search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move declarative api files to extensions/browser/api/declarative.
[chromium-blink-merge.git] / net / socket / ssl_client_socket_unittest.cc
blob4e844cd9daa5d4f00c2fe78b1cf881d59ecd93ec
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_client_socket.h"
6
7 #include "base/callback_helpers.h"
8 #include "base/memory/ref_counted.h"
9 #include "base/run_loop.h"
10 #include "base/time/time.h"
11 #include "net/base/address_list.h"
12 #include "net/base/io_buffer.h"
13 #include "net/base/net_errors.h"
14 #include "net/base/net_log.h"
15 #include "net/base/net_log_unittest.h"
16 #include "net/base/test_completion_callback.h"
17 #include "net/base/test_data_directory.h"
18 #include "net/cert/asn1_util.h"
19 #include "net/cert/ct_verifier.h"
20 #include "net/cert/mock_cert_verifier.h"
21 #include "net/cert/test_root_certs.h"
22 #include "net/dns/host_resolver.h"
23 #include "net/http/transport_security_state.h"
24 #include "net/socket/client_socket_factory.h"
25 #include "net/socket/client_socket_handle.h"
26 #include "net/socket/socket_test_util.h"
27 #include "net/socket/tcp_client_socket.h"
28 #include "net/ssl/channel_id_service.h"
29 #include "net/ssl/default_channel_id_store.h"
30 #include "net/ssl/ssl_cert_request_info.h"
31 #include "net/ssl/ssl_config_service.h"
32 #include "net/test/cert_test_util.h"
33 #include "net/test/spawned_test_server/spawned_test_server.h"
34 #include "testing/gmock/include/gmock/gmock.h"
35 #include "testing/gtest/include/gtest/gtest.h"
36 #include "testing/platform_test.h"
37
38 //-----------------------------------------------------------------------------
39
40 using testing::_;
41 using testing::Return;
42 using testing::Truly;
43
44 namespace net {
45
46 namespace {
47
48 const SSLConfig kDefaultSSLConfig;
49
50 // WrappedStreamSocket is a base class that wraps an existing StreamSocket,
51 // forwarding the Socket and StreamSocket interfaces to the underlying
52 // transport.
53 // This is to provide a common base class for subclasses to override specific
54 // StreamSocket methods for testing, while still communicating with a 'real'
55 // StreamSocket.
56 class WrappedStreamSocket : public StreamSocket {
57 public:
58 explicit WrappedStreamSocket(scoped_ptr<StreamSocket> transport)
59 : transport_(transport.Pass()) {}
60 virtual ~WrappedStreamSocket() {}
61
62 // StreamSocket implementation:
63 virtual int Connect(const CompletionCallback& callback) OVERRIDE {
64 return transport_->Connect(callback);
65 }
66 virtual void Disconnect() OVERRIDE { transport_->Disconnect(); }
67 virtual bool IsConnected() const OVERRIDE {
68 return transport_->IsConnected();
69 }
70 virtual bool IsConnectedAndIdle() const OVERRIDE {
71 return transport_->IsConnectedAndIdle();
72 }
73 virtual int GetPeerAddress(IPEndPoint* address) const OVERRIDE {
74 return transport_->GetPeerAddress(address);
75 }
76 virtual int GetLocalAddress(IPEndPoint* address) const OVERRIDE {
77 return transport_->GetLocalAddress(address);
78 }
79 virtual const BoundNetLog& NetLog() const OVERRIDE {
80 return transport_->NetLog();
81 }
82 virtual void SetSubresourceSpeculation() OVERRIDE {
83 transport_->SetSubresourceSpeculation();
84 }
85 virtual void SetOmniboxSpeculation() OVERRIDE {
86 transport_->SetOmniboxSpeculation();
87 }
88 virtual bool WasEverUsed() const OVERRIDE {
89 return transport_->WasEverUsed();
90 }
91 virtual bool UsingTCPFastOpen() const OVERRIDE {
92 return transport_->UsingTCPFastOpen();
93 }
94 virtual bool WasNpnNegotiated() const OVERRIDE {
95 return transport_->WasNpnNegotiated();
96 }
97 virtual NextProto GetNegotiatedProtocol() const OVERRIDE {
98 return transport_->GetNegotiatedProtocol();
99 }
100 virtual bool GetSSLInfo(SSLInfo* ssl_info) OVERRIDE {
101 return transport_->GetSSLInfo(ssl_info);
102 }
103
104 // Socket implementation:
105 virtual int Read(IOBuffer* buf,
106 int buf_len,
107 const CompletionCallback& callback) OVERRIDE {
108 return transport_->Read(buf, buf_len, callback);
109 }
110 virtual int Write(IOBuffer* buf,
111 int buf_len,
112 const CompletionCallback& callback) OVERRIDE {
113 return transport_->Write(buf, buf_len, callback);
114 }
115 virtual int SetReceiveBufferSize(int32 size) OVERRIDE {
116 return transport_->SetReceiveBufferSize(size);
117 }
118 virtual int SetSendBufferSize(int32 size) OVERRIDE {
119 return transport_->SetSendBufferSize(size);
120 }
121
122 protected:
123 scoped_ptr<StreamSocket> transport_;
124 };
125
126 // ReadBufferingStreamSocket is a wrapper for an existing StreamSocket that
127 // will ensure a certain amount of data is internally buffered before
128 // satisfying a Read() request. It exists to mimic OS-level internal
129 // buffering, but in a way to guarantee that X number of bytes will be
130 // returned to callers of Read(), regardless of how quickly the OS receives
131 // them from the TestServer.
