diff options
50 files changed, 511 insertions, 323 deletions
diff --git a/chrome/browser/net/chrome_url_request_context.cc b/chrome/browser/net/chrome_url_request_context.cc index 159c674..547893e 100644 --- a/chrome/browser/net/chrome_url_request_context.cc +++ b/chrome/browser/net/chrome_url_request_context.cc @@ -33,6 +33,7 @@ #include "net/proxy/proxy_config_service_fixed.h" #include "net/proxy/proxy_script_fetcher.h" #include "net/proxy/proxy_service.h" +#include "net/socket/dns_cert_provenance_checker.h" #include "net/url_request/url_request.h" #include "webkit/glue/webkit_glue.h" @@ -223,6 +224,47 @@ class ChromeCookieMonsterDelegate : public net::CookieMonster::Delegate { }; // ---------------------------------------------------------------------------- +// Implementation of DnsCertProvenanceChecker +// ---------------------------------------------------------------------------- + +// WARNING: do not use this with anything other than the main +// ChromeURLRequestContext. Eventually we'll want to have the other contexts +// point to the main ChromeURLRequestContext, which then causes lifetime +// ordering issues wrt ChromeURLRequestContexts, since we're using a raw +// pointer, and we'll get shutdown ordering problems. + +class ChromeDnsCertProvenanceChecker : + public net::DnsCertProvenanceChecker, + public net::DnsCertProvenanceChecker::Delegate { + public: + ChromeDnsCertProvenanceChecker( + net::DnsRRResolver* dnsrr_resolver, + ChromeURLRequestContext* url_req_context) + : dnsrr_resolver_(dnsrr_resolver), + url_req_context_(url_req_context) { + } + + // DnsCertProvenanceChecker interface + virtual void DoAsyncVerification( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs) { + net::DnsCertProvenanceChecker::DoAsyncLookup(hostname, der_certs, + dnsrr_resolver_, this); + } + + // DnsCertProvenanceChecker::Delegate interface + virtual void OnDnsCertLookupFailed( + const std::string& hostname, + const std::vector<std::string>& der_certs) { + // Currently unimplemented. + } + + private: + net::DnsRRResolver* const dnsrr_resolver_; + ChromeURLRequestContext* const url_req_context_; +}; + +// ---------------------------------------------------------------------------- // Helper factories // ---------------------------------------------------------------------------- @@ -264,6 +306,10 @@ ChromeURLRequestContext* FactoryForOriginal::Create() { context->set_dnsrr_resolver(io_thread_globals->dnsrr_resolver.get()); context->set_http_auth_handler_factory( io_thread_globals->http_auth_handler_factory.get()); + context->set_dns_cert_checker( + new ChromeDnsCertProvenanceChecker( + io_thread_globals->dnsrr_resolver.get(), + context)); const CommandLine& command_line = *CommandLine::ForCurrentProcess(); @@ -280,6 +326,7 @@ ChromeURLRequestContext* FactoryForOriginal::Create() { net::HttpCache* cache = new net::HttpCache(context->host_resolver(), context->dnsrr_resolver(), + context->dns_cert_checker(), context->proxy_service(), context->ssl_config_service(), context->http_auth_handler_factory(), @@ -406,6 +453,7 @@ ChromeURLRequestContext* FactoryForOffTheRecord::Create() { net::HttpCache* cache = new net::HttpCache(context->host_resolver(), context->dnsrr_resolver(), + NULL /* dns_cert_checker */, context->proxy_service(), context->ssl_config_service(), context->http_auth_handler_factory(), @@ -498,6 +546,7 @@ ChromeURLRequestContext* FactoryForMedia::Create() { // new set of network stack. cache = new net::HttpCache(main_context->host_resolver(), main_context->dnsrr_resolver(), + NULL /* dns_cert_checker */, main_context->proxy_service(), main_context->ssl_config_service(), main_context->http_auth_handler_factory(), diff --git a/chrome/browser/net/chrome_url_request_context.h b/chrome/browser/net/chrome_url_request_context.h index 72a31af..d7c08c0 100644 --- a/chrome/browser/net/chrome_url_request_context.h +++ b/chrome/browser/net/chrome_url_request_context.h @@ -33,6 +33,7 @@ class PrefService; class Profile; namespace net { +class DnsCertProvenanceChecker; class NetworkDelegate; class ProxyConfig; } @@ -130,6 +131,9 @@ class ChromeURLRequestContext : public URLRequestContext { void set_dnsrr_resolver(net::DnsRRResolver* dnsrr_resolver) { dnsrr_resolver_ = dnsrr_resolver; } + void set_dns_cert_checker(net::DnsCertProvenanceChecker* ctx) { + dns_cert_checker_.reset(ctx); + } void set_http_transaction_factory(net::HttpTransactionFactory* factory) { http_transaction_factory_ = factory; } diff --git a/chrome/browser/net/connection_tester.cc b/chrome/browser/net/connection_tester.cc index 8f762ef..35a9a71 100644 --- a/chrome/browser/net/connection_tester.cc +++ b/chrome/browser/net/connection_tester.cc @@ -65,6 +65,7 @@ class ExperimentURLRequestContext : public URLRequestContext { host_resolver_); http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, dnsrr_resolver_, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, http_auth_handler_factory_, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); diff --git a/chrome/browser/policy/device_management_backend_impl.cc b/chrome/browser/policy/device_management_backend_impl.cc index c0e9b07..a3dd0e8 100644 --- a/chrome/browser/policy/device_management_backend_impl.cc +++ b/chrome/browser/policy/device_management_backend_impl.cc @@ -71,6 +71,7 @@ DeviceManagementBackendRequestContext::DeviceManagementBackendRequestContext( http_transaction_factory_ = net::HttpNetworkLayer::CreateFactory(host_resolver_, io_globals->dnsrr_resolver.get(), + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome/service/net/service_url_request_context.cc b/chrome/service/net/service_url_request_context.cc index c7268f5..ce32f67 100644 --- a/chrome/service/net/service_url_request_context.cc +++ b/chrome/service/net/service_url_request_context.cc @@ -125,6 +125,7 @@ ServiceURLRequestContext::ServiceURLRequestContext( http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, dnsrr_resolver_, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome/test/plugin/plugin_test.cpp b/chrome/test/plugin/plugin_test.cpp index 4fc85d1..7b2b4e0 100644 --- a/chrome/test/plugin/plugin_test.cpp +++ b/chrome/test/plugin/plugin_test.cpp @@ -281,6 +281,7 @@ class PluginInstallerDownloadTest http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/chrome_frame/metrics_service.cc b/chrome_frame/metrics_service.cc index eecf468..c970e7a 100644 --- a/chrome_frame/metrics_service.cc +++ b/chrome_frame/metrics_service.cc @@ -176,6 +176,7 @@ class ChromeFrameUploadRequestContext : public URLRequestContext { http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resovler */, + NULL /* dns_cert_checker*/, NULL /* ssl_host_info */, proxy_service_, ssl_config_service_, diff --git a/chrome_frame/test/test_server_test.cc b/chrome_frame/test/test_server_test.cc index fae70ae..450f021 100644 --- a/chrome_frame/test/test_server_test.cc +++ b/chrome_frame/test/test_server_test.cc @@ -70,9 +70,15 @@ class URLRequestTestContext : public URLRequestContext { host_resolver_); http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory( - host_resolver_, NULL /* dnsrr_resolver */, - NULL /* ssl_host_info_factory */, proxy_service_, - ssl_config_service_, http_auth_handler_factory_, NULL, NULL), + host_resolver_, + NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, + NULL /* ssl_host_info_factory */, + proxy_service_, + ssl_config_service_, + http_auth_handler_factory_, + NULL /* network_delegate */, + NULL /* net_log */), net::HttpCache::DefaultBackend::InMemory(0)); // In-memory cookie store. cookie_store_ = new net::CookieMonster(NULL, NULL); diff --git a/jingle/notifier/base/xmpp_client_socket_factory.cc b/jingle/notifier/base/xmpp_client_socket_factory.cc index c290325..0de822a 100644 --- a/jingle/notifier/base/xmpp_client_socket_factory.cc +++ b/jingle/notifier/base/xmpp_client_socket_factory.cc @@ -35,10 +35,10 @@ net::SSLClientSocket* XmppClientSocketFactory::CreateSSLClientSocket( const net::HostPortPair& host_and_port, const net::SSLConfig& ssl_config, net::SSLHostInfo* ssl_host_info, - net::DnsRRResolver* dnsrr_resolver) { + net::DnsCertProvenanceChecker* dns_cert_checker) { return client_socket_factory_->CreateSSLClientSocket( transport_socket, host_and_port, ssl_config, ssl_host_info, - dnsrr_resolver); + dns_cert_checker); } } // namespace diff --git a/jingle/notifier/base/xmpp_client_socket_factory.h b/jingle/notifier/base/xmpp_client_socket_factory.h index e629be6..fef3bfa 100644 --- a/jingle/notifier/base/xmpp_client_socket_factory.h +++ b/jingle/notifier/base/xmpp_client_socket_factory.h @@ -10,7 +10,7 @@ #include "net/socket/client_socket_factory.h" namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class HostPortPair; class SSLHostInfo; } @@ -33,7 +33,8 @@ class XmppClientSocketFactory : public net::ClientSocketFactory { virtual net::SSLClientSocket* CreateSSLClientSocket( net::ClientSocketHandle* transport_socket, const net::HostPortPair& host_and_port, const net::SSLConfig& ssl_config, - net::SSLHostInfo* ssl_host_info, net::DnsRRResolver* dnsrr_resolver); + net::SSLHostInfo* ssl_host_info, + net::DnsCertProvenanceChecker* dns_cert_checker); private: net::ClientSocketFactory* const client_socket_factory_; diff --git a/net/http/http_cache.cc b/net/http/http_cache.cc index 1342afa..896a6ac 100644 --- a/net/http/http_cache.cc +++ b/net/http/http_cache.cc @@ -280,6 +280,7 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory { HttpCache::HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker_, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, @@ -292,7 +293,8 @@ HttpCache::HttpCache(HostResolver* host_resolver, ssl_host_info_factory_(new SSLHostInfoFactoryAdaptor( ALLOW_THIS_IN_INITIALIZER_LIST(this))), network_layer_(HttpNetworkLayer::CreateFactory(host_resolver, - dnsrr_resolver, ssl_host_info_factory_.get(), + dnsrr_resolver, dns_cert_checker_, + ssl_host_info_factory_.get(), proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, net_log)), ALLOW_THIS_IN_INITIALIZER_LIST(task_factory_(this)), diff --git a/net/http/http_cache.h b/net/http/http_cache.h index 0ce22e5..06c2ab9 100644 --- a/net/http/http_cache.h +++ b/net/http/http_cache.h @@ -41,6 +41,7 @@ class Entry; namespace net { +class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; @@ -117,6 +118,7 @@ class HttpCache : public HttpTransactionFactory, // The HttpCache takes ownership of the |backend_factory|. HttpCache(HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, ProxyService* proxy_service, SSLConfigService* ssl_config_service, HttpAuthHandlerFactory* http_auth_handler_factory, diff --git a/net/http/http_network_layer.cc b/net/http/http_network_layer.cc index 5322e85..3da23c2 100644 --- a/net/http/http_network_layer.cc +++ b/net/http/http_network_layer.cc @@ -22,6 +22,7 @@ namespace net { HttpTransactionFactory* HttpNetworkLayer::CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -32,6 +33,7 @@ HttpTransactionFactory* HttpNetworkLayer::CreateFactory( return new HttpNetworkLayer(ClientSocketFactory::GetDefaultFactory(), host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service, http_auth_handler_factory, network_delegate, @@ -51,6 +53,7 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -60,6 +63,7 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -77,6 +81,7 @@ HttpNetworkLayer::HttpNetworkLayer( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -87,6 +92,7 @@ HttpNetworkLayer::HttpNetworkLayer( : socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -103,6 +109,7 @@ HttpNetworkLayer::HttpNetworkLayer( HttpNetworkLayer::HttpNetworkLayer(HttpNetworkSession* session) : socket_factory_(ClientSocketFactory::GetDefaultFactory()), dnsrr_resolver_(NULL), + dns_cert_checker_(NULL), ssl_host_info_factory_(NULL), ssl_config_service_(NULL), session_(session), @@ -144,6 +151,7 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { session_ = new HttpNetworkSession( host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, proxy_service_, socket_factory_, @@ -155,6 +163,7 @@ HttpNetworkSession* HttpNetworkLayer::GetSession() { // These were just temps for lazy-initializing HttpNetworkSession. host_resolver_ = NULL; dnsrr_resolver_ = NULL; + dns_cert_checker_ = NULL; ssl_host_info_factory_ = NULL; proxy_service_ = NULL; socket_factory_ = NULL; diff --git a/net/http/http_network_layer.h b/net/http/http_network_layer.h index 63ae3f2..7781efb 100644 --- a/net/http/http_network_layer.h +++ b/net/http/http_network_layer.h @@ -16,6 +16,7 @@ namespace net { class ClientSocketFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostResolver; class HttpAuthHandlerFactory; @@ -34,6 +35,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { HttpNetworkLayer(ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -46,6 +48,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -62,6 +65,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { static HttpTransactionFactory* CreateFactory( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service, @@ -100,6 +104,7 @@ class HttpNetworkLayer : public HttpTransactionFactory, public NonThreadSafe { // creating |session_|. HostResolver* host_resolver_; DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* ssl_host_info_factory_; scoped_refptr<ProxyService> proxy_service_; diff --git a/net/http/http_network_layer_unittest.cc b/net/http/http_network_layer_unittest.cc index 2850404..3ed54bf 100644 --- a/net/http/http_network_layer_unittest.cc +++ b/net/http/http_network_layer_unittest.cc @@ -25,6 +25,7 @@ TEST_F(HttpNetworkLayerTest, CreateAndDestroy) { NULL, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, @@ -44,6 +45,7 @@ TEST_F(HttpNetworkLayerTest, Suspend) { NULL, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, @@ -92,6 +94,7 @@ TEST_F(HttpNetworkLayerTest, GET) { &mock_socket_factory, &host_resolver, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, net::ProxyService::CreateDirect(), new net::SSLConfigServiceDefaults, diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index d96f901..1e77b49 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -21,6 +21,7 @@ namespace net { HttpNetworkSession::HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -32,12 +33,14 @@ HttpNetworkSession::HttpNetworkSession( : socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), socket_pool_manager_(net_log, client_socket_factory, host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, proxy_service, ssl_config_service), diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h index 53ae36a..43424d2 100644 --- a/net/http/http_network_session.h +++ b/net/http/http_network_session.h @@ -29,6 +29,7 @@ class Value; namespace net { class ClientSocketFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HttpAuthHandlerFactory; class HttpNetworkDelegate; @@ -48,6 +49,7 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpNetworkSession( HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, ClientSocketFactory* client_socket_factory, @@ -108,6 +110,9 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, ClientSocketFactory* socket_factory() { return socket_factory_; } HostResolver* host_resolver() { return host_resolver_; } DnsRRResolver* dnsrr_resolver() { return dnsrr_resolver_; } + DnsCertProvenanceChecker* dns_cert_checker() { + return dns_cert_checker_; + } ProxyService* proxy_service() { return proxy_service_; } SSLConfigService* ssl_config_service() { return ssl_config_service_; } SpdySessionPool* spdy_session_pool() { return spdy_session_pool_.get(); } @@ -148,6 +153,7 @@ class HttpNetworkSession : public base::RefCounted<HttpNetworkSession>, HttpAlternateProtocols alternate_protocols_; HostResolver* const host_resolver_; DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; scoped_refptr<ProxyService> proxy_service_; scoped_refptr<SSLConfigService> ssl_config_service_; ClientSocketPoolManager socket_pool_manager_; diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc index 6a389af..f765696 100644 --- a/net/http/http_network_transaction_unittest.cc +++ b/net/http/http_network_transaction_unittest.cc @@ -100,6 +100,7 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, @@ -307,7 +308,7 @@ template<> CaptureGroupNameSSLSocketPool::CaptureGroupNameSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} //----------------------------------------------------------------------------- diff --git a/net/http/http_proxy_client_socket_pool_unittest.cc b/net/http/http_proxy_client_socket_pool_unittest.cc index f5bc2e7..56fae19 100644 --- a/net/http/http_proxy_client_socket_pool_unittest.cc +++ b/net/http/http_proxy_client_socket_pool_unittest.cc @@ -66,6 +66,7 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { &ssl_histograms_, host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, &tcp_socket_pool_, @@ -77,6 +78,7 @@ class HttpProxyClientSocketPoolTest : public TestWithHttpParam { HttpAuthHandlerFactory::CreateDefault(host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, diff --git a/net/http/http_response_body_drainer_unittest.cc b/net/http/http_response_body_drainer_unittest.cc index d8c9bb7..75f099a 100644 --- a/net/http/http_response_body_drainer_unittest.cc +++ b/net/http/http_response_body_drainer_unittest.cc @@ -175,8 +175,9 @@ class HttpResponseBodyDrainerTest : public testing::Test { protected: HttpResponseBodyDrainerTest() : session_(new HttpNetworkSession( - NULL, - NULL, + NULL /* host_resolver */, + NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), NULL, diff --git a/net/http/http_stream_factory_unittest.cc b/net/http/http_stream_factory_unittest.cc index c295363..63fce33 100644 --- a/net/http/http_stream_factory_unittest.cc +++ b/net/http/http_stream_factory_unittest.cc @@ -44,6 +44,7 @@ struct SessionDependencies { HttpNetworkSession* CreateSession(SessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, &session_deps->socket_factory, @@ -170,7 +171,7 @@ template<> CapturePreconnectsSSLSocketPool::CapturePreconnectsSocketPool( HttpNetworkSession* session) : SSLClientSocketPool(0, 0, NULL, session->host_resolver(), NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL) {} + NULL, NULL, NULL, NULL, NULL, NULL, NULL) {} TEST(HttpStreamFactoryTest, PreconnectDirect) { for (size_t i = 0; i < arraysize(kTests); ++i) { diff --git a/net/net.gyp b/net/net.gyp index b9e3776..dc6e4b6 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -582,8 +582,8 @@ 'socket/client_socket_pool_histograms.h', 'socket/client_socket_pool_manager.cc', 'socket/client_socket_pool_manager.h', - 'socket/dns_cert_provenance_check.cc', - 'socket/dns_cert_provenance_check.h', + 'socket/dns_cert_provenance_checker.cc', + 'socket/dns_cert_provenance_checker.h', 'socket/socket.h', 'socket/socks5_client_socket.cc', 'socket/socks5_client_socket.h', diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc index 4734997..6266b68 100644 --- a/net/proxy/proxy_script_fetcher_impl_unittest.cc +++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc @@ -43,7 +43,7 @@ class RequestContext : public URLRequestContext { ssl_config_service_ = new net::SSLConfigServiceDefaults; http_transaction_factory_ = new net::HttpCache( - net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, + net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL, NULL, NULL, proxy_service_, ssl_config_service_, NULL, NULL, NULL), net::HttpCache::DefaultBackend::InMemory(0)); } diff --git a/net/socket/client_socket_factory.cc b/net/socket/client_socket_factory.cc index 72afd63..8965630 100644 --- a/net/socket/client_socket_factory.cc +++ b/net/socket/client_socket_factory.cc @@ -21,7 +21,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; namespace { @@ -30,7 +30,7 @@ SSLClientSocket* DefaultSSLClientSocketFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); #if defined(OS_WIN) return new SSLClientSocketWin(transport_socket, host_and_port, ssl_config); @@ -39,10 +39,10 @@ SSLClientSocket* DefaultSSLClientSocketFactory( ssl_config); #elif defined(USE_NSS) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #elif defined(OS_MACOSX) return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); #else NOTIMPLEMENTED(); return NULL; @@ -65,9 +65,9 @@ class DefaultClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { return g_ssl_factory(transport_socket, host_and_port, ssl_config, - ssl_host_info, dnsrr_resolver); + ssl_host_info, dns_cert_checker); } }; @@ -93,7 +93,8 @@ SSLClientSocket* ClientSocketFactory::CreateSSLClientSocket( ClientSocketHandle* socket_handle = new ClientSocketHandle(); socket_handle->set_socket(transport_socket); return CreateSSLClientSocket(socket_handle, host_and_port, ssl_config, - ssl_host_info, NULL /* DnsRRResolver */); + ssl_host_info, + NULL /* DnsCertProvenanceChecker */); } } // namespace net diff --git a/net/socket/client_socket_factory.h b/net/socket/client_socket_factory.h index 196b2ab..0ab370a9 100644 --- a/net/socket/client_socket_factory.h +++ b/net/socket/client_socket_factory.h @@ -16,7 +16,7 @@ namespace net { class AddressList; class ClientSocket; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class HostPortPair; class SSLClientSocket; struct SSLConfig; @@ -28,7 +28,7 @@ typedef SSLClientSocket* (*SSLClientSocketFactory)( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); // An interface used to instantiate ClientSocket objects. Used to facilitate // testing code with mock socket implementations. @@ -48,7 +48,7 @@ class ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) = 0; + DnsCertProvenanceChecker* dns_cert_checker) = 