net: replace DnsRRResoler with TransportSecurityState in plumbing.

The DnsRRResoler has served its time and I don't have any further plans for it. The TransportSecurityState will be used (in a future CL) to enforce public key pinning at certificate verification time. Currently we only enforce it in url_request_http_job.cc which means that we've already sent the HTTP request (inc cookies) by the time we catch the problem. This was expeditious while we fixed some other issues, but it's time to fix it. BUG=none TEST=compiles Review URL: http://codereview.chromium.org/8692012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@113410 0039d316-1c4b-4281-b951-d872f2087c98
cbchan · Dec 7, 2011 · a2a4197 · a2a4197
1 parent 6e5ad86
commit a2a4197
Show file tree

Hide file tree

Showing 26 changed files with 49 additions and 125 deletions.
diff --git a/chrome/browser/io_thread.cc b/chrome/browser/io_thread.cc
@@ -256,7 +256,8 @@ ConstructProxyScriptFetcherContext(IOThread::Globals* globals,
   context->set_net_log(net_log);
   context->set_host_resolver(globals->host_resolver.get());
   context->set_cert_verifier(globals->cert_verifier.get());
-  context->set_dnsrr_resolver(globals->dnsrr_resolver.get());
+  context->set_transport_security_state(
+      globals->transport_security_state.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->proxy_script_fetcher_proxy_service.get());
@@ -282,7 +283,8 @@ ConstructSystemRequestContext(IOThread::Globals* globals,
   context->set_net_log(net_log);
   context->set_host_resolver(globals->host_resolver.get());
   context->set_cert_verifier(globals->cert_verifier.get());
-  context->set_dnsrr_resolver(globals->dnsrr_resolver.get());
+  context->set_transport_security_state(
+      globals->transport_security_state.get());
   context->set_http_auth_handler_factory(
       globals->http_auth_handler_factory.get());
   context->set_proxy_service(globals->system_proxy_service.get());
@@ -446,6 +448,7 @@ void IOThread::Init() {
       CreateGlobalHostResolver(net_log_));
   globals_->cert_verifier.reset(new net::CertVerifier);
   globals_->dnsrr_resolver.reset(new net::DnsRRResolver);
+  globals_->transport_security_state.reset(new net::TransportSecurityState(""));
   globals_->ssl_config_service = GetSSLConfigService();
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
@@ -464,6 +467,8 @@ void IOThread::Init() {
   session_params.cert_verifier = globals_->cert_verifier.get();
   session_params.origin_bound_cert_service =
       globals_->system_origin_bound_cert_service.get();
+  session_params.transport_security_state =
+      globals_->transport_security_state.get();
   session_params.proxy_service =
       globals_->proxy_script_fetcher_proxy_service.get();
   session_params.http_auth_handler_factory =
@@ -656,7 +661,8 @@ void IOThread::InitSystemRequestContextOnIOThread() {
   system_params.cert_verifier = globals_->cert_verifier.get();
   system_params.origin_bound_cert_service =
       globals_->system_origin_bound_cert_service.get();
-  system_params.dnsrr_resolver = globals_->dnsrr_resolver.get();
+  system_params.transport_security_state =
+      globals_->transport_security_state.get();
   system_params.dns_cert_checker = NULL;
   system_params.ssl_host_info_factory = NULL;
   system_params.proxy_service = globals_->system_proxy_service.get();

diff --git a/chrome/browser/io_thread.h b/chrome/browser/io_thread.h
@@ -41,6 +41,7 @@ class ProxyConfigService;
 class ProxyService;
 class SdchManager;
 class SSLConfigService;
+class TransportSecurityState;
 class URLRequestContext;
 class URLRequestContextGetter;
 class URLSecurityManager;
@@ -65,6 +66,10 @@ class IOThread : public content::BrowserThreadDelegate {
     scoped_ptr<net::NetworkDelegate> system_network_delegate;
     scoped_ptr<net::HostResolver> host_resolver;
     scoped_ptr<net::CertVerifier> cert_verifier;
+    // This TransportSecurityState doesn't load or save any state. It's only
+    // used to enforce pinning for system requests and will only use built-in
+    // pins.
+    scoped_ptr<net::TransportSecurityState> transport_security_state;
     scoped_ptr<net::DnsRRResolver> dnsrr_resolver;
     scoped_refptr<net::SSLConfigService> ssl_config_service;
     scoped_ptr<net::HttpAuthHandlerFactory> http_auth_handler_factory;

