OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "net/base/address_list.h" | 10 #include "net/base/address_list.h" |
11 #include "net/base/io_buffer.h" | 11 #include "net/base/io_buffer.h" |
12 #include "net/base/net_errors.h" | 12 #include "net/base/net_errors.h" |
13 #include "net/base/net_log.h" | 13 #include "net/base/net_log.h" |
14 #include "net/base/net_log_unittest.h" | 14 #include "net/base/net_log_unittest.h" |
15 #include "net/base/test_completion_callback.h" | 15 #include "net/base/test_completion_callback.h" |
16 #include "net/base/test_data_directory.h" | 16 #include "net/base/test_data_directory.h" |
17 #include "net/cert/mock_cert_verifier.h" | 17 #include "net/cert/mock_cert_verifier.h" |
18 #include "net/cert/test_root_certs.h" | 18 #include "net/cert/test_root_certs.h" |
19 #include "net/dns/host_resolver.h" | 19 #include "net/dns/host_resolver.h" |
20 #include "net/http/transport_security_state.h" | 20 #include "net/http/transport_security_state.h" |
21 #include "net/socket/client_socket_factory.h" | 21 #include "net/socket/client_socket_factory.h" |
22 #include "net/socket/client_socket_handle.h" | 22 #include "net/socket/client_socket_handle.h" |
23 #include "net/socket/socket_test_util.h" | 23 #include "net/socket/socket_test_util.h" |
24 #include "net/socket/tcp_client_socket.h" | 24 #include "net/socket/tcp_client_socket.h" |
| 25 #include "net/ssl/default_server_bound_cert_store.h" |
25 #include "net/ssl/ssl_cert_request_info.h" | 26 #include "net/ssl/ssl_cert_request_info.h" |
26 #include "net/ssl/ssl_config_service.h" | 27 #include "net/ssl/ssl_config_service.h" |
27 #include "net/test/cert_test_util.h" | 28 #include "net/test/cert_test_util.h" |
28 #include "net/test/spawned_test_server/spawned_test_server.h" | 29 #include "net/test/spawned_test_server/spawned_test_server.h" |
29 #include "testing/gtest/include/gtest/gtest.h" | 30 #include "testing/gtest/include/gtest/gtest.h" |
30 #include "testing/platform_test.h" | 31 #include "testing/platform_test.h" |
31 | 32 |
32 //----------------------------------------------------------------------------- | 33 //----------------------------------------------------------------------------- |
33 | 34 |
34 namespace net { | 35 namespace net { |
(...skipping 515 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
550 } | 551 } |
551 SetResult(result); | 552 SetResult(result); |
552 } | 553 } |
553 | 554 |
554 StreamSocket* socket_; | 555 StreamSocket* socket_; |
555 CompletionCallback callback_; | 556 CompletionCallback callback_; |
556 | 557 |
557 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback); | 558 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback); |
558 }; | 559 }; |
559 | 560 |
| 561 // A ServerBoundCertStore that always returns an error when asked for a |
| 562 // certificate. |
| 563 class FailingServerBoundCertStore : public ServerBoundCertStore { |
| 564 virtual int GetServerBoundCert(const std::string& server_identifier, |
| 565 base::Time* expiration_time, |
| 566 std::string* private_key_result, |
| 567 std::string* cert_result, |
| 568 const GetCertCallback& callback) OVERRIDE { |
| 569 return ERR_UNEXPECTED; |
| 570 } |
| 571 virtual void SetServerBoundCert(const std::string& server_identifier, |
| 572 base::Time creation_time, |
| 573 base::Time expiration_time, |
| 574 const std::string& private_key, |
| 575 const std::string& cert) OVERRIDE {} |
| 576 virtual void DeleteServerBoundCert(const std::string& server_identifier, |
| 577 const base::Closure& completion_callback) |
| 578 OVERRIDE {} |
| 579 virtual void DeleteAllCreatedBetween(base::Time delete_begin, |
| 580 base::Time delete_end, |
| 581 const base::Closure& completion_callback) |
| 582 OVERRIDE {} |
| 583 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {} |
| 584 virtual void GetAllServerBoundCerts(const GetCertListCallback& callback) |
| 585 OVERRIDE {} |
| 586 virtual int GetCertCount() OVERRIDE { return 0; } |
| 587 virtual void SetForceKeepSessionState() OVERRIDE {} |
| 588 }; |
| 589 |
560 class SSLClientSocketTest : public PlatformTest { | 590 class SSLClientSocketTest : public PlatformTest { |
561 public: | 591 public: |
562 SSLClientSocketTest() | 592 SSLClientSocketTest() |
563 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 593 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
564 cert_verifier_(new MockCertVerifier), | 594 cert_verifier_(new MockCertVerifier), |
565 transport_security_state_(new TransportSecurityState) { | 595 transport_security_state_(new TransportSecurityState) { |
566 cert_verifier_->set_default_result(OK); | 596 cert_verifier_->set_default_result(OK); |
567 context_.cert_verifier = cert_verifier_.get(); | 597 context_.cert_verifier = cert_verifier_.get(); |