0; // Deprecated function (http://crbug.com/37810) that takes a ClientSocket. virtual SSLClientSocket* CreateSSLClientSocket( diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc index 5e7eb7f..d145bdf 100644 --- a/net/socket/client_socket_pool_base_unittest.cc +++ b/net/socket/client_socket_pool_base_unittest.cc @@ -110,7 +110,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc index 512360b..6c73c36 100644 --- a/net/socket/client_socket_pool_manager.cc +++ b/net/socket/client_socket_pool_manager.cc @@ -56,6 +56,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service) @@ -63,6 +64,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( socket_factory_(socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), proxy_service_(proxy_service), ssl_config_service_(ssl_config_service), @@ -79,6 +81,7 @@ ClientSocketPoolManager::ClientSocketPoolManager( &ssl_pool_histograms_, host_resolver, dnsrr_resolver, + dns_cert_checker, ssl_host_info_factory, socket_factory, tcp_socket_pool_.get(), @@ -228,6 +231,7 @@ HttpProxyClientSocketPool* ClientSocketPoolManager::GetSocketPoolForHTTPProxy( &ssl_for_https_proxy_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, tcp_https_ret.first->second /* https proxy */, @@ -263,6 +267,7 @@ SSLClientSocketPool* ClientSocketPoolManager::GetSocketPoolForSSLWithProxy( &ssl_pool_histograms_, host_resolver_, dnsrr_resolver_, + dns_cert_checker_, ssl_host_info_factory_, socket_factory_, NULL, /* no tcp pool, we always go through a proxy */ diff --git a/net/socket/client_socket_pool_manager.h b/net/socket/client_socket_pool_manager.h index c6d8f6f..823213e 100644 --- a/net/socket/client_socket_pool_manager.h +++ b/net/socket/client_socket_pool_manager.h @@ -25,6 +25,7 @@ namespace net { class ClientSocketFactory; class ClientSocketPoolHistograms; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -61,6 +62,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ProxyService* proxy_service, SSLConfigService* ssl_config_service); @@ -105,6 +107,7 @@ class ClientSocketPoolManager : public NonThreadSafe { ClientSocketFactory* const socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; const scoped_refptr<ProxyService> proxy_service_; const scoped_refptr<SSLConfigService> ssl_config_service_; diff --git a/net/socket/dns_cert_provenance_check.cc b/net/socket/dns_cert_provenance_check.cc deleted file mode 100644 index 61b9a04..0000000 --- a/net/socket/dns_cert_provenance_check.cc +++ /dev/null @@ -1,247 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "net/socket/dns_cert_provenance_check.h" - -#include <nspr.h> - -#include <hasht.h> -#include <keyhi.h> -#include <pk11pub.h> -#include <sechash.h> - -#include <string> - -#include "base/crypto/encryptor.h" -#include "base/crypto/symmetric_key.h" -#include "base/non_thread_safe.h" -#include "base/pickle.h" -#include "net/base/completion_callback.h" -#include "net/base/dns_util.h" -#include "net/base/dnsrr_resolver.h" -#include "net/base/net_errors.h" -#include "net/base/net_log.h" - -namespace net { - -namespace { - -// A DER encoded SubjectPublicKeyInfo structure containing the server's public -// key. -const uint8 kServerPublicKey[] = { - 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, - 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, - 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, - 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, - 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, - 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, -}; - -class DNSCertProvenanceChecker : public NonThreadSafe { - public: - DNSCertProvenanceChecker(const std::string hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) - : hostname_(hostname), - dnsrr_resolver_(dnsrr_resolver), - der_certs_(der_certs.size()), - handle_(DnsRRResolver::kInvalidHandle), - ALLOW_THIS_IN_INITIALIZER_LIST(callback_( - this, &DNSCertProvenanceChecker::ResolutionComplete)) { - for (size_t i = 0; i < der_certs.size(); i++) - der_certs_[i] = der_certs[i].as_string(); - } - - void Start() { - DCHECK(CalledOnValidThread()); - - if (der_certs_.empty()) - return; - - uint8 fingerprint[SHA1_LENGTH]; - SECStatus rv = HASH_HashBuf( - HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), - der_certs_[0].size()); - DCHECK_EQ(SECSuccess, rv); - char fingerprint_hex[SHA1_LENGTH * 2 + 1]; - for (unsigned i = 0; i < sizeof(fingerprint); i++) { - static const char hextable[] = "0123456789abcdef"; - fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; - fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; - } - fingerprint_hex[SHA1_LENGTH * 2] = 0; - - static const char kBaseCertName[] = ".certs.links.org"; - domain_.assign(fingerprint_hex); - domain_.append(kBaseCertName); - - handle_ = dnsrr_resolver_->Resolve( - domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, - 0 /* priority */, BoundNetLog()); - if (handle_ == DnsRRResolver::kInvalidHandle) { - LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; - delete this; - } - } - - private: - void ResolutionComplete(int status) { - DCHECK(CalledOnValidThread()); - - if (status == ERR_NAME_NOT_RESOLVED || - (status == OK && response_.rrdatas.empty())) { - LOG(ERROR) << "FAILED" - << " hostname:" << hostname_ - << " domain:" << domain_; - BuildRecord(); - } else if (status == OK) { - LOG(ERROR) << "GOOD" - << " hostname:" << hostname_ - << " resp:" << response_.rrdatas[0]; - } else { - LOG(ERROR) << "Unknown error " << status << " for " << domain_; - } - - delete this; - } - - // BuildRecord encrypts the certificate chain to a fixed public key and - // returns the encrypted blob. Since this code is reporting a possible HTTPS - // failure, it would seem silly to use HTTPS to protect the uploaded report. - std::string BuildRecord() { - static const int kVersion = 0; - static const unsigned kKeySizeInBytes = 16; // AES-128 - static const unsigned kIVSizeInBytes = 16; // AES's block size - static const unsigned kPadSize = 4096; // we pad up to 4KB, - // This is a DER encoded, ANSI X9.62 CurveParams object which simply - // specifies P256. - static const uint8 kANSIX962CurveParams[] = { - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 - }; - - DCHECK(CalledOnValidThread()); - - Pickle p; - p.WriteString(hostname_); - p.WriteInt(der_certs_.size()); - for (std::vector<std::string>::const_iterator - i = der_certs_.begin(); i != der_certs_.end(); i++) { - p.WriteString(*i); - } - // We pad to eliminate the possibility that someone could see the size of - // an upload and use that information to reduce the anonymity set of the - // certificate chain. - // The "2*sizeof(uint32)" here covers the padding length which we add next - // and Pickle's internal length which it includes at the beginning of the - // data. - unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); - p.WriteUInt32(pad_bytes); - char* padding = new char[pad_bytes]; - memset(padding, 0, pad_bytes); - p.WriteData(padding, pad_bytes); - delete[] padding; - - // We generate a random public value and perform a DH key agreement with - // the server's fixed value. - SECKEYPublicKey* pub_key = NULL; - SECKEYPrivateKey* priv_key = NULL; - SECItem