diff --git a/chrome/browser/net/connection_tester.cc b/chrome/browser/net/connection_tester.cc
@@ -16,7 +16,6 @@
 #include "chrome/common/chrome_switches.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/host_resolver.h"
 #include "net/base/host_resolver_impl.h"
 #include "net/base/io_buffer.h"
@@ -72,7 +71,6 @@ class ExperimentURLRequestContext : public net::URLRequestContext {
     // The rest of the dependencies are standard, and don't depend on the
     // experiment being run.
     storage_.set_cert_verifier(new net::CertVerifier);
-    storage_.set_dnsrr_resolver(new net::DnsRRResolver);
     storage_.set_ftp_transaction_factory(
         new net::FtpNetworkLayer(host_resolver()));
     storage_.set_ssl_config_service(new net::SSLConfigServiceDefaults);
@@ -82,7 +80,6 @@ class ExperimentURLRequestContext : public net::URLRequestContext {
 
     net::HttpNetworkSession::Params session_params;
     session_params.host_resolver = host_resolver();
-    session_params.dnsrr_resolver = dnsrr_resolver();
     session_params.cert_verifier = cert_verifier();
     session_params.proxy_service = proxy_service();
     session_params.http_auth_handler_factory = http_auth_handler_factory();

diff --git a/chrome/browser/net/connection_tester_unittest.cc b/chrome/browser/net/connection_tester_unittest.cc
@@ -8,7 +8,6 @@
 #include "content/test/test_browser_thread.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/mock_host_resolver.h"
 #include "net/base/ssl_config_service_defaults.h"
 #include "net/ftp/ftp_network_layer.h"
@@ -108,7 +107,6 @@ class ConnectionTesterTest : public PlatformTest {
   ConnectionTesterDelegate test_delegate_;
   net::MockHostResolver host_resolver_;
   net::CertVerifier cert_verifier_;
-  net::DnsRRResolver dnsrr_resolver_;
   scoped_ptr<net::ProxyService> proxy_service_;
   scoped_refptr<net::SSLConfigService> ssl_config_service_;
   scoped_ptr<net::HttpTransactionFactory> http_transaction_factory_;
@@ -120,7 +118,6 @@ class ConnectionTesterTest : public PlatformTest {
   void InitializeRequestContext() {
     proxy_script_fetcher_context_->set_host_resolver(&host_resolver_);
     proxy_script_fetcher_context_->set_cert_verifier(&cert_verifier_);
-    proxy_script_fetcher_context_->set_dnsrr_resolver(&dnsrr_resolver_);
     proxy_script_fetcher_context_->set_http_auth_handler_factory(
         &http_auth_handler_factory_);
     proxy_service_.reset(net::ProxyService::CreateDirect());
@@ -129,7 +126,6 @@ class ConnectionTesterTest : public PlatformTest {
     net::HttpNetworkSession::Params session_params;
     session_params.host_resolver = &host_resolver_;
     session_params.cert_verifier = &cert_verifier_;
-    session_params.dnsrr_resolver = &dnsrr_resolver_;
     session_params.http_auth_handler_factory = &http_auth_handler_factory_;
     session_params.ssl_config_service = ssl_config_service_;
     session_params.proxy_service = proxy_service_.get();

diff --git a/chrome/browser/profiles/off_the_record_profile_io_data.cc b/chrome/browser/profiles/off_the_record_profile_io_data.cc
@@ -161,8 +161,6 @@ void OffTheRecordProfileIOData::LazyInitializeInternal(
       io_thread_globals->host_resolver.get());
   main_context->set_cert_verifier(
       io_thread_globals->cert_verifier.get());
-  main_context->set_dnsrr_resolver(
-      io_thread_globals->dnsrr_resolver.get());
   main_context->set_http_auth_handler_factory(
       io_thread_globals->http_auth_handler_factory.get());
   main_context->set_dns_cert_checker(dns_cert_checker());
@@ -200,7 +198,7 @@ void OffTheRecordProfileIOData::LazyInitializeInternal(
       new net::HttpCache(main_context->host_resolver(),
                          main_context->cert_verifier(),
                          main_context->origin_bound_cert_service(),
-                         main_context->dnsrr_resolver(),
+                         main_context->transport_security_state(),
                          main_context->dns_cert_checker(),
                          main_context->proxy_service(),
                          main_context->ssl_config_service(),

