1 files changed, 54 insertions, 10 deletions

diff --git a/net/quic/quic_client_session_test.cc b/net/quic/quic_client_session_test.cc
index ae1aea6..1e13e89 100644
--- a/net/quic/quic_client_session_test.cc
+++ b/net/quic/quic_client_session_test.cc
@@ -6,12 +6,14 @@
 
 #include <vector>
 
+#include "base/base64.h"
 #include "base/files/file_path.h"
 #include "base/rand_util.h"
 #include "net/base/capturing_net_log.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/http/transport_security_state.h"
 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
 #include "net/quic/crypto/crypto_protocol.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
@@ -24,6 +26,7 @@
 #include "net/quic/test_tools/quic_test_utils.h"
 #include "net/quic/test_tools/simple_quic_framer.h"
 #include "net/socket/socket_test_util.h"
+#include "net/spdy/spdy_test_utils.h"
 #include "net/test/cert_test_util.h"
 #include "net/udp/datagram_client_socket.h"
 
@@ -73,6 +76,7 @@ class QuicClientSessionTest : public ::testing::TestWithParam<QuicVersion> {
         connection_(
             new PacketSavingConnection(false, SupportedVersions(GetParam()))),
         session_(connection_, GetSocket().Pass(), writer_.Pass(), NULL, NULL,
+                 &transport_security_state_,
                  make_scoped_ptr((QuicServerInfo*)NULL),
                  QuicServerId(kServerHostname, kServerPort, false,
                               PRIVACY_MODE_DISABLED),
@@ -108,6 +112,7 @@ class QuicClientSessionTest : public ::testing::TestWithParam<QuicVersion> {
   CapturingNetLog net_log_;
   MockClientSocketFactory socket_factory_;
   StaticSocketDataProvider socket_data_;
+  TransportSecurityState transport_security_state_;
   QuicClientSession session_;
   MockClock clock_;
   MockRandom random_;
@@ -172,18 +177,15 @@ TEST_P(QuicClientSessionTest, GoAwayReceived) {
   EXPECT_EQ(NULL, session_.CreateOutgoingDataStream());
 }
 
-// TODO(rch): re-enable this.
-TEST_P(QuicClientSessionTest, DISABLED_CanPool) {
+TEST_P(QuicClientSessionTest, CanPool) {
   // Load a cert that is valid for:
   //   www.example.org
   //   mail.example.org
   //   www.example.com
-  base::FilePath certs_dir = GetTestCertsDirectory();
 
-  CertVerifyResult result;
   ProofVerifyDetailsChromium details;
   details.cert_verify_result.verified_cert =
-      ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
   ASSERT_TRUE(details.cert_verify_result.verified_cert);
 
   session_.OnProofVerifyDetailsAvailable(details);
@@ -196,18 +198,15 @@ TEST_P(QuicClientSessionTest, DISABLED_CanPool) {
   EXPECT_FALSE(session_.CanPool("mail.google.com"));
 }
 
-// TODO(rch): re-enable this.
-TEST_P(QuicClientSessionTest, DISABLED_ConnectionPooledWithTlsChannelId) {
+TEST_P(QuicClientSessionTest, ConnectionPooledWithTlsChannelId) {
   // Load a cert that is valid for:
   //   www.example.org
   //   mail.example.org
   //   www.example.com
-  base::FilePath certs_dir = GetTestCertsDirectory();
 
-  CertVerifyResult result;
   ProofVerifyDetailsChromium details;
   details.cert_verify_result.verified_cert =
-      ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
   ASSERT_TRUE(details.cert_verify_result.verified_cert);
 
   session_.OnProofVerifyDetailsAvailable(details);
@@ -220,6 +219,51 @@ TEST_P(QuicClientSessionTest, DISABLED_ConnectionPooledWithTlsChannelId) {
   EXPECT_FALSE(session_.CanPool("mail.google.com"));
 }
 
+TEST_P(QuicClientSessionTest, ConnectionNotPooledWithDifferentPin) {
+  uint8 primary_pin = 1;
+  uint8 backup_pin = 2;
+  uint8 bad_pin = 3;
+  AddPin(&transport_security_state_, "mail.example.org", primary_pin,
+         backup_pin);
+
+  ProofVerifyDetailsChromium details;
+  details.cert_verify_result.verified_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  details.cert_verify_result.is_issued_by_known_root = true;
+  details.cert_verify_result.public_key_hashes.push_back(
+      GetTestHashValue(bad_pin));
+
+  ASSERT_TRUE(details.cert_verify_result.verified_cert);
+
+  session_.OnProofVerifyDetailsAvailable(details);
+  CompleteCryptoHandshake();
+  QuicClientSessionPeer::SetChannelIDSent(&session_, true);
+
+  EXPECT_FALSE(session_.CanPool("mail.example.org"));
+}
+
+TEST_P(QuicClientSessionTest, ConnectionPooledWithMatchingPin) {
+  uint8 primary_pin = 1;
+  uint8 backup_pin = 2;
+  AddPin(&transport_security_state_, "mail.example.org", primary_pin,
+         backup_pin);
+
+  ProofVerifyDetailsChromium details;
+  details.cert_verify_result.verified_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  details.cert_verify_result.is_issued_by_known_root = true;
+  details.cert_verify_result.public_key_hashes.push_back(
+      GetTestHashValue(primary_pin));
+
+  ASSERT_TRUE(details.cert_verify_result.verified_cert);
+
+  session_.OnProofVerifyDetailsAvailable(details);
+  CompleteCryptoHandshake();
+  QuicClientSessionPeer::SetChannelIDSent(&session_, true);
+
+  EXPECT_TRUE(session_.CanPool("mail.example.org"));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace net