diff options
| -rw-r--r-- | net/http/http_network_session.cc | 1 | ||||
| -rw-r--r-- | net/quic/quic_client_session.cc | 28 | ||||
| -rw-r--r-- | net/quic/quic_client_session.h | 3 | ||||
| -rw-r--r-- | net/quic/quic_client_session_test.cc | 64 | ||||
| -rw-r--r-- | net/quic/quic_http_stream_test.cc | 3 | ||||
| -rw-r--r-- | net/quic/quic_stream_factory.cc | 4 | ||||
| -rw-r--r-- | net/quic/quic_stream_factory.h | 1 | ||||
| -rw-r--r-- | net/quic/quic_stream_factory_test.cc | 6 | ||||
| -rw-r--r-- | net/socket/ssl_client_socket_pool_unittest.cc | 3 | ||||
| -rw-r--r-- | net/spdy/spdy_session.cc | 55 | ||||
| -rw-r--r-- | net/spdy/spdy_session.h | 11 | ||||
| -rw-r--r-- | net/spdy/spdy_session_pool.cc | 3 | ||||
| -rw-r--r-- | net/spdy/spdy_session_pool.h | 4 | ||||
| -rw-r--r-- | net/spdy/spdy_session_unittest.cc | 110 | ||||
| -rw-r--r-- | net/spdy/spdy_test_utils.cc | 33 | ||||
| -rw-r--r-- | net/spdy/spdy_test_utils.h | 18 |
16 files changed, 55 insertions, 292 deletions
diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc index d1a7236..b48d660 100644 --- a/net/http/http_network_session.cc +++ b/net/http/http_network_session.cc @@ -135,7 +135,6 @@ HttpNetworkSession::HttpNetworkSession(const Params& params) spdy_session_pool_(params.host_resolver, params.ssl_config_service, params.http_server_properties, - params.transport_security_state, params.force_spdy_single_domain, params.enable_spdy_compression, params.enable_spdy_ping_based_connection_checking, diff --git a/net/quic/quic_client_session.cc b/net/quic/quic_client_session.cc index b136724..c6699f1 100644 --- a/net/quic/quic_client_session.cc +++ b/net/quic/quic_client_session.cc @@ -13,7 +13,6 @@ #include "base/values.h" #include "net/base/io_buffer.h" #include "net/base/net_errors.h" -#include "net/http/transport_security_state.h" #include "net/quic/crypto/proof_verifier_chromium.h" #include "net/quic/crypto/quic_server_info.h" #include "net/quic/quic_connection_helper.h" @@ -21,7 +20,6 @@ #include "net/quic/quic_default_packet_writer.h" #include "net/quic/quic_server_id.h" #include "net/quic/quic_stream_factory.h" -#include "net/spdy/spdy_session.h" #include "net/ssl/channel_id_service.h" #include "net/ssl/ssl_connection_status_flags.h" #include "net/ssl/ssl_info.h" @@ -140,7 +138,6 @@ QuicClientSession::QuicClientSession( scoped_ptr<QuicDefaultPacketWriter> writer, QuicStreamFactory* stream_factory, QuicCryptoClientStreamFactory* crypto_client_stream_factory, - TransportSecurityState* transport_security_state, scoped_ptr<QuicServerInfo> server_info, const QuicServerId& server_id, const QuicConfig& config, @@ -154,7 +151,6 @@ QuicClientSession::QuicClientSession( socket_(socket.Pass()), writer_(writer.Pass()), read_buffer_(new IOBufferWithSize(kMaxPacketSize)), - transport_security_state_(transport_security_state), server_info_(server_info.Pass()), read_pending_(false), num_total_streams_(0), @@ -493,8 +489,28 @@ bool QuicClientSession::CanPool(const std::string& hostname) const { return true; } - return SpdySession::CanPool(transport_security_state_, ssl_info, - server_host_port_.host(), hostname); + // Disable pooling for secure sessions. + // TODO(rch): re-enable this. + return false; +#if 0 + bool unused = false; + // Pooling is prohibited if the server cert is not valid for the new domain, + // and for connections on which client certs were sent. It is also prohibited + // when channel ID was sent if the hosts are from different eTLDs+1. + if (!ssl_info.cert->VerifyNameMatch(hostname, &unused)) + return false; + + if (ssl_info.client_cert_sent) + return false; + + if (ssl_info.channel_id_sent && + ChannelIDService::GetDomainForHost(hostname) != + ChannelIDService::GetDomainForHost(server_host_port_.host())) { + return false; + } + + return true; +#endif } QuicDataStream* QuicClientSession::CreateIncomingDataStream( diff --git a/net/quic/quic_client_session.h