132 class ReadBufferingStreamSocket : public WrappedStreamSocket {
133 public:
134 explicit ReadBufferingStreamSocket(scoped_ptr<StreamSocket> transport);
135 virtual ~ReadBufferingStreamSocket() {}
136
137 // Socket implementation:
138 virtual int Read(IOBuffer* buf,
139 int buf_len,
140 const CompletionCallback& callback) OVERRIDE;
141
142 // Sets the internal buffer to |size|. This must not be greater than
143 // the largest value supplied to Read() - that is, it does not handle
144 // having "leftovers" at the end of Read().
145 // Each call to Read() will be prevented from completion until at least
146 // |size| data has been read.
147 // Set to 0 to turn off buffering, causing Read() to transparently
148 // read via the underlying transport.
149 void SetBufferSize(int size);
150
151 private:
152 enum State {
153 STATE_NONE,
154 STATE_READ,
155 STATE_READ_COMPLETE,
156 };
157
158 int DoLoop(int result);
159 int DoRead();
160 int DoReadComplete(int result);
161 void OnReadCompleted(int result);
162
163 State state_;
164 scoped_refptr<GrowableIOBuffer> read_buffer_;
165 int buffer_size_;
166
167 scoped_refptr<IOBuffer> user_read_buf_;
168 CompletionCallback user_read_callback_;
169 };
170
171 ReadBufferingStreamSocket::ReadBufferingStreamSocket(
172 scoped_ptr<StreamSocket> transport)
173 : WrappedStreamSocket(transport.Pass()),
174 read_buffer_(new GrowableIOBuffer()),
175 buffer_size_(0) {}
176
177 void ReadBufferingStreamSocket::SetBufferSize(int size) {
178 DCHECK(!user_read_buf_.get());
179 buffer_size_ = size;
180 read_buffer_->SetCapacity(size);
181 }
182
183 int ReadBufferingStreamSocket::Read(IOBuffer* buf,
184 int buf_len,
185 const CompletionCallback& callback) {
186 if (buffer_size_ == 0)
187 return transport_->Read(buf, buf_len, callback);
188
189 if (buf_len < buffer_size_)
190 return ERR_UNEXPECTED;
191
192 state_ = STATE_READ;
193 user_read_buf_ = buf;
194 int result = DoLoop(OK);
195 if (result == ERR_IO_PENDING)
196 user_read_callback_ = callback;
197 else
198 user_read_buf_ = NULL;
199 return result;
200 }
201
202 int ReadBufferingStreamSocket::DoLoop(int result) {
203 int rv = result;
204 do {
205 State current_state = state_;
206 state_ = STATE_NONE;
207 switch (current_state) {
208 case STATE_READ:
209 rv = DoRead();
210 break;
211 case STATE_READ_COMPLETE:
212 rv = DoReadComplete(rv);
213 break;
214 case STATE_NONE:
215 default:
216 NOTREACHED() << "Unexpected state: " << current_state;
217 rv = ERR_UNEXPECTED;
218 break;
219 }
220 } while (rv != ERR_IO_PENDING && state_ != STATE_NONE);
221 return rv;
222 }
223
224 int ReadBufferingStreamSocket::DoRead() {
225 state_ = STATE_READ_COMPLETE;
226 int rv =
227 transport_->Read(read_buffer_.get(),
228 read_buffer_->RemainingCapacity(),
229 base::Bind(&ReadBufferingStreamSocket::OnReadCompleted,
230 base::Unretained(this)));
231 return rv;
232 }
233
234 int ReadBufferingStreamSocket::DoReadComplete(int result) {
235 state_ = STATE_NONE;
236 if (result <= 0)
237 return result;
238
239 read_buffer_->set_offset(read_buffer_->offset() + result);
240 if (read_buffer_->RemainingCapacity() > 0) {
241 state_ = STATE_READ;
242 return OK;
243 }
244
245 memcpy(user_read_buf_->data(),
246 read_buffer_->StartOfBuffer(),
247 read_buffer_->capacity());
248 read_buffer_->set_offset(0);
249 return read_buffer_->capacity();
250 }
251
252 void ReadBufferingStreamSocket::OnReadCompleted(int result) {
