| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/socket/ssl_session_cache_openssl.h" | |
| 6 | |
| 7 #include <openssl/ssl.h> | |
| 8 | |
| 9 #include "base/lazy_instance.h" | |
| 10 #include "base/logging.h" | |
| 11 #include "base/strings/stringprintf.h" | |
| 12 #include "crypto/openssl_util.h" | |
| 13 #include "crypto/scoped_openssl_types.h" | |
| 14 | |
| 15 #include "testing/gtest/include/gtest/gtest.h" | |
| 16 | |
| 17 // This is an internal OpenSSL function that can be used to create a new | |
| 18 // session for an existing SSL object. This shall force a call to the | |
| 19 // 'generate_session_id' callback from the SSL's session context. | |
| 20 // |s| is the target SSL connection handle. | |
| 21 // |session| is non-0 to ask for the creation of a new session. If 0, | |
| 22 // this will set an empty session with no ID instead. | |
| 23 extern "C" OPENSSL_EXPORT int ssl_get_new_session(SSL* s, int session); | |
| 24 | |
| 25 // This is an internal OpenSSL function which is used internally to add | |
| 26 // a new session to the cache. It is normally triggered by a succesful | |
| 27 // connection. However, this unit test does not use the network at all. | |
| 28 extern "C" OPENSSL_EXPORT void ssl_update_cache(SSL* s, int mode); | |
| 29 | |
| 30 namespace net { | |
| 31 | |
| 32 namespace { | |
| 33 | |
| 34 typedef crypto::ScopedOpenSSL<SSL, SSL_free>::Type ScopedSSL; | |
| 35 typedef crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ScopedSSL_CTX; | |
| 36 | |
| 37 // Helper class used to associate arbitrary std::string keys with SSL objects. | |
| 38 class SSLKeyHelper { | |
| 39 public: | |
| 40 // Return the string associated with a given SSL handle |ssl|, or the | |
| 41 // empty string if none exists. | |
| 42 static std::string Get(const SSL* ssl) { | |
| 43 return GetInstance()->GetValue(ssl); | |
| 44 } | |
| 45 | |
| 46 // Associate a string with a given SSL handle |ssl|. | |
| 47 static void Set(SSL* ssl, const std::string& value) { | |
| 48 GetInstance()->SetValue(ssl, value); | |
| 49 } | |
| 50 | |
| 51 static SSLKeyHelper* GetInstance() { | |
| 52 static base::LazyInstance<SSLKeyHelper>::Leaky s_instance = | |
| 53 LAZY_INSTANCE_INITIALIZER; | |
| 54 return s_instance.Pointer(); | |
| 55 } | |
| 56 | |
| 57 SSLKeyHelper() { | |
| 58 ex_index_ = SSL_get_ex_new_index(0, NULL, NULL, KeyDup, KeyFree); | |
| 59 CHECK_NE(-1, ex_index_); | |
| 60 } | |
| 61 | |
| 62 std::string GetValue(const SSL* ssl) { | |
| 63 std::string* value = | |
| 64 reinterpret_cast<std::string*>(SSL_get_ex_data(ssl, ex_index_)); | |
| 65 if (!value) | |
| 66 return std::string(); | |
| 67 return *value; | |
| 68 } | |
| 69 | |
| 70 void SetValue(SSL* ssl, const std::string& value) { | |
| 71 int ret = SSL_set_ex_data(ssl, ex_index_, new std::string(value)); | |
| 72 CHECK_EQ(1, ret); | |
| 73 } | |
| 74 | |
| 75 // Called when an SSL object is copied through SSL_dup(). This needs to copy | |
| 76 // the value as well. | |
| 77 static int KeyDup(CRYPTO_EX_DATA* to, | |
| 78 const CRYPTO_EX_DATA* from, | |
