Chromium Code Reviews Chromium Code Reviews
Issue 947603002:
Shard the SSL session cache by version fallback. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
| 8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 22 #include "net/dns/host_resolver.h" | 22 #include "net/dns/host_resolver.h" |
| 23 #include "net/http/transport_security_state.h" | 23 #include "net/http/transport_security_state.h" |
| 24 #include "net/socket/client_socket_factory.h" | 24 #include "net/socket/client_socket_factory.h" |
| 25 #include "net/socket/client_socket_handle.h" | 25 #include "net/socket/client_socket_handle.h" |
| 26 #include "net/socket/socket_test_util.h" | 26 #include "net/socket/socket_test_util.h" |
| 27 #include "net/socket/tcp_client_socket.h" | 27 #include "net/socket/tcp_client_socket.h" |
| 28 #include "net/ssl/channel_id_service.h" | 28 #include "net/ssl/channel_id_service.h" |
| 29 #include "net/ssl/default_channel_id_store.h" | 29 #include "net/ssl/default_channel_id_store.h" |
| 30 #include "net/ssl/ssl_cert_request_info.h" | 30 #include "net/ssl/ssl_cert_request_info.h" |
| 31 #include "net/ssl/ssl_config_service.h" | 31 #include "net/ssl/ssl_config_service.h" |
| 32 #include "net/ssl/ssl_connection_status_flags.h" | |
| 33 #include "net/ssl/ssl_info.h" | |
| 32 #include "net/test/cert_test_util.h" | 34 #include "net/test/cert_test_util.h" |
| 33 #include "net/test/spawned_test_server/spawned_test_server.h" | 35 #include "net/test/spawned_test_server/spawned_test_server.h" |
| 34 #include "testing/gmock/include/gmock/gmock.h" | 36 #include "testing/gmock/include/gmock/gmock.h" |
| 35 #include "testing/gtest/include/gtest/gtest.h" | 37 #include "testing/gtest/include/gtest/gtest.h" |
| 36 #include "testing/platform_test.h" | 38 #include "testing/platform_test.h" |
| 37 | 39 |
| 38 //----------------------------------------------------------------------------- | 40 //----------------------------------------------------------------------------- |
| 39 | 41 |
| 40 using testing::_; | 42 using testing::_; |
| 41 using testing::Return; | 43 using testing::Return; |
| (...skipping 2741 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2783 EXPECT_TRUE(sock->WasEverUsed()); | 2785 EXPECT_TRUE(sock->WasEverUsed()); |
| 2784 | 2786 |
| 2785 // TODO(davidben): Read one byte to ensure the test server has responded and | 2787 // TODO(davidben): Read one byte to ensure the test server has responded and |
| 2786 // then assert IsConnectedAndIdle is false. This currently doesn't work | 2788 // then assert IsConnectedAndIdle is false. This currently doesn't work |
| 2787 // because neither SSLClientSocketNSS nor SSLClientSocketOpenSSL check their | 2789 // because neither SSLClientSocketNSS nor SSLClientSocketOpenSSL check their |
| 2788 // SSL implementation's internal buffers. Either call PR_Available and | 2790 // SSL implementation's internal buffers. Either call PR_Available and |
| 2789 // SSL_pending, although the former isn't actually implemented or perhaps | 2791 // SSL_pending, although the former isn't actually implemented or perhaps |
| 2790 // attempt to read one byte extra. | 2792 // attempt to read one byte extra. |
| 2791 } | 2793 } |
| 2792 | 2794 |
| 2795 // Tests that session caches are sharded by max_version. | |
| 2796 TEST_F(SSLClientSocketTest, FallbackShardSessionCache) { | |
| 2797 SpawnedTestServer::SSLOptions ssl_options; | |
| 2798 ASSERT_TRUE(StartTestServer(ssl_options)); | |
| 2799 | |
| 2800 // Prepare a normal and fallback SSL config. | |
| 2801 SSLConfig ssl_config; | |
| 2802 SSLConfig fallback_ssl_config; | |
| 2803 fallback_ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1; | |
| 2804 fallback_ssl_config.version_fallback = true; | |
| 2805 | |
| 2806 // Connect with a fallback config from the test server to add an entry to the | |
| 2807 // session cache. | |
| 2808 TestCompletionCallback callback; | |
| 2809 scoped_ptr<StreamSocket> transport( | |
| 2810 new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 2811 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback()))); | |
| 2812 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket( | |
| 2813 transport.Pass(), test_server()->host_port_pair(), fallback_ssl_config)); | |
| 2814 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback()))); | |
| 2815 SSLInfo ssl_info; | |
| 2816 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info)); | |
