Support for server session cache.

net/socket/ssl_server_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This test suite uses SSLClientSocket to test the implementation of
 // SSLServerSocket. In order to establish connections between the sockets
 // we need two additional classes:
 // 1. FakeSocket
 //    Connects SSL socket to FakeDataChannel. This class is just a stub.
 //
@@ skipping 186 matching lines @@
 
   base::WeakPtrFactory<FakeDataChannel> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(FakeDataChannel);
 };
 
 class FakeSocket : public StreamSocket {
  public:
   FakeSocket(FakeDataChannel* incoming_channel,
              FakeDataChannel* outgoing_channel)
-      : incoming_(incoming_channel),
-        outgoing_(outgoing_channel) {
-  }
+      : incoming_(incoming_channel), outgoing_(outgoing_channel) {}
 
   ~FakeSocket() override {}
 
   int Read(IOBuffer* buf,
            int buf_len,
            const CompletionCallback& callback) override {
     // Read random number of bytes.
     buf_len = rand() % buf_len + 1;
     return incoming_->Read(buf, buf_len, callback);
   }
@@ skipping 110 matching lines @@
   EXPECT_LE(read, written);
   EXPECT_EQ(0, memcmp(kTestData, read_buf->data(), read));
 }
 
 class SSLServerSocketTest : public PlatformTest {
  public:
   SSLServerSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
         cert_verifier_(new MockCertVerifier()),
         client_cert_verifier_(new MockClientCertVerifier()),
-        transport_security_state_(new TransportSecurityState) {
+        transport_security_state_(new TransportSecurityState),
+        initialized_(false) {
     cert_verifier_->set_default_result(ERR_CERT_AUTHORITY_INVALID);
     client_cert_verifier_->set_default_result(ERR_CERT_AUTHORITY_INVALID);
   }
 
  protected:
-  void Initialize() {
-    scoped_ptr<ClientSocketHandle> client_connection(new ClientSocketHandle);
-    client_connection->SetSocket(
-        scoped_ptr<StreamSocket>(new FakeSocket(&channel_1_, &channel_2_)));
-    scoped_ptr<StreamSocket> server_socket(
-        new FakeSocket(&channel_2_, &channel_1_));
-
+  void InitializeContext() {
+    std::string server_cert_der;
     scoped_refptr<X509Certificate> server_cert(
         ImportCertFromFile(GetTestCertsDirectory(), "unittest.selfsigned.der"));
     scoped_ptr<crypto::RSAPrivateKey> server_private_key(
         ReadTestKey("unittest.key.bin"));
+    server_context_ = CreateSSLServerContext(
+        server_cert.get(), *server_private_key, server_ssl_config_);
 
-    client_ssl_config_.false_start_enabled = false;
-    client_ssl_config_.channel_id_enabled = false;
+    if (!initialized_) {
+      initialized_ = true;

[davidben, 2016/02/24 21:01:26]

Ugh, globals. :-( Having you rewrite every test would be silly, but perhaps this
kind of a split would be tidier. What do you think?

1. Move lines 347-350 into the constructor. Save server_cert_ and
server_private_key_ since unlike everything else, those are actually logically
constants.

2. Move this block of code into the constructor.

3. Make channel_1_ and channel_2_ be scoped_ptr so you can drop them and create
new ones.

4. InitializeContext will:
   a) Reset sockets and channels because you're about to destroy the old server
context.
   b) Reset server_contet_

5. InitializeSockets will:
   a) Reset any existing sockets and channels.
   b) Create new FakeDataChannel objects and new sockets.

6. Optional: Maybe Initialize -> Create since you call it multiple times? Dunno.

Basically this is to merge InitialCacheSockets into InitializeSockets and get
rid of this awkward thing where InitializeContext is even more stateful than
before.

[ryanchung, 2016/02/25 00:46:39]

Done. Yes, this will make it a lot cleaner! Thanks.

+      client_ssl_config_.false_start_enabled = false;
+      client_ssl_config_.channel_id_enabled = false;
 
-    // Certificate provided by the host doesn't need authority.
-    SSLConfig::CertAndStatus cert_and_status;
-    cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
-    std::string server_cert_der;
-    CHECK(X509Certificate::GetDEREncoded(server_cert->os_cert_handle(),
-                                         &server_cert_der));
-    cert_and_status.der_cert = server_cert_der;
-    client_ssl_config_.allowed_bad_certs.push_back(cert_and_status);
+      // Certificate provided by the host doesn't need authority.
+      SSLConfig::CertAndStatus cert_and_status;
+      cert_and_status.cert_status = CERT_STATUS_AUTHORITY_INVALID;
+      std::string server_cert_der;
+      CHECK(X509Certificate::GetDEREncoded(server_cert->os_cert_handle(),
+                                           &server_cert_der));
+      cert_and_status.der_cert = server_cert_der;
+      client_ssl_config_.allowed_bad_certs.push_back(cert_and_status);
+
+      socket_factory_->ClearSSLSessionCache();

[davidben, 2016/02/24 21:01:26]

[Chatted out-of-band, but I think we can remove this line.]

[ryanchung, 2016/02/25 00:46:39]

Done.

+    }
+  }
+
+  void InitializeClientServerSocket(FakeDataChannel* channel_1,
+                                    FakeDataChannel* channel_2) {
+    scoped_ptr<ClientSocketHandle> client_connection(new ClientSocketHandle);
+    client_connection->SetSocket(
+        scoped_ptr<StreamSocket>(new FakeSocket(channel_1, channel_2)));
+    scoped_ptr<StreamSocket> server_socket(
+        new FakeSocket(channel_2, channel_1));
 
     HostPortPair host_and_pair("unittest", 0);
     SSLClientSocketContext context;
     context.cert_verifier = cert_verifier_.get();
     context.transport_security_state = transport_security_state_.get();
-    socket_factory_->ClearSSLSessionCache();
     client_socket_ = socket_factory_->CreateSSLClientSocket(
         std::move(client_connection), host_and_pair, client_ssl_config_,
         context);
+
     server_socket_ =
-        CreateSSLServerSocket(std::move(server_socket), server_cert.get(),
-                              *server_private_key, server_ssl_config_);
+        server_context_->CreateSSLServerSocket(std::move(server_socket));
+  }
+
+  void InitializeSockets() {
+    InitializeClientServerSocket(&channel_1a, &channel_1b);
+  }
+
+  void InitializeCacheSockets() {
+    InitializeClientServerSocket(&channel_2a, &channel_2b);
   }
 
 #if defined(USE_OPENSSL)
   void ConfigureClientCertsForClient(const char* cert_file_name,
                                      const char* private_key_file_name) {
     client_ssl_config_.send_client_cert = true;
     client_ssl_config_.client_cert =
         ImportCertFromFile(GetTestCertsDirectory(), cert_file_name);
     ASSERT_TRUE(client_ssl_config_.client_cert);
     scoped_ptr<crypto::RSAPrivateKey> key = ReadTestKey(private_key_file_name);
@@ skipping 36 matching lines @@
     std::vector<uint8_t> key_vector(
         reinterpret_cast<const uint8_t*>(key_string.data()),
         reinterpret_cast<const uint8_t*>(key_string.data() +
                                          key_string.length()));
     scoped_ptr<crypto::RSAPrivateKey> key(
         crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector));
     return key;
   }
 #endif
 
-  FakeDataChannel channel_1_;
-  FakeDataChannel channel_2_;
+  FakeDataChannel channel_1a;
+  FakeDataChannel channel_1b;
+  FakeDataChannel channel_2a;
+  FakeDataChannel channel_2b;

[davidben, 2016/02/24 21:01:26]

Style: Should end with underscores.

[ryanchung, 2016/02/25 00:46:39]

Done.

   SSLConfig client_ssl_config_;
   SSLServerConfig server_ssl_config_;
   scoped_ptr<SSLClientSocket> client_socket_;
   scoped_ptr<SSLServerSocket> server_socket_;
   ClientSocketFactory* socket_factory_;
   scoped_ptr<MockCertVerifier> cert_verifier_;
   scoped_ptr<MockClientCertVerifier> client_cert_verifier_;
   scoped_ptr<TransportSecurityState> transport_security_state_;
+  scoped_ptr<SSLServerContext> server_context_;
+  bool initialized_;
 };
 
 // This test only executes creation of client and server sockets. This is to
 // test that creation of sockets doesn't crash and have minimal code to run
 // under valgrind in order to help debugging memory problems.
 TEST_F(SSLServerSocketTest, Initialize) {
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 }
 
 // This test executes Connect() on SSLClientSocket and Handshake() on
 // SSLServerSocket to make sure handshaking between the two sockets is
 // completed successfully.
 TEST_F(SSLServerSocketTest, Handshake) {
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
 
   client_ret = connect_callback.GetResult(client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
 
@@ skipping 11 matching lines @@
       SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
   const char* key_exchange;
   const char* cipher;
   const char* mac;
   bool is_aead;
   SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, cipher_suite);
   EXPECT_STREQ("ECDHE_RSA", key_exchange);
   EXPECT_TRUE(is_aead);
 }
 
-// NSS ports don't support client certificates.
+// This tests makes sure the session cache is working

[davidben, 2016/02/24 21:01:26]

(I suspect this test or the following one will blow up on NSS. You'll probably
need to move them under the #ifdef.)

[ryanchung, 2016/02/25 00:46:39]

Done.

+TEST_F(SSLServerSocketTest, HandshakeCached) {
+  InitializeContext();
+  InitializeSockets();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);

[davidben, 2016/02/24 21:01:26]

(You probably don't need to bother with checking the cert status. Ditto below)

[ryanchung, 2016/02/25 00:46:39]

Done.

+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);

[davidben, 2016/02/24 21:01:26]

Maybe check both the client and server SSLInfo? Ditto below.

[ryanchung, 2016/02/25 00:46:39]

Done.

+
+  // Make sure the second connection is cached

[davidben, 2016/02/24 21:01:26]

Nit: period at end

[ryanchung, 2016/02/25 00:46:39]

Done.

+  InitializeCacheSockets();
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info2));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  EXPECT_EQ(ssl_info2.handshake_type, SSLInfo::HANDSHAKE_RESUME);
+}
+
+// This tests makes sure the session cache separates out by server context
+TEST_F(SSLServerSocketTest, HandshakeCachedContextSwitch) {
+  InitializeContext();
+  InitializeSockets();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+
+  // Make sure the second connection is NOT cached when using a new context.
+  InitializeContext();
+  InitializeCacheSockets();
+
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  ASSERT_TRUE(client_socket_->GetSSLInfo(&ssl_info2));
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  EXPECT_EQ(ssl_info2.handshake_type, SSLInfo::HANDSHAKE_FULL);
+}
+
+// NSS ports don't support client certificates
 #if defined(USE_OPENSSL)
 
 // This test executes Connect() on SSLClientSocket and Handshake() on
 // SSLServerSocket to make sure handshaking between the two sockets is
 // completed successfully, using client certificate.
 TEST_F(SSLServerSocketTest, HandshakeWithClientCert) {
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   ConfigureClientCertsForClient(kClientCertFileName, kClientPrivateKeyFileName);
   ConfigureClientCertsForServer();
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
 
   client_ret = connect_callback.GetResult(client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
 
   ASSERT_EQ(OK, client_ret);
   ASSERT_EQ(OK, server_ret);
 
   // Make sure the cert status is expected.
   SSLInfo ssl_info;
   client_socket_->GetSSLInfo(&ssl_info);
   EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
   server_socket_->GetSSLInfo(&ssl_info);
   EXPECT_TRUE(ssl_info.cert.get());
   EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get()));
 }
 
