Improve error pages on client certificate failures.

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include <errno.h>
 #include <string.h>
 
 #include <utility>
@@ skipping 270 matching lines @@
   if (result == ERR_IO_PENDING)
     return;
 
   user_read_buf_ = NULL;
   base::ResetAndReturn(&user_read_callback_).Run(result);
 }
 
 // Simulates synchronously receiving an error during Read() or Write()
 class SynchronousErrorStreamSocket : public WrappedStreamSocket {
  public:
-  explicit SynchronousErrorStreamSocket(
-      std::unique_ptr<StreamSocket> transport);
+  explicit SynchronousErrorStreamSocket(std::unique_ptr<StreamSocket> transport)
+      : WrappedStreamSocket(std::move(transport)) {}
   ~SynchronousErrorStreamSocket() override {}
 
   // Socket implementation:
   int Read(IOBuffer* buf,
            int buf_len,
            const CompletionCallback& callback) override;
   int Write(IOBuffer* buf,
             int buf_len,
             const CompletionCallback& callback) override;
 
@@ skipping 11 matching lines @@
   // If there is already a pending asynchronous write, the configured error
   // will not be returned until that asynchronous write has completed and
   // Write() is called again.
   void SetNextWriteError(int error) {
     DCHECK_GE(0, error);
     have_write_error_ = true;
     pending_write_error_ = error;
   }
 
  private:
-  bool have_read_error_;
-  int pending_read_error_;
+  bool have_read_error_ = false;
+  int pending_read_error_ = OK;
 
-  bool have_write_error_;
-  int pending_write_error_;
+  bool have_write_error_ = false;
+  int pending_write_error_ = OK;
 
   DISALLOW_COPY_AND_ASSIGN(SynchronousErrorStreamSocket);
 };
 
-SynchronousErrorStreamSocket::SynchronousErrorStreamSocket(
-    std::unique_ptr<StreamSocket> transport)
-    : WrappedStreamSocket(std::move(transport)),
-      have_read_error_(false),
-      pending_read_error_(OK),
-      have_write_error_(false),
-      pending_write_error_(OK) {}
-
 int SynchronousErrorStreamSocket::Read(IOBuffer* buf,
                                        int buf_len,
                                        const CompletionCallback& callback) {
   if (have_read_error_)
     return pending_read_error_;
   return transport_->Read(buf, buf_len, callback);
 }
 
 int SynchronousErrorStreamSocket::Write(IOBuffer* buf,
                                         int buf_len,
                                         const CompletionCallback& callback) {
   if (have_write_error_)
     return pending_write_error_;
   return transport_->Write(buf, buf_len, callback);
 }
 
 // FakeBlockingStreamSocket wraps an existing StreamSocket and simulates the
 // underlying transport needing to complete things asynchronously in a
 // deterministic manner (e.g.: independent of the TestServer and the OS's
 // semantics).
 class FakeBlockingStreamSocket : public WrappedStreamSocket {
  public:
-  explicit FakeBlockingStreamSocket(std::unique_ptr<StreamSocket> transport);
+  explicit FakeBlockingStreamSocket(std::unique_ptr<StreamSocket> transport)
+      : WrappedStreamSocket(std::move(transport)) {}
   ~FakeBlockingStreamSocket() override {}
 
   // Socket implementation:
   int Read(IOBuffer* buf,
            int buf_len,
            const CompletionCallback& callback) override;
   int Write(IOBuffer* buf,
             int buf_len,
             const CompletionCallback& callback) override;
 
   int pending_read_result() const { return pending_read_result_; }
   IOBuffer* pending_read_buf() const { return pending_read_buf_.get(); }
 
   // Blocks read results on the socket. Reads will not complete until
   // UnblockReadResult() has been called and a result is ready from the
   // underlying transport. Note: if BlockReadResult() is called while there is a
   // hanging asynchronous Read(), that Read is blocked.
   void BlockReadResult();
   void UnblockReadResult();
 
+  // Replaces the pending read with |data|. Returns true on success or false if
+  // the caller's reads were too small.
+  bool ReplaceReadResult(const std::string& data);
+
   // Waits for the blocked Read() call to be complete at the underlying
   // transport.
   void WaitForReadResult();
 
   // Causes the next call to Write() to return ERR_IO_PENDING, not beginning the
   // underlying transport until UnblockWrite() has been called. Note: if there
   // is a pending asynchronous write, it is NOT blocked. For purposes of
   // blocking writes, data is considered to have reached the underlying
   // transport as soon as Write() is called.
   void BlockWrite();
   void UnblockWrite();
 
   // Waits for the blocked Write() call to be scheduled.
   void WaitForWrite();
 
  private:
   // Handles completion from the underlying transport read.
   void OnReadCompleted(int result);
 
