since this code is reporting a possible HTTPS - // failure, it would seem silly to use HTTPS to protect the uploaded report. - std::string BuildRecord() { - static const int kVersion = 0; - static const unsigned kKeySizeInBytes = 16; // AES-128 - static const unsigned kIVSizeInBytes = 16; // AES's block size - static const unsigned kPadSize = 4096; // we pad up to 4KB, - // This is a DER encoded, ANSI X9.62 CurveParams object which simply - // specifies P256. - static const uint8 kANSIX962CurveParams[] = { - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 - }; - - DCHECK(CalledOnValidThread()); - - Pickle p; - p.WriteString(hostname_); - p.WriteInt(der_certs_.size()); - for (std::vector<std::string>::const_iterator - i = der_certs_.begin(); i != der_certs_.end(); i++) { - p.WriteString(*i); - } - // We pad to eliminate the possibility that someone could see the size of - // an upload and use that information to reduce the anonymity set of the - // certificate chain. - // The "2*sizeof(uint32)" here covers the padding length which we add next - // and Pickle's internal length which it includes at the beginning of the - // data. - unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); - p.WriteUInt32(pad_bytes); - char* padding = new char[pad_bytes]; - memset(padding, 0, pad_bytes); - p.WriteData(padding, pad_bytes); - delete[] padding; - - // We generate a random public value and perform a DH key agreement with - // the server's fixed value. - SECKEYPublicKey* pub_key = NULL; - SECKEYPrivateKey* priv_key = NULL; - SECItem ec_der_params; - memset(&ec_der_params, 0, sizeof(ec_der_params)); - ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); - ec_der_params.len = sizeof(kANSIX962CurveParams); - priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); - SECKEYPublicKey* server_pub_key = GetServerPubKey(); - - // This extracts the big-endian, x value of the shared point. - // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS - // 3.12.8's lib/ssl/ssl3ecc.c - PK11SymKey* pms = PK11_PubDeriveWithKDF( - priv_key, server_pub_key, PR_FALSE /* is sender */, - NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, - CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); - SECKEY_DestroyPublicKey(server_pub_key); - SECStatus rv = PK11_ExtractKeyValue(pms); - DCHECK_EQ(SECSuccess, rv); - SECItem* x_data = PK11_GetKeyData(pms); - - // The key and IV are 128-bits and generated from a SHA256 hash of the x - // value. - char key_data[SHA256_LENGTH]; - HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), - x_data->data, x_data->len); - PK11_FreeSymKey(pms); - - DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); - std::string raw_key(key_data, kKeySizeInBytes); - - scoped_ptr<base::SymmetricKey> symkey( - base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); - std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); - - base::Encryptor encryptor; - bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); - CHECK(r); - - std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); - std::string ciphertext; - encryptor.Encrypt(plaintext, &ciphertext); - - // We use another Pickle object to serialise the 'outer' wrapping of the - // plaintext. - Pickle outer; - outer.WriteInt(kVersion); - - SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); - outer.WriteString( - std::string(reinterpret_cast<char*>(pub_key_serialized->data), - pub_key_serialized->len)); - SECITEM_FreeItem(pub_key_serialized, PR_TRUE); - - outer.WriteString(ciphertext); - - SECKEY_DestroyPublicKey(pub_key); - SECKEY_DestroyPrivateKey(priv_key); - - return std::string(reinterpret_cast<const char*>(outer.data()), - outer.size()); - } - - SECKEYPublicKey* GetServerPubKey() { - DCHECK(CalledOnValidThread()); - - SECItem der; - memset(&der, 0, sizeof(der)); - der.data = const_cast<uint8*>(kServerPublicKey); - der.len = sizeof(kServerPublicKey); - - CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); - SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); - SECKEY_DestroySubjectPublicKeyInfo(spki); - - return public_key; - } - - const std::string hostname_; - std::string domain_; - DnsRRResolver* const dnsrr_resolver_; - std::vector<std::string> der_certs_; - RRResponse response_; - DnsRRResolver::Handle handle_; - CompletionCallbackImpl<DNSCertProvenanceChecker> callback_; -}; - -} // anonymous namespace - -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) { - DNSCertProvenanceChecker* c(new DNSCertProvenanceChecker( - hostname, dnsrr_resolver, der_certs)); - c->Start(); -} - -} // namespace net diff --git a/net/socket/dns_cert_provenance_check.h b/net/socket/dns_cert_provenance_check.h deleted file mode 100644 index 289cccf..0000000 --- a/net/socket/dns_cert_provenance_check.h +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H -#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H - -#include <string> -#include <vector> - -#include "base/string_piece.h" - -namespace net { - -class DnsRRResolver; - -// DoAsyncDNSCertProvenanceVerification starts an asynchronous