+// This test executes Connect() on SSLClientSocket and Handshake() twice on
+// SSLServerSocket to make sure handshaking between the two sockets is
+// completed successfully, using client certificate. The second connection is
+// expected to succeed through the session cache.
+TEST_F(SSLServerSocketTest, HandshakeWithClientCertCached) {
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  ConfigureClientCertsForClient(kClientCertFileName, kClientPrivateKeyFileName);
+  ConfigureClientCertsForServer();
+  InitializeContext();
+  InitializeSockets();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+
+  client_ret = connect_callback.GetResult(client_ret);
+  server_ret = handshake_callback.GetResult(server_ret);
+
+  ASSERT_EQ(OK, client_ret);
+  ASSERT_EQ(OK, server_ret);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info;
+  client_socket_->GetSSLInfo(&ssl_info);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info.cert_status);
+  server_socket_->GetSSLInfo(&ssl_info);
+  EXPECT_TRUE(ssl_info.cert.get());
+  EXPECT_TRUE(client_cert->Equals(ssl_info.cert.get()));
+  EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
+  server_socket_->Disconnect();
+  client_socket_->Disconnect();
+
+  // Create the connection again

[davidben, 2016/02/24 21:01:26]

Nit: period at end

[ryanchung, 2016/02/25 00:46:39]

Done.

+  InitializeCacheSockets();
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+
+  client_ret2 = connect_callback2.GetResult(client_ret2);
+  server_ret2 = handshake_callback2.GetResult(server_ret2);
+
+  ASSERT_EQ(OK, client_ret2);
+  ASSERT_EQ(OK, server_ret2);
+
+  // Make sure the cert status is expected.
+  SSLInfo ssl_info2;
+  client_socket_->GetSSLInfo(&ssl_info2);
+  EXPECT_EQ(CERT_STATUS_AUTHORITY_INVALID, ssl_info2.cert_status);
+  server_socket_->GetSSLInfo(&ssl_info2);
+  EXPECT_TRUE(ssl_info2.cert.get());
+  EXPECT_TRUE(client_cert->Equals(ssl_info2.cert.get()));
+  EXPECT_EQ(ssl_info2.handshake_type, SSLInfo::HANDSHAKE_RESUME);
+}
+
 TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSupplied) {
   ConfigureClientCertsForServer();
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
   // Use the default setting for the client socket, which is to not send
   // a client certificate. This will cause the client to receive an
   // ERR_SSL_CLIENT_AUTH_CERT_NEEDED error, and allow for inspecting the
   // requested cert_authorities from the CertificateRequest sent by the
   // server.
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   TestCompletionCallback connect_callback;
   EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED,
             connect_callback.GetResult(
                 client_socket_->Connect(connect_callback.callback())));
 
   scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
   client_socket_->GetSSLCertRequestInfo(request_info.get());
 
   // Check that the authority name that arrived in the CertificateRequest
   // handshake message is as expected.
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities));
 
   client_socket_->Disconnect();
 
   EXPECT_EQ(ERR_FAILED, handshake_callback.GetResult(server_ret));
 }
 
+TEST_F(SSLServerSocketTest, HandshakeWithClientCertRequiredNotSuppliedCached) {
+  ConfigureClientCertsForServer();
+  InitializeContext();
+  InitializeSockets();
+  // Use the default setting for the client socket, which is to not send
+  // a client certificate. This will cause the client to receive an
+  // ERR_SSL_CLIENT_AUTH_CERT_NEEDED error, and allow for inspecting the
+  // requested cert_authorities from the CertificateRequest sent by the
+  // server.
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  TestCompletionCallback connect_callback;
+  EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED,
+            connect_callback.GetResult(
+                client_socket_->Connect(connect_callback.callback())));
+
+  scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
+  client_socket_->GetSSLCertRequestInfo(request_info.get());
+
+  // Check that the authority name that arrived in the CertificateRequest
+  // handshake message is as expected.
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info->cert_authorities));
+
+  client_socket_->Disconnect();
+
+  EXPECT_EQ(ERR_FAILED, handshake_callback.GetResult(server_ret));
+  server_socket_->Disconnect();
+
+  // Below, check that the cache didn't store the result of a failed handshake

[davidben, 2016/02/24 21:01:26]

Nit: period at end.

[ryanchung, 2016/02/25 00:46:39]

Done.

