authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-11 17:00:30 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-11 17:00:30 +0000
commit4d52f19910c79ce4a2981629a98c098919ad2414 (patch)
tree65695e74f9e663a4d5b495efd709379bd8ff7224 /net
parent52241e624d90d108e98964108c6004db2cc37129 (diff)
net: add --enable-snap-start
This adds --enable-snap-start to enable an experimental zero-round-trip TLS handshake. Use of this option disables certificate checking. TEST=it's complicated BUG=none Review URL: http://codereview.chromium.org/3557013 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62152 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/http/http_cache_transaction.cc12
-rw-r--r--net/http/http_network_transaction.cc6
-rw-r--r--net/http/http_network_transaction.h2
-rw-r--r--net/http/http_transaction.h6
-rw-r--r--net/socket/ssl_client_socket_nss.cc11
-rw-r--r--net/socket/ssl_client_socket_pool.cc6
6 files changed, 42 insertions, 1 deletions
diff --git a/net/http/http_cache_transaction.cc b/net/http/http_cache_transaction.cc
index b7a56f6..a6ef5e0 100644
--- a/net/http/http_cache_transaction.cc
+++ b/net/http/http_cache_transaction.cc
@@ -24,7 +24,9 @@
#include "net/base/net_errors.h"
#include "net/base/net_log.h"
#include "net/base/ssl_cert_request_info.h"
+#include "net/base/ssl_config_service.h"
#include "net/disk_cache/disk_cache.h"
+#include "net/http/disk_cache_based_ssl_host_info.h"
#include "net/http/http_request_info.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_transaction.h"
@@ -623,6 +625,16 @@ int HttpCache::Transaction::DoSendRequest() {
return rv;
next_state_ = STATE_SEND_REQUEST_COMPLETE;
+ if (request_->url.SchemeIs("https") &&
+ SSLConfigService::snap_start_enabled()) {
+ // TODO(agl): in order to support AlternateProtocol there should probably
+ // be an object hanging off the HttpNetworkSession which constructs these.
+ // Note: when this test is removed, don't forget to remove the #include of
+ // ssl_config_service.h
+ scoped_refptr<DiskCacheBasedSSLHostInfo> hostinfo =
+ new DiskCacheBasedSSLHostInfo(request_->url.host(), cache_);
+ network_trans_->SetSSLNonSensitiveHostInfo(hostinfo.get());
+ }
rv = network_trans_->Start(request_, &io_callback_, net_log_);
return rv;
}
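Review bot: The host-info object built at `new DiskCacheBasedSSLHostInfo(request_->url.host(), cache_)` appears to be keyed on the hostname alone, so two TLS servers on different ports of the same host would share one Snap Start record; if that string is the cache key, fold the port into it as well, e.g. via `request_->url.EffectiveIntPort()`. The raw pointer handed to `SetSSLNonSensitiveHostInfo(hostinfo.get())` outlives the local `hostinfo` only if the receiving `ssl_host_info` field is itself a scoped_refptr, which the `.get()` in the pool change suggests but this hunk does not show, so a comment on the call saying the callee takes a reference would save the next reader the same check.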
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index cab9831..c773b10 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -26,6 +26,7 @@
#include "net/base/net_util.h"
#include "net/base/ssl_cert_request_info.h"
#include "net/base/ssl_connection_status_flags.h"
+#include "net/base/ssl_non_sensitive_host_info.h"
#include "net/base/upload_data_stream.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_handler.h"
@@ -415,6 +416,11 @@ uint64 HttpNetworkTransaction::GetUploadProgress() const {
return stream_->GetUploadProgress();
}
+void HttpNetworkTransaction::SetSSLNonSensitiveHostInfo(
+ SSLNonSensitiveHostInfo* host_info) {
+ ssl_config_.ssl_host_info = host_info;
+}
+
void HttpNetworkTransaction::OnStreamReady(HttpStream* stream) {
DCHECK_EQ(STATE_CREATE_STREAM_COMPLETE, next_state_);
DCHECK(stream_request_.get());
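Review bot: SetSSLNonSensitiveHostInfo() writes into `ssl_config_` with no ordering check, and if ssl_config_ is copied into the stream request when Start() runs (not visible here) a call made after Start() would be silently ignored. Consider `DCHECK(!stream_request_.get());` at the top of the setter, or at least a comment `// Must be called before Start(); later calls do not affect the connection.` The only caller in this commit, HttpCache::Transaction::DoSendRequest, does call it before Start(), so the check would hold today.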
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index d52b8ec..37fb5aa 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
@@ -30,6 +30,7 @@ class HttpNetworkSession;
class HttpStream;
class HttpStreamRequest;
class IOBuffer;
+class SSLNonSensitiveHostInfo;
struct HttpRequestInfo;
class HttpNetworkTransaction : public HttpTransaction,
@@ -56,6 +57,7 @@ class HttpNetworkTransaction : public HttpTransaction,
virtual const HttpResponseInfo* GetResponseInfo() const;
virtual LoadState GetLoadState() const;
virtual uint64 GetUploadProgress() const;
+ virtual void SetSSLNonSensitiveHostInfo(SSLNonSensitiveHostInfo* host_info);
// StreamRequestDelegate methods:
virtual void OnStreamReady(HttpStream* stream);
diff --git a/net/http/http_transaction.h b/net/http/http_transaction.h
index 690d521..2fcd245 100644
--- a/net/http/http_transaction.h
+++ b/net/http/http_transaction.h
@@ -17,6 +17,7 @@ struct HttpRequestInfo;
class HttpResponseInfo;
class IOBuffer;
class X509Certificate;
+class SSLNonSensitiveHostInfo;
// Represents a single HTTP transaction (i.e., a single request/response pair).
// HTTP redirects are not followed and authentication challenges are not
@@ -104,6 +105,11 @@ class HttpTransaction {
// Returns the upload progress in bytes. If there is no upload data,
// zero will be returned. This does not include the request headers.
virtual uint64 GetUploadProgress() const = 0;
+
+ // SetSSLNonSensitiveHostInfo sets a object which reads and writes public
+ // information about an SSL server. It's used to implement Snap Start.
+ // TODO(agl): remove this.
+ virtual void SetSSLNonSensitiveHostInfo(SSLNonSensitiveHostInfo*) { };
};
} // namespace net
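Review bot: The new default body `{ };` carries a stray semicolon and an unnamed parameter, and the comment reads "sets a object"; write it as `virtual void SetSSLNonSensitiveHostInfo(SSLNonSensitiveHostInfo* /* host_info */) {}` with "sets an object". The comment should also state the contract the subclasses rely on: the default implementation ignores the object, only HttpNetworkTransaction overrides it in this commit, and the object must be supplied before Start(); a line such as `// The default implementation is a no-op. Call before Start().` covers that.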
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 4353bdbc..b24a708 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -475,6 +475,7 @@ void SSLClientSocketNSS::SaveSnapStartInfo() {
NOTREACHED();
return;
}
+ LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;
if (snap_start_type == SSL_SNAP_START_FULL ||
snap_start_type == SSL_SNAP_START_RESUME) {
// If we did a successful Snap Start then our information was correct and
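Review bot: The new `LOG(ERROR) << "Snap Start: " << snap_start_type << " " << hostname_;` writes the hostname of every TLS connection to the error log of a shipping build, which is a tracing aid rather than an error and leaks the user's browsing destinations into logs collected from the machine. The same applies to the `"Setting Snap Start info "` line in the next hunk of this file and the `"SSL host info size "` line in DoSnapStartLoadInfo. Lower all three to `VLOG(1)` (or the `LOG(INFO)` this file already uses for the SSL_ENABLE_SNAP_START failure) so they stay off by default. SaveSnapStartInfo continues outside the hunk.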
@@ -586,6 +587,7 @@ void SSLClientSocketNSS::SaveSnapStartInfo() {
DCHECK_EQ(j, len);
+ LOG(ERROR) << "Setting Snap Start info " << hostname_ << " " << len;
ssl_config_.ssl_host_info->Set(std::string(
reinterpret_cast<const char *>(&data[0]), len));
@@ -865,7 +867,8 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
#ifdef SSL_ENABLE_SNAP_START
// TODO(agl): check that SSL_ENABLE_SNAP_START actually does something in the
// current NSS code.
- rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START, PR_TRUE);
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SNAP_START,
+ SSLConfigService::snap_start_enabled());
if (rv != SECSuccess)
LOG(INFO) << "SSL_ENABLE_SNAP_START failed. Old system nss?";
#endif
@@ -1945,6 +1948,8 @@ int SSLClientSocketNSS::DoSnapStartLoadInfo() {
int rv = ssl_config_.ssl_host_info->WaitForDataReady(&handshake_io_callback_);
if (rv == OK) {
+ LOG(ERROR) << "SSL host info size " << hostname_ << " "
+ << ssl_config_.ssl_host_info->data().size();
if (LoadSnapStartInfo(ssl_config_.ssl_host_info->data())) {
pseudo_connected_ = true;
GotoState(STATE_SNAP_START_WAIT_FOR_WRITE);
@@ -2297,6 +2302,10 @@ int SSLClientSocketNSS::DoVerifyCert(int result) {
int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
verifier_.reset();
+ // Using Snap Start disables certificate verification for now.
+ if (SSLConfigService::snap_start_enabled())
+ result = OK;
+
if (result == OK) {
// Remember the intermediate CA certs if the server sends them to us.
//
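Review bot: The override `if (SSLConfigService::snap_start_enabled()) result = OK;` discards the verifier's result for every TLS connection made while the flag is set, not only for handshakes that actually used Snap Start, and it does so silently, so a connection whose certificate failed verification is then indistinguishable from a verified one to the rest of the stack. At minimum record the discarded error in the output this commit already traces, e.g. `if (SSLConfigService::snap_start_enabled() && result != OK) { LOG(WARNING) << "Snap Start: ignoring cert verification error " << result << " for " << hostname_; result = OK; }`, and extend the comment to say the bypass is global for the flag rather than per Snap Start handshake. Whether the SSLInfo the function goes on to fill could also carry a "verification skipped" mark cannot be seen here because DoVerifyCertComplete continues past the hunk; if it can, that is the place to make the two cases distinguishable to callers.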
diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc
index cdb877d..ea0a177 100644
--- a/net/socket/ssl_client_socket_pool.cc
+++ b/net/socket/ssl_client_socket_pool.cc
@@ -188,6 +188,12 @@ int SSLConnectJob::DoLoop(int result) {
int SSLConnectJob::DoTCPConnect() {
DCHECK(tcp_pool_);
+ if (params_->ssl_config().ssl_host_info.get()) {
+ // This starts fetching the SSL host info from the disk cache for Snap
+ // Start.
+ params_->ssl_config().ssl_host_info->Start();
+ }
+
next_state_ = STATE_TCP_CONNECT_COMPLETE;
transport_socket_handle_.reset(new ClientSocketHandle());
scoped_refptr<TCPSocketParams> tcp_params = params_->tcp_params();
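Review bot: `params_->ssl_config().ssl_host_info->Start()` runs on every pass through DoTCPConnect(), and nothing in the hunk shows the call being idempotent; if the same host-info object reaches more than one SSLConnectJob (the transaction's ssl_config_ is presumably copied into the params), or the job's state machine re-enters STATE_TCP_CONNECT, the disk-cache fetch would be issued twice. Either confirm that DiskCacheBasedSSLHostInfo::Start() guards against a second call or state the requirement here: `// Start() must tolerate being called more than once; several jobs may share the object.` DoTCPConnect continues past the hunk.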