OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
| 7 #include <errno.h> |
| 8 #include <string.h> |
| 9 |
7 #include <utility> | 10 #include <utility> |
8 | 11 |
| 12 #include <openssl/bio.h> |
| 13 #include <openssl/evp.h> |
| 14 #include <openssl/pem.h> |
| 15 |
9 #include "base/callback_helpers.h" | 16 #include "base/callback_helpers.h" |
10 #include "base/files/file_util.h" | 17 #include "base/files/file_util.h" |
11 #include "base/location.h" | 18 #include "base/location.h" |
12 #include "base/macros.h" | 19 #include "base/macros.h" |
13 #include "base/memory/ref_counted.h" | 20 #include "base/memory/ref_counted.h" |
14 #include "base/run_loop.h" | 21 #include "base/run_loop.h" |
15 #include "base/single_thread_task_runner.h" | 22 #include "base/single_thread_task_runner.h" |
16 #include "base/thread_task_runner_handle.h" | 23 #include "base/thread_task_runner_handle.h" |
17 #include "base/time/time.h" | 24 #include "base/time/time.h" |
| 25 #include "crypto/scoped_openssl_types.h" |
18 #include "net/base/address_list.h" | 26 #include "net/base/address_list.h" |
19 #include "net/base/io_buffer.h" | 27 #include "net/base/io_buffer.h" |
20 #include "net/base/net_errors.h" | 28 #include "net/base/net_errors.h" |
21 #include "net/base/test_completion_callback.h" | 29 #include "net/base/test_completion_callback.h" |
22 #include "net/base/test_data_directory.h" | 30 #include "net/base/test_data_directory.h" |
23 #include "net/cert/asn1_util.h" | 31 #include "net/cert/asn1_util.h" |
24 #include "net/cert/ct_policy_enforcer.h" | 32 #include "net/cert/ct_policy_enforcer.h" |
25 #include "net/cert/ct_policy_status.h" | 33 #include "net/cert/ct_policy_status.h" |
26 #include "net/cert/ct_verifier.h" | 34 #include "net/cert/ct_verifier.h" |
27 #include "net/cert/mock_cert_verifier.h" | 35 #include "net/cert/mock_cert_verifier.h" |
(...skipping 10 matching lines...) Expand all Loading... |
38 #include "net/socket/client_socket_factory.h" | 46 #include "net/socket/client_socket_factory.h" |
39 #include "net/socket/client_socket_handle.h" | 47 #include "net/socket/client_socket_handle.h" |
40 #include "net/socket/socket_test_util.h" | 48 #include "net/socket/socket_test_util.h" |
41 #include "net/socket/tcp_client_socket.h" | 49 #include "net/socket/tcp_client_socket.h" |
42 #include "net/ssl/channel_id_service.h" | 50 #include "net/ssl/channel_id_service.h" |
43 #include "net/ssl/default_channel_id_store.h" | 51 #include "net/ssl/default_channel_id_store.h" |
44 #include "net/ssl/ssl_cert_request_info.h" | 52 #include "net/ssl/ssl_cert_request_info.h" |
45 #include "net/ssl/ssl_config_service.h" | 53 #include "net/ssl/ssl_config_service.h" |
46 #include "net/ssl/ssl_connection_status_flags.h" | 54 #include "net/ssl/ssl_connection_status_flags.h" |
47 #include "net/ssl/ssl_info.h" | 55 #include "net/ssl/ssl_info.h" |
| 56 #include "net/ssl/test_ssl_private_key.h" |
48 #include "net/test/cert_test_util.h" | 57 #include "net/test/cert_test_util.h" |
49 #include "net/test/spawned_test_server/spawned_test_server.h" | 58 #include "net/test/spawned_test_server/spawned_test_server.h" |
50 #include "testing/gmock/include/gmock/gmock.h" | 59 #include "testing/gmock/include/gmock/gmock.h" |
51 #include "testing/gtest/include/gtest/gtest.h" | 60 #include "testing/gtest/include/gtest/gtest.h" |
52 #include "testing/platform_test.h" | 61 #include "testing/platform_test.h" |
53 | 62 |
54 #if defined(USE_OPENSSL) | |
55 #include <errno.h> | |
56 #include <openssl/bio.h> | |
57 #include <openssl/evp.h> | |
58 #include <openssl/pem.h> | |
59 #include <string.h> | |
60 | |
61 #include "crypto/scoped_openssl_types.h" | |
62 #include "net/ssl/test_ssl_private_key.h" | |
63 #endif | |
64 | |
65 using testing::_; | 63 using testing::_; |
66 using testing::Return; | 64 using testing::Return; |
67 using testing::Truly; | 65 using testing::Truly; |
68 | 66 |
69 namespace net { | 67 namespace net { |
70 | 68 |
71 namespace { | 69 namespace { |
72 | 70 |
73 // WrappedStreamSocket is a base class that wraps an existing StreamSocket, | 71 // WrappedStreamSocket is a base class that wraps an existing StreamSocket, |
74 // forwarding the Socket and StreamSocket interfaces to the underlying | 72 // forwarding the Socket and StreamSocket interfaces to the underlying |