+  InitializeCacheSockets();
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+
+  TestCompletionCallback connect_callback2;
+  EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED,
+            connect_callback2.GetResult(
+                client_socket_->Connect(connect_callback2.callback())));
+
+  scoped_refptr<SSLCertRequestInfo> request_info2 = new SSLCertRequestInfo();
+  client_socket_->GetSSLCertRequestInfo(request_info2.get());
+
+  // Check that the authority name that arrived in the CertificateRequest
+  // handshake message is as expected.
+  EXPECT_TRUE(client_cert->IsIssuedByEncoded(request_info2->cert_authorities));
+
+  client_socket_->Disconnect();
+
+  EXPECT_EQ(ERR_FAILED, handshake_callback2.GetResult(server_ret2));
+}
+
 TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSupplied) {
   scoped_refptr<X509Certificate> client_cert =
       ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
   ConfigureClientCertsForClient(kWrongClientCertFileName,
                                 kWrongClientPrivateKeyFileName);
   ConfigureClientCertsForServer();
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
+
+  TestCompletionCallback connect_callback;
+  int client_ret = client_socket_->Connect(connect_callback.callback());
+
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            connect_callback.GetResult(client_ret));
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            handshake_callback.GetResult(server_ret));
+}
+
+TEST_F(SSLServerSocketTest, HandshakeWithWrongClientCertSuppliedCached) {
+  scoped_refptr<X509Certificate> client_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), kClientCertFileName);
+  ConfigureClientCertsForClient(kWrongClientCertFileName,
+                                kWrongClientPrivateKeyFileName);
+  ConfigureClientCertsForServer();
+  InitializeContext();
+  InitializeSockets();
+
+  TestCompletionCallback handshake_callback;
+  int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
 
   EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
             connect_callback.GetResult(client_ret));
   EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
             handshake_callback.GetResult(server_ret));
+
+  client_socket_->Disconnect();
+  server_socket_->Disconnect();
+
+  // Below, check that the cache didn't store the result of a failed handshake

[davidben, 2016/02/24 21:01:26]

Nit: period at end.

[ryanchung, 2016/02/25 00:46:39]

Done.

+  InitializeCacheSockets();
+  TestCompletionCallback handshake_callback2;
+  int server_ret2 = server_socket_->Handshake(handshake_callback2.callback());
+
+  TestCompletionCallback connect_callback2;
+  int client_ret2 = client_socket_->Connect(connect_callback2.callback());
+
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            connect_callback2.GetResult(client_ret2));
+  EXPECT_EQ(ERR_BAD_SSL_CLIENT_AUTH_CERT,
+            handshake_callback2.GetResult(server_ret2));
 }
 #endif  // defined(USE_OPENSSL)
 
 TEST_F(SSLServerSocketTest, DataTransfer) {
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   // Establish connection.
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
   ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
   ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);
 
   client_ret = connect_callback.GetResult(client_ret);
   ASSERT_EQ(OK, client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
   ASSERT_EQ(OK, server_ret);
 
   const int kReadBufSize = 1024;
   scoped_refptr<StringIOBuffer> write_buf =
       new StringIOBuffer("testing123");
   scoped_refptr<DrainableIOBuffer> read_buf =
       new DrainableIOBuffer(new IOBuffer(kReadBufSize), kReadBufSize);
 
   // Write then read.
   TestCompletionCallback write_callback;
   TestCompletionCallback read_callback;
-  server_ret = server_socket_->Write(
-      write_buf.get(), write_buf->size(), write_callback.callback());
+  server_ret = server_socket_->Write(write_buf.get(), write_buf->size(),
+                                     write_callback.callback());
   EXPECT_TRUE(server_ret > 0 || server_ret == ERR_IO_PENDING);
   client_ret = client_socket_->Read(
       read_buf.get(), read_buf->BytesRemaining(), read_callback.callback());
   EXPECT_TRUE(client_ret > 0 || client_ret == ERR_IO_PENDING);
 
   server_ret = write_callback.GetResult(server_ret);
   EXPECT_GT(server_ret, 0);
   client_ret = read_callback.GetResult(client_ret);
   ASSERT_GT(client_ret, 0);
 
   read_buf->DidConsume(client_ret);
   while (read_buf->BytesConsumed() < write_buf->size()) {
     client_ret = client_socket_->Read(
         read_buf.get(), read_buf->BytesRemaining(), read_callback.callback());
     EXPECT_TRUE(client_ret > 0 || client_ret == ERR_IO_PENDING);
     client_ret = read_callback.GetResult(client_ret);
     ASSERT_GT(client_ret, 0);
     read_buf->DidConsume(client_ret);
   }
   EXPECT_EQ(write_buf->size(), read_buf->BytesConsumed());
   read_buf->SetOffset(0);
   EXPECT_EQ(0, memcmp(write_buf->data(), read_buf->data(), write_buf->size()));
 