+  // Finishes the current read.
+  void ReturnReadResult();
+
   // True if read callbacks are blocked.
-  bool should_block_read_;
+  bool should_block_read_ = false;
 
   // The buffer for the pending read, or NULL if not consumed.
   scoped_refptr<IOBuffer> pending_read_buf_;
 
+  // The size of the pending read buffer, or -1 if not set.
+  int pending_read_buf_len_ = -1;
+
   // The user callback for the pending read call.
   CompletionCallback pending_read_callback_;
 
   // The result for the blocked read callback, or ERR_IO_PENDING if not
   // completed.
-  int pending_read_result_;
+  int pending_read_result_ = ERR_IO_PENDING;
 
   // WaitForReadResult() wait loop.
   std::unique_ptr<base::RunLoop> read_loop_;
 
   // True if write calls are blocked.
-  bool should_block_write_;
+  bool should_block_write_ = false;
 
   // The buffer for the pending write, or NULL if not scheduled.
   scoped_refptr<IOBuffer> pending_write_buf_;
 
   // The callback for the pending write call.
   CompletionCallback pending_write_callback_;
 
   // The length for the pending write, or -1 if not scheduled.
-  int pending_write_len_;
+  int pending_write_len_ = -1;
 
   // WaitForWrite() wait loop.
   std::unique_ptr<base::RunLoop> write_loop_;
 };
 
-FakeBlockingStreamSocket::FakeBlockingStreamSocket(
-    std::unique_ptr<StreamSocket> transport)
-    : WrappedStreamSocket(std::move(transport)),
-      should_block_read_(false),
-      pending_read_result_(ERR_IO_PENDING),
-      should_block_write_(false),
-      pending_write_len_(-1) {}
-
 int FakeBlockingStreamSocket::Read(IOBuffer* buf,
                                    int len,
                                    const CompletionCallback& callback) {
   DCHECK(!pending_read_buf_);
   DCHECK(pending_read_callback_.is_null());
   DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
   DCHECK(!callback.is_null());
 
   int rv = transport_->Read(buf, len, base::Bind(
       &FakeBlockingStreamSocket::OnReadCompleted, base::Unretained(this)));
-  if (rv == ERR_IO_PENDING) {
+  if (rv == ERR_IO_PENDING || should_block_read_) {
     // Save the callback to be called later.
     pending_read_buf_ = buf;
+    pending_read_buf_len_ = len;
     pending_read_callback_ = callback;
-  } else if (should_block_read_) {
-    // Save the callback and read result to be called later.
-    pending_read_buf_ = buf;
-    pending_read_callback_ = callback;
-    OnReadCompleted(rv);
-    rv = ERR_IO_PENDING;
+    // Save the read result.
+    if (rv != ERR_IO_PENDING) {
+      OnReadCompleted(rv);
+      rv = ERR_IO_PENDING;
+    }
   }
   return rv;
 }
 
 int FakeBlockingStreamSocket::Write(IOBuffer* buf,
                                     int len,
                                     const CompletionCallback& callback) {
   DCHECK(buf);
   DCHECK_LE(0, len);
 
@@ skipping 17 matching lines @@
 
 void FakeBlockingStreamSocket::BlockReadResult() {
   DCHECK(!should_block_read_);
   should_block_read_ = true;
 }
 
 void FakeBlockingStreamSocket::UnblockReadResult() {
   DCHECK(should_block_read_);
   should_block_read_ = false;
 
-  // If the operation is still pending in the underlying transport, immediately
-  // return - OnReadCompleted() will handle invoking the callback once the
-  // transport has completed.
-  if (pending_read_result_ == ERR_IO_PENDING)
-    return;
-  int result = pending_read_result_;
-  pending_read_buf_ = nullptr;
-  pending_read_result_ = ERR_IO_PENDING;
-  base::ResetAndReturn(&pending_read_callback_).Run(result);
+  // If the operation has since completed, return the result to the caller.
+  if (pending_read_result_ != ERR_IO_PENDING)
+    ReturnReadResult();
+}
+
+bool FakeBlockingStreamSocket::ReplaceReadResult(const std::string& data) {
+  DCHECK(should_block_read_);
+  DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
+  DCHECK(pending_read_buf_);
+  DCHECK_NE(-1, pending_read_buf_len_);
+
+  if (static_cast<size_t>(pending_read_buf_len_) < data.size())
+    return false;
+
+  memcpy(pending_read_buf_->data(), data.data(), data.size());
+  pending_read_result_ = data.size();
+  return true;
 }
 
 void FakeBlockingStreamSocket::WaitForReadResult() {
   DCHECK(should_block_read_);
   DCHECK(!read_loop_);
 
   if (pending_read_result_ != ERR_IO_PENDING)
     return;
   read_loop_.reset(new base::RunLoop);
   read_loop_->Run();
@@ skipping 35 matching lines @@
   write_loop_.reset(new base::RunLoop);
   write_loop_->Run();
   write_loop_.reset();
   DCHECK(pending_write_buf_.get());
 }
 
 void FakeBlockingStreamSocket::OnReadCompleted(int result) {
   DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
   DCHECK(!pending_read_callback_.is_null());
 
+  pending_read_result_ = result;
+
   if (should_block_read_) {
-    // Store the result so that the callback can be invoked once Unblock() is
-    // called.
-    pending_read_result_ = result;
-
-    // Stop the WaitForReadResult() call if any.
+    // Defer the result until UnblockReadResult is called.
     if (read_loop_)
       read_loop_->Quit();
-  } else {
-    // Either the Read() was never blocked or UnblockReadResult() was called
-    // before the Read() completed. Either way, return the result to the caller.
-    pending_read_buf_ = nullptr;
-    base::ResetAndReturn(&pending_read_callback_).Run(result);
+    return;
   }
+
+  ReturnReadResult();
+}
+
+void FakeBlockingStreamSocket::ReturnReadResult() {
+  int result = pending_read_result_;
+  pending_read_result_ = ERR_IO_PENDING;
+  pending_read_buf_ = nullptr;
+  pending_read_buf_len_ = -1;
+  base::ResetAndReturn(&pending_read_callback_).Run(result);
 }
 
 // CountingStreamSocket wraps an existing StreamSocket and maintains a count of
 // reads and writes on the socket.
 class CountingStreamSocket : public WrappedStreamSocket {
  public:
   explicit CountingStreamSocket(std::unique_ptr<StreamSocket> transport)
       : WrappedStreamSocket(std::move(transport)),
         read_count_(0),
         write_count_(0) {}
@@ skipping 425 matching lines @@
   void EnableAsyncFailingChannelID() {
     channel_id_service_.reset(new ChannelIDService(
         new AsyncFailingChannelIDStore(), base::ThreadTaskRunnerHandle::Get()));
     context_.channel_id_service = channel_id_service_.get();
   }
 
  private:
   std::unique_ptr<ChannelIDService> channel_id_service_;
 };
 
+// Returns a serialized unencrypted TLS 1.2 alert record for the given alert
+// value.
+std::string FormatTLS12Alert(uint8_t alert) {
+  std::string ret;
+  // ContentType.alert
+  ret.push_back(21);
+  // Record-layer version. Assume TLS 1.2.
+  ret.push_back(0x03);
+  ret.push_back(0x03);
+  // Record length.
+  ret.push_back(0);
+  ret.push_back(2);
+  // AlertLevel.fatal.
+  ret.push_back(2);
+  // The alert itself.
+  ret.push_back(alert);
+  return ret;
+}
+
 }  // namespace
 
 TEST_F(SSLClientSocketTest, Connect) {
   ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
 
   TestCompletionCallback callback;
   TestNetLog log;
   std::unique_ptr<StreamSocket> transport(
       new TCPClientSocket(addr(), NULL, &log, NetLog::Source()));
   int rv = callback.GetResult(transport->Connect(callback.callback()));
@@ skipping 2239 matching lines @@
   ssl_options.request_client_certificate = true;
   ssl_options.client_authorities.push_back(
       GetTestClientCertsDirectory().AppendASCII("client_1_ca.pem"));
 
   ASSERT_TRUE(StartTestServer(ssl_options));
 
   base::FilePath certs_dir = GetTestCertsDirectory();
   SSLConfig ssl_config;
   ssl_config.send_client_cert = true;
   ssl_config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
-
-  // This is required to ensure that signing works with the client
-  // certificate's private key.
   ssl_config.client_private_key =
       LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
 
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(sock_->IsConnected());
 
   SSLInfo ssl_info;
@@ skipping 170 matching lines @@
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
 
   EXPECT_THAT(rv, IsError(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN));
   EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PINNED_KEY_MISSING);
   EXPECT_TRUE(ssl_info.cert_status &
               CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
   EXPECT_TRUE(sock_->IsConnected());
 }
 
