OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "net/base/address_list.h" | 10 #include "net/base/address_list.h" |
(...skipping 581 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
592 SSLClientSocketTest() | 592 SSLClientSocketTest() |
593 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), | 593 : socket_factory_(ClientSocketFactory::GetDefaultFactory()), |
594 cert_verifier_(new MockCertVerifier), | 594 cert_verifier_(new MockCertVerifier), |
595 transport_security_state_(new TransportSecurityState) { | 595 transport_security_state_(new TransportSecurityState) { |
596 cert_verifier_->set_default_result(OK); | 596 cert_verifier_->set_default_result(OK); |
597 context_.cert_verifier = cert_verifier_.get(); | 597 context_.cert_verifier = cert_verifier_.get(); |
598 context_.transport_security_state = transport_security_state_.get(); | 598 context_.transport_security_state = transport_security_state_.get(); |
599 } | 599 } |
600 | 600 |
601 protected: | 601 protected: |
602 // The address of the spawned test server, after calling StartTestServer(). | 602 // Sets up a TCP connection to a HTTPS server. To actually do the SSL |
603 const AddressList& addr() const { return addr_; } | 603 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below. |
604 | 604 bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) { |
605 // The SpawnedTestServer object, after calling StartTestServer(). | |
606 const SpawnedTestServer* test_server() const { return test_server_.get(); } | |
607 | |
608 // Starts the test server with SSL configuration |ssl_options|. Returns true | |
609 // on success. | |
610 bool StartTestServer(const SpawnedTestServer::SSLOptions& ssl_options) { | |
611 test_server_.reset(new SpawnedTestServer( | 605 test_server_.reset(new SpawnedTestServer( |
612 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); | 606 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath())); |
613 if (!test_server_->Start()) { | 607 if (!test_server_->Start()) { |
614 LOG(ERROR) << "Could not start SpawnedTestServer"; | 608 LOG(ERROR) << "Could not start SpawnedTestServer"; |
615 return false; | 609 return false; |
616 } | 610 } |
617 | 611 |
618 if (!test_server_->GetAddressList(&addr_)) { | 612 if (!test_server_->GetAddressList(&addr_)) { |
619 LOG(ERROR) << "Could not get SpawnedTestServer address list"; | 613 LOG(ERROR) << "Could not get SpawnedTestServer address list"; |
620 return false; | 614 return false; |
621 } | 615 } |
622 return true; | |
623 } | |
624 | |
625 // Sets up a TCP connection to a HTTPS server. To actually do the SSL | |
626 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below. | |
627 bool ConnectToTestServer(const SpawnedTestServer::SSLOptions& ssl_options) { | |
628 if (!StartTestServer(ssl_options)) | |
629 return false; | |
630 | 616 |
631 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source())); | 617 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source())); |
632 int rv = callback_.GetResult(transport_->Connect(callback_.callback())); | 618 int rv = callback_.GetResult(transport_->Connect(callback_.callback())); |
633 if (rv != OK) { | 619 if (rv != OK) { |
634 LOG(ERROR) << "Could not connect to SpawnedTestServer"; | 620 LOG(ERROR) << "Could not connect to SpawnedTestServer"; |
635 return false; | 621 return false; |
636 } | 622 } |
637 return true; | 623 return true; |
638 } | 624 } |
639 | 625 |
(...skipping 80 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
720 EXPECT_FALSE(sock->IsConnected()); | 706 EXPECT_FALSE(sock->IsConnected()); |
721 EXPECT_TRUE( | 707 EXPECT_TRUE( |
722 test_server.host_port_pair().Equals(request_info->host_and_port)); | 708 test_server.host_port_pair().Equals(request_info->host_and_port)); |
723 | 709 |
724 return request_info; | 710 return request_info; |
725 } | 711 } |
726 }; | 712 }; |
727 | 713 |
728 class SSLClientSocketFalseStartTest : public SSLClientSocketTest { | 714 class SSLClientSocketFalseStartTest : public SSLClientSocketTest { |
729 protected: | 715 protected: |
730 // Creates an SSLClientSocket with |client_config| attached to a | 716 void TestFalseStart(const SpawnedTestServer::SSLOptions& server_options, |
731 // FakeBlockingStreamSocket, returning both in |*out_raw_transport| and | 717 const SSLConfig& client_config, |
732 // |*out_sock|. The FakeBlockingStreamSocket is owned by the SSLClientSocket, | 718 bool expect_false_start) { |
733 // so |*out_raw_transport| is a raw pointer. | 719 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS, |
734 // | 720 server_options, |
