Move RC4 behind a fallback.

net/socket/ssl_client_socket_unittest.cc

Index: net/socket/ssl_client_socket_unittest.cc
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 4b74ca0b93dd6caa20495c7efd8614df05c70f16..1fe3d3da6c89fb389f2bdf9262938f727666423e 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -2199,16 +2199,17 @@ TEST_F(SSLClientSocketTest, PrematureApplicationData) {
 }
 
 TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
-  // Rather than exhaustively disabling every RC4 ciphersuite defined at
-  // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml,
-  // only disabling those cipher suites that the test server actually
-  // implements.
-  const uint16 kCiphersToDisable[] = {0x0005,  // TLS_RSA_WITH_RC4_128_SHA
+  // Rather than exhaustively disabling every AES_128_CBC ciphersuite defined at
+  // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml, only
+  // disabling those cipher suites that the test server actually implements.
+  const uint16 kCiphersToDisable[] = {
+      0x002f,  // TLS_RSA_WITH_AES_128_CBC_SHA
+      0x0033,  // TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   };
 
   SpawnedTestServer::SSLOptions ssl_options;
   // Enable only RC4 on the test server.
-  ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4;
+  ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128;
   SpawnedTestServer test_server(
       SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
   ASSERT_TRUE(test_server.Start());
@@ -2875,6 +2876,74 @@ TEST_F(SSLClientSocketTest, FallbackShardSessionCache) {
             SSLConnectionStatusToVersion(ssl_info.connection_status));
 }
 
+// Test that RC4 is only enabled if enable_deprecated_cipher_suites is set.
+TEST_F(SSLClientSocketTest, DeprecatedRC4) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  // Normal handshakes with RC4 do not work.
+  SSLConfig ssl_config;
+  TestCompletionCallback callback;
+  scoped_ptr<StreamSocket> transport(
+      new TCPClientSocket(addr(), &log_, NetLog::Source()));
+  ASSERT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
+  scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      transport.Pass(), test_server()->host_port_pair(), ssl_config));
+  ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH,
+            callback.GetResult(sock->Connect(callback.callback())));
+
+  // Enabling deprecated ciphers works fine.
+  ssl_config.enable_deprecated_cipher_suites = true;
+  transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
+  ASSERT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
+  sock = CreateSSLClientSocket(transport.Pass(),
+                               test_server()->host_port_pair(), ssl_config);
+  ASSERT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
+}
+
+// Tests that enabling deprecated ciphers shards the session cache.
+TEST_F(SSLClientSocketTest, DeprecatedShardSessionCache) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  // Prepare a normal and deprecated SSL config.
+  SSLConfig ssl_config;
+  SSLConfig deprecated_ssl_config;
+  deprecated_ssl_config.enable_deprecated_cipher_suites = true;
+
+  // Connect with deprecated ciphers enabled to warm the session cache cache.
+  TestCompletionCallback callback;
+  scoped_ptr<StreamSocket> transport(
+      new TCPClientSocket(addr(), &log_, NetLog::Source()));
+  EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
+  scoped_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(transport.Pass(), test_server()->host_port_pair(),
+                            deprecated_ssl_config));
+  EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
+  SSLInfo ssl_info;
+  EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+
+  // Test that re-connecting with deprecated ciphers enabled still resumes.
+  transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
+  EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
+  sock = CreateSSLClientSocket(
+      transport.Pass(), test_server()->host_port_pair(), deprecated_ssl_config);
+  EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
+  EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+
+  // However, a normal connection needs a full handshake.

[Ryan Sleevi, 2015/04/02 06:32:06]

But does a normal connection prime a deprecated cache? 

[I know the answer is no, but the test doesn't confirm that side; for example,
this could have broken resumption for all normal handshakes]

[davidben, 2015/04/03 19:58:26]

Done. (Though I can't imagine an implementation that could possibly have that
bug. :-) Not sure I see how it could have broken resumption for all normal
handshakes. It could have... broken a spurious fallback connection... when
connecting to servers that didn't need the fallback? If anything, we actually
want the mixing in that direction.)

+  transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
+  EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
+  sock = CreateSSLClientSocket(transport.Pass(),
+                               test_server()->host_port_pair(), ssl_config);
+  EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
+  EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+}
+
 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) {
   if (!SupportsAESGCM()) {
     LOG(WARNING) << "Skipping test because AES-GCM is not supported.";