Add TLS-SRP (RFC 5054) support

net/url_request/url_request_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <shlobj.h>
 #include <windows.h>
 #elif defined(USE_NSS)
 #include "base/nss_util.h"
+#include <sslproto.h>
 #endif
 
 #include <algorithm>
 #include <string>
 
 #include "base/file_util.h"
 #include "base/format_macros.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
 #include "base/process_util.h"
 #include "base/string_number_conversions.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/utf_string_conversions.h"
 #include "net/base/cookie_monster.h"
 #include "net/base/cookie_policy.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/net_log_unittest.h"
 #include "net/base/net_module.h"
 #include "net/base/net_util.h"
 #include "net/base/ssl_connection_status_flags.h"
+#include "net/base/cert_status_flags.h"
 #include "net/base/upload_data.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_cache.h"
 #include "net/http/http_network_layer.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
 #include "net/proxy/proxy_service.h"
 #include "net/test/test_server.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_file_dir_job.h"
 #include "net/url_request/url_request_http_job.h"
 #include "net/url_request/url_request_test_job.h"
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
 using base::Time;
 
 namespace {
 
 const string16 kChrome(ASCIIToUTF16("chrome"));
 const string16 kSecret(ASCIIToUTF16("secret"));
+const string16 kWrongSecret(ASCIIToUTF16("wrongsecret"));
 const string16 kUser(ASCIIToUTF16("user"));
+const string16 kWrongUser(ASCIIToUTF16("wronguser"));
 
 base::StringPiece TestNetResourceProvider(int key) {
   return "header";
 }
 
 // Do a case-insensitive search through |haystack| for |needle|.
 bool ContainsString(const std::string& haystack, const char* needle) {
   std::string::const_iterator it =
       std::search(haystack.begin(),
                   haystack.end(),
@@ skipping 36 matching lines @@
 
   // -1 means unknown.  0 means no encryption.
   EXPECT_GT(ssl_info.security_bits, 0);
 
   // The cipher suite TLS_NULL_WITH_NULL_NULL (0) must not be negotiated.
   int cipher_suite = net::SSLConnectionStatusToCipherSuite(
       ssl_info.connection_status);
   EXPECT_NE(0, cipher_suite);
 }
 
+// Verify that the AuthChallengeInfo for TLS-SRP has valid values.
+void CheckTLSAuthChallengeInfo(net::AuthChallengeInfo* login_request,
+                               GURL& request_url) {
+  EXPECT_EQ(WideToUTF8(login_request->host_and_port),
+            net::GetHostAndPort(request_url));
+  EXPECT_EQ(net::kTLSSRPScheme, WideToUTF8(login_request->scheme));
+  EXPECT_EQ("", WideToUTF8(login_request->realm));
+  EXPECT_EQ(net::AUTH_OVER_TLS, login_request->over_protocol);
+}
+
 }  // namespace
 
 // Inherit PlatformTest since we require the autorelease pool on Mac OS X.f
 class URLRequestTest : public PlatformTest {
  public:
   static void SetUpTestCase() {
     net::URLRequest::AllowFileAccess();
   }
 };
 
@@ skipping 290 matching lines @@
     on_certificate_requested_count_++;
     MessageLoop::current()->Quit();
   }
   int on_certificate_requested_count() {
     return on_certificate_requested_count_;
   }
  private:
   int on_certificate_requested_count_;
 };
 
+class HTTPSVClientSRPLoginTestDelegate : public TestDelegate {
+ public:
+  HTTPSVClientSRPLoginTestDelegate() :
+      on_tls_login_required_count_(0),
+      last_login_request_info_(NULL) {
+  }
+  virtual void OnTLSLoginRequired(
+      net::URLRequest* request,
+      net::AuthChallengeInfo* login_request_info) {
+    on_tls_login_required_count_++;
+    last_login_request_info_ = login_request_info;
+    MessageLoop::current()->Quit();
+  }
+  int on_tls_login_required_count() {
+    return on_tls_login_required_count_;
+  };
+  net::AuthChallengeInfo* last_login_request_info() {
+    return last_login_request_info_;
+  }
+ private:
+  int on_tls_login_required_count_;
+  net::AuthChallengeInfo* last_login_request_info_;
+};
+
 }  // namespace
 