735 // The client socket will begin a connect using |callback| but stop before the | 721 base::FilePath()); |
736 // server's finished message is received. The finished message will be blocked | 722 ASSERT_TRUE(test_server.Start()); |
737 // in |*out_raw_transport|. To complete the handshake and successfully read | |
738 // data, the caller must unblock reads on |*out_raw_transport|. (Note that, if | |
739 // the client successfully false started, |callback.WaitForResult()| will | |
740 // return OK without unblocking transport reads. But Read() will still block.) | |
741 // | |
742 // Must be called after StartTestServer is called. | |
743 void CreateAndConnectUntilServerFinishedReceived( | |
744 const SSLConfig& client_config, | |
745 TestCompletionCallback* callback, | |
746 FakeBlockingStreamSocket** out_raw_transport, | |
747 scoped_ptr<SSLClientSocket>* out_sock) { | |
748 CHECK(test_server()); | |
749 | 723 |
| 724 AddressList addr; |
| 725 ASSERT_TRUE(test_server.GetAddressList(&addr)); |
| 726 |
| 727 TestCompletionCallback callback; |
750 scoped_ptr<StreamSocket> real_transport( | 728 scoped_ptr<StreamSocket> real_transport( |
751 new TCPClientSocket(addr(), NULL, NetLog::Source())); | 729 new TCPClientSocket(addr, NULL, NetLog::Source())); |
752 scoped_ptr<FakeBlockingStreamSocket> transport( | 730 scoped_ptr<FakeBlockingStreamSocket> transport( |
753 new FakeBlockingStreamSocket(real_transport.Pass())); | 731 new FakeBlockingStreamSocket(real_transport.Pass())); |
754 int rv = callback->GetResult(transport->Connect(callback->callback())); | 732 int rv = callback.GetResult(transport->Connect(callback.callback())); |
755 EXPECT_EQ(OK, rv); | 733 EXPECT_EQ(OK, rv); |
756 | 734 |
757 FakeBlockingStreamSocket* raw_transport = transport.get(); | 735 FakeBlockingStreamSocket* raw_transport = transport.get(); |
758 scoped_ptr<SSLClientSocket> sock = | 736 scoped_ptr<SSLClientSocket> sock( |
759 CreateSSLClientSocket(transport.PassAs<StreamSocket>(), | 737 CreateSSLClientSocket(transport.PassAs<StreamSocket>(), |
760 test_server()->host_port_pair(), | 738 test_server.host_port_pair(), |
761 client_config); | 739 client_config)); |
762 | 740 |
763 // Connect. Stop before the client processes the first server leg | 741 // Connect. Stop before the client processes the first server leg |
764 // (ServerHello, etc.) | 742 // (ServerHello, etc.) |
765 raw_transport->BlockReadResult(); | 743 raw_transport->BlockReadResult(); |
766 rv = sock->Connect(callback->callback()); | 744 rv = sock->Connect(callback.callback()); |
767 EXPECT_EQ(ERR_IO_PENDING, rv); | 745 EXPECT_EQ(ERR_IO_PENDING, rv); |
768 raw_transport->WaitForReadResult(); | 746 raw_transport->WaitForReadResult(); |
769 | 747 |
770 // Release the ServerHello and wait for the client to write | 748 // Release the ServerHello and wait for the client to write |
771 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the | 749 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the |
772 // server's leg to complete, since it may span multiple reads.) | 750 // server's leg to complete, since it may span multiple reads.) |
773 EXPECT_FALSE(callback->have_result()); | 751 EXPECT_FALSE(callback.have_result()); |
774 raw_transport->BlockWrite(); | 752 raw_transport->BlockWrite(); |
775 raw_transport->UnblockReadResult(); | 753 raw_transport->UnblockReadResult(); |
776 raw_transport->WaitForWrite(); | 754 raw_transport->WaitForWrite(); |
777 | 755 |
778 // And, finally, release that and block the next server leg | 756 // And, finally, release that and block the next server leg |
779 // (ChangeCipherSpec, Finished). | 757 // (ChangeCipherSpec, Finished). Note: callback.have_result() may or may not |
| 758 // be true at this point depending on whether the SSL implementation waits |
| 759 // for the client second leg to clear the internal write buffer and hit the |
| 760 // network. |
780 raw_transport->BlockReadResult(); | 761 raw_transport->BlockReadResult(); |
781 raw_transport->UnblockWrite(); | 762 raw_transport->UnblockWrite(); |
782 | 763 |
783 *out_raw_transport = raw_transport; | |
784 *out_sock = sock.Pass(); | |
785 } | |
786 | |
787 void TestFalseStart(const SpawnedTestServer::SSLOptions& server_options, | |
788 const SSLConfig& client_config, | |
789 bool expect_false_start) { | |
790 ASSERT_TRUE(StartTestServer(server_options)); | |
791 | |
792 TestCompletionCallback callback; | |
793 FakeBlockingStreamSocket* raw_transport = NULL; | |
794 scoped_ptr<SSLClientSocket> sock; | |
795 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | |
796 client_config, &callback, &raw_transport, &sock)); | |
797 | |