253 result = DoLoop(result);
254 if (result == ERR_IO_PENDING)
255 return;
256
257 user_read_buf_ = NULL;
258 base::ResetAndReturn(&user_read_callback_).Run(result);
259 }
260
261 // Simulates synchronously receiving an error during Read() or Write()
262 class SynchronousErrorStreamSocket : public WrappedStreamSocket {
263 public:
264 explicit SynchronousErrorStreamSocket(scoped_ptr<StreamSocket> transport);
265 virtual ~SynchronousErrorStreamSocket() {}
266
267 // Socket implementation:
268 virtual int Read(IOBuffer* buf,
269 int buf_len,
270 const CompletionCallback& callback) OVERRIDE;
271 virtual int Write(IOBuffer* buf,
272 int buf_len,
273 const CompletionCallback& callback) OVERRIDE;
274
275 // Sets the next Read() call and all future calls to return |error|.
276 // If there is already a pending asynchronous read, the configured error
277 // will not be returned until that asynchronous read has completed and Read()
278 // is called again.
279 void SetNextReadError(Error error) {
280 DCHECK_GE(0, error);
281 have_read_error_ = true;
282 pending_read_error_ = error;
283 }
284
285 // Sets the next Write() call and all future calls to return |error|.
286 // If there is already a pending asynchronous write, the configured error
287 // will not be returned until that asynchronous write has completed and
288 // Write() is called again.
289 void SetNextWriteError(Error error) {
290 DCHECK_GE(0, error);
291 have_write_error_ = true;
292 pending_write_error_ = error;
293 }
294
295 private:
296 bool have_read_error_;
297 int pending_read_error_;
298
299 bool have_write_error_;
300 int pending_write_error_;
301
302 DISALLOW_COPY_AND_ASSIGN(SynchronousErrorStreamSocket);
303 };
304
305 SynchronousErrorStreamSocket::SynchronousErrorStreamSocket(
306 scoped_ptr<StreamSocket> transport)
307 : WrappedStreamSocket(transport.Pass()),
308 have_read_error_(false),
309 pending_read_error_(OK),
310 have_write_error_(false),
311 pending_write_error_(OK) {}
312
313 int SynchronousErrorStreamSocket::Read(IOBuffer* buf,
314 int buf_len,
315 const CompletionCallback& callback) {
316 if (have_read_error_)
317 return pending_read_error_;
318 return transport_->Read(buf, buf_len, callback);
319 }
320
321 int SynchronousErrorStreamSocket::Write(IOBuffer* buf,
322 int buf_len,
323 const CompletionCallback& callback) {
324 if (have_write_error_)
325 return pending_write_error_;
326 return transport_->Write(buf, buf_len, callback);
327 }
328
329 // FakeBlockingStreamSocket wraps an existing StreamSocket and simulates the
330 // underlying transport needing to complete things asynchronously in a
331 // deterministic manner (e.g.: independent of the TestServer and the OS's
332 // semantics).
333 class FakeBlockingStreamSocket : public WrappedStreamSocket {
334 public:
335 explicit FakeBlockingStreamSocket(scoped_ptr<StreamSocket> transport);
336 virtual ~FakeBlockingStreamSocket() {}
337
338 // Socket implementation:
339 virtual int Read(IOBuffer* buf,
340 int buf_len,
341 const CompletionCallback& callback) OVERRIDE;
342 virtual int Write(IOBuffer* buf,
343 int buf_len,
344 const CompletionCallback& callback) OVERRIDE;
345
346 // Blocks read results on the socket. Reads will not complete until
347 // UnblockReadResult() has been called and a result is ready from the
348 // underlying transport. Note: if BlockReadResult() is called while there is a
349 // hanging asynchronous Read(), that Read is blocked.
