| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
| 8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 790 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 801 sock->GetSSLCertRequestInfo(request_info.get()); | 801 sock->GetSSLCertRequestInfo(request_info.get()); |
| 802 sock->Disconnect(); | 802 sock->Disconnect(); |
| 803 EXPECT_FALSE(sock->IsConnected()); | 803 EXPECT_FALSE(sock->IsConnected()); |
| 804 EXPECT_TRUE( | 804 EXPECT_TRUE( |
| 805 test_server.host_port_pair().Equals(request_info->host_and_port)); | 805 test_server.host_port_pair().Equals(request_info->host_and_port)); |
| 806 | 806 |
| 807 return request_info; | 807 return request_info; |
| 808 } | 808 } |
| 809 }; | 809 }; |
| 810 | 810 |
| 811 class SSLClientSocketFalseStartTest : public SSLClientSocketTest { | |
| 812 public: | |
| 813 SSLClientSocketFalseStartTest() | |
| 814 : monitor_handshake_callback_(false), | |
| 815 fail_handshake_after_false_start_(false) {} | |
| 816 | |
| 817 protected: | |
| 818 // Creates an SSLClientSocket with |client_config| attached to a | |
| 819 // FakeBlockingStreamSocket, returning both in |*out_raw_transport| and | |
| 820 // |*out_sock|. The FakeBlockingStreamSocket is owned by the SSLClientSocket, | |
| 821 // so |*out_raw_transport| is a raw pointer. | |
| 822 // | |
| 823 // The client socket will begin a connect using |callback| but stop before the | |
| 824 // server's finished message is received. The finished message will be blocked | |
| 825 // in |*out_raw_transport|. To complete the handshake and successfully read | |
| 826 // data, the caller must unblock reads on |*out_raw_transport|. (Note that, if | |
| 827 // the client successfully false started, |callback.WaitForResult()| will | |
| 828 // return OK without unblocking transport reads. But Read() will still block.) | |
| 829 // | |
| 830 // Must be called after StartTestServer is called. | |
| 831 void CreateAndConnectUntilServerFinishedReceived( | |
| 832 const SSLConfig& client_config, | |
| 833 TestCompletionCallback* callback, | |
| 834 FakeBlockingStreamSocket** out_raw_transport, | |
| 835 scoped_ptr<SSLClientSocket>* out_sock) { | |
| 836 CHECK(test_server()); | |
| 837 | |
| 838 scoped_ptr<StreamSocket> real_transport(scoped_ptr<StreamSocket>( | |
| 839 new TCPClientSocket(addr(), NULL, NetLog::Source()))); | |
| 840 real_transport.reset( | |
| 841 new SynchronousErrorStreamSocket(real_transport.Pass())); | |
| 842 | |
| 843 scoped_ptr<FakeBlockingStreamSocket> transport( | |
| 844 new FakeBlockingStreamSocket(real_transport.Pass())); | |
| 845 int rv = callback->GetResult(transport->Connect(callback->callback())); | |
| 846 EXPECT_EQ(OK, rv); | |
| 847 | |
| 848 FakeBlockingStreamSocket* raw_transport = transport.get(); | |
| 849 scoped_ptr<SSLClientSocket> sock = CreateSSLClientSocket( | |
| 850 transport.Pass(), test_server()->host_port_pair(), client_config); | |
| 851 | |
| 852 if (monitor_handshake_callback_) { | |
| 853 sock->SetHandshakeCompletionCallback( | |
| 854 base::Bind(&SSLClientSocketTest::RecordCompletedHandshake, | |
| 855 base::Unretained(this))); | |
| 856 } | |
| 857 | |
| 858 // Connect. Stop before the client processes the first server leg | |
| 859 // (ServerHello, etc.) | |
| 860 raw_transport->BlockReadResult(); | |
| 861 rv = sock->Connect(callback->callback()); | |
| 862 EXPECT_EQ(ERR_IO_PENDING, rv); | |
| 863 raw_transport->WaitForReadResult(); | |
| 864 | |
| 865 // Release the ServerHello and wait for the client to write | |
| 866 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the | |
| 867 // server's leg to complete, since it may span multiple reads.) | |
| 868 EXPECT_FALSE(callback->have_result()); | |
| 869 raw_transport->BlockWrite(); | |
| 870 raw_transport->UnblockReadResult(); | |
| 871 raw_transport->WaitForWrite(); | |
| 872 | |
| 873 if (fail_handshake_after_false_start_) { | |
| 874 SynchronousErrorStreamSocket* error_socket = | |
| 875 static_cast<SynchronousErrorStreamSocket*>( | |
| 876 raw_transport->transport()); | |
| 877 error_socket->SetNextReadError(ERR_CONNECTION_RESET); | |
| 878 } | |
| 879 // And, finally, release that and block the next server leg | |
| 880 // (ChangeCipherSpec, Finished). | |