(...skipping 1421 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1496 // the ERR_IO_PENDING caused by SetReadShouldBlock() and thus return. | 1494 // the ERR_IO_PENDING caused by SetReadShouldBlock() and thus return. |
1497 SSLClientSocket* raw_sock = sock.get(); | 1495 SSLClientSocket* raw_sock = sock.get(); |
1498 DeleteSocketCallback read_callback(sock.release()); | 1496 DeleteSocketCallback read_callback(sock.release()); |
1499 scoped_refptr<IOBuffer> read_buf(new IOBuffer(4096)); | 1497 scoped_refptr<IOBuffer> read_buf(new IOBuffer(4096)); |
1500 rv = raw_sock->Read(read_buf.get(), 4096, read_callback.callback()); | 1498 rv = raw_sock->Read(read_buf.get(), 4096, read_callback.callback()); |
1501 | 1499 |
1502 // Ensure things didn't complete synchronously, otherwise |sock| is invalid. | 1500 // Ensure things didn't complete synchronously, otherwise |sock| is invalid. |
1503 ASSERT_EQ(ERR_IO_PENDING, rv); | 1501 ASSERT_EQ(ERR_IO_PENDING, rv); |
1504 ASSERT_FALSE(read_callback.have_result()); | 1502 ASSERT_FALSE(read_callback.have_result()); |
1505 | 1503 |
1506 #if !defined(USE_OPENSSL) | |
1507 // NSS follows a pattern where a call to PR_Write will only consume as | |
1508 // much data as it can encode into application data records before the | |
1509 // internal memio buffer is full, which should only fill if writing a large | |
1510 // amount of data and the underlying transport is blocked. Once this happens, | |
1511 // NSS will return (total size of all application data records it wrote) - 1, | |
1512 // with the caller expected to resume with the remaining unsent data. | |
1513 // | |
1514 // This causes SSLClientSocketNSS::Write to return that it wrote some data | |
1515 // before it will return ERR_IO_PENDING, so make an extra call to Write() to | |
1516 // get the socket in the state needed for the test below. | |
1517 // | |
1518 // This is not needed for OpenSSL, because for OpenSSL, | |
1519 // SSL_MODE_ENABLE_PARTIAL_WRITE is not specified - thus | |
1520 // SSLClientSocketOpenSSL::Write() will not return until all of | |
1521 // |request_buffer| has been written to the underlying BIO (although not | |
1522 // necessarily the underlying transport). | |
1523 rv = callback.GetResult(raw_sock->Write(request_buffer.get(), | |
1524 request_buffer->BytesRemaining(), | |
1525 callback.callback())); | |
1526 ASSERT_LT(0, rv); | |
1527 request_buffer->DidConsume(rv); | |
1528 | |
1529 // Guard to ensure that |request_buffer| was larger than all of the internal | |
1530 // buffers (transport, memio, NSS) along the way - otherwise the next call | |
1531 // to Write() will crash with an invalid buffer. | |
1532 ASSERT_LT(0, request_buffer->BytesRemaining()); | |
1533 #endif | |
1534 | |
1535 // Attempt to write the remaining data. NSS will not be able to consume the | 1504 // Attempt to write the remaining data. NSS will not be able to consume the |
1536 // application data because the internal buffers are full, while OpenSSL will | 1505 // application data because the internal buffers are full, while OpenSSL will |
1537 // return that its blocked because the underlying transport is blocked. | 1506 // return that its blocked because the underlying transport is blocked. |
1538 rv = raw_sock->Write(request_buffer.get(), | 1507 rv = raw_sock->Write(request_buffer.get(), |
1539 request_buffer->BytesRemaining(), | 1508 request_buffer->BytesRemaining(), |
1540 callback.callback()); | 1509 callback.callback()); |
1541 ASSERT_EQ(ERR_IO_PENDING, rv); | 1510 ASSERT_EQ(ERR_IO_PENDING, rv); |
1542 ASSERT_FALSE(callback.have_result()); | 1511 ASSERT_FALSE(callback.have_result()); |
1543 | 1512 |
1544 // Now unblock Write(), which will invoke OnSendComplete and (eventually) | 1513 // Now unblock Write(), which will invoke OnSendComplete and (eventually) |
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1634 ASSERT_LT(0, long_request_buffer->BytesRemaining()); | 1603 ASSERT_LT(0, long_request_buffer->BytesRemaining()); |
1635 } | 1604 } |
1636 } while (rv > 0); | 1605 } while (rv > 0); |
1637 | 1606 |
1638 EXPECT_EQ(ERR_CONNECTION_RESET, rv); | 1607 EXPECT_EQ(ERR_CONNECTION_RESET, rv); |
1639 | 1608 |
1640 // Release the read. | 1609 // Release the read. |