| 79 void** from_fd, | |
| 80 int idx, | |
| 81 long argl, | |
| 82 void* argp) { | |
| 83 // |from_fd| is really the address of a temporary pointer. On input, it | |
| 84 // points to the value from the original SSL object. The function must | |
| 85 // update it to the address of a copy. | |
| 86 std::string** ptr = reinterpret_cast<std::string**>(from_fd); | |
| 87 std::string* old_string = *ptr; | |
| 88 std::string* new_string = new std::string(*old_string); | |
| 89 *ptr = new_string; | |
| 90 return 0; // Ignored by the implementation. | |
| 91 } | |
| 92 | |
| 93 // Called to destroy the value associated with an SSL object. | |
| 94 static void KeyFree(void* parent, | |
| 95 void* ptr, | |
| 96 CRYPTO_EX_DATA* ad, | |
| 97 int index, | |
| 98 long argl, | |
| 99 void* argp) { | |
| 100 std::string* value = reinterpret_cast<std::string*>(ptr); | |
| 101 delete value; | |
| 102 } | |
| 103 | |
| 104 int ex_index_; | |
| 105 }; | |
| 106 | |
| 107 } // namespace | |
| 108 | |
| 109 class SSLSessionCacheOpenSSLTest : public testing::Test { | |
| 110 public: | |
| 111 SSLSessionCacheOpenSSLTest() { | |
| 112 crypto::EnsureOpenSSLInit(); | |
| 113 ctx_.reset(SSL_CTX_new(SSLv23_client_method())); | |
| 114 cache_.Reset(ctx_.get(), kDefaultConfig); | |
| 115 } | |
| 116 | |
| 117 // Reset cache configuration. | |
| 118 void ResetConfig(const SSLSessionCacheOpenSSL::Config& config) { | |
| 119 cache_.Reset(ctx_.get(), config); | |
| 120 } | |
| 121 | |
| 122 // Helper function to create a new SSL connection object associated with | |
| 123 // a given unique |cache_key|. This does _not_ add the session to the cache. | |
| 124 // Caller must free the object with SSL_free(). | |
| 125 SSL* NewSSL(const std::string& cache_key) { | |
| 126 SSL* ssl = SSL_new(ctx_.get()); | |
| 127 if (!ssl) | |
| 128 return NULL; | |
| 129 | |
| 130 SSLKeyHelper::Set(ssl, cache_key); // associate cache key. | |
| 131 ResetSessionID(ssl); // create new unique session ID. | |
| 132 return ssl; | |
| 133 } | |
| 134 | |
| 135 // Reset the session ID of a given SSL object. This creates a new session | |
| 136 // with a new unique random ID. Does not add it to the cache. | |
| 137 static void ResetSessionID(SSL* ssl) { ssl_get_new_session(ssl, 1); } | |
| 138 | |
| 139 // Add a given SSL object and its session to the cache. | |
| 140 void AddToCache(SSL* ssl) { | |
| 141 ssl_update_cache(ssl, ctx_.get()->session_cache_mode); | |
| 142 } | |
| 143 | |
| 144 static const SSLSessionCacheOpenSSL::Config kDefaultConfig; | |
| 145 | |
| 146 protected: | |
| 147 ScopedSSL_CTX ctx_; | |
| 148 // |cache_| must be destroyed before |ctx_| and thus appears after it. | |
| 149 SSLSessionCacheOpenSSL cache_; | |
| 150 }; | |
| 151 | |
| 152 // static | |
| 153 const SSLSessionCacheOpenSSL::Config | |
| 154 SSLSessionCacheOpenSSLTest::kDefaultConfig = { | |
| 155 &SSLKeyHelper::Get, // key_func | |
| 156 1024, // max_entries | |
| 157 256, // expiration_check_count | |
| 158 60 * 60, // timeout_seconds | |
| 159 }; | |
| 160 | |
