Move channel id tests up from OpenSSL and update channelid version.

net/socket/ssl_client_socket_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_client_socket.h"
 
 #include "base/callback_helpers.h"
 #include "base/memory/ref_counted.h"
 #include "base/run_loop.h"
 #include "net/base/address_list.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_log.h"
 #include "net/base/net_log_unittest.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_directory.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/test_root_certs.h"
 #include "net/dns/host_resolver.h"
 #include "net/http/transport_security_state.h"
 #include "net/socket/client_socket_factory.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/socket_test_util.h"
 #include "net/socket/tcp_client_socket.h"
+#include "net/ssl/default_server_bound_cert_store.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/spawned_test_server/spawned_test_server.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
 
 //-----------------------------------------------------------------------------
 
 namespace net {
@@ skipping 515 matching lines @@
     }
     SetResult(result);
   }
 
   StreamSocket* socket_;
   CompletionCallback callback_;
 
   DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback);
 };
 
+// A ServerBoundCertStore that always returns an error when asked for a
+// certificate.
+class FailingServerBoundCertStore : public ServerBoundCertStore {
+  virtual int GetServerBoundCert(const std::string& server_identifier,
+                                 base::Time* expiration_time,
+                                 std::string* private_key_result,
+                                 std::string* cert_result,
+                                 const GetCertCallback& callback) OVERRIDE {
+    return ERR_UNEXPECTED;
+  }
+  virtual void SetServerBoundCert(const std::string& server_identifier,
+                                  base::Time creation_time,
+                                  base::Time expiration_time,
+                                  const std::string& private_key,
+                                  const std::string& cert) OVERRIDE {}
+  virtual void DeleteServerBoundCert(const std::string& server_identifier,
+                                     const base::Closure& completion_callback)
+      OVERRIDE {}
+  virtual void DeleteAllCreatedBetween(base::Time delete_begin,
+                                       base::Time delete_end,
+                                       const base::Closure& completion_callback)
+      OVERRIDE {}
+  virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
+  virtual void GetAllServerBoundCerts(const GetCertListCallback& callback)
+      OVERRIDE {}
+  virtual int GetCertCount() OVERRIDE { return 0; }
+  virtual void SetForceKeepSessionState() OVERRIDE {}
+};
+
 class SSLClientSocketTest : public PlatformTest {
  public:
   SSLClientSocketTest()
       : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
         cert_verifier_(new MockCertVerifier),
         transport_security_state_(new TransportSecurityState) {
     cert_verifier_->set_default_result(OK);
     context_.cert_verifier = cert_verifier_.get();
     context_.transport_security_state = transport_security_state_.get();
   }
 
  protected:
   scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
       scoped_ptr<StreamSocket> transport_socket,
       const HostPortPair& host_and_port,
       const SSLConfig& ssl_config) {
     scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
     connection->SetSocket(transport_socket.Pass());
     return socket_factory_->CreateSSLClientSocket(
         connection.Pass(), host_and_port, ssl_config, context_);
   }
 
+  // Connect to a HTTPS test server.

[wtc, 2014/05/07 19:23:24]

Nit: it would be good to point out that this only connects TCP and doesn't do
the SSL handshake.

[haavardm, 2014/05/07 19:42:59]

Done.

+   bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
+     test_server_.reset(new SpawnedTestServer(
+         SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()));
+     if (!test_server_->Start()) {
+       LOG(ERROR) << "Could not start SpawnedTestServer";
+       return false;
+     }
+
+     if (!test_server_->GetAddressList(&addr_)) {
+       LOG(ERROR) << "Could not get SpawnedTestServer address list";
+       return false;
+     }
+
+     transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source()));
+     int rv = callback_.GetResult(transport_->Connect(callback_.callback()));
+     if (rv != OK) {
+       LOG(ERROR) << "Could not connect to SpawnedTestServer";
+       return false;
+     }
+     return true;
+   }
+
+   // Create an SSLClientSocket object and use it to connect to a test
+   // server, then wait for connection results. This must be called after
+   // a successful ConnectToTestServer() call.
+   // |ssl_config| the SSL configuration to use.
+   // |result| will retrieve the ::Connect() result value.
+   // Returns true on success, false otherwise. Success means that the socket
+   // could be created and its Connect() was called, not that the connection
+   // itself was a success.
+   bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) {

[wtc, 2014/05/07 19:23:24]

Nit: this method is closely relaed to the CreateSSLClientSocket method, so I'd
suggest we put it immediately after CreateSSLClientSocket. We can do this by
listing ConnectToTestServer first, in this order:

  ConnectToTestServer
  CreateSSLClientSocket
  CreateAndConnectSSLClientSocket

[haavardm, 2014/05/07 19:42:59]

Done.