1641 raw_transport->UnblockReadResult(); | 1610 raw_transport->UnblockReadResult(); |
1642 rv = read_callback.WaitForResult(); | 1611 rv = read_callback.WaitForResult(); |
1643 | 1612 |
1644 #if defined(USE_OPENSSL) | |
1645 // Should still read bytes despite the write error. | 1613 // Should still read bytes despite the write error. |
1646 EXPECT_LT(0, rv); | 1614 EXPECT_LT(0, rv); |
1647 #else | |
1648 // NSS attempts to flush the write buffer in PR_Read on an SSL socket before | |
1649 // pumping the read state machine, unless configured with SSL_ENABLE_FDX, so | |
1650 // the write error stops future reads. | |
1651 EXPECT_EQ(ERR_CONNECTION_RESET, rv); | |
1652 #endif | |
1653 } | 1615 } |
1654 | 1616 |
1655 // Tests that SSLClientSocket fails the handshake if the underlying | 1617 // Tests that SSLClientSocket fails the handshake if the underlying |
1656 // transport is cleanly closed. | 1618 // transport is cleanly closed. |
1657 TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) { | 1619 TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) { |
1658 ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions())); | 1620 ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions())); |
1659 | 1621 |
1660 TestCompletionCallback callback; | 1622 TestCompletionCallback callback; |
1661 std::unique_ptr<StreamSocket> real_transport( | 1623 std::unique_ptr<StreamSocket> real_transport( |
1662 new TCPClientSocket(addr(), NULL, NULL, NetLog::Source())); | 1624 new TCPClientSocket(addr(), NULL, NULL, NetLog::Source())); |
(...skipping 603 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2266 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); | 2228 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); |
2267 ASSERT_TRUE(request_info.get()); | 2229 ASSERT_TRUE(request_info.get()); |
2268 ASSERT_EQ(2u, request_info->cert_authorities.size()); | 2230 ASSERT_EQ(2u, request_info->cert_authorities.size()); |
2269 EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen), | 2231 EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen), |
2270 request_info->cert_authorities[0]); | 2232 request_info->cert_authorities[0]); |
2271 EXPECT_EQ( | 2233 EXPECT_EQ( |
2272 std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen), | 2234 std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen), |
2273 request_info->cert_authorities[1]); | 2235 request_info->cert_authorities[1]); |
2274 } | 2236 } |
2275 | 2237 |
2276 // cert_key_types is currently only populated on OpenSSL. | |
2277 #if defined(USE_OPENSSL) | |
2278 TEST_F(SSLClientSocketCertRequestInfoTest, CertKeyTypes) { | 2238 TEST_F(SSLClientSocketCertRequestInfoTest, CertKeyTypes) { |
2279 SpawnedTestServer::SSLOptions ssl_options; | 2239 SpawnedTestServer::SSLOptions ssl_options; |
2280 ssl_options.request_client_certificate = true; | 2240 ssl_options.request_client_certificate = true; |
2281 ssl_options.client_cert_types.push_back(CLIENT_CERT_RSA_SIGN); | 2241 ssl_options.client_cert_types.push_back(CLIENT_CERT_RSA_SIGN); |
2282 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); | 2242 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN); |
2283 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); | 2243 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options); |
2284 ASSERT_TRUE(request_info.get()); | 2244 ASSERT_TRUE(request_info.get()); |
2285 ASSERT_EQ(2u, request_info->cert_key_types.size()); | 2245 ASSERT_EQ(2u, request_info->cert_key_types.size()); |
2286 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]); | 2246 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]); |
2287 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]); | 2247 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]); |
2288 } | 2248 } |
2289 #endif // defined(USE_OPENSSL) | |
2290 | 2249 |
2291 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) { | 2250 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) { |
2292 SpawnedTestServer::SSLOptions ssl_options; | 2251 SpawnedTestServer::SSLOptions ssl_options; |
2293 ssl_options.signed_cert_timestamps_tls_ext = "test"; | 2252 ssl_options.signed_cert_timestamps_tls_ext = "test"; |
2294 | 2253 |
2295 ASSERT_TRUE(StartTestServer(ssl_options)); | 2254 ASSERT_TRUE(StartTestServer(ssl_options)); |
2296 | 2255 |
2297 SSLConfig ssl_config; | 2256 SSLConfig ssl_config; |