diff --git a/chrome/browser/profiles/profile_impl_io_data.cc b/chrome/browser/profiles/profile_impl_io_data.cc
@@ -285,10 +285,6 @@ void ProfileImplIOData::LazyInitializeInternal(
       io_thread_globals->cert_verifier.get());
   media_request_context_->set_cert_verifier(
       io_thread_globals->cert_verifier.get());
-  main_context->set_dnsrr_resolver(
-      io_thread_globals->dnsrr_resolver.get());
-  media_request_context_->set_dnsrr_resolver(
-      io_thread_globals->dnsrr_resolver.get());
   main_context->set_http_auth_handler_factory(
       io_thread_globals->http_auth_handler_factory.get());
   media_request_context_->set_http_auth_handler_factory(
@@ -373,7 +369,7 @@ void ProfileImplIOData::LazyInitializeInternal(
       main_context->host_resolver(),
       main_context->cert_verifier(),
       main_context->origin_bound_cert_service(),
-      main_context->dnsrr_resolver(),
+      main_context->transport_security_state(),
       main_context->dns_cert_checker(),
       main_context->proxy_service(),
       main_context->ssl_config_service(),

diff --git a/chrome/service/net/service_url_request_context.cc b/chrome/service/net/service_url_request_context.cc
@@ -16,7 +16,6 @@
 #include "chrome/service/service_process.h"
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/host_resolver.h"
 #include "net/base/ssl_config_service_defaults.h"
 #include "net/ftp/ftp_network_layer.h"
@@ -117,7 +116,6 @@ ServiceURLRequestContext::ServiceURLRequestContext(
   storage_.set_proxy_service(net::ProxyService::CreateUsingSystemProxyResolver(
       net_proxy_config_service, 0u, NULL));
   storage_.set_cert_verifier(new net::CertVerifier);
-  storage_.set_dnsrr_resolver(new net::DnsRRResolver);
   storage_.set_ftp_transaction_factory(
       new net::FtpNetworkLayer(host_resolver()));
   storage_.set_ssl_config_service(new net::SSLConfigServiceDefaults);
@@ -128,7 +126,6 @@ ServiceURLRequestContext::ServiceURLRequestContext(
   net::HttpNetworkSession::Params session_params;
   session_params.host_resolver = host_resolver();
   session_params.cert_verifier = cert_verifier();
-  session_params.dnsrr_resolver = dnsrr_resolver();
   session_params.proxy_service = proxy_service();
   session_params.ssl_config_service = ssl_config_service();
   session_params.http_auth_handler_factory = http_auth_handler_factory();

diff --git a/content/shell/shell_url_request_context_getter.cc b/content/shell/shell_url_request_context_getter.cc
@@ -10,7 +10,6 @@
 #include "net/base/cert_verifier.h"
 #include "net/base/cookie_monster.h"
 #include "net/base/default_origin_bound_cert_store.h"
-#include "net/base/dnsrr_resolver.h"
 #include "net/base/host_resolver.h"
 #include "net/base/origin_bound_cert_service.h"
 #include "net/base/ssl_config_service_defaults.h"
@@ -77,13 +76,11 @@ net::URLRequestContext* ShellURLRequestContextGetter::GetURLRequestContext() {
             BrowserThread::GetMessageLoopProxyForThread(
                 BrowserThread::CACHE));
 