 // TODO(davidben): Test the rest of the code. Specifically,
 // - Filtering which certificates to select.
 // - Sending a certificate back.
 // - Getting a certificate request in an SSL renegotiation sending the
 //   HTTP request.
 TEST_F(HTTPSRequestTest, ClientAuthTest) {
   net::TestServer::HTTPSOptions https_options;
   https_options.request_client_certificate = true;
@@ skipping 20 matching lines @@
     r.ContinueWithCertificate(NULL);
 
     MessageLoop::current()->Run();
 
     EXPECT_EQ(1, d.response_started_count());
     EXPECT_FALSE(d.received_data_before_response());
     EXPECT_NE(0, d.bytes_received());
   }
 }
 
+TEST_F(HTTPSRequestTest, HTTPSSRPLoginTest) {
+  bool only_tls_srp = false;
+  for (int i = 0; i < 2; i++, only_tls_srp = !only_tls_srp) {
+    net::TestServer::HTTPSOptions https_options;
+    https_options.use_tls_srp = true;
+    https_options.only_tls_srp = only_tls_srp;
+    net::TestServer test_server(https_options, FilePath());
+    ASSERT_TRUE(test_server.Start());
+
+    TestDelegate d;
+    {
+      TestURLRequest r(test_server.GetURL("tlslogininfo"), &d);
+      r.SetTLSLogin(kUser, kSecret);
+
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+
+      MessageLoop::current()->Run();
+
+      EXPECT_NE(0, d.bytes_received());
+      EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                  std::string::npos);
+      EXPECT_FALSE(d.received_data_before_response());
+    }
+  }
+}
+
+// Provide no TLS login credentials at first; wait to be prompted by the
+// server, and then provide them.
+TEST_F(HTTPSRequestTest, HTTPSSRPLoginContinueTest) {
+  bool only_tls_srp = false;
+  for (int i = 0; i < 2; i++, only_tls_srp = !only_tls_srp) {
+    net::TestServer::HTTPSOptions https_options;
+    https_options.use_tls_srp = true;
+    https_options.only_tls_srp = only_tls_srp;
+    net::TestServer test_server(https_options, FilePath());
+    ASSERT_TRUE(test_server.Start());
+
+    HTTPSVClientSRPLoginTestDelegate d;
+    {
+      GURL https_url = test_server.GetURL("tlslogininfo");
+      TestURLRequest r(https_url, &d);
+
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+      MessageLoop::current()->Run();
+      EXPECT_EQ(0, d.bytes_received());
+      EXPECT_FALSE(d.received_data_before_response());
+      EXPECT_EQ(1, d.on_tls_login_required_count());
+      CheckTLSAuthChallengeInfo(d.last_login_request_info(), https_url);
+
+      r.SetTLSLogin(kUser, kSecret);
+      r.ContinueWithTLSLogin();
+      MessageLoop::current()->Run();
+
+      EXPECT_NE(0, d.bytes_received());
+      EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                  std::string::npos);
+      EXPECT_FALSE(d.received_data_before_response());
+    }
+  }
+}
+
+// Open a connection to the same host using SSL certificate auth, and then open
+// a connection to the same host requesting TLS-SRP auth.
+// TODO(sqs): disabled - see todo below.
+//
+// TODO(sqs): This happens on, e.g., GnuTLS/mod_gnutls. If the Client Hello has
+// no "srp" extension but has SRP cipher suites, GnuTLS will choose a non-SRP
+// ciphersuite. Other implementations (OpenSSL, TLS Lite) will send
+// "unknown_psk_identity".
+TEST_F(HTTPSRequestTest, DISABLED_SSLCertThenWantUpgradeToSRP) {
+  net::TestServer::HTTPSOptions https_options;
+  https_options.use_tls_srp = true;
+  https_options.only_tls_srp = false;
+  net::TestServer test_server(https_options, FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  GURL https_url = test_server.GetURL("tlslogininfo");
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr("httpsv");
+  GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+  {
+    TestDelegate d_https;
+    d_https.set_allow_certificate_errors(true);
+    TestURLRequest r_https(https_url, &d_https);
+    // TODO(sqs): need to force this connection to use certificate auth. Right
