OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "net/base/address_list.h" | 10 #include "net/base/address_list.h" |
11 #include "net/base/io_buffer.h" | 11 #include "net/base/io_buffer.h" |
12 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
13 #include "net/base/net_log.h" | 13 #include "net/base/net_log.h" |
14 #include "net/base/net_log_unittest.h" | 14 #include "net/base/net_log_unittest.h" |
15 #include "net/base/test_completion_callback.h" | 15 #include "net/base/test_completion_callback.h" |
16 #include "net/base/test_data_directory.h" | 16 #include "net/base/test_data_directory.h" |
17 #include "net/cert/mock_cert_verifier.h" | 17 #include "net/cert/mock_cert_verifier.h" |
18 #include "net/cert/test_root_certs.h" | 18 #include "net/cert/test_root_certs.h" |
19 #include "net/dns/host_resolver.h" | 19 #include "net/dns/host_resolver.h" |
20 #include "net/http/transport_security_state.h" | 20 #include "net/http/transport_security_state.h" |
21 #include "net/socket/client_socket_factory.h" | 21 #include "net/socket/client_socket_factory.h" |
22 #include "net/socket/client_socket_handle.h" | 22 #include "net/socket/client_socket_handle.h" |
23 #include "net/socket/socket_test_util.h" | 23 #include "net/socket/socket_test_util.h" |
24 #include "net/socket/tcp_client_socket.h" | 24 #include "net/socket/tcp_client_socket.h" |
25 #include "net/ssl/default_server_bound_cert_store.h" | |
25 #include "net/ssl/ssl_cert_request_info.h" | 26 #include "net/ssl/ssl_cert_request_info.h" |
26 #include "net/ssl/ssl_config_service.h" | 27 #include "net/ssl/ssl_config_service.h" |
27 #include "net/test/cert_test_util.h" | 28 #include "net/test/cert_test_util.h" |
28 #include "net/test/spawned_test_server/spawned_test_server.h" | 29 #include "net/test/spawned_test_server/spawned_test_server.h" |
29 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
30 #include "testing/platform_test.h" | 31 #include "testing/platform_test.h" |
31 | 32 |
32 //----------------------------------------------------------------------------- | 33 //----------------------------------------------------------------------------- |
33 | 34 |
34 namespace net { | 35 namespace net { |
(...skipping 515 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
550 } | 551 } |
551 SetResult(result); | 552 SetResult(result); |
552 } | 553 } |
553 | 554 |
554 StreamSocket* socket_; | 555 StreamSocket* socket_; |
555 CompletionCallback callback_; | 556 CompletionCallback callback_; |
556 | 557 |
557 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback); | 558 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback); |
558 }; | 559 }; |
559 | 560 |
561 // A ServerBoundCertStore that always returns an error when asked for a | |
562 // certificate. | |
563 class FailingServerBoundCertStore : public ServerBoundCertStore { | |
564 virtual int GetServerBoundCert(const std::string& server_identifier, | |
565 base::Time* expiration_time, | |
566 std::string* private_key_result, | |
567 std::string* cert_result, | |
568 const GetCertCallback& callback) OVERRIDE { | |
569 return ERR_UNEXPECTED; | |
570 } | |
571 virtual void SetServerBoundCert(const std::string& server_identifier, | |
572 base::Time creation_time, | |
573 base::Time expiration_time, | |
574 const std::string& private_key, | |
575 const std::string& cert) OVERRIDE {} | |
576 virtual void DeleteServerBoundCert(const std::string& server_identifier, | |
577 const base::Closure& completion_callback) | |
578 OVERRIDE {} | |
579 virtual void DeleteAllCreatedBetween(base::Time delete_begin, | |
580 base::Time delete_end, | |
581 const base::Closure& completion_callback) | |
582 OVERRIDE {} | |
583 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {} | |
584 virtual void GetAllServerBoundCerts(const GetCertListCallback& callback) | |
585 OVERRIDE {} | |
586 virtual int GetCertCount() OVERRIDE { return 0; } | |
587 virtual void SetForceKeepSessionState() OVERRIDE {} | |
588 }; | |
589 | |
560 class SSLClientSocketTest : public PlatformTest { | 590 class SSLClientSocketTest : public PlatformTest { |
561 public: | 591 public: |
562 SSLClientSocketTest() | 592 SSLClientSocketTest() |
563 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 593 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
564 cert_verifier_(new MockCertVerifier), | 594 cert_verifier_(new MockCertVerifier), |
565 transport_security_state_(new TransportSecurityState) { | 595 transport_security_state_(new TransportSecurityState) { |
566 cert_verifier_->set_default_result(OK); | 596 cert_verifier_->set_default_result(OK); |
567 context_.cert_verifier = cert_verifier_.get(); | 597 context_.cert_verifier = cert_verifier_.get(); |
568 context_.transport_security_state = transport_security_state_.get(); | 598 context_.transport_security_state = transport_security_state_.get(); |