check for the -// given certificate chain. It must be run on the network thread. -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs); - -} // namespace net - -#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/dns_cert_provenance_checker.cc b/net/socket/dns_cert_provenance_checker.cc new file mode 100644 index 0000000..16ea87f --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.cc @@ -0,0 +1,258 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/socket/dns_cert_provenance_checker.h" + +#include <nspr.h> + +#include <hasht.h> +#include <keyhi.h> +#include <pk11pub.h> +#include <sechash.h> + +#include <string> + +#include "base/basictypes.h" +#include "base/crypto/encryptor.h" +#include "base/crypto/symmetric_key.h" +#include "base/non_thread_safe.h" +#include "base/pickle.h" +#include "net/base/completion_callback.h" +#include "net/base/dns_util.h" +#include "net/base/dnsrr_resolver.h" +#include "net/base/net_errors.h" +#include "net/base/net_log.h" + +namespace net { + +namespace { + +// A DER encoded SubjectPublicKeyInfo structure containing the server's public +// key. +const uint8 kServerPublicKey[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, + 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, + 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, + 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, + 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, +}; + +// DnsCertProvenanceCheck performs the DNS lookup of the certificate. This +// class is self-deleting. +class DnsCertProvenanceCheck : public NonThreadSafe { + public: + DnsCertProvenanceCheck( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker::Delegate* delegate, + const std::vector<base::StringPiece>& der_certs) + : hostname_(hostname), + dnsrr_resolver_(dnsrr_resolver), + delegate_(delegate), + der_certs_(der_certs.size()), + handle_(DnsRRResolver::kInvalidHandle), + ALLOW_THIS_IN_INITIALIZER_LIST(callback_( + this, &DnsCertProvenanceCheck::ResolutionComplete)) { + for (size_t i = 0; i < der_certs.size(); i++) + der_certs_[i] = der_certs[i].as_string(); + } + + void Start() { + DCHECK(CalledOnValidThread()); + + if (der_certs_.empty()) + return; + + uint8 fingerprint[SHA1_LENGTH]; + SECStatus rv = HASH_HashBuf( + HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), + der_certs_[0].size()); + DCHECK_EQ(SECSuccess, rv); + char fingerprint_hex[SHA1_LENGTH * 2 + 1]; + for (unsigned i = 0; i < sizeof(fingerprint); i++) { + static const char hextable[] = "0123456789abcdef"; + fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; + fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; + } + fingerprint_hex[SHA1_LENGTH * 2] = 0; + + static const char kBaseCertName[] = ".certs.links.org"; + domain_.assign(fingerprint_hex); + domain_.append(kBaseCertName); + + handle_ = dnsrr_resolver_->Resolve( + domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, + 0 /* priority */, BoundNetLog()); + if (handle_ == DnsRRResolver::kInvalidHandle) { + LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; + delete this; + } + } + + private: + void ResolutionComplete(int status) { + DCHECK(CalledOnValidThread()); + + if (status == ERR_NAME_NOT_RESOLVED || + (status == OK && response_.rrdatas.empty())) { + LOG(ERROR) << "FAILED" + << " hostname:" << hostname_ + << " domain:" << domain_; + delegate_->OnDnsCertLookupFailed(hostname_, der_certs_); + } else if (status == OK) { + LOG(ERROR) << "GOOD" + << " hostname:" << hostname_ + << " resp:" << response_.rrdatas[0]; + } else { + LOG(ERROR) << "Unknown error " << status << " for " << domain_; + } + + delete this; + } + + + const std::string hostname_; + std::string domain_; + DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker::Delegate* const delegate_; + std::vector<std::string> der_certs_; + RRResponse response_; + DnsRRResolver::Handle handle_; + CompletionCallbackImpl<DnsCertProvenanceCheck> callback_; +}; + +SECKEYPublicKey* GetServerPubKey() { + SECItem der; + memset(&der, 0, sizeof(der)); + der.data = const_cast<uint8*>(kServerPublicKey); + der.len = sizeof(kServerPublicKey); + + CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); + SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); + SECKEY_DestroySubjectPublicKeyInfo(spki); + + return public_key; +} + +} // namespace + +// static +std::string DnsCertProvenanceChecker::BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs) { + static const int kVersion = 0; + static const unsigned kKeySizeInBytes = 16; // AES-128 + static const unsigned kIVSizeInBytes = 16; // AES's block size + static const unsigned kPadSize = 4096; // we pad up to 4KB, + // This is a DER encoded, ANSI X9.62 CurveParams object which simply + // specifies P256. + static const uint8 kANSIX962CurveParams[] = { + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; + + Pickle p; + p.WriteString(hostname); + p.WriteInt(der_certs.size()); + for (std::vector<std::string>::const_iterator + i = der_certs.begin(); i != der_certs.end(); i++) { + p.WriteString(*i); + } + // We pad to eliminate