350 void BlockReadResult();
351 void UnblockReadResult();
352
353 // Waits for the blocked Read() call to be complete at the underlying
354 // transport.
355 void WaitForReadResult();
356
357 // Causes the next call to Write() to return ERR_IO_PENDING, not beginning the
358 // underlying transport until UnblockWrite() has been called. Note: if there
359 // is a pending asynchronous write, it is NOT blocked. For purposes of
360 // blocking writes, data is considered to have reached the underlying
361 // transport as soon as Write() is called.
362 void BlockWrite();
363 void UnblockWrite();
364
365 // Waits for the blocked Write() call to be scheduled.
366 void WaitForWrite();
367
368 // Returns the wrapped stream socket.
369 StreamSocket* transport() { return transport_.get(); }
370
371 private:
372 // Handles completion from the underlying transport read.
373 void OnReadCompleted(int result);
374
375 // True if read callbacks are blocked.
376 bool should_block_read_;
377
378 // The user callback for the pending read call.
379 CompletionCallback pending_read_callback_;
380
381 // The result for the blocked read callback, or ERR_IO_PENDING if not
382 // completed.
383 int pending_read_result_;
384
385 // WaitForReadResult() wait loop.
386 scoped_ptr<base::RunLoop> read_loop_;
387
388 // True if write calls are blocked.
389 bool should_block_write_;
390
391 // The buffer for the pending write, or NULL if not scheduled.
392 scoped_refptr<IOBuffer> pending_write_buf_;
393
394 // The callback for the pending write call.
395 CompletionCallback pending_write_callback_;
396
397 // The length for the pending write, or -1 if not scheduled.
398 int pending_write_len_;
399
400 // WaitForWrite() wait loop.
401 scoped_ptr<base::RunLoop> write_loop_;
402 };
403
404 FakeBlockingStreamSocket::FakeBlockingStreamSocket(
405 scoped_ptr<StreamSocket> transport)
406 : WrappedStreamSocket(transport.Pass()),
407 should_block_read_(false),
408 pending_read_result_(ERR_IO_PENDING),
409 should_block_write_(false),
410 pending_write_len_(-1) {}
411
412 int FakeBlockingStreamSocket::Read(IOBuffer* buf,
413 int len,
414 const CompletionCallback& callback) {
415 DCHECK(pending_read_callback_.is_null());
416 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
417 DCHECK(!callback.is_null());
418
419 int rv = transport_->Read(buf, len, base::Bind(
420 &FakeBlockingStreamSocket::OnReadCompleted, base::Unretained(this)));
421 if (rv == ERR_IO_PENDING) {
422 // Save the callback to be called later.
423 pending_read_callback_ = callback;
424 } else if (should_block_read_) {
425 // Save the callback and read result to be called later.
426 pending_read_callback_ = callback;
427 OnReadCompleted(rv);
428 rv = ERR_IO_PENDING;
429 }
430 return rv;
431 }
432
433 int FakeBlockingStreamSocket::Write(IOBuffer* buf,
434 int len,
435 const CompletionCallback& callback) {
436 DCHECK(buf);
437 DCHECK_LE(0, len);
438
439 if (!should_block_write_)
440 return transport_->Write(buf, len, callback);
441
442 // Schedule the write, but do nothing.
443 DCHECK(!pending_write_buf_.get());
444 DCHECK_EQ(-1, pending_write_len_);
445 DCHECK(pending_write_callback_.is_null());
446 DCHECK(!callback.is_null());
447 pending_write_buf_ = buf;
448 pending_write_len_ = len;
449 pending_write_callback_ = callback;
450
451 // Stop the write loop, if any.
452 if (write_loop_)
453 write_loop_->Quit();
454 return ERR_IO_PENDING;
455 }
456
457 void FakeBlockingStreamSocket::BlockReadResult() {
458 DCHECK(!should_block_read_);
459 should_block_read_ = true;
460 }
461
462 void FakeBlockingStreamSocket::UnblockReadResult() {
463 DCHECK(should_block_read_);
464 should_block_read_ = false;
465
466 // If the operation is still pending in the underlying transport, immediately
467 // return - OnReadCompleted() will handle invoking the callback once the
468 // transport has completed.