   // Read then write.
   write_buf = new StringIOBuffer("hello123");
   server_ret = server_socket_->Read(
       read_buf.get(), read_buf->BytesRemaining(), read_callback.callback());
   EXPECT_TRUE(server_ret > 0 || server_ret == ERR_IO_PENDING);
-  client_ret = client_socket_->Write(
-      write_buf.get(), write_buf->size(), write_callback.callback());
+  client_ret = client_socket_->Write(write_buf.get(), write_buf->size(),
+                                     write_callback.callback());
   EXPECT_TRUE(client_ret > 0 || client_ret == ERR_IO_PENDING);
 
   server_ret = read_callback.GetResult(server_ret);
   ASSERT_GT(server_ret, 0);
   client_ret = write_callback.GetResult(client_ret);
   EXPECT_GT(client_ret, 0);
 
   read_buf->DidConsume(server_ret);
   while (read_buf->BytesConsumed() < write_buf->size()) {
     server_ret = server_socket_->Read(
         read_buf.get(), read_buf->BytesRemaining(), read_callback.callback());
     EXPECT_TRUE(server_ret > 0 || server_ret == ERR_IO_PENDING);
     server_ret = read_callback.GetResult(server_ret);
     ASSERT_GT(server_ret, 0);
     read_buf->DidConsume(server_ret);
   }
   EXPECT_EQ(write_buf->size(), read_buf->BytesConsumed());
   read_buf->SetOffset(0);
   EXPECT_EQ(0, memcmp(write_buf->data(), read_buf->data(), write_buf->size()));
 }
 
 // A regression test for bug 127822 (http://crbug.com/127822).
 // If the server closes the connection after the handshake is finished,
 // the client's Write() call should not cause an infinite loop.
 // NOTE: this is a test for SSLClientSocket rather than SSLServerSocket.
 TEST_F(SSLServerSocketTest, ClientWriteAfterServerClose) {
-  Initialize();
-
+  InitializeContext();
+  InitializeSockets();
 
   // Establish connection.
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
   ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
   ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);
 
   client_ret = connect_callback.GetResult(client_ret);
   ASSERT_EQ(OK, client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
   ASSERT_EQ(OK, server_ret);
 
   scoped_refptr<StringIOBuffer> write_buf = new StringIOBuffer("testing123");
 
   // The server closes the connection. The server needs to write some
   // data first so that the client's Read() calls from the transport
   // socket won't return ERR_IO_PENDING.  This ensures that the client
   // will call Read() on the transport socket again.
   TestCompletionCallback write_callback;
-  server_ret = server_socket_->Write(
-      write_buf.get(), write_buf->size(), write_callback.callback());
+  server_ret = server_socket_->Write(write_buf.get(), write_buf->size(),
+                                     write_callback.callback());
   EXPECT_TRUE(server_ret > 0 || server_ret == ERR_IO_PENDING);
 
   server_ret = write_callback.GetResult(server_ret);
   EXPECT_GT(server_ret, 0);
 
   server_socket_->Disconnect();
 
   // The client writes some data. This should not cause an infinite loop.
-  client_ret = client_socket_->Write(
-      write_buf.get(), write_buf->size(), write_callback.callback());
+  client_ret = client_socket_->Write(write_buf.get(), write_buf->size(),
+                                     write_callback.callback());
   EXPECT_TRUE(client_ret > 0 || client_ret == ERR_IO_PENDING);
 
   client_ret = write_callback.GetResult(client_ret);
   EXPECT_GT(client_ret, 0);
 
   base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
       FROM_HERE, base::MessageLoop::QuitWhenIdleClosure(),
       base::TimeDelta::FromMilliseconds(10));
   base::MessageLoop::current()->Run();
 }
 