+// Test that handshake_failure alerts at the ServerHello are mapped to
+// ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
+TEST_F(SSLClientSocketTest, HandshakeFailureServerHello) {
+  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(),
+      SSLConfig()));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
+}
+
+// Test that handshake_failure alerts after the ServerHello but without a
+// CertificateRequest are mapped to ERR_SSL_PROTOCOL_ERROR.
+TEST_F(SSLClientSocketTest, HandshakeFailureNoClientCerts) {
+  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(),
+      SSLConfig()));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Release the ServerHello and wait for the client to write its second flight.
+  raw_transport->BlockWrite();
+  raw_transport->UnblockReadResult();
+  raw_transport->WaitForWrite();
+
+  // Wait for the server's final flight.
+  raw_transport->BlockReadResult();
+  raw_transport->UnblockWrite();
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
+}
+
+// Test that handshake_failure alerts after the ServerHello map to
+// ERR_BAD_SSL_CLIENT_AUTH_CERT if a client certificate was requested but not
+// supplied. TLS does not have an alert for this case, so handshake_failure is
+// common. See https://crbug.com/646567.
+TEST_F(SSLClientSocketTest, LateHandshakeFailureMissingClientCerts) {
+  // Request a client certificate.
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.request_client_certificate = true;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  // Send no client certificate.
+  SSLConfig config;
+  config.send_client_cert = true;
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(), config));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Release the ServerHello and wait for the client to write its second flight.
+  raw_transport->BlockWrite();
+  raw_transport->UnblockReadResult();
+  raw_transport->WaitForWrite();
+
+  // Wait for the server's final flight.
+  raw_transport->BlockReadResult();
+  raw_transport->UnblockWrite();
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
+}
+
+// Test that handshake_failure alerts after the ServerHello map to
+// ERR_SSL_PROTOCOL_ERROR if received after sending a client certificate. It is
+// assumed servers will send a more appropriate alert in this case.
+TEST_F(SSLClientSocketTest, LateHandshakeFailureSendClientCerts) {
+  // Request a client certificate.
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.request_client_certificate = true;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  // Send a client certificate.
+  base::FilePath certs_dir = GetTestCertsDirectory();
+  SSLConfig config;
+  config.send_client_cert = true;
+  config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
+  config.client_private_key =
+      LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"));
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(), config));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Release the ServerHello and wait for the client to write its second flight.
+  raw_transport->BlockWrite();
+  raw_transport->UnblockReadResult();
+  raw_transport->WaitForWrite();
+
+  // Wait for the server's final flight.
+  raw_transport->BlockReadResult();
+  raw_transport->UnblockWrite();
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
+}
+
+// Test that access_denied alerts are mapped to ERR_SSL_PROTOCOL_ERROR if
+// received on a connection not requesting client certificates. This is an
+// incorrect use of the alert but is common. See https://crbug.com/630883.
+TEST_F(SSLClientSocketTest, AccessDeniedNoClientCerts) {
+  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(),
+      SSLConfig()));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Release the ServerHello and wait for the client to write its second flight.
+  raw_transport->BlockWrite();
+  raw_transport->UnblockReadResult();
+  raw_transport->WaitForWrite();
+
+  // Wait for the server's final flight.
+  raw_transport->BlockReadResult();
+  raw_transport->UnblockWrite();
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(49 /* AlertDescription.access_denied */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
+}
+
+// Test that access_denied alerts are mapped to ERR_BAD_SSL_CLIENT_AUTH_CERT if
+// received on a connection requesting client certificates.
+TEST_F(SSLClientSocketTest, AccessDeniedClientCerts) {
+  // Request a client certificate.
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.request_client_certificate = true;
+  ASSERT_TRUE(StartTestServer(ssl_options));
+
+  TestCompletionCallback callback;
+  std::unique_ptr<StreamSocket> real_transport(
+      new TCPClientSocket(addr(), NULL, NULL, NetLog::Source()));
+  std::unique_ptr<FakeBlockingStreamSocket> transport(
+      new FakeBlockingStreamSocket(std::move(real_transport)));
+  FakeBlockingStreamSocket* raw_transport = transport.get();
+  int rv = callback.GetResult(transport->Connect(callback.callback()));
+  ASSERT_THAT(rv, IsOk());
+
+  // Send a client certificate.
+  base::FilePath certs_dir = GetTestCertsDirectory();
+  SSLConfig config;
+  config.send_client_cert = true;
+  config.client_cert = ImportCertFromFile(certs_dir, "client_1.pem");
+  config.client_private_key =
+      LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key"));
+  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      std::move(transport), spawned_test_server()->host_port_pair(), config));
+
+  // Connect. Stop before the client processes ServerHello.
+  raw_transport->BlockReadResult();
+  rv = sock->Connect(callback.callback());
+  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  raw_transport->WaitForReadResult();
+
+  // Release the ServerHello and wait for the client to write its second flight.
+  raw_transport->BlockWrite();
+  raw_transport->UnblockReadResult();
+  raw_transport->WaitForWrite();
+
+  // Wait for the server's final flight.
+  raw_transport->BlockReadResult();
+  raw_transport->UnblockWrite();
+  raw_transport->WaitForReadResult();
+
+  // Replace it with an alert.
+  raw_transport->ReplaceReadResult(
+      FormatTLS12Alert(49 /* AlertDescription.access_denied */));
+  raw_transport->UnblockReadResult();
+
+  rv = callback.GetResult(rv);
+  EXPECT_THAT(rv, IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
+}
+
 }  // namespace net