net: Implement new SSL session cache for OpenSSL sockets.

net/socket/ssl_session_cache_openssl_unittest.cc

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/socket/ssl_session_cache_openssl.h"
+
+#include <openssl/ssl.h>
+
+#include "base/lazy_instance.h"
+#include "base/logging.h"
+#include "base/strings/stringprintf.h"
+#include "crypto/openssl_util.h"
+
+#include "testing/gtest/include/gtest/gtest.h"
+
+// This is an internal OpenSSL function that can be used to create a new
+// session for an existing SSL object. This shall force a call to the
+// 'generate_session_id' callback from the SSL's session context.
+// |s| is the target SSL connection handle.
+// |session| is non-0 to ask for the creation of a new session. If 0,
+// this will set an empty session with no ID instead.
+extern "C" int ssl_get_new_session(SSL* s, int session);
+
+// This is an internal OpenSSL function which is used internally to add
+// a new session to the cache. It is normally triggered by a succesful
+// connection. However, this unit test does not use the network at all.
+extern "C" void ssl_update_cache(SSL* s, int mode);
+
+namespace net {
+
+namespace {
+
+typedef crypto::ScopedOpenSSL<SSL, SSL_free> ScopedSSL;
+
+// Helper class used to associate liberal std::string keys with SSL objects.

[agl, 2013/11/27 21:58:33]

liberal?

[digit1, 2013/11/28 10:37:20]

I've changed it to 'arbitrary' which is the meaning I intended. Pardon my
French, English isn't my mother tongue :-)

+class SSLKeyHelper {
+ public:
+  // Return the string associated with a given SSL handle |ssl|, or the
+  // empty string if none exists.
+  static std::string Get(const SSL* ssl) {
+    return GetInstance()->GetValue(ssl);
+  }
+
+  // Associate a string with a given SSL handle |ssl|.
+  static void Set(SSL* ssl, const std::string& value) {
+    GetInstance()->SetValue(ssl, value);
+  }
+
+  static SSLKeyHelper* GetInstance() {
+    static base::LazyInstance<SSLKeyHelper>::Leaky s_instance =

[agl, 2013/11/27 21:58:33]

I'll take your word that this compiles into nothing.

[digit1, 2013/11/28 10:37:20]

I confirm it does (I disassembled the result to manually check too).

Note that even if it did not, this is a unit test class with a single thread, so
I don't think there would be an issue anyway.

+        LAZY_INSTANCE_INITIALIZER;
+    return s_instance.Pointer();
+  }
+
+  SSLKeyHelper() {
+    ex_index_ = SSL_get_ex_new_index(0, NULL, NULL, KeyDup, KeyFree);
+    CHECK_NE(-1, ex_index_);
+  }
+
+  std::string GetValue(const SSL* ssl) {
+    std::string* value =
+        reinterpret_cast<std::string*>(SSL_get_ex_data(ssl, ex_index_));
+    if (!value)
+      return std::string();
+    return *value;
+  }
+
+  void SetValue(SSL* ssl, const std::string& value) {
+    int ret = SSL_set_ex_data(ssl, ex_index_, new std::string(value));
+    CHECK_EQ(1, ret);
+  }
+
+  // Called when a SSL object is copied through SSL_dup(). This needs to copy

[agl, 2013/11/27 21:58:33]

s/a/an/ I think.

[digit1, 2013/11/28 10:37:20]

Done.

+  // the value as well.
+  static int KeyDup(CRYPTO_EX_DATA* to,
+                    CRYPTO_EX_DATA* from,
+                    void* from_fd,
+                    int idx,
+                    long argl,
+                    void* argp) {
+    // |from_fd| is really the address of a temporary pointer. On input, it
+    // points to the value from the original SSL object. The function must
+    // update it to the address of a copy.
+    std::string** ptr = reinterpret_cast<std::string**>(from_fd);
+    std::string* old_string = *ptr;
+    std::string* new_string = new std::string(*old_string);
+    *ptr = new_string;
+    return 0;  // Ignored by the implementation.
+  }
+
+  // Called to destroy the value associated with a SSL object.

[agl, 2013/11/27 21:58:33]

s/a/an/

[digit1, 2013/11/28 10:37:20]

Done.