568 context_.transport_security_state = transport_security_state_.get(); | 598 context_.transport_security_state = transport_security_state_.get(); |
569 } | 599 } |
570 | 600 |
571 protected: | 601 protected: |
| 602 // Sets up a TCP connection to a HTTPS server. To actually do the SSL |
| 603 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below. |
| 604 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { |
| 605 test_server_.reset(new SpawnedTestServer( |
| 606 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); |
| 607 if (!test_server_->Start()) { |
| 608 LOG(ERROR) << "Could not start SpawnedTestServer"; |
| 609 return false; |
| 610 } |
| 611 |
| 612 if (!test_server_->GetAddressList(&addr_)) { |
| 613 LOG(ERROR) << "Could not get SpawnedTestServer address list"; |
| 614 return false; |
| 615 } |
| 616 |
| 617 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source())); |
| 618 int rv = callback_.GetResult(transport_->Connect(callback_.callback())); |
| 619 if (rv != OK) { |
| 620 LOG(ERROR) << "Could not connect to SpawnedTestServer"; |
| 621 return false; |
| 622 } |
| 623 return true; |
| 624 } |
| 625 |
572 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( | 626 scoped_ptr<SSLClientSocket> CreateSSLClientSocket( |
573 scoped_ptr<StreamSocket> transport_socket, | 627 scoped_ptr<StreamSocket> transport_socket, |
574 const HostPortPair& host_and_port, | 628 const HostPortPair& host_and_port, |
575 const SSLConfig& ssl_config) { | 629 const SSLConfig& ssl_config) { |
576 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); | 630 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle); |
577 connection->SetSocket(transport_socket.Pass()); | 631 connection->SetSocket(transport_socket.Pass()); |
578 return socket_factory_->CreateSSLClientSocket( | 632 return socket_factory_->CreateSSLClientSocket( |
579 connection.Pass(), host_and_port, ssl_config, context_); | 633 connection.Pass(), host_and_port, ssl_config, context_); |
580 } | 634 } |
581 | 635 |
| 636 // Create an SSLClientSocket object and use it to connect to a test |
| 637 // server, then wait for connection results. This must be called after |
| 638 // a successful ConnectToTestServer() call. |
| 639 // |ssl_config| the SSL configuration to use. |
| 640 // |result| will retrieve the ::Connect() result value. |
| 641 // Returns true on success, false otherwise. Success means that the socket |
| 642 // could be created and its Connect() was called, not that the connection |
| 643 // itself was a success. |
| 644 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) { |
| 645 sock_ = CreateSSLClientSocket( |
| 646 transport_.Pass(), test_server_->host_port_pair(), ssl_config); |
| 647 |
| 648 if (sock_->IsConnected()) { |
| 649 LOG(ERROR) << "SSL Socket prematurely connected"; |
| 650 return false; |
| 651 } |
| 652 |
| 653 *result = callback_.GetResult(sock_->Connect(callback_.callback())); |
| 654 return true; |
| 655 } |
| 656 |
582 ClientSocketFactory* socket_factory_; | 657 ClientSocketFactory* socket_factory_; |
583 scoped_ptr<MockCertVerifier> cert_verifier_; | 658 scoped_ptr<MockCertVerifier> cert_verifier_; |
584 scoped_ptr<TransportSecurityState> transport_security_state_; | 659 scoped_ptr<TransportSecurityState> transport_security_state_; |
585 SSLClientSocketContext context_; | 660 SSLClientSocketContext context_; |
| 661 scoped_ptr<SSLClientSocket> sock_; |
| 662 CapturingNetLog log_; |
| 663 |
| 664 private: |
| 665 scoped_ptr<StreamSocket> transport_; |
| 666 scoped_ptr<SpawnedTestServer> test_server_; |
| 667 TestCompletionCallback callback_; |
| 668 AddressList addr_; |
586 }; | 669 }; |
587 | 670 |
588 // Verifies the correctness of GetSSLCertRequestInfo. | 671 // Verifies the correctness of GetSSLCertRequestInfo. |
589 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest { | 672 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest { |
590 protected: | 673 protected: |
591 // Creates a test server with the given SSLOptions, connects to it and returns | 674 // Creates a test server with the given SSLOptions, connects to it and returns |
592 // the SSLCertRequestInfo reported by the socket. | 675 // the SSLCertRequestInfo reported by the socket. |
593 scoped_refptr<SSLCertRequestInfo> GetCertRequest( | 676 scoped_refptr<SSLCertRequestInfo> GetCertRequest( |
594 SpawnedTestServer::SSLOptions ssl_options) { | 677 SpawnedTestServer::SSLOptions ssl_options) { |
595 SpawnedTestServer test_server( | 678 SpawnedTestServer test_server( |
(...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
706 EXPECT_LT(0, rv); | 789 EXPECT_LT(0, rv); |
707 } else { | 790 } else { |
708 // False Start is not enabled, so the handshake will not complete because | 791 // False Start is not enabled, so the handshake will not complete because |
709 // the server second leg is blocked. | 792 // the server second leg is blocked. |