b/net/quic/quic_client_session.h index 9808cac..6112e1e 100644 --- a/net/quic/quic_client_session.h +++ b/net/quic/quic_client_session.h @@ -35,7 +35,6 @@ class QuicServerId; class QuicServerInfo; class QuicStreamFactory; class SSLInfo; -class TransportSecurityState; namespace test { class QuicClientSessionPeer; @@ -96,7 +95,6 @@ class NET_EXPORT_PRIVATE QuicClientSession : public QuicClientSessionBase { scoped_ptr<QuicDefaultPacketWriter> writer, QuicStreamFactory* stream_factory, QuicCryptoClientStreamFactory* crypto_client_stream_factory, - TransportSecurityState* transport_security_state, scoped_ptr<QuicServerInfo> server_info, const QuicServerId& server_id, const QuicConfig& config, @@ -228,7 +226,6 @@ class NET_EXPORT_PRIVATE QuicClientSession : public QuicClientSessionBase { scoped_ptr<DatagramClientSocket> socket_; scoped_ptr<QuicDefaultPacketWriter> writer_; scoped_refptr<IOBufferWithSize> read_buffer_; - TransportSecurityState* transport_security_state_; scoped_ptr<QuicServerInfo> server_info_; scoped_ptr<CertVerifyResult> cert_verify_result_; std::string pinning_failure_log_; diff --git a/net/quic/quic_client_session_test.cc b/net/quic/quic_client_session_test.cc index 1e13e89..ae1aea6 100644 --- a/net/quic/quic_client_session_test.cc +++ b/net/quic/quic_client_session_test.cc @@ -6,14 +6,12 @@ #include <vector> -#include "base/base64.h" #include "base/files/file_path.h" #include "base/rand_util.h" #include "net/base/capturing_net_log.h" #include "net/base/test_completion_callback.h" #include "net/base/test_data_directory.h" #include "net/cert/cert_verify_result.h" -#include "net/http/transport_security_state.h" #include "net/quic/crypto/aes_128_gcm_12_encrypter.h" #include "net/quic/crypto/crypto_protocol.h" #include "net/quic/crypto/proof_verifier_chromium.h" @@ -26,7 +24,6 @@ #include "net/quic/test_tools/quic_test_utils.h" #include "net/quic/test_tools/simple_quic_framer.h" #include "net/socket/socket_test_util.h" -#include "net/spdy/spdy_test_utils.h" #include "net/test/cert_test_util.h" #include "net/udp/datagram_client_socket.h" @@ -76,7 +73,6 @@ class QuicClientSessionTest : public ::testing::TestWithParam<QuicVersion> { connection_( new PacketSavingConnection(false, SupportedVersions(GetParam()))), session_(connection_, GetSocket().Pass(), writer_.Pass(), NULL, NULL, - &transport_security_state_, make_scoped_ptr((QuicServerInfo*)NULL), QuicServerId(kServerHostname, kServerPort, false, PRIVACY_MODE_DISABLED), @@ -112,7 +108,6 @@ class QuicClientSessionTest : public ::testing::TestWithParam<QuicVersion> { CapturingNetLog net_log_; MockClientSocketFactory socket_factory_; StaticSocketDataProvider socket_data_; - TransportSecurityState transport_security_state_; QuicClientSession session_; MockClock clock_; MockRandom random_; @@ -177,15 +172,18 @@ TEST_P(QuicClientSessionTest, GoAwayReceived) { EXPECT_EQ(NULL, session_.CreateOutgoingDataStream()); } -TEST_P(QuicClientSessionTest, CanPool) { +// TODO(rch): re-enable this. +TEST_P(QuicClientSessionTest, DISABLED_CanPool) { // Load a cert that is valid for: // www.example.org // mail.example.org // www.example.com + base::FilePath certs_dir = GetTestCertsDirectory(); + CertVerifyResult result; ProofVerifyDetailsChromium details; details.cert_verify_result.verified_cert = - ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem"); + ImportCertFromFile(certs_dir, "spdy_pooling.pem"); ASSERT_TRUE(details.cert_verify_result.verified_cert); session_.OnProofVerifyDetailsAvailable(details); @@ -198,15 +196,18 @@ TEST_P(QuicClientSessionTest, CanPool) { EXPECT_FALSE(session_.CanPool("mail.google.com")); } -TEST_P(QuicClientSessionTest, ConnectionPooledWithTlsChannelId) { +// TODO(rch): re-enable this. +TEST_P(QuicClientSessionTest, DISABLED_ConnectionPooledWithTlsChannelId) { // Load a cert that is valid for: // www.example.org // mail.example.org // www.example.com + base::FilePath certs_dir = GetTestCertsDirectory(); + CertVerifyResult result; ProofVerifyDetailsChromium details; details.cert_verify_result.verified_cert = - ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem"); + ImportCertFromFile(certs_dir, "spdy_pooling.pem"); ASSERT_TRUE(details.cert_verify_result.verified_cert); session_.OnProofVerifyDetailsAvailable(details); @@ -219,51 +220,6 @@ TEST_P(QuicClientSessionTest, ConnectionPooledWithTlsChannelId) { EXPECT_FALSE(session_.CanPool("mail.google.com")); } -TEST_P(QuicClientSessionTest, ConnectionNotPooledWithDifferentPin) { - uint8 primary_pin = 1; - uint8 backup_pin = 2; - uint8 bad_pin = 3; - AddPin(&transport_security_state_, "mail.example.org", primary_pin, - backup_pin); - - ProofVerifyDetailsChromium details; - details.cert_verify_result.verified_cert = - ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem"); - details.cert_verify_result.is_issued_by_known_root = true; - details.cert_verify_result.public_key_hashes.push_back( - GetTestHashValue(bad_pin)); - - ASSERT_TRUE(details.cert_verify_result.verified_cert); - - session_.OnProofVerifyDetailsAvailable(details); - CompleteCryptoHandshake(); - QuicClientSessionPeer::SetChannelIDSent(&session_, true); - - EXPECT_FALSE(session_.CanPool("mail.example.org")); -} - -TEST_P(QuicClientSessionTest, ConnectionPooledWithMatchingPin) { - uint8 primary_pin = 1; - uint8 backup_pin = 2; - AddPin(&transport_security_state_, "mail.example.org", primary_pin, - backup_pin); - - ProofVerifyDetailsChromium details; - details.cert_verify_result.verified_cert = - ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem"); - details.cert_verify_result.is_issued_by_known_root = true; - details.cert_verify_result.public_key_hashes.push_back( - GetTestHashValue(primary_pin)); - - ASSERT_TRUE(details.cert_verify_result.verified_cert); - - session_.OnProofVerifyDetailsAvailable(details); - CompleteCryptoHandshake(); - QuicClientSessionPeer::SetChannelIDSent(&session_, true); - - EXPECT_TRUE(session_.CanPool("mail.example.org")); -} - } // namespace } // namespace test } // namespace net diff --git a/net/quic/quic_http_stream_test.cc b/net/quic/quic_http_stream_test.cc index 932f566..5e46258 100644 --- a/net/quic/quic_http_stream_test.cc +++ b/net/quic/quic_http_stream_test.cc @@ -11,7 +11,6 @@ #include "net/base/upload_bytes_element_reader.h" #include "net/base/upload_data_stream.h" #include "net/http/http_response_headers.h" -#include "net/http/transport_security_state.h" #include "net/quic/congestion_control/receive_algorithm_interface.h" #include "net/quic/congestion_control/send_algorithm_interface.h" #include "net/quic/crypto/crypto_protocol.h" @@ -215,7 +214,6 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<QuicVersion> { scoped_ptr<DatagramClientSocket>(socket), writer_.Pass(), NULL, &crypto_client_stream_factory_, - &transport_security_state_, make_scoped_ptr((QuicServerInfo*)NULL), QuicServerId(kServerHostname, kServerPort, false, PRIVACY_MODE_DISABLED), @@ -301,7 +299,6 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<QuicVersion> { testing::StrictMock<MockConnectionVisitor> visitor_; scoped_ptr<QuicHttpStream> stream_; scoped_ptr<QuicDefaultPacketWriter> writer_; - TransportSecurityState transport_security_state_; scoped_ptr<QuicClientSession> session_; QuicCryptoClientConfig crypto_config_; TestCompletionCallback callback_; diff --git a/net/quic/quic_stream_factory.cc b/net/quic/quic_stream_factory.cc index 1baf4c8..ea30b2e 100644 --- a/net/quic/quic_stream_factory.cc +++ b/net/quic/quic_stream_factory.cc @@ -861,8 +861,8 @@ int QuicStreamFactory::CreateSession( *session = new QuicClientSession( connection, socket.Pass(), writer.Pass(), this, - quic_crypto_client_stream_factory_, transport_security_state_, - server_info.Pass(), server_id, config, &crypto_config_, + quic_crypto_client_stream_factory_, server_info.Pass(), server_id, + config, &crypto_config_, base::MessageLoop::current()->message_loop_proxy().get(), net_log.net_log()); (*session)->InitializeSession(); diff --git a/net/quic/quic_stream_factory.h b/net/quic/quic_stream_factory.h index 262e276..574bf6f 100644 --- a/net/quic/quic_stream_factory.h +++ b/net/quic/quic_stream_factory.h @@ -238,7 +238,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory HostResolver* host_resolver_; ClientSocketFactory* client_socket_factory_; base::WeakPtr<HttpServerProperties> http_server_properties_; - TransportSecurityState* transport_security_state_; QuicServerInfoFactory* quic_server_info_factory_; QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory_; QuicRandom* random_generator_; diff --git a/net/quic/quic_stream_factory_test.cc b/net/quic/quic_stream_factory_test.cc index 59f97f5..df66134 100644 --- a/net/quic/quic_stream_factory_test.cc +++ b/net/quic/quic_stream_factory_test.cc @@ -360,7 +360,8 @@ TEST_P(QuicStreamFactoryTest, CreateHttpVsHttps) { EXPECT_TRUE(socket_data2.at_write_eof()); } -TEST_P(QuicStreamFactoryTest, Pooling) { +// TODO(rch): re-enable this. +TEST_P(QuicStreamFactoryTest, DISABLED_Pooling) { MockRead reads[] = { MockRead(ASYNC, OK, 0) // EOF }; @@ -476,7 +477,8 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) { EXPECT_TRUE(socket_data2.at_write_eof()); } -TEST_P(QuicStreamFactoryTest, HttpsPooling) { +// TODO(rch): re-enable this. +TEST_P(QuicStreamFactoryTest, DISABLED_HttpsPooling) { MockRead reads[] = { MockRead(ASYNC, OK, 0) // EOF }; diff --git a/net/socket/ssl_client_socket_pool_unittest.cc b/net/socket/ssl_client_socket_pool_unittest.cc index ad59889..14b0662 100644 --- a/net/socket/ssl_client_socket_pool_unittest.cc +++ b/net/socket/ssl_client_socket_pool_unittest.cc @@ -1257,7 +1257,8 @@ TEST_P(SSLClientSocketPoolTest, NeedProxyAuth) { EXPECT_FALSE(tunnel_handle->socket()->IsConnected()); } -TEST_P(SSLClientSocketPoolTest, IPPooling) { +// TODO(rch): re-enable this. +TEST_P(SSLClientSocketPoolTest, DISABLED_IPPooling) { const int kTestPort = 80; struct TestHosts { std::string name; diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc index 51c6ee7..64e2c04 100644 --- a/net/spdy/spdy_session.cc +++ b/net/spdy/spdy_session.cc @@ -29,12 +29,10 @@ #include "net/base/net_log.h" #include "net/base/net_util.h" #include "net/cert/asn1_util.h" -#include "net/cert/cert_verify_result.h" #include "net/http/http_log_util.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties.h" #include "net/http/http_util.h" -#include "net/http/transport_security_state.h" #include "net/spdy/spdy_buffer_producer.h" #include "net/spdy/spdy_frame_builder.h" #include "net/spdy/spdy_http_utils.h" @@ -531,47 +529,9 @@ SpdySession::PushedStreamInfo::PushedStreamInfo( SpdySession::PushedStreamInfo::~PushedStreamInfo() {} -// static -bool SpdySession::CanPool(TransportSecurityState* transport_security_state, - const SSLInfo& ssl_info, - const std::string& old_hostname, - const std::string& new_hostname) { - // Pooling is prohibited if the server cert is not valid for the new domain, - // and for connections on which client certs were sent. It is also prohibited - // when channel ID was sent if the hosts are from different eTLDs+1. - if (IsCertStatusError(ssl_info.cert_status)) - return false; - - if (ssl_info.client_cert_sent) - return false; - - if (ssl_info.channel_id_sent && - ChannelIDService::GetDomainForHost(new_hostname) != - ChannelIDService::GetDomainForHost(old_hostname)) { - return false; - } - - bool unused = false; - if (!ssl_info.cert->VerifyNameMatch(new_hostname, &unused)) - return false; - - std::string pinning_failure_log; - if (!transport_security_state->CheckPublicKeyPins( - new_hostname, - true, /* sni_available */ - ssl_info.is_issued_by_known_root, - ssl_info.public_key_hashes, - &pinning_failure_log)) { - return