798 if (expect_false_start) { | 764 if (expect_false_start) { |
799 // When False Starting, the handshake should complete before receiving the | 765 // When False Starting, the handshake should complete before receiving the |
800 // Change Cipher Spec and Finished messages. | 766 // Change Cipher Spec and Finished messages. |
801 // | 767 rv = callback.GetResult(rv); |
802 // Note: callback.have_result() may not be true without waiting. The NSS | |
803 // state machine sometimes lives on a separate thread, so this thread may | |
804 // not yet have processed the signal that the handshake has completed. | |
805 int rv = callback.WaitForResult(); | |
806 EXPECT_EQ(OK, rv); | 768 EXPECT_EQ(OK, rv); |
807 EXPECT_TRUE(sock->IsConnected()); | 769 EXPECT_TRUE(sock->IsConnected()); |
808 | 770 |
809 const char request_text[] = "GET / HTTP/1.0\r\n\r\n"; | 771 const char request_text[] = "GET / HTTP/1.0\r\n\r\n"; |
810 static const int kRequestTextSize = | 772 static const int kRequestTextSize = |
811 static_cast<int>(arraysize(request_text) - 1); | 773 static_cast<int>(arraysize(request_text) - 1); |
812 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize)); | 774 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize)); |
813 memcpy(request_buffer->data(), request_text, kRequestTextSize); | 775 memcpy(request_buffer->data(), request_text, kRequestTextSize); |
814 | 776 |
815 // Write the request. | 777 // Write the request. |
(...skipping 1673 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2489 } | 2451 } |
2490 | 2452 |
2491 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { | 2453 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { |
2492 // False Start requires NPN and a forward-secret cipher suite. | 2454 // False Start requires NPN and a forward-secret cipher suite. |
2493 SpawnedTestServer::SSLOptions server_options; | 2455 SpawnedTestServer::SSLOptions server_options; |
2494 server_options.key_exchanges = | 2456 server_options.key_exchanges = |
2495 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2457 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; |
2496 server_options.enable_npn = true; | 2458 server_options.enable_npn = true; |
2497 SSLConfig client_config; | 2459 SSLConfig client_config; |
2498 client_config.next_protos.push_back("http/1.1"); | 2460 client_config.next_protos.push_back("http/1.1"); |
2499 ASSERT_NO_FATAL_FAILURE( | 2461 TestFalseStart(server_options, client_config, true); |
2500 TestFalseStart(server_options, client_config, true)); | |
2501 } | 2462 } |
2502 | 2463 |
2503 // Test that False Start is disabled without NPN. | 2464 // Test that False Start is disabled without NPN. |
2504 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { | 2465 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { |
2505 SpawnedTestServer::SSLOptions server_options; | 2466 SpawnedTestServer::SSLOptions server_options; |
2506 server_options.key_exchanges = | 2467 server_options.key_exchanges = |
2507 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2468 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; |
2508 SSLConfig client_config; | 2469 SSLConfig client_config; |
2509 client_config.next_protos.clear(); | 2470 client_config.next_protos.clear(); |
2510 ASSERT_NO_FATAL_FAILURE( | 2471 TestFalseStart(server_options, client_config, false); |
2511 TestFalseStart(server_options, client_config, false)); | |
2512 } | 2472 } |
2513 | 2473 |
2514 // Test that False Start is disabled without a forward-secret cipher suite. | 2474 // Test that False Start is disabled without a forward-secret cipher suite. |
2515 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { | 2475 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { |
2516 SpawnedTestServer::SSLOptions server_options; | 2476 SpawnedTestServer::SSLOptions server_options; |
2517 server_options.key_exchanges = | 2477 server_options.key_exchanges = |
2518 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | 2478 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; |
2519 server_options.enable_npn = true; | 2479 server_options.enable_npn = true; |
2520 SSLConfig client_config; | 2480 SSLConfig client_config; |
2521 client_config.next_protos.push_back("http/1.1"); | 2481 client_config.next_protos.push_back("http/1.1"); |
2522 ASSERT_NO_FATAL_FAILURE( | 2482 TestFalseStart(server_options, client_config, false); |
2523 TestFalseStart(server_options, client_config, false)); | |
2524 } | |
2525 | |
2526 // Test that sessions are resumable after receiving the server Finished message. | |
2527 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { | |
2528 // Start a server. | |