2298 ssl_config.signed_cert_timestamps_enabled = true; | 2257 ssl_config.signed_cert_timestamps_enabled = true; |
2299 | 2258 |
(...skipping 532 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2832 | 2791 |
2833 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { | 2792 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { |
2834 // False Start requires NPN/ALPN, ECDHE, and an AEAD. | 2793 // False Start requires NPN/ALPN, ECDHE, and an AEAD. |
2835 SpawnedTestServer::SSLOptions server_options; | 2794 SpawnedTestServer::SSLOptions server_options; |
2836 server_options.key_exchanges = | 2795 server_options.key_exchanges = |
2837 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2796 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
2838 server_options.bulk_ciphers = | 2797 server_options.bulk_ciphers = |
2839 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2798 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2840 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2799 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2841 SSLConfig client_config; | 2800 SSLConfig client_config; |
2842 #if !defined(USE_OPENSSL) | |
2843 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2844 #endif | |
2845 client_config.npn_protos.push_back(kProtoHTTP11); | 2801 client_config.npn_protos.push_back(kProtoHTTP11); |
2846 ASSERT_NO_FATAL_FAILURE( | 2802 ASSERT_NO_FATAL_FAILURE( |
2847 TestFalseStart(server_options, client_config, true)); | 2803 TestFalseStart(server_options, client_config, true)); |
2848 } | 2804 } |
2849 | 2805 |
2850 // Test that False Start is disabled without NPN. | 2806 // Test that False Start is disabled without NPN. |
2851 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { | 2807 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { |
2852 SpawnedTestServer::SSLOptions server_options; | 2808 SpawnedTestServer::SSLOptions server_options; |
2853 server_options.key_exchanges = | 2809 server_options.key_exchanges = |
2854 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2810 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
2855 server_options.bulk_ciphers = | 2811 server_options.bulk_ciphers = |
2856 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2812 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2857 SSLConfig client_config; | 2813 SSLConfig client_config; |
2858 client_config.alpn_protos.clear(); | 2814 client_config.alpn_protos.clear(); |
2859 client_config.npn_protos.clear(); | 2815 client_config.npn_protos.clear(); |
2860 ASSERT_NO_FATAL_FAILURE( | 2816 ASSERT_NO_FATAL_FAILURE( |
2861 TestFalseStart(server_options, client_config, false)); | 2817 TestFalseStart(server_options, client_config, false)); |
2862 } | 2818 } |
2863 | 2819 |
2864 // Test that False Start is disabled with plain RSA ciphers. | 2820 // Test that False Start is disabled with plain RSA ciphers. |
2865 TEST_F(SSLClientSocketFalseStartTest, RSA) { | 2821 TEST_F(SSLClientSocketFalseStartTest, RSA) { |
2866 SpawnedTestServer::SSLOptions server_options; | 2822 SpawnedTestServer::SSLOptions server_options; |
2867 server_options.key_exchanges = | 2823 server_options.key_exchanges = |
2868 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | 2824 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; |
2869 server_options.bulk_ciphers = | 2825 server_options.bulk_ciphers = |
2870 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2826 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2871 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2827 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2872 SSLConfig client_config; | 2828 SSLConfig client_config; |
2873 #if !defined(USE_OPENSSL) | |
2874 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2875 #endif | |
2876 client_config.npn_protos.push_back(kProtoHTTP11); | 2829 client_config.npn_protos.push_back(kProtoHTTP11); |
2877 ASSERT_NO_FATAL_FAILURE( | 2830 ASSERT_NO_FATAL_FAILURE( |
2878 TestFalseStart(server_options, client_config, false)); | 2831 TestFalseStart(server_options, client_config, false)); |
2879 } | 2832 } |
2880 | 2833 |
2881 // Test that False Start is disabled with DHE_RSA ciphers. | 2834 // Test that False Start is disabled with DHE_RSA ciphers. |
