50 files changed, 323 insertions, 511 deletions
diff --git a/chrome/browser/net/chrome_url_request_context.cc b/chrome/browser/net/chrome_url_request_context.cc
index 547893e..159c674 100644
--- a/chrome/browser/net/chrome_url_request_context.cc
+++ b/chrome/browser/net/chrome_url_request_context.cc
@@ -33,7 +33,6 @@
 #include "net/proxy/proxy_config_service_fixed.h"
 #include "net/proxy/proxy_script_fetcher.h"
 #include "net/proxy/proxy_service.h"
-#include "net/socket/dns_cert_provenance_checker.h"
 #include "net/url_request/url_request.h"
 #include "webkit/glue/webkit_glue.h"
 
@@ -224,47 +223,6 @@ class ChromeCookieMonsterDelegate : public net::CookieMonster::Delegate { }; // ---------------------------------------------------------------------------- -// Implementation of DnsCertProvenanceChecker -// ---------------------------------------------------------------------------- - -// WARNING: do not use this with anything other than the main -// ChromeURLRequestContext. Eventually we'll want to have the other contexts -// point to the main ChromeURLRequestContext, which then causes lifetime -// ordering issues wrt ChromeURLRequestContexts, since we're using a raw -// pointer, and we'll get shutdown ordering problems. - -class ChromeDnsCertProvenanceChecker : - public net::DnsCertProvenanceChecker, - public net::DnsCertProvenanceChecker::Delegate { - public: - ChromeDnsCertProvenanceChecker( - net::DnsRRResolver* dnsrr_resolver, - ChromeURLRequestContext* url_req_context) - : dnsrr_resolver_(dnsrr_resolver), - url_req_context_(url_req_context) { - } - - // DnsCertProvenanceChecker interface - virtual void DoAsyncVerification( - const std::string& hostname, - const std::vector<base::StringPiece>& der_certs) { - net::DnsCertProvenanceChecker::DoAsyncLookup(hostname, der_certs, - dnsrr_resolver_, this); - } - - // DnsCertProvenanceChecker::Delegate interface - virtual void OnDnsCertLookupFailed( - const std::string& hostname, - const std::vector<std::string>& der_certs) { - // Currently unimplemented. - } - - private: - net::DnsRRResolver* const dnsrr_resolver_; - ChromeURLRequestContext* const url_req_context_; -}; - -// ---------------------------------------------------------------------------- // Helper factories // ---------------------------------------------------------------------------- 
@@ -306,10 +264,6 @@ ChromeURLRequestContext* FactoryForOriginal::Create() { context->set_dnsrr_resolver(io_thread_globals->dnsrr_resolver.get()); context->set_http_auth_handler_factory( io_thread_globals->http_auth_handler_factory.get()); - context->set_dns_cert_checker( - new ChromeDnsCertProvenanceChecker( - io_thread_globals->dnsrr_resolver.get(), - context)); const CommandLine& command_line = *CommandLine::ForCurrentProcess(); @@ -326,7 +280,6 @@ ChromeURLRequestContext* FactoryForOriginal::Create() { net::HttpCache* cache = new net::HttpCache(context->host_resolver(), context->dnsrr_resolver(), - context->dns_cert_checker(), context->proxy_service(), context->ssl_config_service(), context->http_auth_handler_factory(), @@ -453,7 +406,6 @@ ChromeURLRequestContext* FactoryForOffTheRecord::Create() { net::HttpCache* cache = new net::HttpCache(context->host_resolver(), context->dnsrr_resolver(), - NULL /* dns_cert_checker */, context->proxy_service(), context->ssl_config_service(), context->http_auth_handler_factory(), @@ -546,7 +498,6 @@ ChromeURLRequestContext* FactoryForMedia::Create() { // new set of network stack. cache = new net::HttpCache(main_context->host_resolver(), main_context->dnsrr_resolver(), - NULL /* dns_cert_checker */, main_context->proxy_service(), main_context->ssl_config_service(), main_context->http_auth_handler_factory(), diff --git a/chrome/browser/net/chrome_url_request_context.h b/chrome/browser/net/chrome_url_request_context.h index d7c08c0..72a31af 100644 --- a/chrome/browser/net/chrome_url_request_context.h +++ b/chrome/browser/net/chrome_url_request_context.h @@ -33,7 +33,6 @@ class PrefService; class Profile; namespace net { -class DnsCertProvenanceChecker; class NetworkDelegate; class ProxyConfig; } 
@@ -131,9 +130,6 @@ class ChromeURLRequestContext : public URLRequestContext { void set_dnsrr_resolver(net::DnsRRResolver* dnsrr_resolver) { dnsrr_resolver_ = dnsrr_resolver; } - void set_dns_cert_checker(net::DnsCertProvenanceChecker* ctx) { - dns_cert_checker_.reset(ctx); - } void set_http_transaction_factory(net::HttpTransactionFactory* factory) { http_transaction_factory_ = factory; } diff --git a/chrome/browser/net/connection_tester.cc b/chrome/browser/net/connection_tester.cc index 35a9a71..8f762ef 100644 --- a/chrome/browser/net/connection_tester.cc +++ b/chrome/browser/net/connection_tester.cc @@ -65,7 +65,6 @@ class ExperimentURLRequestContext : public URLRequestContext { host_resolver_); http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, dnsrr_resolver_, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, http_auth_handler_factory_, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); diff --git a/chrome/browser/policy/device_management_backend_impl.cc b/chrome/browser/policy/device_management_backend_impl.cc index a3dd0e8..c0e9b07 100644 --- a/chrome/browser/policy/device_management_backend_impl.cc +++ b/chrome/browser/policy/device_management_backend_impl.cc @@ -71,7 +71,6 @@ DeviceManagementBackendRequestContext::DeviceManagementBackendRequestContext( http_transaction_factory_ = net::HttpNetworkLayer::CreateFactory(host_resolver_, io_globals->dnsrr_resolver.get(), - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome/service/net/service_url_request_context.cc b/chrome/service/net/service_url_request_context.cc index ce32f67..c7268f5 100644 --- a/chrome/service/net/service_url_request_context.cc +++ b/chrome/service/net/service_url_request_context.cc 
@@ -125,7 +125,6 @@ ServiceURLRequestContext::ServiceURLRequestContext( http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, dnsrr_resolver_, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome/test/plugin/plugin_test.cpp b/chrome/test/plugin/plugin_test.cpp index 7b2b4e0..4fc85d1 100644 --- a/chrome/test/plugin/plugin_test.cpp +++ b/chrome/test/plugin/plugin_test.cpp @@ -281,7 +281,6 @@ class PluginInstallerDownloadTest http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome_frame/metrics_service.cc b/chrome_frame/metrics_service.cc index c970e7a..eecf468 100644 --- a/chrome_frame/metrics_service.cc +++ b/chrome_frame/metrics_service.cc @@ -176,7 +176,6 @@ class ChromeFrameUploadRequestContext : public URLRequestContext { http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resovler */, - NULL /* dns_cert_checker*/, NULL /* ssl_host_info */, proxy_service_, ssl_config_service_, diff --git a/chrome_frame/test/test_server_test.cc b/chrome_frame/test/test_server_test.cc index 450f021..fae70ae 100644 --- a/chrome_frame/test/test_server_test.cc +++ b/chrome_frame/test/test_server_test.cc 
@@ -70,15 +70,9 @@ class URLRequestTestContext : public URLRequestContext { host_resolver_); http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory( - host_resolver_, - NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, - NULL /* ssl_host_info_factory */, - proxy_service_, - ssl_config_service_, - http_auth_handler_factory_, - NULL /* network_delegate */, - NULL /* net_log */), + host_resolver_, NULL /* dnsrr_resolver */, + NULL /* ssl_host_info_factory */, proxy_service_, + ssl_config_service_, http_auth_handler_factory_, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); // In-memory cookie store. cookie_store_ = new net::CookieMonster(NULL, NULL); diff --git a/jingle/notifier/base/xmpp_client_socket_factory.cc b/jingle/notifier/base/xmpp_client_socket_factory.cc index 0de822a..c290325 100644 --- a/jingle/notifier/base/xmpp_client_socket_factory.cc +++ b/jingle/notifier/base/xmpp_client_socket_factory.cc @@ -35,10 +35,10 @@ net::SSLClientSocket* XmppClientSocketFactory::CreateSSLClientSocket( const net::HostPortPair& host_and_port, const net::SSLConfig& ssl_config, net::SSLHostInfo* ssl_host_info, - net::DnsCertProvenanceChecker* dns_cert_checker) { + net::DnsRRResolver* dnsrr_resolver) { return client_socket_factory_->CreateSSLClientSocket( transport_socket, host_and_port, ssl_config, ssl_host_info, - dns_cert_checker); + dnsrr_resolver); } } // namespace diff --git a/jingle/notifier/base/xmpp_client_socket_factory.h b/jingle/notifier/base/xmpp_client_socket_factory.h index fef3bfa..e629be6 100644 --- a/jingle/notifier/base/xmpp_client_socket_factory.h +++ b/jingle/notifier/base/xmpp_client_socket_factory.h @@ -10,7 +10,7 @@ #include "net/socket/client_socket_factory.h" namespace net { -class DnsCertProvenanceChecker; +class DnsRRResolver; class HostPortPair; class SSLHostInfo; } 
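Review bot: The rewrapped `CreateFactory(...)` call in URLRequestTestContext drops the `/* network_delegate */` and `/* net_log */` labels on the two trailing NULLs, leaving a nine-argument call whose last two positions are unlabeled while the earlier NULLs keep their comments. The labels are the only thing that tells the two NULLs apart for a reader, so I would keep `ssl_config_service_, http_auth_handler_factory_,` followed by `NULL /* network_delegate */, NULL /* net_log */),` instead of the bare `NULL, NULL),`. The http_response_body_drainer_unittest.cc hunk does the same, replacing `NULL /* host_resolver */` and `NULL /* dnsrr_resolver */` with bare NULLs. The constructor body this call sits in starts and ends outside the hunk.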
@@ -33,8 +33,7 @@ class XmppClientSocketFactory : public net::ClientSocketFactory { virtual net::SSLClientSocket* CreateSSLClientSocket( net::ClientSocketHandle* transport_socket, const net::HostPortPair& host_and_port, const net::SSLConfig& ssl_config, - net::SSLHostInfo* ssl_host_info, - net::DnsCertProvenanceChecker* dns_cert_checker); + net::SSLHostInfo* ssl_host_info, net::DnsRRResolver* dnsrr_resolver); private: net::ClientSocketFactory* const client_socket_factory_; diff --git a/net/http/http_cache.cc b/net/http/http_cache.cc index 896a6ac..1342afa 100644 --- a/net/http/http_cache.cc +++ b/net/http/http_cache.cc @@ -280,7 +280,6 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory { HttpCache::HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker_, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, @@ -293,8 +292,7 @@ HttpCache::HttpCache(HostResolver* host_resolver, ssl_host_info_factory_(new SSLHostInfoFactoryAdaptor( ALLOW_THIS_IN_INITIALIZER_LIST(this))), network_layer_(HttpNetworkLayer::CreateFactory(host_resolver, - dnsrr_resolver, dns_cert_checker_, - ssl_host_info_factory_.get(), + dnsrr_resolver, ssl_host_info_factory_.get(), proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, net_log)), ALLOW_THIS_IN_INITIALIZER_LIST(task_factory_(this)), diff --git a/net/http/http_cache.h b/net/http/http_cache.h index 06c2ab9..0ce22e5 100644 --- a/net/http/http_cache.h +++ b/net/http/http_cache.h @@ -41,7 +41,6 @@ class Entry; namespace net { -class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; 
@@ -118,7 +117,6 @@ class HttpCache : public HttpTransactionFactory, // The HttpCache takes ownership of the |backend_factory|. HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, diff --git a/net/http/http_network_layer.cc b/net/http/http_network_layer.cc index 3da23c2..5322e85 100644 --- a/net/http/http_network_layer.cc +++ b/net/http/http_network_layer.cc @@ -22,7 +22,6 @@ namespace net { HttpTransactionFactory* HttpNetworkLayer::CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -33,7 +32,6 @@ HttpTransactionFactory* HttpNetworkLayer::CreateFactory( return new HttpNetworkLayer(ClientSocketFactory::GetDefaultFactory(), host_resolver, dnsrr_resolver, - dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, @@ -53,7 +51,6 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -63,7 +60,6 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), 
@@ -81,7 +77,6 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -92,7 +87,6 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -109,7 +103,6 @@ HttpNetworkLayer::HttpNetworkLayer( HttpNetworkLayer::HttpNetworkLayer(HttpNetworkSession* session) : socket_factory_(ClientSocketFactory::GetDefaultFactory()), dnsrr_resolver_(NULL), - dns_cert_checker_(NULL), ssl_host_info_factory_(NULL), ssl_config_service_(NULL), session_(session), @@ -151,7 +144,6 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { session_ = new HttpNetworkSession( host_resolver_, dnsrr_resolver_, - dns_cert_checker_, ssl_host_info_factory_, proxy_service_, socket_factory_, @@ -163,7 +155,6 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { // These were just temps for lazy-initializing HttpNetworkSession. host_resolver_ = NULL; dnsrr_resolver_ = NULL; - dns_cert_checker_ = NULL; ssl_host_info_factory_ = NULL; proxy_service_ = NULL; socket_factory_ = NULL; diff --git a/net/http/http_network_layer.h b/net/http/http_network_layer.h index 7781efb..63ae3f2 100644 --- a/net/http/http_network_layer.h +++ b/net/http/http_network_layer.h @@ -16,7 +16,6 @@ namespace net { class ClientSocketFactory; -class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; 
@@ -35,7 +34,6 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { HttpNetworkLayer(ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -48,7 +46,6 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -65,7 +62,6 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { static HttpTransactionFactory* CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -104,7 +100,6 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { // creating |session_|. HostResolver* host_resolver_; DnsRRResolver* dnsrr_resolver_; - DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* ssl_host_info_factory_; scoped_refptr<ProxyService> proxy_service_; diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc index 3ed54bf..2850404 100644 --- a/net/http/http_network_layer_unittest.cc +++ b/net/http/http_network_layer_unittest.cc @@ -25,7 +25,6 @@ TEST_F(HttpNetworkLayerTest, CreateAndDestroy) { NULL, &host_resolver, NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, 
@@ -45,7 +44,6 @@ TEST_F(HttpNetworkLayerTest, Suspend) { NULL, &host_resolver, NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, @@ -94,7 +92,6 @@ TEST_F(HttpNetworkLayerTest, GET) { &mock_socket_factory, &host_resolver, NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index 1e77b49..d96f901 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -21,7 +21,6 @@ namespace net { HttpNetworkSession::HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -33,14 +32,12 @@ HttpNetworkSession::HttpNetworkSession( : socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), socket_pool_manager_(net_log, client_socket_factory, host_resolver, dnsrr_resolver, - dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service), diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h index 43424d2..53ae36a 100644 --- a/net/http/http_network_session.h +++ b/net/http/http_network_session.h @@ -29,7 +29,6 @@ class Value; namespace net { class ClientSocketFactory; -class DnsCertProvenanceChecker; class DnsRRResolver; class HttpAuthHandlerFactory; class HttpNetworkDelegate; 
@@ -49,7 +48,6 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -110,9 +108,6 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, ClientSocketFactory* socket_factory() { return socket_factory_; } HostResolver* host_resolver() { return host_resolver_; } DnsRRResolver* dnsrr_resolver() { return dnsrr_resolver_; } - DnsCertProvenanceChecker* dns_cert_checker() { - return dns_cert_checker_; - } ProxyService* proxy_service() { return proxy_service_; } SSLConfigService* ssl_config_service() { return ssl_config_service_; } SpdySessionPool* spdy_session_pool() { return spdy_session_pool_.get(); } @@ -153,7 +148,6 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpAlternateProtocols alternate_protocols_; HostResolver* const host_resolver_; DnsRRResolver* dnsrr_resolver_; - DnsCertProvenanceChecker* dns_cert_checker_; scoped_refptr<ProxyService> proxy_service_; scoped_refptr<SSLConfigService> ssl_config_service_; ClientSocketPoolManager socket_pool_manager_; diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc index f765696..6a389af 100644 --- a/net/http/http_network_transaction_unittest.cc +++ b/net/http/http_network_transaction_unittest.cc @@ -100,7 +100,6 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, 
@@ -308,7 +307,7 @@ template<> CaptureGroupNameSSLSocketPool::CaptureGroupNameSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL) {} //----------------------------------------------------------------------------- diff --git a/net/http/http_proxy_client_socket_pool_unittest.cc b/net/http/http_proxy_client_socket_pool_unittest.cc index 56fae19..f5bc2e7 100644 --- a/net/http/http_proxy_client_socket_pool_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_unittest.cc @@ -66,7 +66,6 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { &ssl_histograms_, host_resolver_.get(), NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, &tcp_socket_pool_, @@ -78,7 +77,6 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { HttpAuthHandlerFactory::CreateDefault(host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, diff --git a/net/http/http_response_body_drainer_unittest.cc b/net/http/http_response_body_drainer_unittest.cc index 75f099a..d8c9bb7 100644 --- a/net/http/http_response_body_drainer_unittest.cc +++ b/net/http/http_response_body_drainer_unittest.cc @@ -175,9 +175,8 @@ class HttpResponseBodyDrainerTest : public testing::Test { protected: HttpResponseBodyDrainerTest() : session_(new HttpNetworkSession( - NULL /* host_resolver */, - NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, + NULL, + NULL, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), NULL, diff --git a/net/http/http_stream_factory_unittest.cc b/net/http/http_stream_factory_unittest.cc index 63fce33..c295363 100644 --- a/net/http/http_stream_factory_unittest.cc 
+++ b/net/http/http_stream_factory_unittest.cc @@ -44,7 +44,6 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, - NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, @@ -171,7 +170,7 @@ template<> CapturePreconnectsSSLSocketPool::CapturePreconnectsSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL) {} TEST(HttpStreamFactoryTest, PreconnectDirect) { for (size_t i = 0; i < arraysize(kTests); ++i) { diff --git a/net/net.gyp b/net/net.gyp index dc6e4b6..b9e3776 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -582,8 +582,8 @@ 'socket/client_socket_pool_histograms.h', 'socket/client_socket_pool_manager.cc', 'socket/client_socket_pool_manager.h', - 'socket/dns_cert_provenance_checker.cc', - 'socket/dns_cert_provenance_checker.h', + 'socket/dns_cert_provenance_check.cc', + 'socket/dns_cert_provenance_check.h', 'socket/socket.h', 'socket/socks5_client_socket.cc', 'socket/socks5_client_socket.h', diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc index 6266b68..4734997 100644 --- a/net/proxy/proxy_script_fetcher_impl_unittest.cc +++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc @@ -43,7 +43,7 @@ class RequestContext : public URLRequestContext { ssl_config_service_ = new net::SSLConfigServiceDefaults; http_transaction_factory_ = new net::HttpCache( - net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, NULL, + net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, proxy_service_, ssl_config_service_, NULL, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); } 
diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index 8965630..72afd63 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -21,7 +21,7 @@ namespace net { -class DnsCertProvenanceChecker; +class DnsRRResolver; namespace { @@ -30,7 +30,7 @@ SSLClientSocket* DefaultSSLClientSocketFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config); @@ -39,10 +39,10 @@ SSLClientSocket* DefaultSSLClientSocketFactory( ssl_config); #elif defined(USE_NSS) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dns_cert_checker); + shi.release(), dnsrr_resolver); #elif defined(OS_MACOSX) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dns_cert_checker); + shi.release(), dnsrr_resolver); #else NOTIMPLEMENTED(); return NULL; @@ -65,9 +65,9 @@ class DefaultClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { return g_ssl_factory(transport_socket, host_and_port, ssl_config, - ssl_host_info, dns_cert_checker); + ssl_host_info, dnsrr_resolver); } }; @@ -93,8 +93,7 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config, - ssl_host_info, - NULL /* DnsCertProvenanceChecker */); + ssl_host_info, NULL /* DnsRRResolver */); } } // namespace net 
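Review bot: In the deprecated `ClientSocketFactory::CreateSSLClientSocket` overload at the end of the file, the new code passes `NULL /* DnsRRResolver */`, so every SSL socket created through that path has no resolver to hand to SSLClientSocketNSS; whether that silently disables the provenance lookup for those sockets depends on how the NSS socket treats a null resolver, which is not visible in this diff. Since the overload is already marked deprecated (http://crbug.com/37810) this is probably intended, but the consequence deserves a line at the call site, e.g. `// No DnsRRResolver on this deprecated path: sockets created here cannot do the DNS cert provenance lookup.` Note also that `DefaultSSLClientSocketFactory` only forwards `dnsrr_resolver` on the USE_NSS and OS_MACOSX branches, so a reader should not assume the parameter is honoured on Windows.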
diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index 0ab370a9..196b2ab 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -16,7 +16,7 @@ namespace net { class AddressList; class ClientSocket; class ClientSocketHandle; -class DnsCertProvenanceChecker; +class DnsRRResolver; class HostPortPair; class SSLClientSocket; struct SSLConfig; @@ -28,7 +28,7 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker); + DnsRRResolver* dnsrr_resolver); // An interface used to instantiate ClientSocket objects. Used to facilitate // testing code with mock socket implementations. @@ -48,7 +48,7 @@ class ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) = 0; + DnsRRResolver* dnsrr_resolver) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. virtual SSLClientSocket* CreateSSLClientSocket( diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index d145bdf..5e7eb7f 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -110,7 +110,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc index 6c73c36..512360b 100644 --- a/net/socket/client_socket_pool_manager.cc +++ b/net/socket/client_socket_pool_manager.cc 
@@ -56,7 +56,6 @@ ClientSocketPoolManager::ClientSocketPoolManager( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service) @@ -64,7 +63,6 @@ ClientSocketPoolManager::ClientSocketPoolManager( socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -81,7 +79,6 @@ ClientSocketPoolManager::ClientSocketPoolManager( &ssl_pool_histograms_, host_resolver, dnsrr_resolver, - dns_cert_checker, ssl_host_info_factory, socket_factory, tcp_socket_pool_.get(), @@ -231,7 +228,6 @@ HttpProxyClientSocketPool* ClientSocketPoolManager::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, dnsrr_resolver_, - dns_cert_checker_, ssl_host_info_factory_, socket_factory_, tcp_https_ret.first->second /* https proxy */, @@ -267,7 +263,6 @@ SSLClientSocketPool* ClientSocketPoolManager::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, dnsrr_resolver_, - dns_cert_checker_, ssl_host_info_factory_, socket_factory_, NULL, /* no tcp pool, we always go through a proxy */ diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h index 823213e..c6d8f6f 100644 --- a/net/socket/client_socket_pool_manager.h +++ b/net/socket/client_socket_pool_manager.h @@ -25,7 +25,6 @@ namespace net { class ClientSocketFactory; class ClientSocketPoolHistograms; -class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; 
@@ -62,7 +61,6 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service); @@ -107,7 +105,6 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; - DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; const scoped_refptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; diff --git a/net/socket/dns_cert_provenance_check.cc b/net/socket/dns_cert_provenance_check.cc new file mode 100644 index 0000000..61b9a04 --- /dev/null +++ b/net/socket/dns_cert_provenance_check.cc 
@@ -0,0 +1,247 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/socket/dns_cert_provenance_check.h" + +#include <nspr.h> + +#include <hasht.h> +#include <keyhi.h> +#include <pk11pub.h> +#include <sechash.h> + +#include <string> + +#include "base/crypto/encryptor.h" +#include "base/crypto/symmetric_key.h" +#include "base/non_thread_safe.h" +#include "base/pickle.h" +#include "net/base/completion_callback.h" +#include "net/base/dns_util.h" +#include "net/base/dnsrr_resolver.h" +#include "net/base/net_errors.h" +#include "net/base/net_log.h" + +namespace net { + +namespace { + +// A DER encoded SubjectPublicKeyInfo structure containing the server's public +// key. +const uint8 kServerPublicKey[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, + 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, + 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, + 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, + 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, +}; + +class DNSCertProvenanceChecker : public NonThreadSafe { + public: + DNSCertProvenanceChecker(const std::string hostname, + DnsRRResolver* dnsrr_resolver, + const std::vector<base::StringPiece>& der_certs) + : hostname_(hostname), + dnsrr_resolver_(dnsrr_resolver), + der_certs_(der_certs.size()), + handle_(DnsRRResolver::kInvalidHandle), + ALLOW_THIS_IN_INITIALIZER_LIST(callback_( + this, &DNSCertProvenanceChecker::ResolutionComplete)) { + for (size_t i = 0; i < der_certs.size(); i++) + der_certs_[i] = der_certs[i].as_string(); + } + + void Start() { + 
DCHECK(CalledOnValidThread()); + + if (der_certs_.empty()) + return; + + uint8 fingerprint[SHA1_LENGTH]; + SECStatus rv = HASH_HashBuf( + HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), + der_certs_[0].size()); + DCHECK_EQ(SECSuccess, rv); + char fingerprint_hex[SHA1_LENGTH * 2 + 1]; + for (unsigned i = 0; i < sizeof(fingerprint); i++) { + static const char hextable[] = "0123456789abcdef"; + fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; + fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; + } + fingerprint_hex[SHA1_LENGTH * 2] = 0; + + static const char kBaseCertName[] = ".certs.links.org"; + domain_.assign(fingerprint_hex); + domain_.append(kBaseCertName); + + handle_ = dnsrr_resolver_->Resolve( + domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, + 0 /* priority */, BoundNetLog()); + if (handle_ == DnsRRResolver::kInvalidHandle) { + LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; + delete this; + } + } + + private: + void ResolutionComplete(int status) { + DCHECK(CalledOnValidThread()); + + if (status == ERR_NAME_NOT_RESOLVED || + (status == OK && response_.rrdatas.empty())) { + LOG(ERROR) << "FAILED" + << " hostname:" << hostname_ + << " domain:" << domain_; + BuildRecord(); + } else if (status == OK) { + LOG(ERROR) << "GOOD" + << " hostname:" << hostname_ + << " resp:" << response_.rrdatas[0]; + } else { + LOG(ERROR) << "Unknown error " << status << " for " << domain_; + } + + delete this; + } + + // BuildRecord encrypts the certificate chain to a fixed public key and + // returns the encrypted blob. Since this code is reporting a possible HTTPS + // failure, it would seem silly to use HTTPS to protect the uploaded report. 
+ std::string BuildRecord() { + static const int kVersion = 0; + static const unsigned kKeySizeInBytes = 16; // AES-128 + static const unsigned kIVSizeInBytes = 16; // AES's block size + static const unsigned kPadSize = 4096; // we pad up to 4KB, + // This is a DER encoded, ANSI X9.62 CurveParams object which simply + // specifies P256. + static const uint8 kANSIX962CurveParams[] = { + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; + + DCHECK(CalledOnValidThread()); + + Pickle p; + p.WriteString(hostname_); + p.WriteInt(der_certs_.size()); + for (std::vector<std::string>::const_iterator + i = der_certs_.begin(); i != der_certs_.end(); i++) { + p.WriteString(*i); + } + // We pad to eliminate the possibility that someone could see the size of + // an upload and use that information to reduce the anonymity set of the + // certificate chain. + // The "2*sizeof(uint32)" here covers the padding length which we add next + // and Pickle's internal length which it includes at the beginning of the + // data. + unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); + p.WriteUInt32(pad_bytes); + char* padding = new char[pad_bytes]; + memset(padding, 0, pad_bytes); + p.WriteData(padding, pad_bytes); + delete[] padding; + + // We generate a random public value and perform a DH key agreement with + // the server's fixed value. + SECKEYPublicKey* pub_key = NULL; + SECKEYPrivateKey* priv_key = NULL; + SECItem ec_der_params; + memset(&ec_der_params, 0, sizeof(ec_der_params)); + ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); + ec_der_params.len = sizeof(kANSIX962CurveParams); + priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); + SECKEYPublicKey* server_pub_key = GetServerPubKey(); + + // This extracts the big-endian, x value of the shared point. 
+ // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS + // 3.12.8's lib/ssl/ssl3ecc.c + PK11SymKey* pms = PK11_PubDeriveWithKDF( + priv_key, server_pub_key, PR_FALSE /* is sender */, + NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, + CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, + CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); + SECKEY_DestroyPublicKey(server_pub_key); + SECStatus rv = PK11_ExtractKeyValue(pms); + DCHECK_EQ(SECSuccess, rv); + SECItem* x_data = PK11_GetKeyData(pms); + + // The key and IV are 128-bits and generated from a SHA256 hash of the x + // value. + char key_data[SHA256_LENGTH]; + HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), + x_data->data, x_data->len); + PK11_FreeSymKey(pms); + + DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); + std::string raw_key(key_data, kKeySizeInBytes); + + scoped_ptr<base::SymmetricKey> symkey( + base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); + std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); + + base::Encryptor encryptor; + bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); + CHECK(r); + + std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); + std::string ciphertext; + encryptor.Encrypt(plaintext, &ciphertext); + + // We use another Pickle object to serialise the 'outer' wrapping of the + // plaintext. 
+ Pickle outer; + outer.WriteInt(kVersion); + + SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); + outer.WriteString( + std::string(reinterpret_cast<char*>(pub_key_serialized->data), + pub_key_serialized->len)); + SECITEM_FreeItem(pub_key_serialized, PR_TRUE); + + outer.WriteString(ciphertext); + + SECKEY_DestroyPublicKey(pub_key); + SECKEY_DestroyPrivateKey(priv_key); + + return std::string(reinterpret_cast<const char*>(outer.data()), + outer.size()); + } + + SECKEYPublicKey* GetServerPubKey() { + DCHECK(CalledOnValidThread()); + + SECItem der; + memset(&der, 0, sizeof(der)); + der.data = const_cast<uint8*>(kServerPublicKey); + der.len = sizeof(kServerPublicKey); + + CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); + SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); + SECKEY_DestroySubjectPublicKeyInfo(spki); + + return public_key; + } + + const std::string hostname_; + std::string domain_; + DnsRRResolver* const dnsrr_resolver_; + std::vector<std::string> der_certs_; + RRResponse response_; + DnsRRResolver::Handle handle_; + CompletionCallbackImpl<DNSCertProvenanceChecker> callback_; +}; + +} // anonymous namespace + +void DoAsyncDNSCertProvenanceVerification( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + const std::vector<base::StringPiece>& der_certs) { + DNSCertProvenanceChecker* c(new DNSCertProvenanceChecker( + hostname, dnsrr_resolver, der_certs)); + c->Start(); +} + +} // namespace net diff --git a/net/socket/dns_cert_provenance_check.h b/net/socket/dns_cert_provenance_check.h new file mode 100644 index 0000000..289cccf --- /dev/null +++ b/net/socket/dns_cert_provenance_check.h 
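Review bot: `Start()` leaks the checker when `der_certs_` is empty: `DoAsyncDNSCertProvenanceVerification` allocates it with `new` and relies on the object deleting itself, but the early-return path neither deletes it nor hands ownership back, so it should read `if (der_certs_.empty()) { delete this; return; }` (or the free function should check emptiness before allocating). In `ResolutionComplete` the return value of `BuildRecord()` is dropped, so the report, including a fresh EC key generation and an AES encryption, is computed and then discarded; if the upload is still to come, a `// TODO: upload the encrypted report` at that call site would make the intent visible rather than leaving it looking like dead work. Several NSS calls in `BuildRecord` and `GetServerPubKey` (`SECKEY_CreateECPrivateKey`, `PK11_PubDeriveWithKDF`, `SECKEY_DecodeDERSubjectPublicKeyInfo`, `SECKEY_EncodeDERSubjectPublicKeyInfo`) can return NULL and their results are dereferenced or passed on unchecked, and the SHA-256 `HASH_HashBuf` result is not checked at all; a NULL/failure check that logs and returns an empty string at each would keep a transient NSS failure from becoming a crash. On the crypto side, the record is AES-CBC with no integrity check and the derived key and IV stay in the stack buffer `key_data` after the `SymmetricKey::Import`, so an HMAC (or an authenticated mode) over the ciphertext and a `memset(key_data, 0, sizeof(key_data))` once the key and IV strings are built are worth considering before this ships.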
@@ -0,0 +1,26 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H
+#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H
+
+#include <string>
+#include <vector>
+
+#include "base/string_piece.h"
+
+namespace net {
+
+class DnsRRResolver;
+
+// DoAsyncDNSCertProvenanceVerification starts an asynchronous check for the
+// given certificate chain. It must be run on the network thread.
+void DoAsyncDNSCertProvenanceVerification(
+ const std::string& hostname,
+ DnsRRResolver* dnsrr_resolver,
+ const std::vector<base::StringPiece>& der_certs);
+
+} // namespace net
+
+#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H
diff --git a/net/socket/dns_cert_provenance_checker.cc b/net/socket/dns_cert_provenance_checker.cc
deleted file mode 100644
index 16ea87f..0000000
--- a/net/socket/dns_cert_provenance_checker.cc
+++ /dev/null
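Review bot: The comment on `DoAsyncDNSCertProvenanceVerification` does not document the lifetime expectations of its arguments, which the implementation in the new `.cc` fixes in a specific way: `der_certs` is copied into `std::string`s in the checker's constructor, so the `StringPiece`s only need to stay valid for the duration of the call, whereas `dnsrr_resolver` is handed the checker's callback and response pointers for an asynchronous lookup and so presumably must outlive that lookup (inferred from the `Resolve` call; confirm against the resolver's contract). I would append `// der_certs is copied; dnsrr_resolver must remain valid until the lookup completes.` to the comment. It would also help callers to say that the function has no observable result: the outcome is only logged, and on a failed lookup an encrypted report is built.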
@@ -1,258 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/socket/dns_cert_provenance_checker.h" - -#include <nspr.h> - -#include <hasht.h> -#include <keyhi.h> -#include <pk11pub.h> -#include <sechash.h> - -#include <string> - -#include "base/basictypes.h" -#include "base/crypto/encryptor.h" -#include "base/crypto/symmetric_key.h" -#include "base/non_thread_safe.h" -#include "base/pickle.h" -#include "net/base/completion_callback.h" -#include "net/base/dns_util.h" -#include "net/base/dnsrr_resolver.h" -#include "net/base/net_errors.h" -#include "net/base/net_log.h" - -namespace net { - -namespace { - -// A DER encoded SubjectPublicKeyInfo structure containing the server's public -// key. -const uint8 kServerPublicKey[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, - 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, - 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, - 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, - 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, - 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, -}; - -// DnsCertProvenanceCheck performs the DNS lookup of the certificate. This -// class is self-deleting. 
-class DnsCertProvenanceCheck : public NonThreadSafe { - public: - DnsCertProvenanceCheck( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker::Delegate* delegate, - const std::vector<base::StringPiece>& der_certs) - : hostname_(hostname), - dnsrr_resolver_(dnsrr_resolver), - delegate_(delegate), - der_certs_(der_certs.size()), - handle_(DnsRRResolver::kInvalidHandle), - ALLOW_THIS_IN_INITIALIZER_LIST(callback_( - this, &DnsCertProvenanceCheck::ResolutionComplete)) { - for (size_t i = 0; i < der_certs.size(); i++) - der_certs_[i] = der_certs[i].as_string(); - } - - void Start() { - DCHECK(CalledOnValidThread()); - - if (der_certs_.empty()) - return; - - uint8 fingerprint[SHA1_LENGTH]; - SECStatus rv = HASH_HashBuf( - HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), - der_certs_[0].size()); - DCHECK_EQ(SECSuccess, rv); - char fingerprint_hex[SHA1_LENGTH * 2 + 1]; - for (unsigned i = 0; i < sizeof(fingerprint); i++) { - static const char hextable[] = "0123456789abcdef"; - fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; - fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; - } - fingerprint_hex[SHA1_LENGTH * 2] = 0; - - static const char kBaseCertName[] = ".certs.links.org"; - domain_.assign(fingerprint_hex); - domain_.append(kBaseCertName); - - handle_ = dnsrr_resolver_->Resolve( - domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, - 0 /* priority */, BoundNetLog()); - if (handle_ == DnsRRResolver::kInvalidHandle) { - LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; - delete this; - } - } - - private: - void ResolutionComplete(int status) { - DCHECK(CalledOnValidThread()); - - if (status == ERR_NAME_NOT_RESOLVED || - (status == OK && response_.rrdatas.empty())) { - LOG(ERROR) << "FAILED" - << " hostname:" << hostname_ - << " domain:" << domain_; - delegate_->OnDnsCertLookupFailed(hostname_, der_certs_); - } else if (status == OK) { - LOG(ERROR) << "GOOD" - << " hostname:" << 
hostname_ - << " resp:" << response_.rrdatas[0]; - } else { - LOG(ERROR) << "Unknown error " << status << " for " << domain_; - } - - delete this; - } - - - const std::string hostname_; - std::string domain_; - DnsRRResolver* dnsrr_resolver_; - DnsCertProvenanceChecker::Delegate* const delegate_; - std::vector<std::string> der_certs_; - RRResponse response_; - DnsRRResolver::Handle handle_; - CompletionCallbackImpl<DnsCertProvenanceCheck> callback_; -}; - -SECKEYPublicKey* GetServerPubKey() { - SECItem der; - memset(&der, 0, sizeof(der)); - der.data = const_cast<uint8*>(kServerPublicKey); - der.len = sizeof(kServerPublicKey); - - CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); - SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); - SECKEY_DestroySubjectPublicKeyInfo(spki); - - return public_key; -} - -} // namespace - -// static -std::string DnsCertProvenanceChecker::BuildEncryptedReport( - const std::string& hostname, - const std::vector<std::string>& der_certs) { - static const int kVersion = 0; - static const unsigned kKeySizeInBytes = 16; // AES-128 - static const unsigned kIVSizeInBytes = 16; // AES's block size - static const unsigned kPadSize = 4096; // we pad up to 4KB, - // This is a DER encoded, ANSI X9.62 CurveParams object which simply - // specifies P256. - static const uint8 kANSIX962CurveParams[] = { - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 - }; - - Pickle p; - p.WriteString(hostname); - p.WriteInt(der_certs.size()); - for (std::vector<std::string>::const_iterator - i = der_certs.begin(); i != der_certs.end(); i++) { - p.WriteString(*i); - } - // We pad to eliminate the possibility that someone could see the size of - // an upload and use that information to reduce the anonymity set of the - // certificate chain. - // The "2*sizeof(uint32)" here covers the padding length which we add next - // and Pickle's internal length which it includes at the beginning of the - // data. 
- unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); - p.WriteUInt32(pad_bytes); - char* padding = new char[pad_bytes]; - memset(padding, 0, pad_bytes); - p.WriteData(padding, pad_bytes); - delete[] padding; - - // We generate a random public value and perform a DH key agreement with - // the server's fixed value. - SECKEYPublicKey* pub_key = NULL; - SECKEYPrivateKey* priv_key = NULL; - SECItem ec_der_params; - memset(&ec_der_params, 0, sizeof(ec_der_params)); - ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); - ec_der_params.len = sizeof(kANSIX962CurveParams); - priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); - SECKEYPublicKey* server_pub_key = GetServerPubKey(); - - // This extracts the big-endian, x value of the shared point. - // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS - // 3.12.8's lib/ssl/ssl3ecc.c - PK11SymKey* pms = PK11_PubDeriveWithKDF( - priv_key, server_pub_key, PR_FALSE /* is sender */, - NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, - CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); - SECKEY_DestroyPublicKey(server_pub_key); - SECStatus rv = PK11_ExtractKeyValue(pms); - DCHECK_EQ(SECSuccess, rv); - SECItem* x_data = PK11_GetKeyData(pms); - - // The key and IV are 128-bits and generated from a SHA256 hash of the x - // value. 
- char key_data[SHA256_LENGTH]; - HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), - x_data->data, x_data->len); - PK11_FreeSymKey(pms); - - DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); - std::string raw_key(key_data, kKeySizeInBytes); - - scoped_ptr<base::SymmetricKey> symkey( - base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); - std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); - - base::Encryptor encryptor; - bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); - CHECK(r); - - std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); - std::string ciphertext; - encryptor.Encrypt(plaintext, &ciphertext); - - // We use another Pickle object to serialise the 'outer' wrapping of the - // plaintext. - Pickle outer; - outer.WriteInt(kVersion); - - SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); - outer.WriteString( - std::string(reinterpret_cast<char*>(pub_key_serialized->data), - pub_key_serialized->len)); - SECITEM_FreeItem(pub_key_serialized, PR_TRUE); - - outer.WriteString(ciphertext); - - SECKEY_DestroyPublicKey(pub_key); - SECKEY_DestroyPrivateKey(priv_key); - - return std::string(reinterpret_cast<const char*>(outer.data()), - outer.size()); -} - -void DnsCertProvenanceChecker::DoAsyncLookup( - const std::string& hostname, - const std::vector<base::StringPiece>& der_certs, - DnsRRResolver* dnsrr_resolver, - Delegate* delegate) { - DnsCertProvenanceCheck* check = new DnsCertProvenanceCheck( - hostname, dnsrr_resolver, delegate, der_certs); - check->Start(); -} - -DnsCertProvenanceChecker::Delegate::~Delegate() { -} - -DnsCertProvenanceChecker::~DnsCertProvenanceChecker() { -} - -} // namespace net diff --git a/net/socket/dns_cert_provenance_checker.h b/net/socket/dns_cert_provenance_checker.h deleted file mode 100644 index 8fef60f..0000000 --- a/net/socket/dns_cert_provenance_checker.h +++ /dev/null 
@@ -1,60 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H -#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H - -#include <string> -#include <vector> - -#include "base/string_piece.h" - -namespace net { - -class DnsRRResolver; - -// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS -// certificates via a DNS side-channel. -class DnsCertProvenanceChecker { - public: - class Delegate { - public: - virtual ~Delegate(); - - virtual void OnDnsCertLookupFailed( - const std::string& hostname, - const std::vector<std::string>& der_certs) = 0; - }; - - virtual ~DnsCertProvenanceChecker(); - - // DoAsyncVerification starts an asynchronous check for the given certificate - // chain. It must be run on the network thread. - virtual void DoAsyncVerification( - const std::string& hostname, - const std::vector<base::StringPiece>& der_certs) = 0; - - - protected: - // DoAsyncLookup performs a DNS lookup for the given name and certificate - // chain. In the event that the lookup reports a failure, the Delegate is - // called back. - static void DoAsyncLookup( - const std::string& hostname, - const std::vector<base::StringPiece>& der_certs, - DnsRRResolver* dnsrr_resolver, - Delegate* delegate); - - // BuildEncryptedRecord encrypts the certificate chain to a fixed public key - // and returns the encrypted blob. Since this code is reporting a possible - // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded - // report. - static std::string BuildEncryptedReport( - const std::string& hostname, - const std::vector<std::string>& der_certs); -}; - -} // namespace net - -#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index b2e738a..8378c1d 100644 --- a/net/socket/socket_test_util.cc 
+++ b/net/socket/socket_test_util.cc @@ -1016,7 +1016,7 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); @@ -1066,7 +1066,7 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index 147a4ba..ba0b94a 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -535,7 +535,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker); + DnsRRResolver* dnsrr_resolver); SocketDataProviderArray<SocketDataProvider>& mock_data() { return mock_data_; } @@ -880,7 +880,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker); + DnsRRResolver* dnsrr_resolver); SocketDataProviderArray<DeterministicSocketData>& mock_data() { return mock_data_; diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index bf732e6..a4ffb78 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc 
@@ -14,7 +14,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { delete ssl_host_info; return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config); } diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index 5539136..c8f48ea 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsCertProvenanceChecker; +class DnsRRResolver; class SSLHostInfo; // Creates SSLClientSocketMac objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker); + DnsRRResolver* dnsrr_resolver); } // namespace net diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 0625698..3234320 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -93,7 +93,7 @@ #include "net/base/sys_addrinfo.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" -#include "net/socket/dns_cert_provenance_checker.h" +#include "net/socket/dns_cert_provenance_check.h" #include "net/socket/ssl_error_params.h" #include "net/socket/ssl_host_info.h" @@ -399,7 +399,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_ctx) + DnsRRResolver* dnsrr_resolver) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketNSS::BufferSendComplete)), ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( 
@@ -435,7 +435,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, predicted_npn_status_(kNextProtoUnsupported), predicted_npn_proto_used_(false), ssl_host_info_(ssl_host_info), - dns_cert_checker_(dns_ctx) { + dnsrr_resolver_(dnsrr_resolver) { EnterFunction(""); } @@ -2348,13 +2348,6 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { - if (ssl_config_.dns_cert_provenance_checking_enabled && - dns_cert_checker_) { - PeerCertificateChain certs(nss_fd_); - dns_cert_checker_->DoAsyncVerification( - host_and_port_.host(), certs.AsStringPieceVector()); - } - if (ssl_config_.dnssec_enabled) { DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), server_cert_nss_); diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index 7743097..b2725f6 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -31,7 +31,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class DnsCertProvenanceChecker; +class DnsRRResolver; class SSLHostInfo; class X509Certificate; @@ -48,7 +48,7 @@ class SSLClientSocketNSS : public SSLClientSocket { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dnsrr_resolver); + DnsRRResolver* dnsrr_resolver); ~SSLClientSocketNSS(); // SSLClientSocket methods: @@ -250,7 +250,7 @@ class SSLClientSocketNSS : public SSLClientSocket { bool predicted_npn_proto_used_; scoped_ptr<SSLHostInfo> ssl_host_info_; - DnsCertProvenanceChecker* const dns_cert_checker_; + DnsRRResolver* const dnsrr_resolver_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index e4c01f0..f7fc435 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc 
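Review bot: With the block removed from `DoVerifyDNSSEC`, the `ssl_config_.dns_cert_provenance_checking_enabled` opt-in is no longer consulted anywhere in the hunks shown, and nothing visible in this file calls the newly included `DoAsyncDNSCertProvenanceVerification` or reads the `dnsrr_resolver_` member the constructor now stores. If the call is re-added elsewhere in this file (the rest of `DoVerifyDNSSEC` and the file are outside the hunks), it should keep the config-flag gate, since this hunk silently drops the only place the flag was checked; if it is not, the new `#include "net/socket/dns_cert_provenance_check.h"` from the earlier hunk and the member are dead and could be dropped. Either way a short comment on the member in the header, `// Non-owning; may be NULL (tests pass NULL).`, would document what the call sites in this commit already assume.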
@@ -19,10 +19,10 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker) { + DnsRRResolver* dnsrr_resolver) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dns_cert_checker); + shi.release(), dnsrr_resolver); } } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index 15b05b2..c51b5be 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsCertProvenanceChecker; +class DnsRRResolver; class SSLHostInfo; // Creates SSLClientSocketNSS objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsCertProvenanceChecker* dns_cert_checker); + DnsRRResolver* dnsrr_resolver); } // namespace net diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 5b21005..785faab 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -78,7 +78,6 @@ SSLConnectJob::SSLConnectJob( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log) @@ -91,7 +90,6 @@ SSLConnectJob::SSLConnectJob( client_socket_factory_(client_socket_factory), resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), ALLOW_THIS_IN_INITIALIZER_LIST( callback_(this, &SSLConnectJob::OnIOComplete)) {} 
@@ -289,7 +287,7 @@ int SSLConnectJob::DoSSLConnect() { ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( transport_socket_handle_.release(), params_->host_and_port(), - params_->ssl_config(), ssl_host_info_.release(), dns_cert_checker_)); + params_->ssl_config(), ssl_host_info_.release(), dnsrr_resolver_)); return ssl_socket_->Connect(&callback_); } @@ -360,8 +358,8 @@ ConnectJob* SSLClientSocketPool::SSLConnectJobFactory::NewConnectJob( return new SSLConnectJob(group_name, request.params(), ConnectionTimeout(), tcp_pool_, socks_pool_, http_proxy_pool_, client_socket_factory_, host_resolver_, - dnsrr_resolver_, dns_cert_checker_, - ssl_host_info_factory_, delegate, net_log_); + dnsrr_resolver_, ssl_host_info_factory_, delegate, + net_log_); } SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( @@ -371,7 +369,6 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log) : tcp_pool_(tcp_pool), @@ -380,7 +377,6 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( client_socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), - dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), net_log_(net_log) { base::TimeDelta max_transport_timeout = base::TimeDelta(); @@ -407,7 +403,6 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, 
@@ -424,8 +419,7 @@ SSLClientSocketPool::SSLClientSocketPool( base::TimeDelta::FromSeconds(kUsedIdleSocketTimeout), new SSLConnectJobFactory(tcp_pool, socks_pool, http_proxy_pool, client_socket_factory, host_resolver, - dnsrr_resolver, dns_cert_checker, - ssl_host_info_factory, + dnsrr_resolver, ssl_host_info_factory, net_log)), ssl_config_service_(ssl_config_service) { if (ssl_config_service_) diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index 5eb8594..11cf250 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -24,7 +24,6 @@ namespace net { class ClientSocketFactory; class ConnectJobFactory; -class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -96,7 +95,6 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log); @@ -146,7 +144,6 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* const client_socket_factory_; HostResolver* const resolver_; DnsRRResolver* const dnsrr_resolver_; - DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; State next_state_; @@ -174,7 +171,6 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, - DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, 
@@ -248,7 +244,6 @@ class SSLClientSocketPool : public ClientSocketPool,
 ClientSocketFactory* client_socket_factory,
 HostResolver* host_resolver,
 DnsRRResolver* dnsrr_resolver,
- DnsCertProvenanceChecker* dns_cert_checker,
 SSLHostInfoFactory* ssl_host_info_factory,
 NetLog* net_log);
@@ -269,7 +264,6 @@ class SSLClientSocketPool : public ClientSocketPool,
 ClientSocketFactory* const client_socket_factory_;
 HostResolver* const host_resolver_;
 DnsRRResolver* const dnsrr_resolver_;
- DnsCertProvenanceChecker* const dns_cert_checker_;
 SSLHostInfoFactory* const ssl_host_info_factory_;
 base::TimeDelta timeout_;
 NetLog* net_log_;
diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc
index 247638b..f58a762 100644
--- a/net/socket/ssl_client_socket_pool_unittest.cc
+++ b/net/socket/ssl_client_socket_pool_unittest.cc
@@ -40,7 +40,6 @@ class SSLClientSocketPoolTest : public testing::Test {
 host_resolver_.get())),
 session_(new HttpNetworkSession(host_resolver_.get(),
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 ProxyService::CreateDirect(),
 &socket_factory_,
@@ -98,7 +97,6 @@ class SSLClientSocketPoolTest : public testing::Test {
 ssl_histograms_.get(),
 NULL,
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 &socket_factory_,
 tcp_pool ? &tcp_socket_pool_ : NULL,
diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc
index c44815c..215b9ba 100644
--- a/net/socket/tcp_client_socket_pool_unittest.cc
+++ b/net/socket/tcp_client_socket_pool_unittest.cc
@@ -251,7 +251,7 @@ class MockClientSocketFactory : public ClientSocketFactory {
 const HostPortPair& host_and_port,
 const SSLConfig& ssl_config,
 SSLHostInfo* ssl_host_info,
- DnsCertProvenanceChecker* dns_cert_checker) {
+ DnsRRResolver* dnsrr_resolver) {
 NOTIMPLEMENTED();
 delete ssl_host_info;
 return NULL;
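Review bot: The renamed `dnsrr_resolver` parameter of MockClientSocketFactory::CreateSSLClientSocket in tcp_client_socket_pool_unittest.cc is accepted but never used, while the neighbouring `ssl_host_info` is deleted before `return NULL`, so the two pointers carry different ownership and nothing in the signature says so. Since this mock is what test authors read to learn the factory contract, a one-line comment would remove the ambiguity: `// Takes ownership of |ssl_host_info|; |dnsrr_resolver| is only borrowed.` The method's parameter list starts before this hunk.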
diff --git a/net/spdy/spdy_test_util.h b/net/spdy/spdy_test_util.h
index 0a81bb7..aecf08e 100644
--- a/net/spdy/spdy_test_util.h
+++ b/net/spdy/spdy_test_util.h
@@ -358,7 +358,6 @@ class SpdySessionDependencies {
 SpdySessionDependencies* session_deps) {
 return new HttpNetworkSession(session_deps->host_resolver.get(),
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 session_deps->proxy_service,
 session_deps->socket_factory.get(),
@@ -372,7 +371,6 @@ class SpdySessionDependencies {
 SpdySessionDependencies* session_deps) {
 return new HttpNetworkSession(session_deps->host_resolver.get(),
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 session_deps->proxy_service,
 session_deps->
@@ -397,7 +395,6 @@ class SpdyURLRequestContext : public URLRequestContext {
 new HttpNetworkLayer(&socket_factory_,
 host_resolver_,
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 proxy_service_,
 ssl_config_service_,
diff --git a/net/tools/fetch/fetch_client.cc b/net/tools/fetch/fetch_client.cc
index 138bed3..3bdbcbf 100644
--- a/net/tools/fetch/fetch_client.cc
+++ b/net/tools/fetch/fetch_client.cc
@@ -147,7 +147,7 @@ int main(int argc, char**argv) {
 scoped_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory(
 net::HttpAuthHandlerFactory::CreateDefault(host_resolver.get()));
 if (use_cache) {
- factory = new net::HttpCache(host_resolver.get(), NULL, NULL, proxy_service,
+ factory = new net::HttpCache(host_resolver.get(), NULL, proxy_service,
 ssl_config_service, http_auth_handler_factory.get(), NULL, NULL,
 net::HttpCache::DefaultBackend::InMemory(0));
 } else {
@@ -155,7 +155,6 @@ int main(int argc, char**argv) {
 net::ClientSocketFactory::GetDefaultFactory(),
 host_resolver.get(),
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 proxy_service,
 ssl_config_service,
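Review bot: In the fetch_client.cc hunk at line 147 the surviving `NULL` argument to the net::HttpCache constructor is unlabelled, whereas the HttpNetworkSession and HttpNetworkLayer call sites in this commit annotate the same slot as `NULL /* dnsrr_resolver */`; with a run of nullable pointer arguments whose arity has just changed, a NULL that lands in the wrong position compiles silently, so the label is the only check a reader has. Assuming the remaining NULL is the dnsrr_resolver slot, matching the argument order used elsewhere, the line should read `factory = new net::HttpCache(host_resolver.get(), NULL /* dnsrr_resolver */, proxy_service,`. The test_shell_request_context.cc hunk at line 74 has the same unlabelled `NULL` in its `new net::HttpCache(host_resolver_, NULL, proxy_service_,` line. Both calls sit inside functions that start outside their hunks.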
diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc
index 281aa7e..137901d 100644
--- a/net/url_request/url_request_context.cc
+++ b/net/url_request/url_request_context.cc
@@ -12,7 +12,6 @@ URLRequestContext::URLRequestContext()
 : net_log_(NULL),
 host_resolver_(NULL),
 dnsrr_resolver_(NULL),
- dns_cert_checker_(NULL),
 http_transaction_factory_(NULL),
 ftp_transaction_factory_(NULL),
 http_auth_handler_factory_(NULL),
diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h
index f935f5f..bbbae67 100644
--- a/net/url_request/url_request_context.h
+++ b/net/url_request/url_request_context.h
@@ -18,12 +18,10 @@
 #include "net/base/transport_security_state.h"
 #include "net/ftp/ftp_auth_cache.h"
 #include "net/proxy/proxy_service.h"
-#include "net/socket/dns_cert_provenance_checker.h"
 namespace net {
 class CookiePolicy;
 class CookieStore;
-class DnsCertProvenanceChecker;
 class DnsRRResolver;
 class FtpTransactionFactory;
 class HostResolver;
@@ -53,10 +51,6 @@ class URLRequestContext
 return dnsrr_resolver_;
 }
- net::DnsCertProvenanceChecker* dns_cert_checker() const {
- return dns_cert_checker_.get();
- }
-
 // Get the proxy service for this context.
 net::ProxyService* proxy_service() const {
 return proxy_service_;
@@ -130,7 +124,6 @@ class URLRequestContext
 net::NetLog* net_log_;
 net::HostResolver* host_resolver_;
 net::DnsRRResolver* dnsrr_resolver_;
- scoped_ptr<net::DnsCertProvenanceChecker> dns_cert_checker_;
 scoped_refptr<net::ProxyService> proxy_service_;
 scoped_refptr<net::SSLConfigService> ssl_config_service_;
 net::HttpTransactionFactory* http_transaction_factory_;
diff --git a/net/url_request/url_request_unittest.h b/net/url_request/url_request_unittest.h
index 378b133..abb6ab5 100644
--- a/net/url_request/url_request_unittest.h
+++ b/net/url_request/url_request_unittest.h
@@ -162,7 +162,6 @@ class TestURLRequestContext : public URLRequestContext {
 http_transaction_factory_ = new net::HttpCache(
 net::HttpNetworkLayer::CreateFactory(host_resolver_,
 NULL /* dnsrr_resolver */,
- NULL /* dns_cert_checker */,
 NULL /* ssl_host_info_factory */,
 proxy_service_,
 ssl_config_service_,
diff --git a/webkit/tools/test_shell/test_shell_request_context.cc b/webkit/tools/test_shell/test_shell_request_context.cc
index 0c07a88..d0e93e2 100644
--- a/webkit/tools/test_shell/test_shell_request_context.cc
+++ b/webkit/tools/test_shell/test_shell_request_context.cc
@@ -74,7 +74,7 @@ void TestShellRequestContext::Init(
 cache_path, 0, SimpleResourceLoaderBridge::GetCacheThread());
 net::HttpCache* cache =
- new net::HttpCache(host_resolver_, NULL, NULL, proxy_service_,
+ new net::HttpCache(host_resolver_, NULL, proxy_service_,
 ssl_config_service_, http_auth_handler_factory_, NULL, NULL, backend); |