+  static void KeyFree(void* parent,
+                      void* ptr,
+                      CRYPTO_EX_DATA* ad,
+                      int index,
+                      long argl,
+                      void* argp) {
+    std::string* value = reinterpret_cast<std::string*>(ptr);
+    delete value;
+  }
+
+  int ex_index_;
+};
+
+}  // namespace
+
+class SSLSessionCacheOpenSSLTest : public testing::Test {
+ public:
+  SSLSessionCacheOpenSSLTest() {
+    crypto::EnsureOpenSSLInit();
+    ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
+    cache_.Reset(ctx_.get(), kDefaultConfig);
+  }
+
+  // Reset cache configuration.
+  void ResetConfig(const SSLSessionCacheOpenSSL::Config& config) {
+    cache_.Reset(ctx_.get(), config);
+  }
+
+  // Helper function to create a new SSL connection object associated with
+  // a given unique |cache_key|. This does _not_ add the session to the cache.
+  // Caller must free the object with SSL_free().
+  SSL* NewSSL(const std::string& cache_key) {
+    SSL* ssl = SSL_new(ctx_.get());
+    if (!ssl)
+      return NULL;
+
+    SSLKeyHelper::Set(ssl, cache_key);  // associate cache key.
+    ResetSessionID(ssl);                // create new unique session ID.
+    return ssl;
+  }
+
+  // Reset the session ID of a given SSL object. This creates a new session
+  // with a new unique random ID. Does not add it to the cache.
+  static void ResetSessionID(SSL* ssl) { ssl_get_new_session(ssl, 1); }
+
+  // Add a given SSL object and its session to the cache.
+  void AddToCache(SSL* ssl) {
+    ssl_update_cache(ssl, ctx_.get()->session_cache_mode);
+  }
+
+  static const SSLSessionCacheOpenSSL::Config kDefaultConfig;
+
+ protected:
+  crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free> ctx_;
+  // |cache_| must be destroyed before |ctx_| and thus appears after it.
+  SSLSessionCacheOpenSSL cache_;
+};
+
+// static
+const SSLSessionCacheOpenSSL::Config
+    SSLSessionCacheOpenSSLTest::kDefaultConfig = {
+        &SSLKeyHelper::Get,  // key_func
+        1024,                // max_entries
+        256,                 // expiration_check_count
+        60 * 60,             // timeout_seconds
+};
+
+TEST_F(SSLSessionCacheOpenSSLTest, EmptyCacheCreation) {
+  EXPECT_EQ(0U, cache_.size());
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, CacheOneSession) {
+  ScopedSSL ssl(NewSSL("hello"));
+
+  EXPECT_EQ(0U, cache_.size());
+  AddToCache(ssl.get());
+  EXPECT_EQ(1U, cache_.size());
+  ssl.reset(NULL);
+  EXPECT_EQ(1U, cache_.size());
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, CacheMultipleSessions) {
+  const size_t kNumItems = 100;
+  int local_id = 1;
+
+  // Add kNumItems to the cache.
+  for (size_t n = 0; n < kNumItems; ++n) {
+    std::string local_id_string = base::StringPrintf("%d", local_id++);
+    ScopedSSL ssl(NewSSL(local_id_string));
+    AddToCache(ssl.get());
+    EXPECT_EQ(n + 1, cache_.size());
+  }
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, Flush) {
+  const size_t kNumItems = 100;
+  int local_id = 1;
+
+  // Add kNumItems to the cache.
+  for (size_t n = 0; n < kNumItems; ++n) {
+    std::string local_id_string = base::StringPrintf("%d", local_id++);
+    ScopedSSL ssl(NewSSL(local_id_string));
+    AddToCache(ssl.get());
+  }
+  EXPECT_EQ(kNumItems, cache_.size());
+
+  cache_.Flush();
+  EXPECT_EQ(0U, cache_.size());
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSession) {
+  const std::string key("hello");
+  ScopedSSL ssl(NewSSL(key));
+
+  // First call should fail because the session is not in the cache.
+  EXPECT_FALSE(cache_.SetSSLSession(ssl.get()));
+  SSL_SESSION* session = ssl.get()->session;
+  EXPECT_TRUE(session);
+  EXPECT_EQ(1, session->references);
+
+  AddToCache(ssl.get());
+  EXPECT_EQ(2, session->references);
+
+  ssl.reset(NULL);
+  EXPECT_EQ(1, session->references);