+     sock_ = CreateSSLClientSocket(
+         transport_.Pass(), test_server_->host_port_pair(), ssl_config);
+
+     if (sock_->IsConnected()) {
+       LOG(ERROR) << "SSL Socket prematurely connected";
+       return false;
+     }
+
+     *result = callback_.GetResult(sock_->Connect(callback_.callback()));
+     return true;
+   }

[wtc, 2014/05/07 19:19:01]

The indentation of lines 613-654) is off by one. Line 612 (a comment) is
correctly indented.

[haavardm, 2014/05/07 19:42:59]

Done.

+
   ClientSocketFactory* socket_factory_;
   scoped_ptr<MockCertVerifier> cert_verifier_;
   scoped_ptr<TransportSecurityState> transport_security_state_;
   SSLClientSocketContext context_;
+  scoped_ptr<SSLClientSocket> sock_;
+  CapturingNetLog log_;

[wtc, 2014/05/07 19:19:01]

Do you think log_ needs to be a protected member? Right now it doesn't seem to
be accessed by unit tests.

[haavardm, 2014/05/07 19:42:59]

Many of the the tests below could easily be converted to use
ConnectToTestServer() and CreateAndConnectSSLClientSocket(), and they would need
access to the log_ member. I was about to do that, but found it to be scope
creep for this CL. Keeping it makes the conversion easier in a possible follow
up CL.

+
+ private:
+  scoped_ptr<StreamSocket> transport_;
+  scoped_ptr<SpawnedTestServer> test_server_;
+  TestCompletionCallback callback_;
+  AddressList addr_;
 };
 
 // Verifies the correctness of GetSSLCertRequestInfo.
 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest {
  protected:
   // Creates a test server with the given SSLOptions, connects to it and returns
   // the SSLCertRequestInfo reported by the socket.
   scoped_refptr<SSLCertRequestInfo> GetCertRequest(
       SpawnedTestServer::SSLOptions ssl_options) {
     SpawnedTestServer test_server(
@@ skipping 110 matching lines @@
       EXPECT_LT(0, rv);
     } else {
       // False Start is not enabled, so the handshake will not complete because
       // the server second leg is blocked.
       base::RunLoop().RunUntilIdle();
       EXPECT_FALSE(callback.have_result());
     }
   }
 };
 
+class SSLClientSocketChannelIDTest : public SSLClientSocketTest {
+ protected:
+  void EnableChannelID() {
+    cert_service_.reset(
+        new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
+                                   base::MessageLoopProxy::current()));
+    context_.server_bound_cert_service = cert_service_.get();
+  }
+
+  void EnableFailingChannelID() {
+    cert_service_.reset(new ServerBoundCertService(
+        new FailingServerBoundCertStore(), base::MessageLoopProxy::current()));
+    context_.server_bound_cert_service = cert_service_.get();
+  }
+
+ private:
+  scoped_ptr<ServerBoundCertService> cert_service_;
+};
+
 //-----------------------------------------------------------------------------
 
 // LogContainsSSLConnectEndEvent returns true if the given index in the given
 // log is an SSL connect end event. The NSS sockets will cork in an attempt to
 // merge the first application data record with the Finished message when false
 // starting. However, in order to avoid the server timing out the handshake,
 // they'll give up waiting for application data and send the Finished after a
 // timeout. This means that an SSL connect end event may appear as a socket
 // write.
 static bool LogContainsSSLConnectEndEvent(
@@ skipping 1630 matching lines @@
 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) {
   SpawnedTestServer::SSLOptions server_options;
   server_options.key_exchanges =
       SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA;
   server_options.enable_npn = true;
   SSLConfig client_config;
   client_config.next_protos.push_back("http/1.1");
   TestFalseStart(server_options, client_config, false);
 }
 
+// Connect to a server using channel id. It should allow the connection.
+TEST_F(SSLClientSocketChannelIDTest, SendChannelID) {
+  SpawnedTestServer::SSLOptions ssl_options;
+
+  ASSERT_TRUE(ConnectToTestServer(ssl_options));
+
+  EnableChannelID();
+  SSLConfig ssl_config = kDefaultSSLConfig;
+  ssl_config.channel_id_enabled = true;
+
+  int rv;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+
+  EXPECT_EQ(OK, rv);
+  EXPECT_TRUE(sock_->IsConnected());
+  EXPECT_TRUE(sock_->WasChannelIDSent());
+
+  sock_->Disconnect();
+  EXPECT_FALSE(sock_->IsConnected());
+}
+
+// Connect to a server using channel id but without sending a key. It should
+// fail.
+TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) {
+  SpawnedTestServer::SSLOptions ssl_options;
+
+  ASSERT_TRUE(ConnectToTestServer(ssl_options));
+
+  EnableFailingChannelID();
+  SSLConfig ssl_config = kDefaultSSLConfig;
+  ssl_config.channel_id_enabled = true;
+
+  int rv;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+
+  EXPECT_EQ(ERR_UNEXPECTED, rv);
+  EXPECT_FALSE(sock_->IsConnected());
+}
+
 }  // namespace net