-    storage_->set_dnsrr_resolver(new net::DnsRRResolver());
-
     net::HttpCache* main_cache = new net::HttpCache(
         url_request_context_->host_resolver(),
         url_request_context_->cert_verifier(),
         url_request_context_->origin_bound_cert_service(),
-        url_request_context_->dnsrr_resolver(),
+        NULL, //tranport_security_state
         NULL, //dns_cert_checker
         url_request_context_->proxy_service(),
         url_request_context_->ssl_config_service(),

diff --git a/jingle/notifier/base/proxy_resolving_client_socket.cc b/jingle/notifier/base/proxy_resolving_client_socket.cc
@@ -48,7 +48,8 @@ ProxyResolvingClientSocket::ProxyResolvingClientSocket(
   session_params.cert_verifier = request_context->cert_verifier();
   // TODO(rkn): This is NULL because OriginBoundCertService is not thread safe.
   session_params.origin_bound_cert_service = NULL;
-  session_params.dnsrr_resolver = request_context->dnsrr_resolver();
+  // transport_security_state is NULL because it's not thread safe.
+  session_params.transport_security_state = NULL;
   session_params.dns_cert_checker = request_context->dns_cert_checker();
   session_params.proxy_service = request_context->proxy_service();
   session_params.ssl_host_info_factory = NULL;

diff --git a/net/http/disk_cache_based_ssl_host_info_unittest.cc b/net/http/disk_cache_based_ssl_host_info_unittest.cc
@@ -5,6 +5,7 @@
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/compiler_specific.h"
+#include "base/message_loop.h"
 #include "net/base/net_errors.h"
 #include "net/base/ssl_config_service.h"
 #include "net/http/disk_cache_based_ssl_host_info.h"

diff --git a/net/http/http_cache.cc b/net/http/http_cache.cc
@@ -45,7 +45,7 @@ HttpNetworkSession* CreateNetworkSession(
     HostResolver* host_resolver,
     CertVerifier* cert_verifier,
     OriginBoundCertService* origin_bound_cert_service,
-    DnsRRResolver* dnsrr_resolver,
+    TransportSecurityState* transport_security_state,
     DnsCertProvenanceChecker* dns_cert_checker,
     ProxyService* proxy_service,
     SSLHostInfoFactory* ssl_host_info_factory,
@@ -58,7 +58,7 @@ HttpNetworkSession* CreateNetworkSession(
   params.host_resolver = host_resolver;
   params.cert_verifier = cert_verifier;
   params.origin_bound_cert_service = origin_bound_cert_service;
-  params.dnsrr_resolver = dnsrr_resolver;
+  params.transport_security_state = transport_security_state;
   params.dns_cert_checker = dns_cert_checker;
   params.proxy_service = proxy_service;
   params.ssl_host_info_factory = ssl_host_info_factory;
@@ -318,7 +318,7 @@ class HttpCache::SSLHostInfoFactoryAdaptor : public SSLHostInfoFactory {
 HttpCache::HttpCache(HostResolver* host_resolver,
                      CertVerifier* cert_verifier,
                      OriginBoundCertService* origin_bound_cert_service,
-                     DnsRRResolver* dnsrr_resolver,
+                     TransportSecurityState* transport_security_state,
                      DnsCertProvenanceChecker* dns_cert_checker_,
                      ProxyService* proxy_service,
                      SSLConfigService* ssl_config_service,
@@ -340,7 +340,7 @@ HttpCache::HttpCache(HostResolver* host_resolver,
                   host_resolver,
                   cert_verifier,
                   origin_bound_cert_service,
-                  dnsrr_resolver,
+                  transport_security_state,
                   dns_cert_checker_,
                   proxy_service,
                   ssl_host_info_factory_.get(),

diff --git a/net/http/http_cache.h b/net/http/http_cache.h
@@ -44,11 +44,9 @@ namespace net {
 
 class CertVerifier;
 class DnsCertProvenanceChecker;
-class DnsRRResolver;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpNetworkSession;
-struct HttpRequestInfo;
 class HttpResponseInfo;
 class HttpServerProperties;
 class IOBuffer;
@@ -57,7 +55,9 @@ class NetworkDelegate;
 class OriginBoundCertService;
 class ProxyService;
 class SSLConfigService;
+class TransportSecurityState;
 class ViewCacheHelper;
+struct HttpRequestInfo;
 
 class NET_EXPORT HttpCache : public HttpTransactionFactory,
                              public base::SupportsWeakPtr<HttpCache>,
@@ -123,7 +123,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory,
   HttpCache(HostResolver* host_resolver,
             CertVerifier* cert_verifier,
             OriginBoundCertService* origin_bound_cert_service,
-            DnsRRResolver* dnsrr_resolver,
+            TransportSecurityState* transport_security_state,
             DnsCertProvenanceChecker* dns_cert_checker,
             ProxyService* proxy_service,
             SSLConfigService* ssl_config_service,

diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc
@@ -40,7 +40,7 @@ HttpNetworkSession::HttpNetworkSession(const Params& params)
               params.host_resolver,
               params.cert_verifier,
               params.origin_bound_cert_service,
-              params.dnsrr_resolver,
+              params.transport_security_state,
               params.dns_cert_checker,
               params.ssl_host_info_factory,
               params.proxy_service,

diff --git a/net/http/http_network_session.h b/net/http/http_network_session.h
@@ -28,7 +28,6 @@ namespace net {
 class CertVerifier;
 class ClientSocketFactory;
 class DnsCertProvenanceChecker;
-class DnsRRResolver;
 class HostResolver;
 class HttpAuthHandlerFactory;
 class HttpNetworkSessionPeer;
@@ -44,6 +43,7 @@ class SSLClientSocketPool;
 class SSLConfigService;
 class SSLHostInfoFactory;
 class TransportClientSocketPool;
+class TransportSecurityState;
 
 // This class holds session objects used by HttpNetworkTransaction objects.
 class NET_EXPORT HttpNetworkSession
@@ -56,7 +56,7 @@ class NET_EXPORT HttpNetworkSession
           host_resolver(NULL),
           cert_verifier(NULL),
           origin_bound_cert_service(NULL),
-          dnsrr_resolver(NULL),
+          transport_security_state(NULL),
           dns_cert_checker(NULL),
           proxy_service(NULL),
           ssl_host_info_factory(NULL),
@@ -70,7 +70,7 @@ class NET_EXPORT HttpNetworkSession
     HostResolver* host_resolver;
     CertVerifier* cert_verifier;
     OriginBoundCertService* origin_bound_cert_service;
-    DnsRRResolver* dnsrr_resolver;
+    TransportSecurityState* transport_security_state;
     DnsCertProvenanceChecker* dns_cert_checker;
     ProxyService* proxy_service;
     SSLHostInfoFactory* ssl_host_info_factory;

diff --git a/net/socket/client_socket_pool_manager_impl.cc b/net/socket/client_socket_pool_manager_impl.cc
@@ -38,7 +38,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
     HostResolver* host_resolver,
     CertVerifier* cert_verifier,
     OriginBoundCertService* origin_bound_cert_service,
-    DnsRRResolver* dnsrr_resolver,
+    TransportSecurityState* transport_security_state,
     DnsCertProvenanceChecker* dns_cert_checker,
     SSLHostInfoFactory* ssl_host_info_factory,
     ProxyService* proxy_service,
@@ -48,7 +48,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
       host_resolver_(host_resolver),
       cert_verifier_(cert_verifier),
       origin_bound_cert_service_(origin_bound_cert_service),
-      dnsrr_resolver_(dnsrr_resolver),
+      transport_security_state_(transport_security_state),
       dns_cert_checker_(dns_cert_checker),
       ssl_host_info_factory_(ssl_host_info_factory),
       proxy_service_(proxy_service),
@@ -67,7 +67,7 @@ ClientSocketPoolManagerImpl::ClientSocketPoolManagerImpl(
           host_resolver,
           cert_verifier,
           origin_bound_cert_service,
-          dnsrr_resolver,
+          transport_security_state,
           dns_cert_checker,
           ssl_host_info_factory,
           socket_factory,
@@ -287,7 +287,7 @@ ClientSocketPoolManagerImpl::GetSocketPoolForHTTPProxy(
                   host_resolver_,
                   cert_verifier_,
                   origin_bound_cert_service_,
-                  dnsrr_resolver_,
+                  transport_security_state_,
                   dns_cert_checker_,
                   ssl_host_info_factory_,
                   socket_factory_,
@@ -326,7 +326,7 @@ SSLClientSocketPool* ClientSocketPoolManagerImpl::GetSocketPoolForSSLWithProxy(
       host_resolver_,
       cert_verifier_,
       origin_bound_cert_service_,
-      dnsrr_resolver_,
+      transport_security_state_,
       dns_cert_checker_,
       ssl_host_info_factory_,
       socket_factory_,