469 if (pending_read_result_ == ERR_IO_PENDING)
470 return;
471 int result = pending_read_result_;
472 pending_read_result_ = ERR_IO_PENDING;
473 base::ResetAndReturn(&pending_read_callback_).Run(result);
474 }
475
476 void FakeBlockingStreamSocket::WaitForReadResult() {
477 DCHECK(should_block_read_);
478 DCHECK(!read_loop_);
479
480 if (pending_read_result_ != ERR_IO_PENDING)
481 return;
482 read_loop_.reset(new base::RunLoop);
483 read_loop_->Run();
484 read_loop_.reset();
485 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
486 }
487
488 void FakeBlockingStreamSocket::BlockWrite() {
489 DCHECK(!should_block_write_);
490 should_block_write_ = true;
491 }
492
493 void FakeBlockingStreamSocket::UnblockWrite() {
494 DCHECK(should_block_write_);
495 should_block_write_ = false;
496
497 // Do nothing if UnblockWrite() was called after BlockWrite(),
498 // without a Write() in between.
499 if (!pending_write_buf_.get())
500 return;
501
502 int rv = transport_->Write(
503 pending_write_buf_.get(), pending_write_len_, pending_write_callback_);
504 pending_write_buf_ = NULL;
505 pending_write_len_ = -1;
506 if (rv == ERR_IO_PENDING) {
507 pending_write_callback_.Reset();
508 } else {
509 base::ResetAndReturn(&pending_write_callback_).Run(rv);
510 }
511 }
512
513 void FakeBlockingStreamSocket::WaitForWrite() {
514 DCHECK(should_block_write_);
515 DCHECK(!write_loop_);
516
517 if (pending_write_buf_.get())
518 return;
519 write_loop_.reset(new base::RunLoop);
520 write_loop_->Run();
521 write_loop_.reset();
522 DCHECK(pending_write_buf_.get());
523 }
524
525 void FakeBlockingStreamSocket::OnReadCompleted(int result) {
526 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
527 DCHECK(!pending_read_callback_.is_null());
528
529 if (should_block_read_) {
530 // Store the result so that the callback can be invoked once Unblock() is
531 // called.
532 pending_read_result_ = result;
533
534 // Stop the WaitForReadResult() call if any.
535 if (read_loop_)
536 read_loop_->Quit();
537 } else {
538 // Either the Read() was never blocked or UnblockReadResult() was called
539 // before the Read() completed. Either way, run the callback.
540 base::ResetAndReturn(&pending_read_callback_).Run(result);
541 }
542 }
543
544 // CountingStreamSocket wraps an existing StreamSocket and maintains a count of
545 // reads and writes on the socket.
546 class CountingStreamSocket : public WrappedStreamSocket {
547 public:
548 explicit CountingStreamSocket(scoped_ptr<StreamSocket> transport)
549 : WrappedStreamSocket(transport.Pass()),
550 read_count_(0),
551 write_count_(0) {}
552 virtual ~CountingStreamSocket() {}
553
554 // Socket implementation:
555 virtual int Read(IOBuffer* buf,
556 int buf_len,
557 const CompletionCallback& callback) OVERRIDE {
558 read_count_++;
559 return transport_->Read(buf, buf_len, callback);
560 }
561 virtual int Write(IOBuffer* buf,
562 int buf_len,
563 const CompletionCallback& callback) OVERRIDE {
564 write_count_++;
565 return transport_->Write(buf, buf_len, callback);
566 }
567
568 int read_count() const { return read_count_; }
569 int write_count() const { return write_count_; }
570
571 private:
572 int read_count_;
573 int write_count_;
574 };
575
576 // CompletionCallback that will delete the associated StreamSocket when
577 // the callback is invoked.
578 class DeleteSocketCallback : public TestCompletionCallbackBase {
579 public:
580 explicit DeleteSocketCallback(StreamSocket* socket)
581 : socket_(socket),
582 callback_(base::Bind(&DeleteSocketCallback::OnComplete,
583 base::Unretained(this))) {}
584 virtual ~DeleteSocketCallback() {}
585
586 const CompletionCallback& callback() const { return callback_; }
587
588 private:
589 void OnComplete(int result) {
590 if (socket_) {
591 delete socket_;
592 socket_ = NULL;
593 } else {
594 ADD_FAILURE() << "Deleting socket twice";
595 }
596 SetResult(result);
597 }
598
599 StreamSocket* socket_;
600 CompletionCallback callback_;
601
602 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback);
603 };
604
605 // A ChannelIDStore that always returns an error when asked for a
606 // channel id.