+    // now, TLS Lite sends unknown_psk_identity if the client lists SRP cipher
+    // suites even if no srp username is sent in the client hello. One way to
+    // force this is to set all of the SRP cipher suites as disabled in the
+    // URLRequest's ssl_config, but it's not accessible (ssl_config is actually
+    // much deeper than URLRequest).
+
+    r_https.Start();
+    EXPECT_TRUE(r_https.is_pending());
+    MessageLoop::current()->Run();
+    EXPECT_EQ(1, d_https.response_started_count());
+    EXPECT_NE(0, d_https.bytes_received());
+    CheckSSLInfo(r_https.ssl_info());
+
+    HTTPSVClientSRPLoginTestDelegate d;
+    TestURLRequest r(httpsv_url, &d);
+    r.Start();
+    EXPECT_TRUE(r.is_pending());
+
+    MessageLoop::current()->Run();
+    EXPECT_EQ(0, d.bytes_received());
+    EXPECT_FALSE(d.received_data_before_response());
+    EXPECT_EQ(1, d.on_tls_login_required_count());
+    CheckTLSAuthChallengeInfo(d.last_login_request_info(), httpsv_url);
+
+    r.SetTLSLogin(kUser, kSecret);
+    r.ContinueWithTLSLogin();
+
+    MessageLoop::current()->Run();
+    EXPECT_NE(0, d.bytes_received());
+    EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                std::string::npos);
+    EXPECT_FALSE(d.received_data_before_response());
+  }
+}
+
+TEST_F(HTTPSRequestTest, TLSLoginCredentialsRemainCached) {
+  net::TestServer::HTTPSOptions https_options;
+  https_options.use_tls_srp = true;
+  net::TestServer test_server(https_options, FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  GURL https_url = test_server.GetURL("");
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr("httpsv");
+  GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+  GURL::Replacements replacements2;
+  replacements2.SetPathStr("tlslogininfo");
+  GURL https_url2 = https_url.ReplaceComponents(replacements2);
+
+  {
+    HTTPSVClientSRPLoginTestDelegate d;
+    TestURLRequest r(httpsv_url, &d);
+    r.Start();
+    EXPECT_TRUE(r.is_pending());
+
+    MessageLoop::current()->Run();
+    EXPECT_EQ(0, d.bytes_received());
+    EXPECT_FALSE(d.received_data_before_response());
+    EXPECT_EQ(1, d.on_tls_login_required_count());
+    CheckTLSAuthChallengeInfo(d.last_login_request_info(), httpsv_url);
+
+    r.SetTLSLogin(kUser, kSecret);
+    r.ContinueWithTLSLogin();
+
+    MessageLoop::current()->Run();
+    EXPECT_NE(0, d.bytes_received());
+    EXPECT_FALSE(d.received_data_before_response());
+
+    // Don't specify credentials for this request.
+    HTTPSVClientSRPLoginTestDelegate d2;
+    TestURLRequest r2(https_url2, &d2);
+    r2.Start();
+    EXPECT_TRUE(r2.is_pending());
+    MessageLoop::current()->Run();
+    EXPECT_NE(0, d2.bytes_received());
+    EXPECT_FALSE(d2.received_data_before_response());
+    LOG(INFO) << "GOT '" << d2.data_received() << "'";
+    EXPECT_TRUE(d2.data_received().find(UTF16ToUTF8(kUser)) !=
+                std::string::npos);
+  }
+}
+
+TEST_F(HTTPSRequestTest, HTTPSVLoginTest) {
+  bool only_tls_srp = false;
+  for (int i = 0; i < 2; i++, only_tls_srp = !only_tls_srp) {
+    net::TestServer::HTTPSOptions https_options;
+    https_options.use_tls_srp = true;
+    https_options.only_tls_srp = only_tls_srp;
+    net::TestServer test_server(https_options, FilePath());
+    ASSERT_TRUE(test_server.Start());
+
+    GURL https_url = test_server.GetURL("tlslogininfo");
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr("httpsv");
+    GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+    {
+      HTTPSVClientSRPLoginTestDelegate d;
+      TestURLRequest r(httpsv_url, &d);
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+
+      MessageLoop::current()->Run();
+      EXPECT_EQ(0, d.bytes_received());
+      EXPECT_FALSE(d.received_data_before_response());
+      EXPECT_EQ(1, d.on_tls_login_required_count());