569 } | 599 } |
570 | 600 |
571 protected: | 601 protected: |
602 // Sets up a TCP connection to a HTTPS server. To actually do the SSL | |
603 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below. | |
604 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { | |
605 test_server_.reset(new SpawnedTestServer( | |
606 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); | |
607 if (!test_server_->Start()) { | |
608 LOG(ERROR) << "Could not start SpawnedTestServer"; | |
609 return false; | |
610 } | |
611 | |
612 if (!test_server_->GetAddressList(&addr_)) { | |
613 LOG(ERROR) << "Could not get SpawnedTestServer address list"; | |
614 return false; | |
615 } | |
616 | |
617 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source())); | |
618 int rv = callback_.GetResult(transport_->Connect(callback_.callback())); | |
619 if (rv != OK) { | |
620 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | |
621 return false; | |
622 } | |
623 return true; | |
624 } | |
625 | |
572 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | 626 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( |
573 scoped_ptr<StreamSocket> transport_socket, | 627 scoped_ptr<StreamSocket> transport_socket, |
574 const HostPortPair& host_and_port, | 628 const HostPortPair& host_and_port, |
575 const SSLConfig& ssl_config) { | 629 const SSLConfig& ssl_config) { |
576 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | 630 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); |
577 connection->SetSocket(transport_socket.Pass()); | 631 connection->SetSocket(transport_socket.Pass()); |
578 return socket_factory_->CreateSSLClientSocket( | 632 return socket_factory_->CreateSSLClientSocket( |
579 connection.Pass(), host_and_port, ssl_config, context_); | 633 connection.Pass(), host_and_port, ssl_config, context_); |
580 } | 634 } |
581 | 635 |
636 // Create an SSLClientSocket object and use it to connect to a test | |
637 // server, then wait for connection results. This must be called after | |
638 // a successful ConnectToTestServer() call. | |
639 // |ssl_config| the SSL configuration to use. | |
640 // |result| will retrieve the ::Connect() result value. | |
641 // Returns true on success, false otherwise. Success means that the socket | |
642 // could be created and its Connect() was called, not that the connection | |
643 // itself was a success. | |
644 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) { | |
645 sock_ = CreateSSLClientSocket( | |
646 transport_.Pass(), test_server_->host_port_pair(), ssl_config); | |
647 | |
648 if (sock_->IsConnected()) { | |
649 LOG(ERROR) << "SSL Socket prematurely connected"; | |
650 return false; | |
651 } | |
652 | |
653 *result = callback_.GetResult(sock_->Connect(callback_.callback())); | |
654 return true; | |
655 } | |
656 | |
582 ClientSocketFactory* socket_factory_; | 657 ClientSocketFactory* socket_factory_; |
583 scoped_ptr<MockCertVerifier> cert_verifier_; | 658 scoped_ptr<MockCertVerifier> cert_verifier_; |
584 scoped_ptr<TransportSecurityState> transport_security_state_; | 659 scoped_ptr<TransportSecurityState> transport_security_state_; |
585 SSLClientSocketContext context_; | 660 SSLClientSocketContext context_; |
661 scoped_ptr<SSLClientSocket> sock_; | |
662 CapturingNetLog log_; | |
663 | |
664 private: | |
665 scoped_ptr<StreamSocket> transport_; | |
666 scoped_ptr<SpawnedTestServer> test_server_; | |
667 TestCompletionCallback callback_; | |
668 AddressList addr_; | |
586 }; | 669 }; |
587 | 670 |
588 // Verifies the correctness of GetSSLCertRequestInfo. | 671 // Verifies the correctness of GetSSLCertRequestInfo. |
589 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest { | 672 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest { |
590 protected: | 673 protected: |
591 // Creates a test server with the given SSLOptions, connects to it and returns | 674 // Creates a test server with the given SSLOptions, connects to it and returns |
592 // the SSLCertRequestInfo reported by the socket. | 675 // the SSLCertRequestInfo reported by the socket. |
593 scoped_refptr<SSLCertRequestInfo> GetCertRequest( | 676 scoped_refptr<SSLCertRequestInfo> GetCertRequest( |
594 SpawnedTestServer::SSLOptions ssl_options) { | 677 SpawnedTestServer::SSLOptions ssl_options) { |
595 SpawnedTestServer test_server( | 678 SpawnedTestServer test_server( |
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
706 EXPECT_LT(0, rv); | 789 EXPECT_LT(0, rv); |
707 } else { | 790 } else { |
708 // False Start is not enabled, so the handshake will not complete because | 791 // False Start is not enabled, so the handshake will not complete because |
709 // the server second leg is blocked. | 792 // the server second leg is blocked. |