2882 TEST_F(SSLClientSocketFalseStartTest, DHE_RSA) { | 2835 TEST_F(SSLClientSocketFalseStartTest, DHE_RSA) { |
2883 SpawnedTestServer::SSLOptions server_options; | 2836 SpawnedTestServer::SSLOptions server_options; |
2884 server_options.key_exchanges = | 2837 server_options.key_exchanges = |
2885 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2838 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; |
2886 server_options.bulk_ciphers = | 2839 server_options.bulk_ciphers = |
2887 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2840 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2888 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2841 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2889 SSLConfig client_config; | 2842 SSLConfig client_config; |
2890 #if !defined(USE_OPENSSL) | |
2891 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2892 #endif | |
2893 client_config.npn_protos.push_back(kProtoHTTP11); | 2843 client_config.npn_protos.push_back(kProtoHTTP11); |
2894 // DHE is only advertised when deprecated ciphers are enabled. | 2844 // DHE is only advertised when deprecated ciphers are enabled. |
2895 client_config.deprecated_cipher_suites_enabled = true; | 2845 client_config.deprecated_cipher_suites_enabled = true; |
2896 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); | 2846 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); |
2897 } | 2847 } |
2898 | 2848 |
2899 // Test that False Start is disabled without an AEAD. | 2849 // Test that False Start is disabled without an AEAD. |
2900 TEST_F(SSLClientSocketFalseStartTest, NoAEAD) { | 2850 TEST_F(SSLClientSocketFalseStartTest, NoAEAD) { |
2901 SpawnedTestServer::SSLOptions server_options; | 2851 SpawnedTestServer::SSLOptions server_options; |
2902 server_options.key_exchanges = | 2852 server_options.key_exchanges = |
2903 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2853 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
2904 server_options.bulk_ciphers = | 2854 server_options.bulk_ciphers = |
2905 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128; | 2855 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128; |
2906 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2856 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2907 SSLConfig client_config; | 2857 SSLConfig client_config; |
2908 #if !defined(USE_OPENSSL) | |
2909 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2910 #endif | |
2911 client_config.npn_protos.push_back(kProtoHTTP11); | 2858 client_config.npn_protos.push_back(kProtoHTTP11); |
2912 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); | 2859 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); |
2913 } | 2860 } |
2914 | 2861 |
2915 // Test that sessions are resumable after receiving the server Finished message. | 2862 // Test that sessions are resumable after receiving the server Finished message. |
2916 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { | 2863 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { |
2917 // Start a server. | 2864 // Start a server. |
2918 SpawnedTestServer::SSLOptions server_options; | 2865 SpawnedTestServer::SSLOptions server_options; |
2919 server_options.key_exchanges = | 2866 server_options.key_exchanges = |
2920 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2867 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
2921 server_options.bulk_ciphers = | 2868 server_options.bulk_ciphers = |
2922 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2869 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2923 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2870 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2924 SSLConfig client_config; | 2871 SSLConfig client_config; |
2925 #if !defined(USE_OPENSSL) | |
2926 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2927 #endif | |
2928 client_config.npn_protos.push_back(kProtoHTTP11); | 2872 client_config.npn_protos.push_back(kProtoHTTP11); |
2929 | 2873 |
2930 // Let a full handshake complete with False Start. | 2874 // Let a full handshake complete with False Start. |
2931 ASSERT_NO_FATAL_FAILURE( | 2875 ASSERT_NO_FATAL_FAILURE( |
2932 TestFalseStart(server_options, client_config, true)); | 2876 TestFalseStart(server_options, client_config, true)); |
2933 | 2877 |