+
+  // Second call should find the session ID and associate it with |ssl2|.
+  ScopedSSL ssl2(NewSSL(key));
+  EXPECT_TRUE(cache_.SetSSLSession(ssl2.get()));
+
+  EXPECT_EQ(session, ssl2.get()->session);
+  EXPECT_EQ(2, session->references);
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSessionWithKey) {
+  const std::string key("hello");
+  ScopedSSL ssl(NewSSL(key));
+  AddToCache(ssl.get());
+  ssl.reset(NULL);
+
+  ScopedSSL ssl2(NewSSL(key));
+  EXPECT_TRUE(cache_.SetSSLSessionWithKey(ssl2.get(), key));
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, CheckSessionReplacement) {
+  // Check that if two SSL connections have the same key, only one
+  // corresponding session can be stored in the cache.
+  const std::string common_key("common-key");
+  ScopedSSL ssl1(NewSSL(common_key));
+  ScopedSSL ssl2(NewSSL(common_key));
+
+  AddToCache(ssl1.get());
+  EXPECT_EQ(1U, cache_.size());
+  EXPECT_EQ(2, ssl1.get()->session->references);
+
+  // This ends up calling OnSessionAdded which will discover that there is
+  // already one session ID associated with the key, and will replace it.
+  AddToCache(ssl2.get());
+  EXPECT_EQ(1U, cache_.size());
+  EXPECT_EQ(1, ssl1.get()->session->references);
+  EXPECT_EQ(2, ssl2.get()->session->references);
+}
+
+TEST_F(SSLSessionCacheOpenSSLTest, CheckEviction) {
+  const size_t kMaxItems = 20;
+  int local_id = 1;
+
+  SSLSessionCacheOpenSSL::Config config = kDefaultConfig;
+  config.max_entries = kMaxItems;
+  ResetConfig(config);
+
+  // Add kMaxItems to the cache.
+  for (size_t n = 0; n < kMaxItems; ++n) {
+    std::string local_id_string = base::StringPrintf("%d", local_id++);
+    ScopedSSL ssl(NewSSL(local_id_string));
+
+    AddToCache(ssl.get());
+    EXPECT_EQ(n + 1, cache_.size());
+  }
+
+  // Continue adding new items to the cache, check that old ones are
+  // evicted.
+  for (size_t n = 0; n < kMaxItems; ++n) {
+    std::string local_id_string = base::StringPrintf("%d", local_id++);
+    ScopedSSL ssl(NewSSL(local_id_string));
+
+    AddToCache(ssl.get());
+    EXPECT_EQ(kMaxItems, cache_.size());
+  }
+}
+
+// Check that session expiration works properly.
+TEST_F(SSLSessionCacheOpenSSLTest, CheckExpiration) {
+  const size_t kMaxCheckCount = 10;
+  const size_t kNumEntries = 20;
+
+  SSLSessionCacheOpenSSL::Config config = kDefaultConfig;
+  config.expiration_check_count = kMaxCheckCount;
+  config.timeout_seconds = 1000;
+  ResetConfig(config);
+
+  // Add |kNumItems - 1| session entries with crafted time values.
+  for (size_t n = 0; n < kNumEntries - 1U; ++n) {
+    std::string key = base::StringPrintf("%d", static_cast<int>(n));
+    ScopedSSL ssl(NewSSL(key));
+    // Cheat a little: Force the session |time| value, this guarantees that they
+    // are expired, given that ::time() will always return a value that is
+    // past the first 100 seconds after the Unix epoch.
+    ssl.get()->session->time = static_cast<long>(n);
+    AddToCache(ssl.get());
+  }
+  EXPECT_EQ(kNumEntries - 1U, cache_.size());
+
+  // Add nother session which will get the current time, and thus not be
+  // expirable until 1000 seconds have passed.
+  ScopedSSL good_ssl(NewSSL("good-key"));
+  AddToCache(good_ssl.get());
+  good_ssl.reset(NULL);
+  EXPECT_EQ(kNumEntries, cache_.size());
+
+  // Call SetSSLSession() |kMaxCheckCount - 1| times, this shall not expire
+  // any session
+  for (size_t n = 0; n < kMaxCheckCount - 1U; ++n) {
+    ScopedSSL ssl(NewSSL("unknown-key"));
+    cache_.SetSSLSession(ssl.get());
+    EXPECT_EQ(kNumEntries, cache_.size());
+  }
+
+  // Call SetSSLSession another time, this shall expire all sessions except
+  // the last one.
+  ScopedSSL bad_ssl(NewSSL("unknown-key"));
+  cache_.SetSSLSession(bad_ssl.get());
+  bad_ssl.reset(NULL);
+  EXPECT_EQ(1U, cache_.size());
+}
+
+}  // namespace net