the possibility that someone could see the size of + // an upload and use that information to reduce the anonymity set of the + // certificate chain. + // The "2*sizeof(uint32)" here covers the padding length which we add next + // and Pickle's internal length which it includes at the beginning of the + // data. + unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); + p.WriteUInt32(pad_bytes); + char* padding = new char[pad_bytes]; + memset(padding, 0, pad_bytes); + p.WriteData(padding, pad_bytes); + delete[] padding; + + // We generate a random public value and perform a DH key agreement with + // the server's fixed value. + SECKEYPublicKey* pub_key = NULL; + SECKEYPrivateKey* priv_key = NULL; + SECItem ec_der_params; + memset(&ec_der_params, 0, sizeof(ec_der_params)); + ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); + ec_der_params.len = sizeof(kANSIX962CurveParams); + priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); + SECKEYPublicKey* server_pub_key = GetServerPubKey(); + + // This extracts the big-endian, x value of the shared point. + // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS + // 3.12.8's lib/ssl/ssl3ecc.c + PK11SymKey* pms = PK11_PubDeriveWithKDF( + priv_key, server_pub_key, PR_FALSE /* is sender */, + NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, + CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, + CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); + SECKEY_DestroyPublicKey(server_pub_key); + SECStatus rv = PK11_ExtractKeyValue(pms); + DCHECK_EQ(SECSuccess, rv); + SECItem* x_data = PK11_GetKeyData(pms); + + // The key and IV are 128-bits and generated from a SHA256 hash of the x + // value. + char key_data[SHA256_LENGTH]; + HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), + x_data->data, x_data->len); + PK11_FreeSymKey(pms); + + DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); + std::string raw_key(key_data, kKeySizeInBytes); + + scoped_ptr<base::SymmetricKey> symkey( + base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); + std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); + + base::Encryptor encryptor; + bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); + CHECK(r); + + std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); + std::string ciphertext; + encryptor.Encrypt(plaintext, &ciphertext); + + // We use another Pickle object to serialise the 'outer' wrapping of the + // plaintext. + Pickle outer; + outer.WriteInt(kVersion); + + SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); + outer.WriteString( + std::string(reinterpret_cast<char*>(pub_key_serialized->data), + pub_key_serialized->len)); + SECITEM_FreeItem(pub_key_serialized, PR_TRUE); + + outer.WriteString(ciphertext); + + SECKEY_DestroyPublicKey(pub_key); + SECKEY_DestroyPrivateKey(priv_key); + + return std::string(reinterpret_cast<const char*>(outer.data()), + outer.size()); +} + +void DnsCertProvenanceChecker::DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate) { + DnsCertProvenanceCheck* check = new DnsCertProvenanceCheck( + hostname, dnsrr_resolver, delegate, der_certs); + check->Start(); +} + +DnsCertProvenanceChecker::Delegate::~Delegate() { +} + +DnsCertProvenanceChecker::~DnsCertProvenanceChecker() { +} + +} // namespace net diff --git a/net/socket/dns_cert_provenance_checker.h b/net/socket/dns_cert_provenance_checker.h new file mode 100644 index 0000000..8fef60f --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.h @@ -0,0 +1,60 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H +#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H + +#include <string> +#include <vector> + +#include "base/string_piece.h" + +namespace net { + +class DnsRRResolver; + +// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS +// certificates via a DNS side-channel. +class DnsCertProvenanceChecker { + public: + class Delegate { + public: + virtual ~Delegate(); + + virtual void OnDnsCertLookupFailed( + const std::string& hostname, + const std::vector<std::string>& der_certs) = 0; + }; + + virtual ~DnsCertProvenanceChecker(); + + // DoAsyncVerification starts an asynchronous check for the given certificate + // chain. It must be run on the network thread. + virtual void DoAsyncVerification( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs) = 0; + + + protected: + // DoAsyncLookup performs a DNS lookup for the given name and certificate + // chain. In the event that the lookup reports a failure, the Delegate is + // called back. + static void DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate); + + // BuildEncryptedRecord encrypts the certificate chain to a fixed public key + // and returns the encrypted blob. Since this code is reporting a possible + // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded + // report. + static std::string BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs); +}; + +} // namespace net + +#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index 8378c1d..b2e738a 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -1016,7 +1016,7 