+      CheckTLSAuthChallengeInfo(d.last_login_request_info(), httpsv_url);
+
+      r.SetTLSLogin(kUser, kSecret);
+      r.ContinueWithTLSLogin();
+
+      MessageLoop::current()->Run();
+      EXPECT_NE(0, d.bytes_received());
+      EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                  std::string::npos);
+      EXPECT_FALSE(d.received_data_before_response());
+    }
+  }
+}
+
+TEST_F(HTTPSRequestTest, HTTPSVSRPLoginWithCertTest) {
+  net::TestServer::HTTPSOptions https_options(
+      net::TestServer::HTTPSOptions::CERT_OK);
+  https_options.use_tls_srp = true;
+  net::TestServer test_server(https_options,
+                              FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  GURL https_url = test_server.GetURL("tlslogininfo");
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr("httpsv");
+  GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+  TestDelegate d;
+  {
+    TestURLRequest r(httpsv_url, &d);
+    r.SetTLSLogin(kUser, kSecret);
+
+    r.Start();
+    EXPECT_TRUE(r.is_pending());
+
+    MessageLoop::current()->Run();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_FALSE(d.received_data_before_response());
+    EXPECT_NE(0, d.bytes_received());
+    CheckSSLInfo(r.ssl_info());
+    EXPECT_FALSE(net::IsCertStatusError(r.ssl_info().cert_status));
+    EXPECT_TRUE(r.ssl_info().cert.get());
+    EXPECT_EQ(kUser, r.ssl_info().tls_username);
+    EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                std::string::npos);
+  }
+}
+
+// Check that we still validate certs on SRP cipher suites that use certs.
+TEST_F(HTTPSRequestTest, HTTPSVSRPBadCertFailureTest) {
+  bool cert_err_allowed = false;
+  for (int i = 0; i < 2; i++, cert_err_allowed = !cert_err_allowed) {
+    net::TestServer::HTTPSOptions https_options(
+        net::TestServer::HTTPSOptions::CERT_EXPIRED);
+    https_options.use_tls_srp = true;
+    net::TestServer test_server(https_options,
+                                FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+    ASSERT_TRUE(test_server.Start());
+
+    GURL https_url = test_server.GetURL("tlslogininfo");
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr("httpsv");
+    GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+    TestDelegate d;
+    {
+      d.set_allow_certificate_errors(cert_err_allowed);
+      TestURLRequest r(httpsv_url, &d);
+      r.SetTLSLogin(kUser, kSecret);
+
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+      MessageLoop::current()->Run();
+
+      EXPECT_EQ(1, d.response_started_count());
+      EXPECT_FALSE(d.received_data_before_response());
+      EXPECT_TRUE(d.have_certificate_errors());
+
+      if (cert_err_allowed) {
+        EXPECT_NE(0, d.bytes_received());
+        CheckSSLInfo(r.ssl_info());
+        EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                    std::string::npos);
+      } else {
+        EXPECT_EQ(0, d.bytes_received());
+      }
+    }
+  }
+}
+
+TEST_F(HTTPSRequestTest, HTTPSVBadSecretFailureTest) {
+  bool only_tls_srp = false;
+  for (int i = 0; i < 2; i++, only_tls_srp = !only_tls_srp) {
+    net::TestServer::HTTPSOptions https_options;
+    https_options.use_tls_srp = true;
+    https_options.only_tls_srp = only_tls_srp;
+    net::TestServer test_server(https_options, FilePath());
+    ASSERT_TRUE(test_server.Start());
+
+    GURL https_url = test_server.GetURL("tlslogininfo");
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr("httpsv");
+    GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+    {
+      HTTPSVClientSRPLoginTestDelegate d;
+
+      TestURLRequest r(httpsv_url, &d);
+      // Try wrong password. Since this is an httpsv URL, even when the server
+      // also offers certificate-based cipher suites, we will fail to connect.
