diff options
Diffstat (limited to 'net/spdy')
| -rw-r--r-- | net/spdy/spdy_session.cc | 55 | ||||
| -rw-r--r-- | net/spdy/spdy_session.h | 11 | ||||
| -rw-r--r-- | net/spdy/spdy_session_pool.cc | 3 | ||||
| -rw-r--r-- | net/spdy/spdy_session_pool.h | 4 | ||||
| -rw-r--r-- | net/spdy/spdy_session_unittest.cc | 110 | ||||
| -rw-r--r-- | net/spdy/spdy_test_utils.cc | 33 | ||||
| -rw-r--r-- | net/spdy/spdy_test_utils.h | 18 |
7 files changed, 219 insertions, 15 deletions
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc index 64e2c04..51c6ee7 100644 --- a/net/spdy/spdy_session.cc +++ b/net/spdy/spdy_session.cc @@ -29,10 +29,12 @@ #include "net/base/net_log.h" #include "net/base/net_util.h" #include "net/cert/asn1_util.h" +#include "net/cert/cert_verify_result.h" #include "net/http/http_log_util.h" #include "net/http/http_network_session.h" #include "net/http/http_server_properties.h" #include "net/http/http_util.h" +#include "net/http/transport_security_state.h" #include "net/spdy/spdy_buffer_producer.h" #include "net/spdy/spdy_frame_builder.h" #include "net/spdy/spdy_http_utils.h" @@ -529,9 +531,47 @@ SpdySession::PushedStreamInfo::PushedStreamInfo( SpdySession::PushedStreamInfo::~PushedStreamInfo() {} +// static +bool SpdySession::CanPool(TransportSecurityState* transport_security_state, + const SSLInfo& ssl_info, + const std::string& old_hostname, + const std::string& new_hostname) { + // Pooling is prohibited if the server cert is not valid for the new domain, + // and for connections on which client certs were sent. It is also prohibited + // when channel ID was sent if the hosts are from different eTLDs+1. + if (IsCertStatusError(ssl_info.cert_status)) + return false; + + if (ssl_info.client_cert_sent) + return false; + + if (ssl_info.channel_id_sent && + ChannelIDService::GetDomainForHost(new_hostname) != + ChannelIDService::GetDomainForHost(old_hostname)) { + return false; + } + + bool unused = false; + if (!ssl_info.cert->VerifyNameMatch(new_hostname, &unused)) + return false; + + std::string pinning_failure_log; + if (!transport_security_state->CheckPublicKeyPins( + new_hostname, + true, /* sni_available */ + ssl_info.is_issued_by_known_root, + ssl_info.public_key_hashes, + &pinning_failure_log)) { + return false; + } + + return true; +} + SpdySession::SpdySession( const SpdySessionKey& spdy_session_key, const base::WeakPtr<HttpServerProperties>& http_server_properties, + TransportSecurityState* transport_security_state, bool verify_domain_authentication, bool enable_sending_initial_data, bool enable_compression, @@ -547,6 +587,7 @@ SpdySession::SpdySession( spdy_session_key_(spdy_session_key), pool_(NULL), http_server_properties_(http_server_properties), + transport_security_state_(transport_security_state), read_buffer_(new IOBuffer(kReadBufferSize)), stream_hi_water_mark_(kFirstStreamId), num_pushed_streams_(0u), @@ -714,18 +755,8 @@ bool SpdySession::VerifyDomainAuthentication(const std::string& domain) { if (!GetSSLInfo(&ssl_info, &was_npn_negotiated, &protocol_negotiated)) return true; // This is not a secure session, so all domains are okay. - // Disable pooling for secure sessions. - // TODO(rch): re-enable this. - return false; -#if 0 - bool unused = false; - return - !ssl_info.client_cert_sent && - (!ssl_info.channel_id_sent || - (ChannelIDService::GetDomainForHost(domain) == - ChannelIDService::GetDomainForHost(host_port_pair().host()))) && - ssl_info.cert->VerifyNameMatch(domain, &unused); -#endif + return CanPool(transport_security_state_, ssl_info, + host_port_pair().host(), domain); } int SpdySession::GetPushStream( diff --git a/net/spdy/spdy_session.h b/net/spdy/spdy_session.h index 4037e03..d2da863 100644 --- a/net/spdy/spdy_session.h +++ b/net/spdy/spdy_session.h @@ -70,6 +70,7 @@ class BoundNetLog; struct LoadTimingInfo; class SpdyStream; class SSLInfo; +class TransportSecurityState; // NOTE: There's an enum of the same name (also with numeric suffixes) // in histograms.xml. Be sure to add new values there also. @@ -222,6 +223,13 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, FLOW_CONTROL_STREAM_AND_SESSION }; + // Returns true if |hostname| can be pooled into an existing connection + // associated with |ssl_info|. + static bool CanPool(TransportSecurityState* transport_security_state, + const SSLInfo& ssl_info, + const std::string& old_hostname, + const std::string& new_hostname); + // Create a new SpdySession. // |spdy_session_key| is the host/port that this session connects to, privacy // and proxy configuration settings that it's using. @@ -229,6 +237,7 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, // network events