2529 SpawnedTestServer::SSLOptions server_options; | |
2530 server_options.key_exchanges = | |
2531 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
2532 server_options.enable_npn = true; | |
2533 SSLConfig client_config; | |
2534 client_config.next_protos.push_back("http/1.1"); | |
2535 | |
2536 // Let a full handshake complete with False Start. | |
2537 ASSERT_NO_FATAL_FAILURE( | |
2538 TestFalseStart(server_options, client_config, true)); | |
2539 | |
2540 // Make a second connection. | |
2541 TestCompletionCallback callback; | |
2542 scoped_ptr<StreamSocket> transport2( | |
2543 new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
2544 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback()))); | |
2545 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket( | |
2546 transport2.Pass(), test_server()->host_port_pair(), client_config); | |
2547 ASSERT_TRUE(sock2.get()); | |
2548 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback()))); | |
2549 | |
2550 // It should resume the session. | |
2551 SSLInfo ssl_info; | |
2552 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info)); | |
2553 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type); | |
2554 } | |
2555 | |
2556 // Test that sessions are not resumable before receiving the server Finished | |
2557 // message. | |
2558 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) { | |
2559 // Start a server. | |
2560 SpawnedTestServer::SSLOptions server_options; | |
2561 server_options.key_exchanges = | |
2562 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
2563 server_options.enable_npn = true; | |
2564 ASSERT_TRUE(StartTestServer(server_options)); | |
2565 | |
2566 SSLConfig client_config; | |
2567 client_config.next_protos.push_back("http/1.1"); | |
2568 | |
2569 // Start a handshake up to the server Finished message. | |
2570 TestCompletionCallback callback; | |
2571 FakeBlockingStreamSocket* raw_transport1; | |
2572 scoped_ptr<SSLClientSocket> sock1; | |
2573 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | |
2574 client_config, &callback, &raw_transport1, &sock1)); | |
2575 // Although raw_transport1 has the server Finished blocked, the handshake | |
2576 // still completes. | |
2577 EXPECT_EQ(OK, callback.WaitForResult()); | |
2578 | |
2579 // Drop the old socket. This is needed because the Python test server can't | |
2580 // service two sockets in parallel. | |
2581 sock1.reset(); | |
2582 | |
2583 // Start a second connection. | |
2584 scoped_ptr<StreamSocket> transport2( | |
2585 new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
2586 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback()))); | |
2587 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket( | |
2588 transport2.Pass(), test_server()->host_port_pair(), client_config); | |
2589 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback()))); | |
2590 | |
2591 // No session resumption because the first connection never received a server | |
2592 // Finished message. | |
2593 SSLInfo ssl_info; | |
2594 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info)); | |
2595 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type); | |
2596 } | 2483 } |
2597 | 2484 |
2598 // Connect to a server using channel id. It should allow the connection. | 2485 // Connect to a server using channel id. It should allow the connection. |
2599 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { | 2486 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { |
2600 SpawnedTestServer::SSLOptions ssl_options; | 2487 SpawnedTestServer::SSLOptions ssl_options; |
2601 | 2488 |
2602 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | 2489 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
2603 | 2490 |
2604 EnableChannelID(); | 2491 EnableChannelID(); |
2605 SSLConfig ssl_config = kDefaultSSLConfig; | 2492 SSLConfig ssl_config = kDefaultSSLConfig; |
(...skipping 26 matching lines...) Expand all Loading... |
2632 | 2519 |
2633 // TODO(haavardm@opera.com): Due to differences in threading, Linux returns | 2520 // TODO(haavardm@opera.com): Due to differences in threading, Linux returns |
2634 // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all | 2521 // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all |
2635 // error codes for now. | 2522 // error codes for now. |
2636 // http://crbug.com/373670 | 2523 // http://crbug.com/373670 |
2637 EXPECT_NE(OK, rv); | 2524 EXPECT_NE(OK, rv); |
2638 EXPECT_FALSE(sock_->IsConnected()); | 2525 EXPECT_FALSE(sock_->IsConnected()); |
2639 } | 2526 } |
2640 | 2527 |
2641 } // namespace net | 2528 } // namespace net |
OLD | NEW |