ec_der_params; - memset(&ec_der_params, 0, sizeof(ec_der_params)); - ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); - ec_der_params.len = sizeof(kANSIX962CurveParams); - priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); - SECKEYPublicKey* server_pub_key = GetServerPubKey(); - - // This extracts the big-endian, x value of the shared point. - // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS - // 3.12.8's lib/ssl/ssl3ecc.c - PK11SymKey* pms = PK11_PubDeriveWithKDF( - priv_key, server_pub_key, PR_FALSE /* is sender */, - NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, - CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); - SECKEY_DestroyPublicKey(server_pub_key); - SECStatus rv = PK11_ExtractKeyValue(pms); - DCHECK_EQ(SECSuccess, rv); - SECItem* x_data = PK11_GetKeyData(pms); - - // The key and IV are 128-bits and generated from a SHA256 hash of the x - // value. - char key_data[SHA256_LENGTH]; - HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), - x_data->data, x_data->len); - PK11_FreeSymKey(pms); - - DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); - std::string raw_key(key_data, kKeySizeInBytes); - - scoped_ptr<base::SymmetricKey> symkey( - base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); - std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); - - base::Encryptor encryptor; - bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); - CHECK(r); - - std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); - std::string ciphertext; - encryptor.Encrypt(plaintext, &ciphertext); - - // We use another Pickle object to serialise the 'outer' wrapping of the - // plaintext. - Pickle outer; - outer.WriteInt(kVersion); - - SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); - outer.WriteString( - std::string(reinterpret_cast<char*>(pub_key_serialized->data), - pub_key_serialized->len)); - SECITEM_FreeItem(pub_key_serialized, PR_TRUE); - - outer.WriteString(ciphertext); - - SECKEY_DestroyPublicKey(pub_key); - SECKEY_DestroyPrivateKey(priv_key); - - return std::string(reinterpret_cast<const char*>(outer.data()), - outer.size()); - } - - SECKEYPublicKey* GetServerPubKey() { - DCHECK(CalledOnValidThread()); - - SECItem der; - memset(&der, 0, sizeof(der)); - der.data = const_cast<uint8*>(kServerPublicKey); - der.len = sizeof(kServerPublicKey); - - CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); - SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); - SECKEY_DestroySubjectPublicKeyInfo(spki); - - return public_key; - } - - const std::string hostname_; - std::string domain_; - DnsRRResolver* const dnsrr_resolver_; - std::vector<std::string> der_certs_; - RRResponse response_; - DnsRRResolver::Handle handle_; - CompletionCallbackImpl<DNSCertProvenanceChecker> callback_; -}; - -} // anonymous namespace - -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs) { - DNSCertProvenanceChecker* c(new DNSCertProvenanceChecker( - hostname, dnsrr_resolver, der_certs)); - c->Start(); -} - -} // namespace net diff --git a/net/socket/dns_cert_provenance_check.h b/net/socket/dns_cert_provenance_check.h deleted file mode 100644 index 289cccf..0000000 --- a/net/socket/dns_cert_provenance_check.h +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H -#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H - -#include <string> -#include <vector> - -#include "base/string_piece.h" - -namespace net { - -class DnsRRResolver; - -// DoAsyncDNSCertProvenanceVerification starts an asynchronous check for the -// given certificate chain. It must be run on the network thread. -void DoAsyncDNSCertProvenanceVerification( - const std::string& hostname, - DnsRRResolver* dnsrr_resolver, - const std::vector<base::StringPiece>& der_certs); - -} // namespace net - -#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/dns_cert_provenance_checker.cc b/net/socket/dns_cert_provenance_checker.cc new file mode 100644 index 0000000..16ea87f --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.cc @@ -0,0 +1,258 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/socket/dns_cert_provenance_checker.h" + +#include <nspr.h> + +#include <hasht.h> +#include <keyhi.h> +#include <pk11pub.h> +#include <sechash.h> + +#include <string> + +#include "base/basictypes.h" +#include "base/crypto/encryptor.h" +#include "base/crypto/symmetric_key.h" +#include "base/non_thread_safe.h" +#include "base/pickle.h" +#include "net/base/completion_callback.h" +#include "net/base/dns_util.h" +#include "net/base/dnsrr_resolver.h" +#include "net/base/net_errors.h" +#include "net/base/net_log.h" + +namespace net { + +namespace { + +// A DER encoded SubjectPublicKeyInfo structure containing the server's public +// key. +const uint8 kServerPublicKey[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, + 0x04, 0xc7, 0xea, 0x88, 0x60, 0x52, 0xe3, 0xa3, 0x3e, 0x39, 0x92, 0x0f, 0xa4, + 0x3d, 0xba, 0xd8, 0x02, 0x2d, 0x06, 0x4d, 0x64, 0x98, 0x66, 0xb4, 0x82, 0xf0, + 0x23, 0xa6, 0xd8, 0x37, 0x55, 0x7c, 0x01, 0xbf, 0x18, 0xd8, 0x16, 0x9e, 0x66, + 0xdc, 0x49, 0xbf, 0x2e, 0x86, 0xe3, 0x99, 0xbd, 0xb3, 0x75, 0x25, 0x61, 0x04, + 0x6c, 0x2e, 0xfb, 0x32, 0x42, 0x27, 0xe4, 0x23, 0xea, 0xcd, 0x81, 0x62, 0xc1, +}; + +// DnsCertProvenanceCheck performs the DNS lookup of the certificate. This +// class is self-deleting. +class DnsCertProvenanceCheck : public NonThreadSafe { + public: + DnsCertProvenanceCheck( + const std::string& hostname, + DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker::Delegate* delegate, + const std::vector<base::StringPiece>& der_certs) + : hostname_(hostname), + dnsrr_resolver_(dnsrr_resolver), + delegate_(delegate), + der_certs_(der_certs.size()), + handle_(DnsRRResolver::kInvalidHandle), + ALLOW_THIS_IN_INITIALIZER_LIST(callback_( + this, &DnsCertProvenanceCheck::ResolutionComplete)) { + for (size_t i = 0; i < der_certs.size(); i++) + der_certs_[i] = der_certs[i].as_string(); + } + + void Start() { + DCHECK(CalledOnValidThread()); + + if (der_certs_.empty()) + return; + + uint8 fingerprint[SHA1_LENGTH]; + SECStatus rv = HASH_HashBuf( + HASH_AlgSHA1, fingerprint, (uint8*) der_certs_[0].data(), + der_certs_[0].size()); + DCHECK_EQ(SECSuccess, rv); + char fingerprint_hex[SHA1_LENGTH * 2 + 1]; + for (unsigned i = 0; i < sizeof(fingerprint); i++) { + static const char hextable[] = "0123456789abcdef"; + fingerprint_hex[i*2] = hextable[fingerprint[i] >> 4]; + fingerprint_hex[i*2 + 1] = hextable[fingerprint[i] & 15]; + } + fingerprint_hex[SHA1_LENGTH * 2] = 0; + + static const char kBaseCertName[] = ".certs.links.org"; + domain_.assign(fingerprint_hex); + domain_.append(kBaseCertName); + + handle_ = dnsrr_resolver_->Resolve( + domain_, kDNS_TXT, 0 /* flags */, &callback_, &response_, + 0 /* priority */, BoundNetLog()); + if (handle_ == DnsRRResolver::kInvalidHandle) { + LOG(ERROR) << "Failed to resolve " << domain_ << " for " << hostname_; + delete this; + } + } + + private: + void ResolutionComplete(int status) { + DCHECK(CalledOnValidThread()); + + if (status == ERR_NAME_NOT_RESOLVED || + (status == OK && response_.rrdatas.empty())) { + LOG(ERROR) << "FAILED" + << " hostname:" << hostname_ + << " domain:" << domain_; + delegate_->OnDnsCertLookupFailed(hostname_, der_certs_); + } else if (status == OK) { + LOG(ERROR) << "GOOD" + << " hostname:" << hostname_ + << " resp:" << response_.rrdatas[0]; + } else { + LOG(ERROR) << "Unknown error " << status << " for " << domain_; + } + + delete this; + } + + + const std::string hostname_; + std::string domain_; + DnsRRResolver* dnsrr_resolver_; + DnsCertProvenanceChecker::Delegate* const delegate_; + std::vector<std::string> der_certs_; + RRResponse response_; + DnsRRResolver::Handle handle_; + CompletionCallbackImpl<DnsCertProvenanceCheck> callback_; +}; + +SECKEYPublicKey* GetServerPubKey() { + SECItem der; + memset(&der, 0, sizeof(der)); + der.data = const_cast<uint8*>(kServerPublicKey); + der.len = sizeof(kServerPublicKey); + + CERTSubjectPublicKeyInfo* spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); + SECKEYPublicKey* public_key = SECKEY_ExtractPublicKey(spki); + SECKEY_DestroySubjectPublicKeyInfo(spki); + + return public_key; +} + +} // namespace + +// static +std::string DnsCertProvenanceChecker::BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs) { + static const int kVersion = 0; + static const unsigned kKeySizeInBytes = 16; // AES-128 + static const unsigned kIVSizeInBytes = 16; // AES's block size + static const unsigned kPadSize = 4096; // we pad up to 4KB, + // This is a DER encoded, ANSI X9.62 CurveParams object which simply + // specifies P256. + static const uint8 kANSIX962CurveParams[] = { + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; + + Pickle p; + p.WriteString(hostname); + p.WriteInt(der_certs.size()); + for (std::vector<std::string>::const_iterator + i = der_certs.begin(); i != der_certs.end(); i++) { + p.WriteString(*i); + } + // We pad to eliminate the possibility that someone could see the size of + // an upload and use that information to reduce the anonymity set of the + // certificate chain. + // The "2*sizeof(uint32)" here covers the padding length which we add next + // and Pickle's internal length which it includes at the beginning of the + // data. + unsigned pad_bytes = kPadSize - ((p.size() + 2*sizeof(uint32)) % kPadSize); + p.WriteUInt32(pad_bytes); + char* padding = new char[pad_bytes]; + memset(padding, 0, pad_bytes); + p.WriteData(padding, pad_bytes); + delete[] padding; + + // We generate a random public value and perform a DH key agreement with + // the server's fixed value. + SECKEYPublicKey* pub_key = NULL; + SECKEYPrivateKey* priv_key = NULL; + SECItem ec_der_params; + memset(&ec_der_params, 0, sizeof(ec_der_params)); + ec_der_params.data = const_cast<uint8*>(kANSIX962CurveParams); + ec_der_params.len = sizeof(kANSIX962CurveParams); + priv_key = SECKEY_CreateECPrivateKey(&ec_der_params, &pub_key, NULL); + SECKEYPublicKey* server_pub_key = GetServerPubKey(); + + // This extracts the big-endian, x value of the shared point. + // The values of the arguments match ssl3_SendECDHClientKeyExchange in NSS + // 3.12.8's lib/ssl/ssl3ecc.c + PK11SymKey* pms = PK11_PubDeriveWithKDF( + priv_key, server_pub_key, PR_FALSE /* is sender */, + NULL /* random a */, NULL /* random b */, CKM_ECDH1_DERIVE, + CKM_TLS_MASTER_KEY_DERIVE_DH, CKA_DERIVE, 0 /* key size */, + CKD_NULL /* KDF */, NULL /* shared data */, NULL /* wincx */); + SECKEY_DestroyPublicKey(server_pub_key); + SECStatus rv = PK11_ExtractKeyValue(pms); + DCHECK_EQ(SECSuccess, rv); + SECItem* x_data = PK11_GetKeyData(pms); + + // The key and IV are 128-bits and generated from a SHA256 hash of the x + // value. + char key_data[SHA256_LENGTH]; + HASH_HashBuf(HASH_AlgSHA256, reinterpret_cast<uint8*>(key_data), + x_data->data, x_data->len); + PK11_FreeSymKey(pms); + + DCHECK_GE(sizeof(key_data), kKeySizeInBytes + kIVSizeInBytes); + std::string raw_key(key_data, kKeySizeInBytes); + + scoped_ptr<base::SymmetricKey> symkey( + base::SymmetricKey::Import(base::SymmetricKey::AES, raw_key)); + std::string iv(key_data + kKeySizeInBytes, kIVSizeInBytes); + + base::Encryptor encryptor; + bool r = encryptor.Init(symkey.get(), base::Encryptor::CBC, iv); + CHECK(r); + + std::string plaintext(reinterpret_cast<const char*>(p.data()), p.size()); + std::string ciphertext; + encryptor.Encrypt(plaintext, &ciphertext); + + // We use another Pickle object to serialise the 'outer' wrapping of the + // plaintext. + Pickle outer; + outer.WriteInt(kVersion); + + SECItem* pub_key_serialized = SECKEY_EncodeDERSubjectPublicKeyInfo(pub_key); + outer.WriteString( + std::string(reinterpret_cast<char*>(pub_key_serialized->data), + pub_key_serialized->len)); + SECITEM_FreeItem(pub_key_serialized, PR_TRUE); + + outer.WriteString(ciphertext); + + SECKEY_DestroyPublicKey(pub_key); + SECKEY_DestroyPrivateKey(priv_key); + + return std::string(reinterpret_cast<const char*>(outer.data()), + outer.size()); +} + +void DnsCertProvenanceChecker::DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate) { + DnsCertProvenanceCheck* check = new DnsCertProvenanceCheck( + hostname, dnsrr_resolver, delegate, der_certs); + check->Start(); +} + +DnsCertProvenanceChecker::Delegate::~Delegate() { +} + +DnsCertProvenanceChecker::~DnsCertProvenanceChecker() { +} + +} // namespace net diff --git a/net/socket/dns_cert_provenance_checker.h b/net/socket/dns_cert_provenance_checker.h new file mode 100644 index 0000000..8fef60f --- /dev/null +++ b/net/socket/dns_cert_provenance_checker.h @@ -0,0 +1,60 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H +#define NET_SOCKET_DNS_CERT_PROVENANCE_CHECKER_H + +#include <string> +#include <vector> + +#include "base/string_piece.h" + +namespace net { + +class DnsRRResolver; + +// DnsCertProvenanceChecker is an interface for asynchronously checking HTTPS +// certificates via a DNS side-channel. +class DnsCertProvenanceChecker { + public: + class Delegate { + public: + virtual ~Delegate(); + + virtual void OnDnsCertLookupFailed( + const std::string& hostname, + const std::vector<std::string>& der_certs) = 0; + }; + + virtual ~DnsCertProvenanceChecker(); + + // DoAsyncVerification starts an asynchronous check for the given certificate + // chain. It must be run on the network thread. + virtual void DoAsyncVerification( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs) = 0; + + + protected: + // DoAsyncLookup performs a DNS lookup for the given name and certificate + // chain. In the event that the lookup reports a failure, the Delegate is + // called back. + static void DoAsyncLookup( + const std::string& hostname, + const std::vector<base::StringPiece>& der_certs, + DnsRRResolver* dnsrr_resolver, + Delegate* delegate); + + // BuildEncryptedRecord encrypts the certificate chain to a fixed public key + // and returns the encrypted blob. Since this code is reporting a possible + // HTTPS failure, it would seem silly to use HTTPS to protect the uploaded + // report. + static std::string BuildEncryptedReport( + const std::string& hostname, + const std::vector<std::string>& der_certs); +}; + +} // namespace net + +#endif // NET_SOCKET_DNS_CERT_PROVENANCE_CHECK_H diff --git a/net/socket/socket_test_util.cc b/net/socket/socket_test_util.cc index 8378c1d..b2e738a 100644 --- a/net/socket/socket_test_util.cc +++ b/net/socket/socket_test_util.cc @@ -1016,7 +1016,7 @@ SSLClientSocket* MockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); @@ -1066,7 +1066,7 @@ SSLClientSocket* DeterministicMockClientSocketFactory::CreateSSLClientSocket( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { MockSSLClientSocket* socket = new MockSSLClientSocket(transport_socket, host_and_port, ssl_config, ssl_host_info, mock_ssl_data_.GetNext()); diff --git a/net/socket/socket_test_util.h b/net/socket/socket_test_util.h index ba0b94a..147a4ba 100644 --- a/net/socket/socket_test_util.h +++ b/net/socket/socket_test_util.h @@ -535,7 +535,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<SocketDataProvider>& mock_data() { return mock_data_; } @@ -880,7 +880,7 @@ class DeterministicMockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); SocketDataProviderArray<DeterministicSocketData>& mock_data() { return mock_data_; diff --git a/net/socket/ssl_client_socket_mac_factory.cc b/net/socket/ssl_client_socket_mac_factory.cc index a4ffb78..bf732e6 100644 --- a/net/socket/ssl_client_socket_mac_factory.cc +++ b/net/socket/ssl_client_socket_mac_factory.cc @@ -14,7 +14,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { delete ssl_host_info; return new SSLClientSocketMac(transport_socket, host_and_port, ssl_config); } diff --git a/net/socket/ssl_client_socket_mac_factory.h b/net/socket/ssl_client_socket_mac_factory.h index c8f48ea..5539136 100644 --- a/net/socket/ssl_client_socket_mac_factory.h +++ b/net/socket/ssl_client_socket_mac_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketMac objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketMacFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 3234320..0625698 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -93,7 +93,7 @@ #include "net/base/sys_addrinfo.h" #include "net/ocsp/nss_ocsp.h" #include "net/socket/client_socket_handle.h" -#include "net/socket/dns_cert_provenance_check.h" +#include "net/socket/dns_cert_provenance_checker.h" #include "net/socket/ssl_error_params.h" #include "net/socket/ssl_host_info.h" @@ -399,7 +399,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) + DnsCertProvenanceChecker* dns_ctx) : ALLOW_THIS_IN_INITIALIZER_LIST(buffer_send_callback_( this, &SSLClientSocketNSS::BufferSendComplete)), ALLOW_THIS_IN_INITIALIZER_LIST(buffer_recv_callback_( @@ -435,7 +435,7 @@ SSLClientSocketNSS::SSLClientSocketNSS(ClientSocketHandle* transport_socket, predicted_npn_status_(kNextProtoUnsupported), predicted_npn_proto_used_(false), ssl_host_info_(ssl_host_info), - dnsrr_resolver_(dnsrr_resolver) { + dns_cert_checker_(dns_ctx) { EnterFunction(""); } @@ -2348,6 +2348,13 @@ static DNSValidationResult CheckDNSSECChain( } int SSLClientSocketNSS::DoVerifyDNSSEC(int result) { + if (ssl_config_.dns_cert_provenance_checking_enabled && + dns_cert_checker_) { + PeerCertificateChain certs(nss_fd_); + dns_cert_checker_->DoAsyncVerification( + host_and_port_.host(), certs.AsStringPieceVector()); + } + if (ssl_config_.dnssec_enabled) { DNSValidationResult r = CheckDNSSECChain(host_and_port_.host(), server_cert_nss_); diff --git a/net/socket/ssl_client_socket_nss.h b/net/socket/ssl_client_socket_nss.h index b2725f6..7743097 100644 --- a/net/socket/ssl_client_socket_nss.h +++ b/net/socket/ssl_client_socket_nss.h @@ -31,7 +31,7 @@ namespace net { class BoundNetLog; class CertVerifier; class ClientSocketHandle; -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; class X509Certificate; @@ -48,7 +48,7 @@ class SSLClientSocketNSS : public SSLClientSocket { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dnsrr_resolver); ~SSLClientSocketNSS(); // SSLClientSocket methods: @@ -250,7 +250,7 @@ class SSLClientSocketNSS : public SSLClientSocket { bool predicted_npn_proto_used_; scoped_ptr<SSLHostInfo> ssl_host_info_; - DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; }; } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.cc b/net/socket/ssl_client_socket_nss_factory.cc index f7fc435..e4c01f0 100644 --- a/net/socket/ssl_client_socket_nss_factory.cc +++ b/net/socket/ssl_client_socket_nss_factory.cc @@ -19,10 +19,10 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { scoped_ptr<SSLHostInfo> shi(ssl_host_info); return new SSLClientSocketNSS(transport_socket, host_and_port, ssl_config, - shi.release(), dnsrr_resolver); + shi.release(), dns_cert_checker); } } // namespace net diff --git a/net/socket/ssl_client_socket_nss_factory.h b/net/socket/ssl_client_socket_nss_factory.h index c51b5be..15b05b2 100644 --- a/net/socket/ssl_client_socket_nss_factory.h +++ b/net/socket/ssl_client_socket_nss_factory.h @@ -10,7 +10,7 @@ namespace net { -class DnsRRResolver; +class DnsCertProvenanceChecker; class SSLHostInfo; // Creates SSLClientSocketNSS objects. @@ -19,7 +19,7 @@ SSLClientSocket* SSLClientSocketNSSFactory( const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver); + DnsCertProvenanceChecker* dns_cert_checker); } // namespace net diff --git a/net/socket/ssl_client_socket_pool.cc b/net/socket/ssl_client_socket_pool.cc index 785faab..5b21005 100644 --- a/net/socket/ssl_client_socket_pool.cc +++ b/net/socket/ssl_client_socket_pool.cc @@ -78,6 +78,7 @@ SSLConnectJob::SSLConnectJob( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log) @@ -90,6 +91,7 @@ SSLConnectJob::SSLConnectJob( client_socket_factory_(client_socket_factory), resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), ALLOW_THIS_IN_INITIALIZER_LIST( callback_(this, &SSLConnectJob::OnIOComplete)) {} @@ -287,7 +289,7 @@ int SSLConnectJob::DoSSLConnect() { ssl_socket_.reset(client_socket_factory_->CreateSSLClientSocket( transport_socket_handle_.release(), params_->host_and_port(), - params_->ssl_config(), ssl_host_info_.release(), dnsrr_resolver_)); + params_->ssl_config(), ssl_host_info_.release(), dns_cert_checker_)); return ssl_socket_->Connect(&callback_); } @@ -358,8 +360,8 @@ ConnectJob* SSLClientSocketPool::SSLConnectJobFactory::NewConnectJob( return new SSLConnectJob(group_name, request.params(), ConnectionTimeout(), tcp_pool_, socks_pool_, http_proxy_pool_, client_socket_factory_, host_resolver_, - dnsrr_resolver_, ssl_host_info_factory_, delegate, - net_log_); + dnsrr_resolver_, dns_cert_checker_, + ssl_host_info_factory_, delegate, net_log_); } SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( @@ -369,6 +371,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log) : tcp_pool_(tcp_pool), @@ -377,6 +380,7 @@ SSLClientSocketPool::SSLConnectJobFactory::SSLConnectJobFactory( client_socket_factory_(client_socket_factory), host_resolver_(host_resolver), dnsrr_resolver_(dnsrr_resolver), + dns_cert_checker_(dns_cert_checker), ssl_host_info_factory_(ssl_host_info_factory), net_log_(net_log) { base::TimeDelta max_transport_timeout = base::TimeDelta(); @@ -403,6 +407,7 @@ SSLClientSocketPool::SSLClientSocketPool( ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -419,7 +424,8 @@ SSLClientSocketPool::SSLClientSocketPool( base::TimeDelta::FromSeconds(kUsedIdleSocketTimeout), new SSLConnectJobFactory(tcp_pool, socks_pool, http_proxy_pool, client_socket_factory, host_resolver, - dnsrr_resolver, ssl_host_info_factory, + dnsrr_resolver, dns_cert_checker, + ssl_host_info_factory, net_log)), ssl_config_service_(ssl_config_service) { if (ssl_config_service_) diff --git a/net/socket/ssl_client_socket_pool.h b/net/socket/ssl_client_socket_pool.h index 11cf250..5eb8594 100644 --- a/net/socket/ssl_client_socket_pool.h +++ b/net/socket/ssl_client_socket_pool.h @@ -24,6 +24,7 @@ namespace net { class ClientSocketFactory; class ConnectJobFactory; +class DnsCertProvenanceChecker; class DnsRRResolver; class HostPortPair; class HttpProxyClientSocketPool; @@ -95,6 +96,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, Delegate* delegate, NetLog* net_log); @@ -144,6 +146,7 @@ class SSLConnectJob : public ConnectJob { ClientSocketFactory* const client_socket_factory_; HostResolver* const resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; State next_state_; @@ -171,6 +174,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketPoolHistograms* histograms, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, ClientSocketFactory* client_socket_factory, TCPClientSocketPool* tcp_pool, @@ -244,6 +248,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* client_socket_factory, HostResolver* host_resolver, DnsRRResolver* dnsrr_resolver, + DnsCertProvenanceChecker* dns_cert_checker, SSLHostInfoFactory* ssl_host_info_factory, NetLog* net_log); @@ -264,6 +269,7 @@ class SSLClientSocketPool : public ClientSocketPool, ClientSocketFactory* const client_socket_factory_; HostResolver* const host_resolver_; DnsRRResolver* const dnsrr_resolver_; + DnsCertProvenanceChecker* const dns_cert_checker_; SSLHostInfoFactory* const ssl_host_info_factory_; base::TimeDelta timeout_; NetLog* net_log_; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index f58a762..247638b 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -40,6 +40,7 @@ class SSLClientSocketPoolTest : public testing::Test { host_resolver_.get())), session_(new HttpNetworkSession(host_resolver_.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, ProxyService::CreateDirect(), &socket_factory_, @@ -97,6 +98,7 @@ class SSLClientSocketPoolTest : public testing::Test { ssl_histograms_.get(), NULL, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, &socket_factory_, tcp_pool ? &tcp_socket_pool_ : NULL, diff --git a/net/socket/tcp_client_socket_pool_unittest.cc b/net/socket/tcp_client_socket_pool_unittest.cc index 215b9ba..c44815c 100644 --- a/net/socket/tcp_client_socket_pool_unittest.cc +++ b/net/socket/tcp_client_socket_pool_unittest.cc @@ -251,7 +251,7 @@ class MockClientSocketFactory : public ClientSocketFactory { const HostPortPair& host_and_port, const SSLConfig& ssl_config, SSLHostInfo* ssl_host_info, - DnsRRResolver* dnsrr_resolver) { + DnsCertProvenanceChecker* dns_cert_checker) { NOTIMPLEMENTED(); delete ssl_host_info; return NULL; diff --git a/net/spdy/spdy_test_util.h b/net/spdy/spdy_test_util.h index aecf08e..0a81bb7 100644 --- a/net/spdy/spdy_test_util.h +++ b/net/spdy/spdy_test_util.h @@ -358,6 +358,7 @@ class SpdySessionDependencies { SpdySessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, session_deps->socket_factory.get(), @@ -371,6 +372,7 @@ class SpdySessionDependencies { SpdySessionDependencies* session_deps) { return new HttpNetworkSession(session_deps->host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, session_deps->proxy_service, session_deps-> @@ -395,6 +397,7 @@ class SpdyURLRequestContext : public URLRequestContext { new HttpNetworkLayer(&socket_factory_, host_resolver_, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/net/tools/fetch/fetch_client.cc b/net/tools/fetch/fetch_client.cc index 3bdbcbf..138bed3 100644 --- a/net/tools/fetch/fetch_client.cc +++ b/net/tools/fetch/fetch_client.cc @@ -147,7 +147,7 @@ int main(int argc, char**argv) { scoped_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory( net::HttpAuthHandlerFactory::CreateDefault(host_resolver.get())); if (use_cache) { - factory = new net::HttpCache(host_resolver.get(), NULL, proxy_service, + factory = new net::HttpCache(host_resolver.get(), NULL, NULL, proxy_service, ssl_config_service, http_auth_handler_factory.get(), NULL, NULL, net::HttpCache::DefaultBackend::InMemory(0)); } else { @@ -155,6 +155,7 @@ int main(int argc, char**argv) { net::ClientSocketFactory::GetDefaultFactory(), host_resolver.get(), NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service, ssl_config_service, diff --git a/net/url_request/url_request_context.cc b/net/url_request/url_request_context.cc index 137901d..281aa7e 100644 --- a/net/url_request/url_request_context.cc +++ b/net/url_request/url_request_context.cc @@ -12,6 +12,7 @@ URLRequestContext::URLRequestContext() : net_log_(NULL), host_resolver_(NULL), dnsrr_resolver_(NULL), + dns_cert_checker_(NULL), http_transaction_factory_(NULL), ftp_transaction_factory_(NULL), http_auth_handler_factory_(NULL), diff --git a/net/url_request/url_request_context.h b/net/url_request/url_request_context.h index bbbae67..f935f5f 100644 --- a/net/url_request/url_request_context.h +++ b/net/url_request/url_request_context.h @@ -18,10 +18,12 @@ #include "net/base/transport_security_state.h" #include "net/ftp/ftp_auth_cache.h" #include "net/proxy/proxy_service.h" +#include "net/socket/dns_cert_provenance_checker.h" namespace net { class CookiePolicy; class CookieStore; +class DnsCertProvenanceChecker; class DnsRRResolver; class FtpTransactionFactory; class HostResolver; @@ -51,6 +53,10 @@ class URLRequestContext return dnsrr_resolver_; } + net::DnsCertProvenanceChecker* dns_cert_checker() const { + return dns_cert_checker_.get(); + } + // Get the proxy service for this context. net::ProxyService* proxy_service() const { return proxy_service_; @@ -124,6 +130,7 @@ class URLRequestContext net::NetLog* net_log_; net::HostResolver* host_resolver_; net::DnsRRResolver* dnsrr_resolver_; + scoped_ptr<net::DnsCertProvenanceChecker> dns_cert_checker_; scoped_refptr<net::ProxyService> proxy_service_; scoped_refptr<net::SSLConfigService> ssl_config_service_; net::HttpTransactionFactory* http_transaction_factory_; diff --git a/net/url_request/url_request_unittest.h b/net/url_request/url_request_unittest.h index abb6ab5..378b133 100644 --- a/net/url_request/url_request_unittest.h +++ b/net/url_request/url_request_unittest.h @@ -162,6 +162,7 @@ class TestURLRequestContext : public URLRequestContext { http_transaction_factory_ = new net::HttpCache( net::HttpNetworkLayer::CreateFactory(host_resolver_, NULL /* dnsrr_resolver */, + NULL /* dns_cert_checker */, NULL /* ssl_host_info_factory */, proxy_service_, ssl_config_service_, diff --git a/webkit/tools/test_shell/test_shell_request_context.cc b/webkit/tools/test_shell/test_shell_request_context.cc index d0e93e2..0c07a88 100644 --- a/webkit/tools/test_shell/test_shell_request_context.cc +++ b/webkit/tools/test_shell/test_shell_request_context.cc @@ -74,7 +74,7 @@ void TestShellRequestContext::Init( cache_path, 0, SimpleResourceLoaderBridge::GetCacheThread()); net::HttpCache* cache = - new net::HttpCache(host_resolver_, NULL, proxy_service_, + new net::HttpCache(host_resolver_, NULL, NULL, proxy_service_, ssl_config_service_, http_auth_handler_factory_, NULL, NULL, backend); |