| 161 TEST_F(SSLSessionCacheOpenSSLTest, EmptyCacheCreation) { | |
| 162 EXPECT_EQ(0U, cache_.size()); | |
| 163 } | |
| 164 | |
| 165 TEST_F(SSLSessionCacheOpenSSLTest, CacheOneSession) { | |
| 166 ScopedSSL ssl(NewSSL("hello")); | |
| 167 | |
| 168 EXPECT_EQ(0U, cache_.size()); | |
| 169 AddToCache(ssl.get()); | |
| 170 EXPECT_EQ(1U, cache_.size()); | |
| 171 ssl.reset(NULL); | |
| 172 EXPECT_EQ(1U, cache_.size()); | |
| 173 } | |
| 174 | |
| 175 TEST_F(SSLSessionCacheOpenSSLTest, CacheMultipleSessions) { | |
| 176 const size_t kNumItems = 100; | |
| 177 int local_id = 1; | |
| 178 | |
| 179 // Add kNumItems to the cache. | |
| 180 for (size_t n = 0; n < kNumItems; ++n) { | |
| 181 std::string local_id_string = base::StringPrintf("%d", local_id++); | |
| 182 ScopedSSL ssl(NewSSL(local_id_string)); | |
| 183 AddToCache(ssl.get()); | |
| 184 EXPECT_EQ(n + 1, cache_.size()); | |
| 185 } | |
| 186 } | |
| 187 | |
| 188 TEST_F(SSLSessionCacheOpenSSLTest, Flush) { | |
| 189 const size_t kNumItems = 100; | |
| 190 int local_id = 1; | |
| 191 | |
| 192 // Add kNumItems to the cache. | |
| 193 for (size_t n = 0; n < kNumItems; ++n) { | |
| 194 std::string local_id_string = base::StringPrintf("%d", local_id++); | |
| 195 ScopedSSL ssl(NewSSL(local_id_string)); | |
| 196 AddToCache(ssl.get()); | |
| 197 } | |
| 198 EXPECT_EQ(kNumItems, cache_.size()); | |
| 199 | |
| 200 cache_.Flush(); | |
| 201 EXPECT_EQ(0U, cache_.size()); | |
| 202 } | |
| 203 | |
| 204 TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSession) { | |
| 205 const std::string key("hello"); | |
| 206 ScopedSSL ssl(NewSSL(key)); | |
| 207 | |
| 208 // First call should fail because the session is not in the cache. | |
| 209 EXPECT_FALSE(cache_.SetSSLSession(ssl.get())); | |
| 210 SSL_SESSION* session = ssl.get()->session; | |
| 211 EXPECT_TRUE(session); | |
| 212 EXPECT_EQ(1, session->references); | |
| 213 | |
| 214 AddToCache(ssl.get()); | |
| 215 EXPECT_EQ(2, session->references); | |
| 216 | |
| 217 // Mark the session as good, so that it is re-used for the second connection. | |
| 218 cache_.MarkSSLSessionAsGood(ssl.get()); | |
| 219 | |
| 220 ssl.reset(NULL); | |
| 221 EXPECT_EQ(1, session->references); | |
| 222 | |
| 223 // Second call should find the session ID and associate it with |ssl2|. | |
| 224 ScopedSSL ssl2(NewSSL(key)); | |
| 225 EXPECT_TRUE(cache_.SetSSLSession(ssl2.get())); | |
| 226 | |
| 227 EXPECT_EQ(session, ssl2.get()->session); | |
| 228 EXPECT_EQ(2, session->references); | |
| 229 } | |
| 230 | |
| 231 TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSessionWithKey) { | |
| 232 const std::string key("hello"); | |
| 233 ScopedSSL ssl(NewSSL(key)); | |
| 234 AddToCache(ssl.get()); | |
| 235 cache_.MarkSSLSessionAsGood(ssl.get()); | |
| 236 ssl.reset(NULL); | |
| 237 | |
| 238 ScopedSSL ssl2(NewSSL(key)); | |
| 239 EXPECT_TRUE(cache_.SetSSLSessionWithKey(ssl2.get(), key)); | |
| 240 } | |
| 241 | |
| 242 TEST_F(SSLSessionCacheOpenSSLTest, CheckSessionReplacement) { | |
| 243 // Check that if two SSL connections have the same key, only one | |