to. SpdySession(const SpdySessionKey& spdy_session_key, const base::WeakPtr<HttpServerProperties>& http_server_properties, + TransportSecurityState* transport_security_state, bool verify_domain_authentication, bool enable_sending_initial_data, bool enable_compression, @@ -963,6 +972,8 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface, SpdySessionPool* pool_; const base::WeakPtr<HttpServerProperties> http_server_properties_; + TransportSecurityState* transport_security_state_; + // The socket handle for this session. scoped_ptr<ClientSocketHandle> connection_; diff --git a/net/spdy/spdy_session_pool.cc b/net/spdy/spdy_session_pool.cc index 189c945..d839785 100644 --- a/net/spdy/spdy_session_pool.cc +++ b/net/spdy/spdy_session_pool.cc @@ -31,6 +31,7 @@ SpdySessionPool::SpdySessionPool( HostResolver* resolver, SSLConfigService* ssl_config_service, const base::WeakPtr<HttpServerProperties>& http_server_properties, + TransportSecurityState* transport_security_state, bool force_single_domain, bool enable_compression, bool enable_ping_based_connection_checking, @@ -41,6 +42,7 @@ SpdySessionPool::SpdySessionPool( SpdySessionPool::TimeFunc time_func, const std::string& trusted_spdy_proxy) : http_server_properties_(http_server_properties), + transport_security_state_(transport_security_state), ssl_config_service_(ssl_config_service), resolver_(resolver), verify_domain_authentication_(true), @@ -98,6 +100,7 @@ base::WeakPtr<SpdySession> SpdySessionPool::CreateAvailableSessionFromSocket( scoped_ptr<SpdySession> new_session( new SpdySession(key, http_server_properties_, + transport_security_state_, verify_domain_authentication_, enable_sending_initial_data_, enable_compression_, diff --git a/net/spdy/spdy_session_pool.h b/net/spdy/spdy_session_pool.h index 0fad5d2..2fbb030 100644 --- a/net/spdy/spdy_session_pool.h +++ b/net/spdy/spdy_session_pool.h @@ -34,6 +34,7 @@ class ClientSocketHandle; class HostResolver; class HttpServerProperties; class SpdySession; +class TransportSecurityState; // This is a very simple pool for open SpdySessions. class NET_EXPORT SpdySessionPool @@ -50,6 +51,7 @@ class NET_EXPORT SpdySessionPool HostResolver* host_resolver, SSLConfigService* ssl_config_service, const base::WeakPtr<HttpServerProperties>& http_server_properties, + TransportSecurityState* transport_security_state, bool force_single_domain, bool enable_compression, bool enable_ping_based_connection_checking, @@ -191,6 +193,8 @@ class NET_EXPORT SpdySessionPool const base::WeakPtr<HttpServerProperties> http_server_properties_; + TransportSecurityState* transport_security_state_; + // The set of all sessions. This is a superset of the sessions in // |available_sessions_|. // diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc index 1fa5f2e..8194fe7 100644 --- a/net/spdy/spdy_session_unittest.cc +++ b/net/spdy/spdy_session_unittest.cc @@ -4,6 +4,7 @@ #include "net/spdy/spdy_session.h" +#include "base/base64.h" #include "base/bind.h" #include "base/callback.h" #include "base/memory/scoped_ptr.h" @@ -2375,7 +2376,7 @@ TEST_P(SpdySessionTest, CloseActivatedStreamThatClosesSession) { EXPECT_TRUE(session == NULL); } -TEST_P(SpdySessionTest, DISABLED_VerifyDomainAuthentication) { +TEST_P(SpdySessionTest, VerifyDomainAuthentication) { session_deps_.host_resolver->set_synchronous_mode(true); MockConnect connect_data(SYNCHRONOUS, OK); @@ -2417,8 +2418,7 @@ TEST_P(SpdySessionTest, DISABLED_VerifyDomainAuthentication) { EXPECT_FALSE(session->VerifyDomainAuthentication("mail.google.com")); } -// TODO(rch): re-enable this. -TEST_P(SpdySessionTest, DISABLED_ConnectionPooledWithTlsChannelId) { +TEST_P(SpdySessionTest, ConnectionPooledWithTlsChannelId) { session_deps_.host_resolver->set_synchronous_mode(true); MockConnect connect_data(SYNCHRONOUS, OK); @@ -5001,4 +5001,108 @@ TEST(MapNetErrorToGoAwayStatus, MapsValue) { CHECK_EQ(GOAWAY_PROTOCOL_ERROR, MapNetErrorToGoAwayStatus(ERR_UNEXPECTED)); } +TEST(CanPoolTest, CanPool) { + // Load a cert that is valid for: + // www.example.org + // mail.example.org + // www.example.com + + TransportSecurityState tss; + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + + EXPECT_TRUE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "www.example.org")); + EXPECT_TRUE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); + EXPECT_TRUE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.com")); + EXPECT_FALSE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.google.com")); +} + +TEST(CanPoolTest, CanNotPoolWithCertErrors) { + // Load a cert that is valid for: + // www.example.org + // mail.example.org + // www.example.com + + TransportSecurityState