710 base::RunLoop().RunUntilIdle(); | 793 base::RunLoop().RunUntilIdle(); |
711 EXPECT_FALSE(callback.have_result()); | 794 EXPECT_FALSE(callback.have_result()); |
712 } | 795 } |
713 } | 796 } |
714 }; | 797 }; |
715 | 798 |
| 799 class SSLClientSocketChannelIDTest : public SSLClientSocketTest { |
| 800 protected: |
| 801 void EnableChannelID() { |
| 802 cert_service_.reset( |
| 803 new ServerBoundCertService(new DefaultServerBoundCertStore(NULL), |
| 804 base::MessageLoopProxy::current())); |
| 805 context_.server_bound_cert_service = cert_service_.get(); |
| 806 } |
| 807 |
| 808 void EnableFailingChannelID() { |
| 809 cert_service_.reset(new ServerBoundCertService( |
| 810 new FailingServerBoundCertStore(), base::MessageLoopProxy::current())); |
| 811 context_.server_bound_cert_service = cert_service_.get(); |
| 812 } |
| 813 |
| 814 private: |
| 815 scoped_ptr<ServerBoundCertService> cert_service_; |
| 816 }; |
| 817 |
716 //----------------------------------------------------------------------------- | 818 //----------------------------------------------------------------------------- |
717 | 819 |
718 // LogContainsSSLConnectEndEvent returns true if the given index in the given | 820 // LogContainsSSLConnectEndEvent returns true if the given index in the given |
719 // log is an SSL connect end event. The NSS sockets will cork in an attempt to | 821 // log is an SSL connect end event. The NSS sockets will cork in an attempt to |
720 // merge the first application data record with the Finished message when false | 822 // merge the first application data record with the Finished message when false |
721 // starting. However, in order to avoid the server timing out the handshake, | 823 // starting. However, in order to avoid the server timing out the handshake, |
722 // they'll give up waiting for application data and send the Finished after a | 824 // they'll give up waiting for application data and send the Finished after a |
723 // timeout. This means that an SSL connect end event may appear as a socket | 825 // timeout. This means that an SSL connect end event may appear as a socket |
724 // write. | 826 // write. |
725 static bool LogContainsSSLConnectEndEvent( | 827 static bool LogContainsSSLConnectEndEvent( |
(...skipping 1630 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2356 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { | 2458 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { |
2357 SpawnedTestServer::SSLOptions server_options; | 2459 SpawnedTestServer::SSLOptions server_options; |
2358 server_options.key_exchanges = | 2460 server_options.key_exchanges = |
2359 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | 2461 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; |
2360 server_options.enable_npn = true; | 2462 server_options.enable_npn = true; |
2361 SSLConfig client_config; | 2463 SSLConfig client_config; |
2362 client_config.next_protos.push_back("http/1.1"); | 2464 client_config.next_protos.push_back("http/1.1"); |
2363 TestFalseStart(server_options, client_config, false); | 2465 TestFalseStart(server_options, client_config, false); |
2364 } | 2466 } |
2365 | 2467 |
| 2468 // Connect to a server using channel id. It should allow the connection. |
| 2469 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { |
| 2470 SpawnedTestServer::SSLOptions ssl_options; |
| 2471 |
| 2472 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
| 2473 |
| 2474 EnableChannelID(); |
| 2475 SSLConfig ssl_config = kDefaultSSLConfig; |
| 2476 ssl_config.channel_id_enabled = true; |
| 2477 |
| 2478 int rv; |
| 2479 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2480 |
| 2481 EXPECT_EQ(OK, rv); |
| 2482 EXPECT_TRUE(sock_->IsConnected()); |
| 2483 EXPECT_TRUE(sock_->WasChannelIDSent()); |
| 2484 |
| 2485 sock_->Disconnect(); |
| 2486 EXPECT_FALSE(sock_->IsConnected()); |
| 2487 } |
| 2488 |
| 2489 // Connect to a server using channel id but without sending a key. It should |
| 2490 // fail. |
| 2491 TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) { |
| 2492 SpawnedTestServer::SSLOptions ssl_options; |
| 2493 |
| 2494 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
| 2495 |
| 2496 EnableFailingChannelID(); |
| 2497 SSLConfig ssl_config = kDefaultSSLConfig; |
| 2498 ssl_config.channel_id_enabled = true; |
| 2499 |
| 2500 int rv; |
| 2501 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 2502 |
| 2503 // TODO(haavardm@opera.com): Due to differences in threading, Linux returns |
| 2504 // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all |
| 2505 // error codes for now. |
| 2506 // http://crbug.com/373670 |
| 2507 EXPECT_NE(OK, rv); |
| 2508 EXPECT_FALSE(sock_->IsConnected()); |
| 2509 } |
| 2510 |
2366 } // namespace net | 2511 } // namespace net |
OLD | NEW |