| 244 // corresponding session can be stored in the cache. | |
| 245 const std::string common_key("common-key"); | |
| 246 ScopedSSL ssl1(NewSSL(common_key)); | |
| 247 ScopedSSL ssl2(NewSSL(common_key)); | |
| 248 | |
| 249 AddToCache(ssl1.get()); | |
| 250 EXPECT_EQ(1U, cache_.size()); | |
| 251 EXPECT_EQ(2, ssl1.get()->session->references); | |
| 252 | |
| 253 // This ends up calling OnSessionAdded which will discover that there is | |
| 254 // already one session ID associated with the key, and will replace it. | |
| 255 AddToCache(ssl2.get()); | |
| 256 EXPECT_EQ(1U, cache_.size()); | |
| 257 EXPECT_EQ(1, ssl1.get()->session->references); | |
| 258 EXPECT_EQ(2, ssl2.get()->session->references); | |
| 259 } | |
| 260 | |
| 261 // Check that when two connections have the same key, a new session is created | |
| 262 // if the existing session has not yet been marked "good". Further, after the | |
| 263 // first session completes, if the second session has replaced it in the cache, | |
| 264 // new sessions should continue to fail until the currently cached session | |
| 265 // succeeds. | |
| 266 TEST_F(SSLSessionCacheOpenSSLTest, CheckSessionReplacementWhenNotGood) { | |
| 267 const std::string key("hello"); | |
| 268 ScopedSSL ssl(NewSSL(key)); | |
| 269 | |
| 270 // First call should fail because the session is not in the cache. | |
| 271 EXPECT_FALSE(cache_.SetSSLSession(ssl.get())); | |
| 272 SSL_SESSION* session = ssl.get()->session; | |
| 273 ASSERT_TRUE(session); | |
| 274 EXPECT_EQ(1, session->references); | |
| 275 | |
| 276 AddToCache(ssl.get()); | |
| 277 EXPECT_EQ(2, session->references); | |
| 278 | |
| 279 // Second call should find the session ID, but because it is not yet good, | |
| 280 // fail to associate it with |ssl2|. | |
| 281 ScopedSSL ssl2(NewSSL(key)); | |
| 282 EXPECT_FALSE(cache_.SetSSLSession(ssl2.get())); | |
| 283 SSL_SESSION* session2 = ssl2.get()->session; | |
| 284 ASSERT_TRUE(session2); | |
| 285 EXPECT_EQ(1, session2->references); | |
| 286 | |
| 287 EXPECT_NE(session, session2); | |
| 288 | |
| 289 // Add the second connection to the cache. It should replace the first | |
| 290 // session, and the cache should hold on to the second session. | |
| 291 AddToCache(ssl2.get()); | |
| 292 EXPECT_EQ(1, session->references); | |
| 293 EXPECT_EQ(2, session2->references); | |
| 294 | |
| 295 // Mark the first session as good, simulating it completing. | |
| 296 cache_.MarkSSLSessionAsGood(ssl.get()); | |
| 297 | |
| 298 // Third call should find the session ID, but because the second session (the | |
| 299 // current cache entry) is not yet good, fail to associate it with |ssl3|. | |
| 300 ScopedSSL ssl3(NewSSL(key)); | |
| 301 EXPECT_FALSE(cache_.SetSSLSession(ssl3.get())); | |
| 302 EXPECT_NE(session, ssl3.get()->session); | |
| 303 EXPECT_NE(session2, ssl3.get()->session); | |
| 304 EXPECT_EQ(1, ssl3.get()->session->references); | |
| 305 } | |
| 306 | |
| 307 TEST_F(SSLSessionCacheOpenSSLTest, CheckEviction) { | |
| 308 const size_t kMaxItems = 20; | |
| 309 int local_id = 1; | |
| 310 | |