false; - } - - return true; -} - SpdySession::SpdySession( const SpdySessionKey& spdy_session_key, const base::WeakPtr<HttpServerProperties>& http_server_properties, - TransportSecurityState* transport_security_state, bool verify_domain_authentication, bool enable_sending_initial_data, bool enable_compression, @@ -587,7 +547,6 @@ SpdySession::SpdySession( spdy_session_key_(spdy_session_key), pool_(NULL), http_server_properties_(http_server_properties), - transport_security_state_(transport_security_state), read_buffer_(new IOBuffer(kReadBufferSize)), stream_hi_water_mark_(kFirstStreamId), num_pushed_streams_(0u), @@ -755,8 +714,18 @@ bool SpdySession::VerifyDomainAuthentication(const std::string& domain) { if (!GetSSLInfo(&ssl_info, &was_npn_negotiated, &protocol_negotiated)) return true; // This is not a secure session, so all domains are okay. - return CanPool(transport_security_state_, ssl_info, - host_port_pair().host(), domain); + // Disable pooling for secure sessions. + // TODO(rch): re-enable this. + return false; +#if 0 + bool unused = false; + return + !ssl_info.client_cert_sent && + (!ssl_info.channel_id_sent || + (ChannelIDService::GetDomainForHost(domain) == + ChannelIDService::GetDomainForHost(host_port_pair().host()))) && + ssl_info.cert->VerifyNameMatch(domain, &unused); +#endif } int SpdySession::GetPushStream( diff --git a/net/spdy/spdy_session.h b/net/spdy/spdy_session.h index d2da863..4037e03 100644 --- a/net/spdy/spdy_session.h +++ b/net/spdy/spdy_session.h @@ -70,7 +70,6 @@ class BoundNetLog; struct LoadTimingInfo; class SpdyStream; class SSLInfo; -class TransportSecurityState; // NOTE: There's an enum of the same name (also with numeric suffixes) // in histograms.xml. Be sure to add new values there also. @@ -223,13 +222,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, FLOW_CONTROL_STREAM_AND_SESSION }; - // Returns true if |hostname| can be pooled into an existing connection - // associated with |ssl_info|. - static bool CanPool(TransportSecurityState* transport_security_state, - const SSLInfo& ssl_info, - const std::string& old_hostname, - const std::string& new_hostname); - // Create a new SpdySession. // |spdy_session_key| is the host/port that this session connects to, privacy // and proxy configuration settings that it's using. @@ -237,7 +229,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, // network events to. SpdySession(const SpdySessionKey& spdy_session_key, const base::WeakPtr<HttpServerProperties>& http_server_properties, - TransportSecurityState* transport_security_state, bool verify_domain_authentication, bool enable_sending_initial_data, bool enable_compression, @@ -972,8 +963,6 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, SpdySessionPool* pool_; const base::WeakPtr<HttpServerProperties> http_server_properties_; - TransportSecurityState* transport_security_state_; - // The socket handle for this session. scoped_ptr<ClientSocketHandle> connection_; diff --git a/net/spdy/spdy_session_pool.cc b/net/spdy/spdy_session_pool.cc index d839785..189c945 100644 --- a/net/spdy/spdy_session_pool.cc +++ b/net/spdy/spdy_session_pool.cc @@ -31,7 +31,6 @@ SpdySessionPool::SpdySessionPool( HostResolver* resolver, SSLConfigService* ssl_config_service, const base::WeakPtr<HttpServerProperties>& http_server_properties, - TransportSecurityState* transport_security_state, bool force_single_domain, bool enable_compression, bool enable_ping_based_connection_checking, @@ -42,7 +41,6 @@ SpdySessionPool::SpdySessionPool( SpdySessionPool::TimeFunc time_func, const std::string& trusted_spdy_proxy) : http_server_properties_(http_server_properties), - transport_security_state_(transport_security_state), ssl_config_service_(ssl_config_service), resolver_(resolver), verify_domain_authentication_(true), @@ -100,7 +98,6 @@ base::WeakPtr<SpdySession> SpdySessionPool::CreateAvailableSessionFromSocket( scoped_ptr<SpdySession> new_session( new