| 881 raw_transport->BlockReadResult(); | |
| 882 raw_transport->UnblockWrite(); | |
| 883 | |
| 884 *out_raw_transport = raw_transport; | |
| 885 *out_sock = sock.Pass(); | |
| 886 } | |
| 887 | |
| 888 void TestFalseStart(const SpawnedTestServer::SSLOptions& server_options, | |
| 889 const SSLConfig& client_config, | |
| 890 bool expect_false_start) { | |
| 891 ASSERT_TRUE(StartTestServer(server_options)); | |
| 892 | |
| 893 TestCompletionCallback callback; | |
| 894 FakeBlockingStreamSocket* raw_transport = NULL; | |
| 895 scoped_ptr<SSLClientSocket> sock; | |
| 896 | |
| 897 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | |
| 898 client_config, &callback, &raw_transport, &sock)); | |
| 899 | |
| 900 if (expect_false_start) { | |
| 901 // When False Starting, the handshake should complete before receiving the | |
| 902 // Change Cipher Spec and Finished messages. | |
| 903 // | |
| 904 // Note: callback.have_result() may not be true without waiting. The NSS | |
| 905 // state machine sometimes lives on a separate thread, so this thread may | |
| 906 // not yet have processed the signal that the handshake has completed. | |
| 907 int rv = callback.WaitForResult(); | |
| 908 EXPECT_EQ(OK, rv); | |
| 909 EXPECT_TRUE(sock->IsConnected()); | |
| 910 | |
| 911 const char request_text[] = "GET / HTTP/1.0\r\n\r\n"; | |
| 912 static const int kRequestTextSize = | |
| 913 static_cast<int>(arraysize(request_text) - 1); | |
| 914 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize)); | |
| 915 memcpy(request_buffer->data(), request_text, kRequestTextSize); | |
| 916 | |
| 917 // Write the request. | |
| 918 rv = callback.GetResult(sock->Write(request_buffer.get(), | |
| 919 kRequestTextSize, | |
| 920 callback.callback())); | |
| 921 EXPECT_EQ(kRequestTextSize, rv); | |
| 922 | |
| 923 // The read will hang; it's waiting for the peer to complete the | |
| 924 // handshake, and the handshake is still blocked. | |
| 925 scoped_refptr<IOBuffer> buf(new IOBuffer(4096)); | |
| 926 rv = sock->Read(buf.get(), 4096, callback.callback()); | |
| 927 | |
| 928 // After releasing reads, the connection proceeds. | |
| 929 raw_transport->UnblockReadResult(); | |
| 930 rv = callback.GetResult(rv); | |
| 931 if (fail_handshake_after_false_start_) | |
| 932 EXPECT_EQ(ERR_CONNECTION_RESET, rv); | |
| 933 else | |
| 934 EXPECT_LT(0, rv); | |
| 935 } else { | |
| 936 // False Start is not enabled, so the handshake will not complete because | |
| 937 // the server second leg is blocked. | |
| 938 base::RunLoop().RunUntilIdle(); | |
| 939 EXPECT_FALSE(callback.have_result()); | |
| 940 } | |
| 941 } | |
| 942 | |
| 943 // Indicates that the socket's handshake completion callback should | |
| 944 // be monitored. | |
| 945 bool monitor_handshake_callback_; | |
| 946 // Indicates that this test's handshake should fail after the client | |
| 947 // "finished" message is sent. | |
| 948 bool fail_handshake_after_false_start_; | |
| 949 }; | |
| 950 | 811 |
| 951 class SSLClientSocketChannelIDTest : public SSLClientSocketTest { | 812 class SSLClientSocketChannelIDTest : public SSLClientSocketTest { |
| 952 protected: | 813 protected: |
| 953 void EnableChannelID() { | 814 void EnableChannelID() { |
| 954 channel_id_service_.reset( | 815 channel_id_service_.reset( |
| 955 new ChannelIDService(new DefaultChannelIDStore(NULL), | 816 new ChannelIDService(new DefaultChannelIDStore(NULL), |
| 956 base::MessageLoopProxy::current())); | 817 base::MessageLoopProxy::current())); |
| 957 context_.channel_id_service = channel_id_service_.get(); | 818 context_.channel_id_service = channel_id_service_.get(); |
| 958 } | 819 } |
| 959 | 820 |
| (...skipping 1914 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2874 sock->SetHandshakeCompletionCallback(base::Bind( | 2735 sock->SetHandshakeCompletionCallback(base::Bind( |
| 2875 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this))); | 2736 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this))); |
| 2876 | 2737 |
| 2877 rv = callback.GetResult(sock->Connect(callback.callback())); | 2738 rv = callback.GetResult(sock->Connect(callback.callback())); |
| 2878 | 2739 |
| 2879 EXPECT_EQ(OK, rv); | 2740 EXPECT_EQ(OK, rv); |