2934 // Make a second connection. | 2878 // Make a second connection. |
2935 int rv; | 2879 int rv; |
2936 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 2880 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
2937 EXPECT_EQ(OK, rv); | 2881 EXPECT_EQ(OK, rv); |
(...skipping 10 matching lines...) Expand all Loading... |
2948 // Start a server. | 2892 // Start a server. |
2949 SpawnedTestServer::SSLOptions server_options; | 2893 SpawnedTestServer::SSLOptions server_options; |
2950 server_options.key_exchanges = | 2894 server_options.key_exchanges = |
2951 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2895 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
2952 server_options.bulk_ciphers = | 2896 server_options.bulk_ciphers = |
2953 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2897 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
2954 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2898 server_options.npn_protocols.push_back(std::string("http/1.1")); |
2955 ASSERT_TRUE(StartTestServer(server_options)); | 2899 ASSERT_TRUE(StartTestServer(server_options)); |
2956 | 2900 |
2957 SSLConfig client_config; | 2901 SSLConfig client_config; |
2958 #if !defined(USE_OPENSSL) | |
2959 client_config.alpn_protos.push_back(kProtoHTTP11); | |
2960 #endif | |
2961 client_config.npn_protos.push_back(kProtoHTTP11); | 2902 client_config.npn_protos.push_back(kProtoHTTP11); |
2962 | 2903 |
2963 // Start a handshake up to the server Finished message. | 2904 // Start a handshake up to the server Finished message. |
2964 TestCompletionCallback callback; | 2905 TestCompletionCallback callback; |
2965 FakeBlockingStreamSocket* raw_transport1 = NULL; | 2906 FakeBlockingStreamSocket* raw_transport1 = NULL; |
2966 std::unique_ptr<SSLClientSocket> sock1; | 2907 std::unique_ptr<SSLClientSocket> sock1; |
2967 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | 2908 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( |
2968 client_config, &callback, &raw_transport1, &sock1)); | 2909 client_config, &callback, &raw_transport1, &sock1)); |
2969 // Although raw_transport1 has the server Finished blocked, the handshake | 2910 // Although raw_transport1 has the server Finished blocked, the handshake |
2970 // still completes. | 2911 // still completes. |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3005 // Start a server. | 2946 // Start a server. |
3006 SpawnedTestServer::SSLOptions server_options; | 2947 SpawnedTestServer::SSLOptions server_options; |
3007 server_options.key_exchanges = | 2948 server_options.key_exchanges = |
3008 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; | 2949 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
3009 server_options.bulk_ciphers = | 2950 server_options.bulk_ciphers = |
3010 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2951 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
3011 server_options.npn_protocols.push_back(std::string("http/1.1")); | 2952 server_options.npn_protocols.push_back(std::string("http/1.1")); |
3012 ASSERT_TRUE(StartTestServer(server_options)); | 2953 ASSERT_TRUE(StartTestServer(server_options)); |
3013 | 2954 |
3014 SSLConfig client_config; | 2955 SSLConfig client_config; |
3015 #if !defined(USE_OPENSSL) | |
3016 client_config.alpn_protos.push_back(kProtoHTTP11); | |
3017 #endif | |
3018 client_config.npn_protos.push_back(kProtoHTTP11); | 2956 client_config.npn_protos.push_back(kProtoHTTP11); |
3019 | 2957 |
3020 // Start a handshake up to the server Finished message. | 2958 // Start a handshake up to the server Finished message. |
3021 TestCompletionCallback callback; | 2959 TestCompletionCallback callback; |
3022 FakeBlockingStreamSocket* raw_transport1 = NULL; | 2960 FakeBlockingStreamSocket* raw_transport1 = NULL; |
3023 std::unique_ptr<SSLClientSocket> sock1; | 2961 std::unique_ptr<SSLClientSocket> sock1; |
3024 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | 2962 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( |
3025 client_config, &callback, &raw_transport1, &sock1)); | 2963 client_config, &callback, &raw_transport1, &sock1)); |
3026 // Although raw_transport1 has the server Finished blocked, the handshake | 2964 // Although raw_transport1 has the server Finished blocked, the handshake |
3027 // still completes. | 2965 // still completes. |
