Make SSLClientSocketImpl pass in its NIK to TransportSecurityState.

When there's an Expect-CT failure, a new URLRequest will be created to report the failure, and that request needs to have a NetworkIsolationKey to prevent cross-site information leakage. Bug: 969893, 1082280 Change-Id: I5daa400fed87ce23f7a9b34121888f91b9249895 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2219091 Commit-Queue: Matt Menke <mmenke@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Cr-Commit-Position: refs/heads/master@{#773350}

Make SSLClientSocketImpl pass in its NIK to TransportSecurityState.
When there's an Expect-CT failure, a new URLRequest will be created to report the failure, and that request needs to have a NetworkIsolationKey to prevent cross-site information leakage. Bug: 969893, 1082280 Change-Id: I5daa400fed87ce23f7a9b34121888f91b9249895 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2219091 Commit-Queue: Matt Menke <mmenke@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Cr-Commit-Position: refs/heads/master@{#773350}
32ae142f · Matt Menke · Commit Bot · 1e20ab0a · 32ae142f · 32ae142f
Commit 32ae142f authored May 29, 2020 by Matt Menke Committed by Commit Bot May 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 8 deletions

net/socket/ssl_client_socket_impl.cc net/socket/ssl_client_socket_impl.cc +2 -1

net/socket/ssl_client_socket_unittest.cc net/socket/ssl_client_socket_unittest.cc +15 -7

No files found.
--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -1648,7 +1648,8 @@ int SSLClientSocketImpl::VerifyCT() {
          server_cert_verify_result_.verified_cert.get(), server_cert_.get(),
          ct_verify_result_.scts,
          TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
-          ct_verify_result_.policy_compliance, NetworkIsolationKey::Todo());
+          ct_verify_result_.policy_compliance,
+          ssl_config_.network_isolation_key);
  if (ct_requirement_status != TransportSecurityState::CT_NOT_REQUIRED) {
    ct_verify_result_.policy_compliance_required = true;
    if (server_cert_verify_result_.is_issued_by_known_root) {

--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -578,21 +578,25 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
    served_certificate_chain_ = served_certificate_chain;
    validated_certificate_chain_ = validated_certificate_chain;
    signed_certificate_timestamps_ = signed_certificate_timestamps;
+    network_isolation_key_ = network_isolation_key;
  }

-  const HostPortPair& host_port_pair() { return host_port_pair_; }
-  const GURL& report_uri() { return report_uri_; }
-  uint32_t num_failures() { return num_failures_; }
-  const X509Certificate* served_certificate_chain() {
+  const HostPortPair& host_port_pair() const { return host_port_pair_; }
+  const GURL& report_uri() const { return report_uri_; }
+  uint32_t num_failures() const { return num_failures_; }
+  const X509Certificate* served_certificate_chain() const {
    return served_certificate_chain_;
  }
-  const X509Certificate* validated_certificate_chain() {
+  const X509Certificate* validated_certificate_chain() const {
    return validated_certificate_chain_;
  }
-  const SignedCertificateTimestampAndStatusList&
-  signed_certificate_timestamps() {
+  const SignedCertificateTimestampAndStatusList& signed_certificate_timestamps()
+      const {
    return signed_certificate_timestamps_;
  }
+  const NetworkIsolationKey network_isolation_key() const {
+    return network_isolation_key_;
+  }

 private:
  HostPortPair host_port_pair_;
@@ -601,6 +605,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
  const X509Certificate* served_certificate_chain_;
  const X509Certificate* validated_certificate_chain_;
  SignedCertificateTimestampAndStatusList signed_certificate_timestamps_;
+  NetworkIsolationKey network_isolation_key_;
 };

 // A mock CTVerifier that records every call to Verify but doesn't verify
@@ -4432,6 +4437,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
          Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));

  SSLConfig ssl_config;
+  ssl_config.network_isolation_key = NetworkIsolationKey::CreateTransient();
  int rv;
  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
  SSLInfo ssl_info;
@@ -4448,6 +4454,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
            reporter.served_certificate_chain());
  EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain());
  EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size());
+  EXPECT_EQ(ssl_config.network_isolation_key, reporter.network_isolation_key());

  transport_security_state_->ClearReportCachesForTesting();
  EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
@@ -4467,6 +4474,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
            reporter.served_certificate_chain());
  EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain());
  EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size());
+  EXPECT_EQ(ssl_config.network_isolation_key, reporter.network_isolation_key());

  // If the connection is CT compliant, then there should be no socket error nor
  // a report.