| 2880 EXPECT_TRUE(sock->IsConnected()); | 2741 EXPECT_TRUE(sock->IsConnected()); |
| 2881 EXPECT_TRUE(ran_handshake_completion_callback_); | 2742 EXPECT_TRUE(ran_handshake_completion_callback_); |
| 2882 } | 2743 } |
| 2883 | 2744 |
| 2884 TEST_F(SSLClientSocketFalseStartTest, | 2745 #endif // USE_OPENSSL |
| 2885 HandshakeCallbackIsRun_WithFalseStartFailure) { | |
| 2886 // False Start requires NPN and a forward-secret cipher suite. | |
| 2887 SpawnedTestServer::SSLOptions server_options; | |
| 2888 server_options.key_exchanges = | |
| 2889 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2890 server_options.enable_npn = true; | |
| 2891 SSLConfig client_config; | |
| 2892 client_config.next_protos.push_back("http/1.1"); | |
| 2893 monitor_handshake_callback_ = true; | |
| 2894 fail_handshake_after_false_start_ = true; | |
| 2895 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true)); | |
| 2896 ASSERT_TRUE(ran_handshake_completion_callback_); | |
| 2897 } | |
| 2898 | |
| 2899 TEST_F(SSLClientSocketFalseStartTest, | |
| 2900 HandshakeCallbackIsRun_WithFalseStartSuccess) { | |
| 2901 // False Start requires NPN and a forward-secret cipher suite. | |
| 2902 SpawnedTestServer::SSLOptions server_options; | |
| 2903 server_options.key_exchanges = | |
| 2904 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2905 server_options.enable_npn = true; | |
| 2906 SSLConfig client_config; | |
| 2907 client_config.next_protos.push_back("http/1.1"); | |
| 2908 monitor_handshake_callback_ = true; | |
| 2909 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true)); | |
| 2910 ASSERT_TRUE(ran_handshake_completion_callback_); | |
| 2911 } | |
| 2912 #endif // defined(USE_OPENSSL) | |
| 2913 | |
| 2914 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { | |
| 2915 // False Start requires NPN and a forward-secret cipher suite. | |
| 2916 SpawnedTestServer::SSLOptions server_options; | |
| 2917 server_options.key_exchanges = | |
| 2918 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2919 server_options.enable_npn = true; | |
| 2920 SSLConfig client_config; | |
| 2921 client_config.next_protos.push_back("http/1.1"); | |
| 2922 ASSERT_NO_FATAL_FAILURE( | |
| 2923 TestFalseStart(server_options, client_config, true)); | |
| 2924 } | |
| 2925 | |
| 2926 // Test that False Start is disabled without NPN. | |
| 2927 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { | |
| 2928 SpawnedTestServer::SSLOptions server_options; | |
| 2929 server_options.key_exchanges = | |
| 2930 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2931 SSLConfig client_config; | |
| 2932 client_config.next_protos.clear(); | |
| 2933 ASSERT_NO_FATAL_FAILURE( | |
| 2934 TestFalseStart(server_options, client_config, false)); | |
| 2935 } | |
| 2936 | |
| 2937 // Test that False Start is disabled without a forward-secret cipher suite. | |
| 2938 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { | |
| 2939 SpawnedTestServer::SSLOptions server_options; | |
| 2940 server_options.key_exchanges = | |
| 2941 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | |
| 2942 server_options.enable_npn = true; | |
| 2943 SSLConfig client_config; | |
| 2944 client_config.next_protos.push_back("http/1.1"); | |
| 2945 ASSERT_NO_FATAL_FAILURE( | |
| 2946 TestFalseStart(server_options, client_config, false)); | |
| 2947 } | |
| 2948 | |
| 2949 // Test that sessions are resumable after receiving the server Finished message. | |
| 2950 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { | |
| 2951 // Start a server. | |
| 2952 SpawnedTestServer::SSLOptions server_options; | |
| 2953 server_options.key_exchanges = | |
| 2954 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2955 server_options.enable_npn = true; | |
| 2956 SSLConfig client_config; | |
| 2957 client_config.next_protos.push_back("http/1.1"); | |
| 2958 | |
| 2959 // Let a full handshake complete with False Start. | |
| 2960 ASSERT_NO_FATAL_FAILURE( | |
| 2961 TestFalseStart(server_options, client_config, true)); | |
| 2962 | |
| 2963 // Make a second connection. | |
| 2964 TestCompletionCallback callback; | |
| 2965 scoped_ptr<StreamSocket> transport2( | |