| 2817 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type); | |
| 2818 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1, | |
| 2819 SSLConnectionStatusToVersion(ssl_info.connection_status)); | |
| 2820 | |
| 2821 // A non-fallback connection needs a full handshake. | |
| 2822 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 2823 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback()))); | |
| 2824 sock = CreateSSLClientSocket(transport.Pass(), | |
| 2825 test_server()->host_port_pair(), ssl_config); | |
| 2826 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback()))); | |
| 2827 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info)); | |
| 2828 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type); | |
| 2829 // This does not check for equality because TLS 1.2 support is conditional on | |
| 2830 // system NSS features. | |
| 2831 EXPECT_LT(SSL_CONNECTION_VERSION_TLS1, | |
| 2832 SSLConnectionStatusToVersion(ssl_info.connection_status)); | |
| 2833 | |
| 2834 // Note: if the server (correctly) declines to resume a TLS 1.0 session at TLS | |
| 2835 // 1.2, the above test would not be sufficient to prove the session caches are | |
| 2836 // sharded. Implementations vary here, so, to avoid being sensitive to this, | |
| 2837 // attempt to resume with two more connections. | |
|
davidben
2015/02/20 22:57:56
Ideally, this test should function correctly under
| |
| 2838 | |
| 2839 // The non-fallback connection added a > TLS 1.0 entry to the session cache. | |
| 2840 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 2841 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback()))); | |
| 2842 sock = CreateSSLClientSocket(transport.Pass(), | |
| 2843 test_server()->host_port_pair(), ssl_config); | |
| 2844 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback()))); | |
| 2845 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info)); | |
| 2846 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type); | |
| 2847 // This does not check for equality because TLS 1.2 support is conditional on | |
| 2848 // system NSS features. | |
| 2849 EXPECT_LT(SSL_CONNECTION_VERSION_TLS1, | |
| 2850 SSLConnectionStatusToVersion(ssl_info.connection_status)); | |
| 2851 | |
| 2852 // The fallback connection still resumes from its session cache. It cannot | |
| 2853 // offer the > TLS 1.0 session, so this must have been the session from the | |
| 2854 // first fallback connection. | |
| 2855 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source())); | |
| 2856 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback()))); | |
| 2857 sock = CreateSSLClientSocket( | |
| 2858 transport.Pass(), test_server()->host_port_pair(), fallback_ssl_config); | |
| 2859 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback()))); | |
| 2860 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info)); | |
| 2861 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type); | |
| 2862 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1, | |
| 2863 SSLConnectionStatusToVersion(ssl_info.connection_status)); | |
| 2864 } | |
| 2865 | |
| 2793 #if defined(USE_OPENSSL) | 2866 #if defined(USE_OPENSSL) |
| 2794 | 2867 |
| 2795 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithFailure) { | 2868 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithFailure) { |
| 2796 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS, | 2869 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS, |
| 2797 SpawnedTestServer::kLocalhost, | 2870 SpawnedTestServer::kLocalhost, |
| 2798 base::FilePath()); | 2871 base::FilePath()); |
| 2799 ASSERT_TRUE(test_server.Start()); | 2872 ASSERT_TRUE(test_server.Start()); |
| 2800 | 2873 |
| 2801 AddressList addr; | 2874 AddressList addr; |
| 2802 ASSERT_TRUE(test_server.GetAddressList(&addr)); | 2875 ASSERT_TRUE(test_server.GetAddressList(&addr)); |
| (...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 3113 ssl_config.channel_id_enabled = true; | 3186 ssl_config.channel_id_enabled = true; |
| 3114 | 3187 |
| 3115 int rv; | 3188 int rv; |
| 3116 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 3189 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3117 | 3190 |
| 3118 EXPECT_EQ(ERR_UNEXPECTED, rv); | 3191 EXPECT_EQ(ERR_UNEXPECTED, rv); |
| 3119 EXPECT_FALSE(sock_->IsConnected()); | 3192 EXPECT_FALSE(sock_->IsConnected()); |
| 3120 } | 3193 } |
| 3121 | 3194 |
| 3122 } // namespace net | 3195 } // namespace net |
| OLD | NEW |