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); @@ -1066,7 +1066,7 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index ba0b94a..147a4ba 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -535,7 +535,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<SocketDataProvider>& mock_data() { return mock_data_; } @@ -880,7 +880,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<DeterministicSocketData>& mock_data() { return mock_data_; diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index a4ffb78..bf732e6 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc @@ -14,7 +14,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { delete ssl_host_info; return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config); } diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index c8f48ea..5539136 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketMac objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 3234320..0625698 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -93,7 +93,7 @@ #include "net/base/sys_addrinfo.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" -#include "net/socket/dns_cert_provenance_check.h" +#include "net/socket/dns_cert_provenance_checker.h" #include "net/socket/ssl_error_params.h" #include "net/socket/ssl_host_info.h" @@ -399,7 +399,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) + DnsCertProvenanceChecker* dns_ctx) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketNSS::BufferSendComplete)), ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( @@ -435,7 +435,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, predicted_npn_status_(kNextProtoUnsupported), predicted_npn_proto_used_(false), ssl_host_info_(ssl_host_info), - dnsrr_resolver_(dnsrr_resolver) { + dns_cert_checker_(dns_ctx) { EnterFunction(""); } @@ -2348,6 +2348,13 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { + if (ssl_config_.dns_cert_provenance_checking_enabled && + dns_cert_checker_) { + PeerCertificateChain certs(nss_fd_); + dns_cert_checker_->DoAsyncVerification( + host_and_port_.host(), certs.AsStringPieceVector()); + } + if (ssl_config_.dnssec_enabled) { DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), server_cert_nss_); diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index b2725f6..7743097 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -31,7 +31,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; class X509Certificate; @@ -48,7 +48,7 @@ class SSLClientSocketNSS : public SSLClientSocket { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dnsrr_resolver); ~SSLClientSocketNSS(); // SSLClientSocket methods: @@ -250,7 +250,7 @@ class SSLClientSocketNSS : public SSLClientSocket { bool predicted_npn_proto_used_; scoped_ptr<SSLHostInfo> ssl_host_info_; - DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index f7fc435..e4c01f0 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc @@ -19,10 +19,10 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); } } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index c51b5be..15b05b2 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketNSS objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 785faab..5b21005 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -78,6 +78,7 @@ SSLConnectJob::SSLConnectJob( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log) @@ -90,6 +91,7 @@ SSLConnectJob::SSLConnectJob( client_socket_factory_(client_socket_factory), resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), ALLOW_THIS_IN_INITIALIZER_LIST( callback_(this, &SSLConnectJob::OnIOComplete)) {} @@ -287,7 +289,7 @@ int SSLConnectJob::DoSSLConnect() { ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( transport_socket_handle_.release(), params_->host_and_port(), - params_->ssl_config(), ssl_host_info_.release(), dnsrr_resolver_)); + params_->ssl_config(), ssl_host_info_.release(), dns_cert_checker_)); return ssl_socket_->Connect(&callback_); } @@ -358,8 +360,8 @@ ConnectJob* SSLClientSocketPool::SSLConnectJobFactory::NewConnectJob( return new SSLConnectJob(group_name, request.params(), ConnectionTimeout(), tcp_pool_, socks_pool_, http_proxy_pool_, client_socket_factory_, host_resolver_, - dnsrr_resolver_, ssl_host_info_factory_, delegate, - net_log_); + dnsrr_resolver_, dns_cert_checker_, + ssl_host_info_factory_, delegate, net_log_); } SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( @@ -369,6 +371,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log) : tcp_pool_(tcp_pool), @@ -377,6 +380,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( client_socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), net_log_(net_log) { base::TimeDelta max_transport_timeout = base::TimeDelta(); @@ -403,6 +407,7 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -419,7 +424,8 @@ SSLClientSocketPool::SSLClientSocketPool( base::TimeDelta::FromSeconds(kUsedIdleSocketTimeout), new SSLConnectJobFactory(tcp_pool, socks_pool, http_proxy_pool, client_socket_factory, host_resolver, - dnsrr_resolver, ssl_host_info_factory, + dnsrr_resolver, dns_cert_checker, + ssl_host_info_factory, net_log)), ssl_config_service_(ssl_config_service) { if (ssl_config_service_) diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index 11cf250..5eb8594 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -24,6 +24,7 @@ namespace net { class ClientSocketFactory; class ConnectJobFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -95,6 +96,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log); @@ -144,6 +146,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* const client_socket_factory_; HostResolver* const resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; State next_state_; @@ -171,6 +174,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -244,6 +248,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log); @@ -264,6 +269,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* const client_socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; base::TimeDelta timeout_; NetLog* net_log_; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index f58a762..247638b 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -40,6 +40,7 @@ class SSLClientSocketPoolTest : public testing::Test { host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, @@ -97,6 +98,7 @@ class SSLClientSocketPoolTest : public testing::Test { ssl_histograms_.get(), NULL, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, tcp_pool ? &tcp_socket_pool_ : NULL, diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc index 215b9ba..c44815c 100644 --- a/net/socket/tcp_client_socket_pool_unittest.cc +++ b/net/socket/tcp_client_socket_pool_unittest.cc @@ -251,7 +251,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/spdy/spdy_test_util.h b/net/spdy/spdy_test_util.h index aecf08e..0a81bb7 100644 --- a/net/spdy/spdy_test_util.h +++ b/net/spdy/spdy_test_util.h @@ -358,6 +358,7 @@ class SpdySessionDependencies { SpdySessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, session_deps->socket_factory.get(), @@ -371,6 +372,7 @@ class SpdySessionDependencies { SpdySessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, session_deps-> @@ -395,6 +397,7 @@ class SpdyURLRequestContext : public URLRequestContext { new HttpNetworkLayer(&socket_factory_, host_resolver_, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/net/tools/fetch/fetch_client.cc b/net/tools/fetch/fetch_client.cc index 3bdbcbf..138bed3 100644 --- a/net/tools/fetch/fetch_client.cc +++ b/net/tools/fetch/fetch_client.cc @@ -147,7 +147,7 @@ int main(int argc, char**argv) { scoped_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory( net::HttpAuthHandlerFactory::CreateDefault(host_resolver.get())); if (use_cache) { - factory = new net::HttpCache(host_resolver.get(), NULL, proxy_service, + factory = new net::HttpCache(host_resolver.get(), NULL, NULL, proxy_service, ssl_config_service, http_auth_handler_factory.get(), NULL, NULL, net::HttpCache::DefaultBackend::InMemory(0)); } else { @@ -155,6 +155,7 @@ int main(int argc, char**argv) { net::ClientSocketFactory::GetDefaultFactory(), host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service, ssl_config_service, diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc index 137901d..281aa7e 100644 --- a/net/url_request/url_request_context.cc +++ b/net/url_request/url_request_context.cc @@ -12,6 +12,7 @@ URLRequestContext::URLRequestContext() : net_log_(NULL), host_resolver_(NULL), dnsrr_resolver_(NULL), + dns_cert_checker_(NULL), http_transaction_factory_(NULL), ftp_transaction_factory_(NULL), http_auth_handler_factory_(NULL), diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h index bbbae67..f935f5f 100644 --- a/net/url_request/url_request_context.h +++ b/net/url_request/url_request_context.h @@ -18,10 +18,12 @@ #include "net/base/transport_security_state.h" #include "net/ftp/ftp_auth_cache.h" #include "net/proxy/proxy_service.h" +#include "net/socket/dns_cert_provenance_checker.h" namespace net { class CookiePolicy; class CookieStore; +class DnsCertProvenanceChecker; class DnsRRResolver; class FtpTransactionFactory; class HostResolver; @@ -51,6 +53,10 @@ class URLRequestContext return dnsrr_resolver_; } + net::DnsCertProvenanceChecker* dns_cert_checker() const { + return dns_cert_checker_.get(); + } + // Get the proxy service for this context. net::ProxyService* proxy_service() const { return proxy_service_; @@ -124,6 +130,7 @@ class URLRequestContext net::NetLog* net_log_; net::HostResolver* host_resolver_; net::DnsRRResolver* dnsrr_resolver_; + scoped_ptr<net::DnsCertProvenanceChecker> dns_cert_checker_; scoped_refptr<net::ProxyService> proxy_service_; scoped_refptr<net::SSLConfigService> ssl_config_service_; net::HttpTransactionFactory* http_transaction_factory_; diff --git a/net/url_request/url_request_unittest.h b/net/url_request/url_request_unittest.h index abb6ab5..378b133 100644 --- a/net/url_request/url_request_unittest.h +++ b/net/url_request/url_request_unittest.h @@ -162,6 +162,7 @@ class TestURLRequestContext : public URLRequestContext { http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, |