| 2966 new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 2967 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback()))); | |
| 2968 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket( | |
| 2969 transport2.Pass(), test_server()->host_port_pair(), client_config); | |
| 2970 ASSERT_TRUE(sock2.get()); | |
| 2971 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback()))); | |
| 2972 | |
| 2973 // It should resume the session. | |
| 2974 SSLInfo ssl_info; | |
| 2975 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info)); | |
| 2976 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type); | |
| 2977 } | |
| 2978 | |
| 2979 // Test that sessions are not resumable before receiving the server Finished | |
| 2980 // message. | |
| 2981 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) { | |
| 2982 // Start a server. | |
| 2983 SpawnedTestServer::SSLOptions server_options; | |
| 2984 server_options.key_exchanges = | |
| 2985 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2986 server_options.enable_npn = true; | |
| 2987 ASSERT_TRUE(StartTestServer(server_options)); | |
| 2988 | |
| 2989 SSLConfig client_config; | |
| 2990 client_config.next_protos.push_back("http/1.1"); | |
| 2991 | |
| 2992 // Start a handshake up to the server Finished message. | |
| 2993 TestCompletionCallback callback; | |
| 2994 FakeBlockingStreamSocket* raw_transport1; | |
| 2995 scoped_ptr<SSLClientSocket> sock1; | |
| 2996 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived( | |
| 2997 client_config, &callback, &raw_transport1, &sock1)); | |
| 2998 // Although raw_transport1 has the server Finished blocked, the handshake | |
| 2999 // still completes. | |
| 3000 EXPECT_EQ(OK, callback.WaitForResult()); | |
| 3001 | |
| 3002 // Drop the old socket. This is needed because the Python test server can't | |
| 3003 // service two sockets in parallel. | |
| 3004 sock1.reset(); | |
| 3005 | |
| 3006 // Start a second connection. | |
| 3007 scoped_ptr<StreamSocket> transport2( | |
| 3008 new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 3009 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback()))); | |
| 3010 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket( | |
| 3011 transport2.Pass(), test_server()->host_port_pair(), client_config); | |
| 3012 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback()))); | |
| 3013 | |
| 3014 // No session resumption because the first connection never received a server | |
| 3015 // Finished message. | |
| 3016 SSLInfo ssl_info; | |
| 3017 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info)); | |
| 3018 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type); | |
| 3019 } | |
| 3020 | 2746 |
| 3021 // Connect to a server using channel id. It should allow the connection. | 2747 // Connect to a server using channel id. It should allow the connection. |
| 3022 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { | 2748 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) { |
| 3023 SpawnedTestServer::SSLOptions ssl_options; | 2749 SpawnedTestServer::SSLOptions ssl_options; |
| 3024 | 2750 |
| 3025 ASSERT_TRUE(ConnectToTestServer(ssl_options)); | 2751 ASSERT_TRUE(ConnectToTestServer(ssl_options)); |
| 3026 | 2752 |
| 3027 EnableChannelID(); | 2753 EnableChannelID(); |
| 3028 SSLConfig ssl_config = kDefaultSSLConfig; | 2754 SSLConfig ssl_config = kDefaultSSLConfig; |
| 3029 ssl_config.channel_id_enabled = true; | 2755 ssl_config.channel_id_enabled = true; |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3073 ssl_config.channel_id_enabled = true; | 2799 ssl_config.channel_id_enabled = true; |
| 3074 | 2800 |
| 3075 int rv; | 2801 int rv; |
| 3076 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 2802 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3077 | 2803 |
| 3078 EXPECT_EQ(ERR_UNEXPECTED, rv); | 2804 EXPECT_EQ(ERR_UNEXPECTED, rv); |
| 3079 EXPECT_FALSE(sock_->IsConnected()); | 2805 EXPECT_FALSE(sock_->IsConnected()); |
| 3080 } | 2806 } |
| 3081 | 2807 |
| 3082 } // namespace net | 2808 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 662543005:
net: allow False Start only for >= TLS 1.2 && AEAD && forward-secure && ALPN/NPN. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git/+/master