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3154 EXPECT_TRUE(ssl_info.channel_id_sent); | 3092 EXPECT_TRUE(ssl_info.channel_id_sent); |
3155 } | 3093 } |
3156 | 3094 |
3157 TEST_F(SSLClientSocketTest, NPN) { | 3095 TEST_F(SSLClientSocketTest, NPN) { |
3158 SpawnedTestServer::SSLOptions server_options; | 3096 SpawnedTestServer::SSLOptions server_options; |
3159 server_options.npn_protocols.push_back(std::string("spdy/3.1")); | 3097 server_options.npn_protocols.push_back(std::string("spdy/3.1")); |
3160 server_options.npn_protocols.push_back(std::string("h2")); | 3098 server_options.npn_protocols.push_back(std::string("h2")); |
3161 ASSERT_TRUE(StartTestServer(server_options)); | 3099 ASSERT_TRUE(StartTestServer(server_options)); |
3162 | 3100 |
3163 SSLConfig client_config; | 3101 SSLConfig client_config; |
3164 #if !defined(USE_OPENSSL) | |
3165 client_config.alpn_protos.push_back(kProtoHTTP2); | |
3166 client_config.alpn_protos.push_back(kProtoHTTP11); | |
3167 #endif | |
3168 client_config.npn_protos.push_back(kProtoHTTP2); | 3102 client_config.npn_protos.push_back(kProtoHTTP2); |
3169 client_config.npn_protos.push_back(kProtoHTTP11); | 3103 client_config.npn_protos.push_back(kProtoHTTP11); |
3170 | 3104 |
3171 int rv; | 3105 int rv; |
3172 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3106 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
3173 EXPECT_EQ(OK, rv); | 3107 EXPECT_EQ(OK, rv); |
3174 | 3108 |
3175 std::string proto; | 3109 std::string proto; |
3176 EXPECT_EQ(SSLClientSocket::kNextProtoNegotiated, sock_->GetNextProto(&proto)); | 3110 EXPECT_EQ(SSLClientSocket::kNextProtoNegotiated, sock_->GetNextProto(&proto)); |
3177 EXPECT_EQ("h2", proto); | 3111 EXPECT_EQ("h2", proto); |
3178 } | 3112 } |
3179 | 3113 |
3180 // In case of no overlap between client and server list, SSLClientSocket should | 3114 // In case of no overlap between client and server list, SSLClientSocket should |
3181 // fall back to last one on the client list. | 3115 // fall back to last one on the client list. |
3182 TEST_F(SSLClientSocketTest, NPNNoOverlap) { | 3116 TEST_F(SSLClientSocketTest, NPNNoOverlap) { |
3183 SpawnedTestServer::SSLOptions server_options; | 3117 SpawnedTestServer::SSLOptions server_options; |
3184 server_options.npn_protocols.push_back(std::string("http/1.1")); | 3118 server_options.npn_protocols.push_back(std::string("http/1.1")); |
3185 ASSERT_TRUE(StartTestServer(server_options)); | 3119 ASSERT_TRUE(StartTestServer(server_options)); |
3186 | 3120 |
3187 SSLConfig client_config; | 3121 SSLConfig client_config; |
3188 #if !defined(USE_OPENSSL) | |
3189 client_config.alpn_protos.push_back(kProtoSPDY31); | |
3190 client_config.alpn_protos.push_back(kProtoHTTP2); | |
3191 #endif | |
3192 client_config.npn_protos.push_back(kProtoSPDY31); | 3122 client_config.npn_protos.push_back(kProtoSPDY31); |
3193 client_config.npn_protos.push_back(kProtoHTTP2); | 3123 client_config.npn_protos.push_back(kProtoHTTP2); |
3194 | 3124 |
3195 int rv; | 3125 int rv; |
3196 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3126 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
3197 EXPECT_EQ(OK, rv); | 3127 EXPECT_EQ(OK, rv); |
3198 | 3128 |
3199 std::string proto; | 3129 std::string proto; |
3200 EXPECT_EQ(SSLClientSocket::kNextProtoNoOverlap, sock_->GetNextProto(&proto)); | 3130 EXPECT_EQ(SSLClientSocket::kNextProtoNoOverlap, sock_->GetNextProto(&proto)); |
3201 EXPECT_EQ("h2", proto); | 3131 EXPECT_EQ("h2", proto); |
3202 } | 3132 } |
3203 | 3133 |
3204 // Server preference should be respected. The list is in decreasing order of | 3134 // Server preference should be respected. The list is in decreasing order of |
3205 // preference. | 3135 // preference. |
3206 TEST_F(SSLClientSocketTest, NPNServerPreference) { | 3136 TEST_F(SSLClientSocketTest, NPNServerPreference) { |
3207 SpawnedTestServer::SSLOptions server_options; | 3137 SpawnedTestServer::SSLOptions server_options; |
3208 server_options.npn_protocols.push_back(std::string("spdy/3.1")); | 3138 server_options.npn_protocols.push_back(std::string("spdy/3.1")); |
3209 server_options.npn_protocols.push_back(std::string("h2")); | 3139 server_options.npn_protocols.push_back(std::string("h2")); |