 // This test executes ExportKeyingMaterial() on the client and server sockets,
 // after connecting them, and verifies that the results match.
 // This test will fail if False Start is enabled (see crbug.com/90208).
 TEST_F(SSLServerSocketTest, ExportKeyingMaterial) {
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
   ASSERT_TRUE(client_ret == OK || client_ret == ERR_IO_PENDING);
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
   ASSERT_TRUE(server_ret == OK || server_ret == ERR_IO_PENDING);
 
   if (client_ret == ERR_IO_PENDING) {
     ASSERT_EQ(OK, connect_callback.WaitForResult());
   }
   if (server_ret == ERR_IO_PENDING) {
     ASSERT_EQ(OK, handshake_callback.WaitForResult());
   }
 
   const int kKeyingMaterialSize = 32;
   const char kKeyingLabel[] = "EXPERIMENTAL-server-socket-test";
   const char kKeyingContext[] = "";
   unsigned char server_out[kKeyingMaterialSize];
-  int rv = server_socket_->ExportKeyingMaterial(kKeyingLabel,
-                                                false, kKeyingContext,
-                                                server_out, sizeof(server_out));
+  int rv = server_socket_->ExportKeyingMaterial(
+      kKeyingLabel, false, kKeyingContext, server_out, sizeof(server_out));
   ASSERT_EQ(OK, rv);
 
   unsigned char client_out[kKeyingMaterialSize];
-  rv = client_socket_->ExportKeyingMaterial(kKeyingLabel,
-                                            false, kKeyingContext,
+  rv = client_socket_->ExportKeyingMaterial(kKeyingLabel, false, kKeyingContext,
                                             client_out, sizeof(client_out));
   ASSERT_EQ(OK, rv);
   EXPECT_EQ(0, memcmp(server_out, client_out, sizeof(server_out)));
 
   const char kKeyingLabelBad[] = "EXPERIMENTAL-server-socket-test-bad";
   unsigned char client_bad[kKeyingMaterialSize];
-  rv = client_socket_->ExportKeyingMaterial(kKeyingLabelBad,
-                                            false, kKeyingContext,
-                                            client_bad, sizeof(client_bad));
+  rv = client_socket_->ExportKeyingMaterial(
+      kKeyingLabelBad, false, kKeyingContext, client_bad, sizeof(client_bad));
   ASSERT_EQ(rv, OK);
   EXPECT_NE(0, memcmp(server_out, client_bad, sizeof(server_out)));
 }
 
 // Verifies that SSLConfig::require_ecdhe flags works properly.
 TEST_F(SSLServerSocketTest, RequireEcdheFlag) {
   // Disable all ECDHE suites on the client side.
   uint16_t kEcdheCiphers[] = {
       0xc007,  // ECDHE_ECDSA_WITH_RC4_128_SHA
       0xc009,  // ECDHE_ECDSA_WITH_AES_128_CBC_SHA
       0xc00a,  // ECDHE_ECDSA_WITH_AES_256_CBC_SHA
       0xc011,  // ECDHE_RSA_WITH_RC4_128_SHA
       0xc013,  // ECDHE_RSA_WITH_AES_128_CBC_SHA
       0xc014,  // ECDHE_RSA_WITH_AES_256_CBC_SHA
       0xc02b,  // ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
       0xc02f,  // ECDHE_RSA_WITH_AES_128_GCM_SHA256
       0xcc13,  // ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
       0xcc14,  // ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
   };
   client_ssl_config_.disabled_cipher_suites.assign(
       kEcdheCiphers, kEcdheCiphers + arraysize(kEcdheCiphers));
 
   // Require ECDHE on the server.
   server_ssl_config_.require_ecdhe = true;
 
-  Initialize();
+  InitializeContext();
+  InitializeSockets();
 
   TestCompletionCallback connect_callback;
   int client_ret = client_socket_->Connect(connect_callback.callback());
 
   TestCompletionCallback handshake_callback;
   int server_ret = server_socket_->Handshake(handshake_callback.callback());
 
   client_ret = connect_callback.GetResult(client_ret);
   server_ret = handshake_callback.GetResult(server_ret);
 
   ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, client_ret);
   ASSERT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, server_ret);
 }
 
 }  // namespace net