+      r.SetTLSLogin(kUser, kWrongSecret);
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+      MessageLoop::current()->Run();
+      EXPECT_EQ(0, d.bytes_received());
+      EXPECT_EQ(1, d.on_tls_login_required_count());
+      EXPECT_FALSE(d.received_data_before_response());
+
+      // Now continue with the correct password.
+      r.SetTLSLogin(kUser, kSecret);
+      r.ContinueWithTLSLogin();
+
+      MessageLoop::current()->Run();
+      EXPECT_NE(0, d.bytes_received());
+      EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                  std::string::npos);
+      EXPECT_FALSE(d.received_data_before_response());
+    }
+  }
+}
+
+TEST_F(HTTPSRequestTest, HTTPSVBadUsernameTest) {
+  bool only_tls_srp = false;
+  for (int i = 0; i < 2; i++, only_tls_srp = !only_tls_srp) {
+    net::TestServer::HTTPSOptions https_options;
+    https_options.use_tls_srp = true;
+    https_options.only_tls_srp = only_tls_srp;
+    net::TestServer test_server(https_options, FilePath());
+    ASSERT_TRUE(test_server.Start());
+
+    GURL https_url = test_server.GetURL("tlslogininfo");
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr("httpsv");
+    GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+    {
+      HTTPSVClientSRPLoginTestDelegate d;
+
+      TestURLRequest r(httpsv_url, &d);
+      // Try wrong password. Since this is an httpsv URL, even when the server
+      // also offers certificate-based cipher suites, we will fail to connect.
+      r.SetTLSLogin(kWrongUser, kSecret);
+      r.Start();
+      EXPECT_TRUE(r.is_pending());
+      MessageLoop::current()->Run();
+      EXPECT_EQ(0, d.bytes_received());
+      EXPECT_FALSE(d.received_data_before_response());
+      EXPECT_EQ(1, d.on_tls_login_required_count());
+      CheckTLSAuthChallengeInfo(d.last_login_request_info(), httpsv_url);
+
+      // Now continue with the correct password.
+      r.SetTLSLogin(kUser, kSecret);
+      r.ContinueWithTLSLogin();
+
+      MessageLoop::current()->Run();
+      EXPECT_NE(0, d.bytes_received());
+      EXPECT_TRUE(d.data_received().find(UTF16ToUTF8(kUser)) !=
+                  std::string::npos);
+      EXPECT_FALSE(d.received_data_before_response());
+    }
+  }
+}
+
+TEST_F(HTTPSRequestTest, HTTPSVCancelLoginTest) {
+  net::TestServer::HTTPSOptions https_options;
+  https_options.use_tls_srp = true;
+  https_options.only_tls_srp = true;
+  net::TestServer test_server(https_options, FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  GURL https_url = test_server.GetURL("");
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr("httpsv");
+  GURL httpsv_url = https_url.ReplaceComponents(replacements);
+
+  {
+    HTTPSVClientSRPLoginTestDelegate d;
+
+    TestURLRequest r(httpsv_url, &d);
+    r.Start();
+    EXPECT_TRUE(r.is_pending());
+    MessageLoop::current()->Run();
+
+    EXPECT_EQ(0, d.bytes_received());
+    EXPECT_EQ(1, d.on_tls_login_required_count());
+    EXPECT_FALSE(d.received_data_before_response());
+
+    r.CancelTLSLogin();
+
+    MessageLoop::current()->Run();
+    EXPECT_EQ(0, d.bytes_received());
+    EXPECT_FALSE(d.received_data_before_response());
+  }
+}
+
 TEST_F(URLRequestTestHTTP, CancelTest) {
   TestDelegate d;
   {
     TestURLRequest r(GURL("http://www.google.com/"), &d);
 
     r.Start();
     EXPECT_TRUE(r.is_pending());
 
     r.Cancel();
 
@@ skipping 2253 matching lines @@
   net::HttpRequestHeaders headers;
   headers.SetHeader(net::HttpRequestHeaders::kUserAgent, "Lynx (textmode)");
   req.SetExtraRequestHeaders(headers);
   req.Start();
   MessageLoop::current()->Run();
   // If the net tests are being run with ChromeFrame then we need to allow for
   // the 'chromeframe' suffix which is added to the user agent before the
   // closing parentheses.
   EXPECT_TRUE(StartsWithASCII(d.data_received(), "Lynx (textmode", true));
 }