3210 ASSERT_TRUE(StartTestServer(server_options)); | 3140 ASSERT_TRUE(StartTestServer(server_options)); |
3211 | 3141 |
3212 SSLConfig client_config; | 3142 SSLConfig client_config; |
3213 #if !defined(USE_OPENSSL) | |
3214 client_config.alpn_protos.push_back(kProtoHTTP2); | |
3215 client_config.alpn_protos.push_back(kProtoSPDY31); | |
3216 #endif | |
3217 client_config.npn_protos.push_back(kProtoHTTP2); | 3143 client_config.npn_protos.push_back(kProtoHTTP2); |
3218 client_config.npn_protos.push_back(kProtoSPDY31); | 3144 client_config.npn_protos.push_back(kProtoSPDY31); |
3219 | 3145 |
3220 int rv; | 3146 int rv; |
3221 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3147 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
3222 EXPECT_EQ(OK, rv); | 3148 EXPECT_EQ(OK, rv); |
3223 | 3149 |
3224 std::string proto; | 3150 std::string proto; |
3225 EXPECT_EQ(SSLClientSocket::kNextProtoNegotiated, sock_->GetNextProto(&proto)); | 3151 EXPECT_EQ(SSLClientSocket::kNextProtoNegotiated, sock_->GetNextProto(&proto)); |
3226 EXPECT_EQ("spdy/3.1", proto); | 3152 EXPECT_EQ("spdy/3.1", proto); |
(...skipping 17 matching lines...) Expand all Loading... |
3244 std::string proto; | 3170 std::string proto; |
3245 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, | 3171 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, |
3246 sock_->GetNextProto(&proto)); | 3172 sock_->GetNextProto(&proto)); |
3247 } | 3173 } |
3248 | 3174 |
3249 TEST_F(SSLClientSocketTest, NPNServerDisabled) { | 3175 TEST_F(SSLClientSocketTest, NPNServerDisabled) { |
3250 SpawnedTestServer::SSLOptions server_options; | 3176 SpawnedTestServer::SSLOptions server_options; |
3251 ASSERT_TRUE(StartTestServer(server_options)); | 3177 ASSERT_TRUE(StartTestServer(server_options)); |
3252 | 3178 |
3253 SSLConfig client_config; | 3179 SSLConfig client_config; |
3254 #if !defined(USE_OPENSSL) | |
3255 client_config.alpn_protos.push_back(kProtoHTTP11); | |
3256 #endif | |
3257 client_config.npn_protos.push_back(kProtoHTTP11); | 3180 client_config.npn_protos.push_back(kProtoHTTP11); |
3258 | 3181 |
3259 int rv; | 3182 int rv; |
3260 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); | 3183 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv)); |
3261 EXPECT_EQ(OK, rv); | 3184 EXPECT_EQ(OK, rv); |
3262 | 3185 |
3263 std::string proto; | 3186 std::string proto; |
3264 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, | 3187 EXPECT_EQ(SSLClientSocket::kNextProtoUnsupported, |
3265 sock_->GetNextProto(&proto)); | 3188 sock_->GetNextProto(&proto)); |
3266 } | 3189 } |
3267 | 3190 |
3268 // Client auth is not supported in NSS ports. | |
3269 #if defined(USE_OPENSSL) | |
3270 | |
3271 namespace { | 3191 namespace { |
3272 | 3192 |
3273 // Loads a PEM-encoded private key file into a SSLPrivateKey object. | 3193 // Loads a PEM-encoded private key file into a SSLPrivateKey object. |
3274 // |filepath| is the private key file path. | 3194 // |filepath| is the private key file path. |
3275 // Returns the new SSLPrivateKey. | 3195 // Returns the new SSLPrivateKey. |
3276 scoped_refptr<SSLPrivateKey> LoadPrivateKeyOpenSSL( | 3196 scoped_refptr<SSLPrivateKey> LoadPrivateKeyOpenSSL( |
3277 const base::FilePath& filepath) { | 3197 const base::FilePath& filepath) { |
3278 std::string data; | 3198 std::string data; |
3279 if (!base::ReadFileToString(filepath, &data)) { | 3199 if (!base::ReadFileToString(filepath, &data)) { |
3280 LOG(ERROR) << "Could not read private key file: " << filepath.value(); | 3200 LOG(ERROR) << "Could not read private key file: " << filepath.value(); |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3363 EXPECT_EQ(OK, rv); | 3283 EXPECT_EQ(OK, rv); |
3364 EXPECT_TRUE(sock_->IsConnected()); | 3284 EXPECT_TRUE(sock_->IsConnected()); |
3365 | 3285 |
3366 SSLInfo ssl_info; | 3286 SSLInfo ssl_info; |
3367 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | 3287 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
3368 EXPECT_TRUE(ssl_info.client_cert_sent); | 3288 EXPECT_TRUE(ssl_info.client_cert_sent); |
3369 | 3289 |
3370 sock_->Disconnect(); | 3290 sock_->Disconnect(); |
3371 EXPECT_FALSE(sock_->IsConnected()); | 3291 EXPECT_FALSE(sock_->IsConnected()); |
3372 } | 3292 } |
3373 #endif // defined(USE_OPENSSL) | |
3374 | 3293 |
3375 } // namespace net | 3294 } // namespace net |
OLD | NEW |