SpdySession(key, http_server_properties_, - transport_security_state_, verify_domain_authentication_, enable_sending_initial_data_, enable_compression_, diff --git a/net/spdy/spdy_session_pool.h b/net/spdy/spdy_session_pool.h index 2fbb030..0fad5d2 100644 --- a/net/spdy/spdy_session_pool.h +++ b/net/spdy/spdy_session_pool.h @@ -34,7 +34,6 @@ class ClientSocketHandle; class HostResolver; class HttpServerProperties; class SpdySession; -class TransportSecurityState; // This is a very simple pool for open SpdySessions. class NET_EXPORT SpdySessionPool @@ -51,7 +50,6 @@ class NET_EXPORT SpdySessionPool HostResolver* host_resolver, SSLConfigService* ssl_config_service, const base::WeakPtr<HttpServerProperties>& http_server_properties, - TransportSecurityState* transport_security_state, bool force_single_domain, bool enable_compression, bool enable_ping_based_connection_checking, @@ -193,8 +191,6 @@ class NET_EXPORT SpdySessionPool const base::WeakPtr<HttpServerProperties> http_server_properties_; - TransportSecurityState* transport_security_state_; - // The set of all sessions. This is a superset of the sessions in // |available_sessions_|. // diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc index 8194fe7..1fa5f2e 100644 --- a/net/spdy/spdy_session_unittest.cc +++ b/net/spdy/spdy_session_unittest.cc @@ -4,7 +4,6 @@ #include "net/spdy/spdy_session.h" -#include "base/base64.h" #include "base/bind.h" #include "base/callback.h" #include "base/memory/scoped_ptr.h" @@ -2376,7 +2375,7 @@ TEST_P(SpdySessionTest, CloseActivatedStreamThatClosesSession) { EXPECT_TRUE(session == NULL); } -TEST_P(SpdySessionTest, VerifyDomainAuthentication) { +TEST_P(SpdySessionTest, DISABLED_VerifyDomainAuthentication) { session_deps_.host_resolver->set_synchronous_mode(true); MockConnect connect_data(SYNCHRONOUS, OK); @@ -2418,7 +2417,8 @@ TEST_P(SpdySessionTest, VerifyDomainAuthentication) { EXPECT_FALSE(session->VerifyDomainAuthentication("mail.google.com")); } -TEST_P(SpdySessionTest, ConnectionPooledWithTlsChannelId) { +// TODO(rch): re-enable this. +TEST_P(SpdySessionTest, DISABLED_ConnectionPooledWithTlsChannelId) { session_deps_.host_resolver->set_synchronous_mode(true); MockConnect connect_data(SYNCHRONOUS, OK); @@ -5001,108 +5001,4 @@ TEST(MapNetErrorToGoAwayStatus, MapsValue) { CHECK_EQ(GOAWAY_PROTOCOL_ERROR, MapNetErrorToGoAwayStatus(ERR_UNEXPECTED)); } -TEST(CanPoolTest, CanPool) { - // Load a cert that is valid for: - // www.example.org - // mail.example.org - // www.example.com - - TransportSecurityState tss; - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - - EXPECT_TRUE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "www.example.org")); - EXPECT_TRUE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); - EXPECT_TRUE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.com")); - EXPECT_FALSE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.google.com")); -} - -TEST(CanPoolTest, CanNotPoolWithCertErrors) { - // Load a cert that is valid for: - // www.example.org - // mail.example.org - // www.example.com - - TransportSecurityState tss; - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - ssl_info.cert_status = CERT_STATUS_REVOKED; - - EXPECT_FALSE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); -} - -TEST(CanPoolTest, CanNotPoolWithClientCerts) { - // Load a cert that is valid for: - // www.example.org - // mail.example.org - // www.example.com - - TransportSecurityState tss; - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - ssl_info.client_cert_sent = true; - - EXPECT_FALSE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); -} - -TEST(CanPoolTest, CanNotPoolAcrossETLDsWithChannelID) { - // Load a cert that is valid for: - // www.example.org - // mail.example.org - // www.example.com - - TransportSecurityState tss; - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - ssl_info.channel_id_sent = true; - - EXPECT_TRUE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); - EXPECT_FALSE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "www.example.com")); -} - -TEST(CanPoolTest, CanNotPoolWithBadPins) { - uint8 primary_pin = 1; - uint8 backup_pin = 2; - uint8 bad_pin = 3; - TransportSecurityState tss; - test::AddPin(&tss, "mail.example.org", primary_pin, backup_pin); - - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - ssl_info.is_issued_by_known_root = true; - ssl_info.public_key_hashes.push_back(test::GetTestHashValue(bad_pin)); - - EXPECT_FALSE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); -} - -TEST(CanPoolTest, CanPoolWithAcceptablePins) { - uint8 primary_pin = 1; - uint8 backup_pin = 2; - TransportSecurityState tss; - test::AddPin(&tss, "mail.example.org", primary_pin, backup_pin); - - SSLInfo ssl_info; - ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), - "spdy_pooling.pem"); - ssl_info.is_issued_by_known_root = true; - ssl_info.public_key_hashes.push_back(test::GetTestHashValue(primary_pin)); - - EXPECT_TRUE(SpdySession::CanPool( - &tss, ssl_info, "www.example.org", "mail.example.org")); -} - } // namespace net diff --git a/net/spdy/spdy_test_utils.cc b/net/spdy/spdy_test_utils.cc index 7627abe..e33a08b 100644 --- a/net/spdy/spdy_test_utils.cc +++ b/net/spdy/spdy_test_utils.cc @@ -7,13 +7,10 @@ #include <cstring> #include <vector> -#include "base/base64.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/strings/string_number_conversions.h" #include "base/sys_byteorder.h" -#include "net/http/transport_security_state.h" -#include "net/ssl/ssl_info.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { @@ -142,36 +139,6 @@ std::string a2b_hex(const char* hex_data) { return result; } -HashValue GetTestHashValue(uint8_t label) { - HashValue hash_value(HASH_VALUE_SHA256); - memset(hash_value.data(), label, hash_value.size()); - return hash_value; -} - -std::string GetTestPin(uint8_t label) { - HashValue hash_value = GetTestHashValue(label); - std::string base64; - base::Base64Encode(base::StringPiece( - reinterpret_cast<char*>(hash_value.data()), hash_value.size()), &base64); - - return std::string("pin-sha256=\"") + base64 + "\""; -} - -void AddPin(TransportSecurityState* state, - const std::string& host, - uint8_t primary_label, - uint8_t backup_label) { - std::string primary_pin = GetTestPin(primary_label); - std::string backup_pin = GetTestPin(backup_label); - std::string header = "max-age = 10000; " + primary_pin + "; " + backup_pin; - - // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. - SSLInfo ssl_info; - ssl_info.is_issued_by_known_root = true; - ssl_info.public_key_hashes.push_back(GetTestHashValue(primary_label)); - EXPECT_TRUE(state->AddHPKPHeader(host, header, ssl_info)); -} - } // namespace test } // namespace net diff --git a/net/spdy/spdy_test_utils.h b/net/spdy/spdy_test_utils.h index 14bc8ef..439311e 100644 --- a/net/spdy/spdy_test_utils.h +++ b/net/spdy/spdy_test_utils.h @@ -5,17 +5,12 @@ #ifndef NET_SPDY_TEST_UTILS_H_ #define NET_SPDY_TEST_UTILS_H_ -#include <stdint.h> - #include <string> #include "net/spdy/spdy_protocol.h" namespace net { -class HashValue; -class TransportSecurityState; - namespace test { std::string HexDumpWithMarks(const unsigned char* data, int length, @@ -38,19 +33,6 @@ void SetFrameLength(SpdyFrame* frame, std::string a2b_hex(const char* hex_data); -// Returns a SHA1 HashValue in which each byte has the value |label|. -HashValue GetTestHashValue(uint8_t label); - -// Returns SHA1 pinning header for the of the base64 encoding of -// GetTestHashValue(|label|). -std::string GetTestPin(uint8_t label); - -// Adds a pin for |host| to |state|. -void AddPin(TransportSecurityState* state, - const std::string& host, - uint8_t primary_label, - uint8_t backup_label); - } // namespace test } // namespace net |