710 base::RunLoop().RunUntilIdle(); | 793 base::RunLoop().RunUntilIdle(); |
711 EXPECT_FALSE(callback.have_result()); | 794 EXPECT_FALSE(callback.have_result()); |
712 } | 795 } |
713 } | 796 } |
714 }; | 797 }; |
715 | 798 |
799 class SSLClientSocketChannelIDTest : public SSLClientSocketTest { | |
800 protected: | |
801 void EnableChannelID() { | |
802 cert_service_.reset( | |
803 new ServerBoundCertService(new DefaultServerBoundCertStore(NULL), | |
804 base::MessageLoopProxy::current())); | |
805 context_.server_bound_cert_service = cert_service_.get(); | |
806 } | |
807 | |
808 void EnableFailingChannelID() { | |
809 cert_service_.reset(new ServerBoundCertService( | |
810 new FailingServerBoundCertStore(), base::MessageLoopProxy::current())); | |
811 context_.server_bound_cert_service = cert_service_.get(); | |
812 } | |
813 | |
814 private: | |
815 scoped_ptr<ServerBoundCertService> cert_service_; | |
816 }; | |
817 | |
716 //----------------------------------------------------------------------------- | 818 //----------------------------------------------------------------------------- |
717 | 819 |
718 // LogContainsSSLConnectEndEvent returns true if the given index in the given | 820 // LogContainsSSLConnectEndEvent returns true if the given index in the given |
719 // log is an SSL connect end event. The NSS sockets will cork in an attempt to | 821 // log is an SSL connect end event. The NSS sockets will cork in an attempt to |
720 // merge the first application data record with the Finished message when false | 822 // merge the first application data record with the Finished message when false |
721 // starting. However, in order to avoid the server timing out the handshake, | 823 // starting. However, in order to avoid the server timing out the handshake, |
722 // they'll give up waiting for application data and send the Finished after a | 824 // they'll give up waiting for application data and send the Finished after a |
723 // timeout. This means that an SSL connect end event may appear as a socket | 825 // timeout. This means that an SSL connect end event may appear as a socket |
724 // write. | 826 // write. |
725 static bool LogContainsSSLConnectEndEvent( | 827 static bool LogContainsSSLConnectEndEvent( |
(...skipping 1630 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
2356 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { | 2458 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { |
2357 SpawnedTestServer::SSLOptions server_options; | 2459 SpawnedTestServer::SSLOptions server_options; |
2358 server_options.key_exchanges = | 2460 server_options.key_exchanges = |
2359 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | 2461 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; |
2360 server_options.enable_npn = true; | 2462 server_options.enable_npn = true; |
2361 SSLConfig client_config; | 2463 SSLConfig client_config; |
2362 client_config.next_protos.push_back("http/1.1"); | 2464 client_config.next_protos.push_back("http/1.1"); |
2363 TestFalseStart(server_options, client_config, false); | 2465 TestFalseStart(server_options, client_config, false); |
2364 } | 2466 } |
2365 | 2467 |
2468 // Connect to a server using channel id. It should allow the connection. | |
2469 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { | |
2470 SpawnedTestServer::SSLOptions ssl_options; | |
2471 | |
2472 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
2473 | |
2474 EnableChannelID(); | |
2475 SSLConfig ssl_config = kDefaultSSLConfig; | |
2476 ssl_config.channel_id_enabled = true; | |
2477 | |
2478 int rv; | |
2479 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
2480 | |
2481 EXPECT_EQ(OK, rv); | |
2482 EXPECT_TRUE(sock_->IsConnected()); | |
2483 EXPECT_TRUE(sock_->WasChannelIDSent()); | |
2484 | |
2485 sock_->Disconnect(); | |
2486 EXPECT_FALSE(sock_->IsConnected()); | |
2487 } | |
2488 | |
2489 // Connect to a server using channel id but without sending a key. It should | |
2490 // fail. | |
2491 TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) { | |
2492 SpawnedTestServer::SSLOptions ssl_options; | |
2493 | |
2494 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | |
2495 | |
2496 EnableFailingChannelID(); | |
2497 SSLConfig ssl_config = kDefaultSSLConfig; | |
2498 ssl_config.channel_id_enabled = true; | |
2499 | |
2500 int rv; | |
2501 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
2502 | |
2503 EXPECT_EQ(ERR_UNEXPECTED, rv); | |
haavardm
2014/05/14 08:26:02
An alternative quick fix for now could simply be t
wtc
2014/05/14 16:51:08
Unless the fix is straightforward, I am fine with
| |
2504 EXPECT_FALSE(sock_->IsConnected()); | |
2505 } | |
2506 | |
2366 } // namespace net | 2507 } // namespace net |
OLD | NEW |