tss; + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + ssl_info.cert_status = CERT_STATUS_REVOKED; + + EXPECT_FALSE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); +} + +TEST(CanPoolTest, CanNotPoolWithClientCerts) { + // Load a cert that is valid for: + // www.example.org + // mail.example.org + // www.example.com + + TransportSecurityState tss; + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + ssl_info.client_cert_sent = true; + + EXPECT_FALSE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); +} + +TEST(CanPoolTest, CanNotPoolAcrossETLDsWithChannelID) { + // Load a cert that is valid for: + // www.example.org + // mail.example.org + // www.example.com + + TransportSecurityState tss; + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + ssl_info.channel_id_sent = true; + + EXPECT_TRUE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); + EXPECT_FALSE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "www.example.com")); +} + +TEST(CanPoolTest, CanNotPoolWithBadPins) { + uint8 primary_pin = 1; + uint8 backup_pin = 2; + uint8 bad_pin = 3; + TransportSecurityState tss; + test::AddPin(&tss, "mail.example.org", primary_pin, backup_pin); + + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + ssl_info.is_issued_by_known_root = true; + ssl_info.public_key_hashes.push_back(test::GetTestHashValue(bad_pin)); + + EXPECT_FALSE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); +} + +TEST(CanPoolTest, CanPoolWithAcceptablePins) { + uint8 primary_pin = 1; + uint8 backup_pin = 2; + TransportSecurityState tss; + test::AddPin(&tss, "mail.example.org", primary_pin, backup_pin); + + SSLInfo ssl_info; + ssl_info.cert = ImportCertFromFile(GetTestCertsDirectory(), + "spdy_pooling.pem"); + ssl_info.is_issued_by_known_root = true; + ssl_info.public_key_hashes.push_back(test::GetTestHashValue(primary_pin)); + + EXPECT_TRUE(SpdySession::CanPool( + &tss, ssl_info, "www.example.org", "mail.example.org")); +} + } // namespace net diff --git a/net/spdy/spdy_test_utils.cc b/net/spdy/spdy_test_utils.cc index e33a08b..7627abe 100644 --- a/net/spdy/spdy_test_utils.cc +++ b/net/spdy/spdy_test_utils.cc @@ -7,10 +7,13 @@ #include <cstring> #include <vector> +#include "base/base64.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/strings/string_number_conversions.h" #include "base/sys_byteorder.h" +#include "net/http/transport_security_state.h" +#include "net/ssl/ssl_info.h" #include "testing/gtest/include/gtest/gtest.h" namespace net { @@ -139,6 +142,36 @@ std::string a2b_hex(const char* hex_data) { return result; } +HashValue GetTestHashValue(uint8_t label) { + HashValue hash_value(HASH_VALUE_SHA256); + memset(hash_value.data(), label, hash_value.size()); + return hash_value; +} + +std::string GetTestPin(uint8_t label) { + HashValue hash_value = GetTestHashValue(label); + std::string base64; + base::Base64Encode(base::StringPiece( + reinterpret_cast<char*>(hash_value.data()), hash_value.size()), &base64); + + return std::string("pin-sha256=\"") + base64 + "\""; +} + +void AddPin(TransportSecurityState* state, + const std::string& host, + uint8_t primary_label, + uint8_t backup_label) { + std::string primary_pin = GetTestPin(primary_label); + std::string backup_pin = GetTestPin(backup_label); + std::string header = "max-age = 10000; " + primary_pin + "; " + backup_pin; + + // Construct a fake SSLInfo that will pass AddHPKPHeader's checks. + SSLInfo ssl_info; + ssl_info.is_issued_by_known_root = true; + ssl_info.public_key_hashes.push_back(GetTestHashValue(primary_label)); + EXPECT_TRUE(state->AddHPKPHeader(host, header, ssl_info)); +} + } // namespace test } // namespace net diff --git a/net/spdy/spdy_test_utils.h b/net/spdy/spdy_test_utils.h index 439311e..14bc8ef 100644 --- a/net/spdy/spdy_test_utils.h +++ b/net/spdy/spdy_test_utils.h @@ -5,12 +5,17 @@ #ifndef NET_SPDY_TEST_UTILS_H_ #define NET_SPDY_TEST_UTILS_H_ +#include <stdint.h> + #include <string> #include "net/spdy/spdy_protocol.h" namespace net { +class HashValue; +class TransportSecurityState; + namespace test { std::string HexDumpWithMarks(const unsigned char* data, int length, @@ -33,6 +38,19 @@ void SetFrameLength(SpdyFrame* frame, std::string a2b_hex(const char* hex_data); +// Returns a SHA1 HashValue in which each byte has the value |label|. +HashValue GetTestHashValue(uint8_t label); + +// Returns SHA1 pinning header for the of the base64 encoding of +// GetTestHashValue(|label|). +std::string GetTestPin(uint8_t label); + +// Adds a pin for |host| to |state|. +void AddPin(TransportSecurityState* state, + const std::string& host, + uint8_t primary_label, + uint8_t backup_label); + } // namespace test } // namespace net |