Use cert config options in SSLServerSocketOpenSSL.

net/socket/ssl_server_socket_unittest.cc

Index: net/socket/ssl_server_socket_unittest.cc
diff --git a/net/socket/ssl_server_socket_unittest.cc b/net/socket/ssl_server_socket_unittest.cc
index fab2cb136a1127db4e282aaff5c363a904fa072f..a5cbf09b7158704e46734fa14fca3f59f4ca2f99 100644
--- a/net/socket/ssl_server_socket_unittest.cc
+++ b/net/socket/ssl_server_socket_unittest.cc
@@ -326,30 +326,30 @@ class SSLServerSocketTest : public PlatformTest {
     scoped_ptr<crypto::RSAPrivateKey> private_key(
         crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector));
 
-    SSLConfig ssl_config;
-    ssl_config.false_start_enabled = false;
-    ssl_config.channel_id_enabled = false;
+    client_ssl_config_.false_start_enabled = false;
+    client_ssl_config_.channel_id_enabled = false;
 
     // Certificate provided by the host doesn't need authority.
     SSLConfig::CertAndStatus cert_and_status;
     cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
     cert_and_status.der_cert = cert_der;
-    ssl_config.allowed_bad_certs.push_back(cert_and_status);
+    client_ssl_config_.allowed_bad_certs.push_back(cert_and_status);
 
     HostPortPair host_and_pair("unittest", 0);
     SSLClientSocketContext context;
     context.cert_verifier = cert_verifier_.get();
     context.transport_security_state = transport_security_state_.get();
-    client_socket_ =
-        socket_factory_->CreateSSLClientSocket(
-            client_connection.Pass(), host_and_pair, ssl_config, context);
-    server_socket_ = CreateSSLServerSocket(
-        server_socket.Pass(),
-        cert.get(), private_key.get(), SSLConfig());
+    client_socket_ = socket_factory_->CreateSSLClientSocket(
+        client_connection.Pass(), host_and_pair, client_ssl_config_, context);
+    server_socket_ =
+        CreateSSLServerSocket(server_socket.Pass(), cert.get(),
+                              private_key.get(), server_ssl_config_);
   }
 
   FakeDataChannel channel_1_;
   FakeDataChannel channel_2_;
+  SSLConfig client_ssl_config_;
+  SSLConfig server_ssl_config_;
   scoped_ptr<SSLClientSocket> client_socket_;
   scoped_ptr<SSLServerSocket> server_socket_;
   ClientSocketFactory* socket_factory_;
@@ -591,4 +591,41 @@ TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
   EXPECT_NE(0, memcmp(server_out, client_bad, sizeof(server_out)));
 }
 
+// Verifies that SSLConfig::require_ecdhe flags works properly.
+TEST_F(SSLServerSocketTest, RequireEcdheFlag) {
+  // Disable all ECDHE suites on the client side.
+  client_ssl_config_.disabled_cipher_suites = {

[davidben, 2015/05/12 19:05:16]

This depends on C++11 initializer list support in std::vector. I would love for
this code to use them, but we can't assume C++11 library support yet. (Hopefully
this will change soonish? I hear Chrome for Android recently switched to libc++.
Dunno if there are other blockers.)

https://chromium-cpp.appspot.com/

[Sergey Ulanov, 2015/05/12 19:42:21]

Done. Thanks for catching it - for some reason I thought it's already allowed.

[davidben, 2015/05/12 19:46:11]

Be glad you don't have to do this nonsense. :-) Looking forward to ditching
it...
https://boringssl.googlesource.com/boringssl/+/master/crypto/test/stl_compat.h

+      0xC010,  // ECDHE_RSA_WITH_NULL_SHA
+      0xC011,  // ECDHE_RSA_WITH_RC4_128_SHA
+      0xC012,  // ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+      0xC013,  // ECDHE_RSA_WITH_AES_128_CBC_SHA
+      0xC014,  // ECDHE_RSA_WITH_AES_256_CBC_SHA
+      0xC023,  // ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+      0xC027,  // ECDHE_RSA_WITH_AES_128_CBC_SHA256
+      0xC02B,  // ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+      0xC02F,  // ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  };
+
+  // Require ECDHE on the server.
+  server_ssl_config_.require_ecdhe = true;
+
+  Initialize();
+
+  TestCompletionCallback connect_callback;
+  TestCompletionCallback handshake_callback;
+
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  if (client_ret == ERR_IO_PENDING) {
+    client_ret = connect_callback.WaitForResult();
+  }
+  if (server_ret == ERR_IO_PENDING) {
+    server_ret = handshake_callback.WaitForResult();
+  }

[davidben, 2015/05/12 19:05:16]

You can replace these with

  client_ret = connect_callback.GetResult(client_ret);
  server_ret = handshake_callback.GetResult(server_ret);

[Sergey Ulanov, 2015/05/12 19:42:21]

Done.

+
+  ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, client_ret);
+  ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, server_ret);
+}
+
 }  // namespace net