| 311 SSLSessionCacheOpenSSL::Config config = kDefaultConfig; | |
| 312 config.max_entries = kMaxItems; | |
| 313 ResetConfig(config); | |
| 314 | |
| 315 // Add kMaxItems to the cache. | |
| 316 for (size_t n = 0; n < kMaxItems; ++n) { | |
| 317 std::string local_id_string = base::StringPrintf("%d", local_id++); | |
| 318 ScopedSSL ssl(NewSSL(local_id_string)); | |
| 319 | |
| 320 AddToCache(ssl.get()); | |
| 321 EXPECT_EQ(n + 1, cache_.size()); | |
| 322 } | |
| 323 | |
| 324 // Continue adding new items to the cache, check that old ones are | |
| 325 // evicted. | |
| 326 for (size_t n = 0; n < kMaxItems; ++n) { | |
| 327 std::string local_id_string = base::StringPrintf("%d", local_id++); | |
| 328 ScopedSSL ssl(NewSSL(local_id_string)); | |
| 329 | |
| 330 AddToCache(ssl.get()); | |
| 331 EXPECT_EQ(kMaxItems, cache_.size()); | |
| 332 } | |
| 333 } | |
| 334 | |
| 335 // Check that session expiration works properly. | |
| 336 TEST_F(SSLSessionCacheOpenSSLTest, CheckExpiration) { | |
| 337 const size_t kMaxCheckCount = 10; | |
| 338 const size_t kNumEntries = 20; | |
| 339 | |
| 340 SSLSessionCacheOpenSSL::Config config = kDefaultConfig; | |
| 341 config.expiration_check_count = kMaxCheckCount; | |
| 342 config.timeout_seconds = 1000; | |
| 343 ResetConfig(config); | |
| 344 | |
| 345 // Add |kNumItems - 1| session entries with crafted time values. | |
| 346 for (size_t n = 0; n < kNumEntries - 1U; ++n) { | |
| 347 std::string key = base::StringPrintf("%d", static_cast<int>(n)); | |
| 348 ScopedSSL ssl(NewSSL(key)); | |
| 349 // Cheat a little: Force the session |time| value, this guarantees that they | |
| 350 // are expired, given that ::time() will always return a value that is | |
| 351 // past the first 100 seconds after the Unix epoch. | |
| 352 ssl.get()->session->time = static_cast<long>(n); | |
| 353 AddToCache(ssl.get()); | |
| 354 } | |
| 355 EXPECT_EQ(kNumEntries - 1U, cache_.size()); | |
| 356 | |
| 357 // Add nother session which will get the current time, and thus not be | |
| 358 // expirable until 1000 seconds have passed. | |
| 359 ScopedSSL good_ssl(NewSSL("good-key")); | |
| 360 AddToCache(good_ssl.get()); | |
| 361 good_ssl.reset(NULL); | |
| 362 EXPECT_EQ(kNumEntries, cache_.size()); | |
| 363 | |
| 364 // Call SetSSLSession() |kMaxCheckCount - 1| times, this shall not expire | |
| 365 // any session | |
| 366 for (size_t n = 0; n < kMaxCheckCount - 1U; ++n) { | |
| 367 ScopedSSL ssl(NewSSL("unknown-key")); | |
| 368 cache_.SetSSLSession(ssl.get()); | |
| 369 EXPECT_EQ(kNumEntries, cache_.size()); | |
| 370 } | |
| 371 | |
| 372 // Call SetSSLSession another time, this shall expire all sessions except | |
| 373 // the last one. | |
| 374 ScopedSSL bad_ssl(NewSSL("unknown-key")); | |
| 375 cache_.SetSSLSession(bad_ssl.get()); | |
| 376 bad_ssl.reset(NULL); | |
| 377 EXPECT_EQ(1U, cache_.size()); | |
| 378 } | |
| 379 | |
| 380 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 992733002:
Remove //net (except for Android test stuff) and sdch (Closed)
Base URL: git@github.com:domokit/mojo.git@master