607 class FailingChannelIDStore : public ChannelIDStore {
608 virtual int GetChannelID(const std::string& server_identifier,
609 base::Time* expiration_time,
610 std::string* private_key_result,
611 std::string* cert_result,
612 const GetChannelIDCallback& callback) OVERRIDE {
613 return ERR_UNEXPECTED;
614 }
615 virtual void SetChannelID(const std::string& server_identifier,
616 base::Time creation_time,
617 base::Time expiration_time,
618 const std::string& private_key,
619 const std::string& cert) OVERRIDE {}
620 virtual void DeleteChannelID(const std::string& server_identifier,
621 const base::Closure& completion_callback)
622 OVERRIDE {}
623 virtual void DeleteAllCreatedBetween(base::Time delete_begin,
624 base::Time delete_end,
625 const base::Closure& completion_callback)
626 OVERRIDE {}
627 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
628 virtual void GetAllChannelIDs(const GetChannelIDListCallback& callback)
629 OVERRIDE {}
630 virtual int GetChannelIDCount() OVERRIDE { return 0; }
631 virtual void SetForceKeepSessionState() OVERRIDE {}
632 };
633
634 // A ChannelIDStore that asynchronously returns an error when asked for a
635 // channel id.
636 class AsyncFailingChannelIDStore : public ChannelIDStore {
637 virtual int GetChannelID(const std::string& server_identifier,
638 base::Time* expiration_time,
639 std::string* private_key_result,
640 std::string* cert_result,
641 const GetChannelIDCallback& callback) OVERRIDE {
642 base::MessageLoop::current()->PostTask(
643 FROM_HERE, base::Bind(callback, ERR_UNEXPECTED,
644 server_identifier, base::Time(), "", ""));
645 return ERR_IO_PENDING;
646 }
647 virtual void SetChannelID(const std::string& server_identifier,
648 base::Time creation_time,
649 base::Time expiration_time,
650 const std::string& private_key,
651 const std::string& cert) OVERRIDE {}
652 virtual void DeleteChannelID(const std::string& server_identifier,
653 const base::Closure& completion_callback)
654 OVERRIDE {}
655 virtual void DeleteAllCreatedBetween(base::Time delete_begin,
656 base::Time delete_end,
657 const base::Closure& completion_callback)
658 OVERRIDE {}
659 virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
660 virtual void GetAllChannelIDs(const GetChannelIDListCallback& callback)
661 OVERRIDE {}
662 virtual int GetChannelIDCount() OVERRIDE { return 0; }
663 virtual void SetForceKeepSessionState() OVERRIDE {}
664 };
665
666 // A mock CTVerifier that records every call to Verify but doesn't verify
667 // anything.
668 class MockCTVerifier : public CTVerifier {
669 public:
670 MOCK_METHOD5(Verify, int(X509Certificate*,
671 const std::string&,
672 const std::string&,
673 ct::CTVerifyResult*,
674 const BoundNetLog&));
675 };
676
677 class SSLClientSocketTest : public PlatformTest {
678 public:
679 SSLClientSocketTest()
680 : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
681 cert_verifier_(new MockCertVerifier),
682 transport_security_state_(new TransportSecurityState),
683 ran_handshake_completion_callback_(false) {
684 cert_verifier_->set_default_result(OK);
685 context_.cert_verifier = cert_verifier_.get();
686 context_.transport_security_state = transport_security_state_.get();
687 }
688
689 void RecordCompletedHandshake() { ran_handshake_completion_callback_ = true; }
690
691 protected:
692 // The address of the spawned test server, after calling StartTestServer().
693 const AddressList& addr() const { return addr_; }
694
695 // The SpawnedTestServer object, after calling StartTestServer().
696 const SpawnedTestServer* test_server() const { return test_server_.get(); }
697
698 void SetCTVerifier(CTVerifier* ct_verifier) {
699 context_.cert_transparency_verifier = ct_verifier;
700 }
701
702 // Starts the test server with SSL configuration |ssl_options|. Returns true
703 // on success.
704 bool StartTestServer(const SpawnedTestServer::SSLOptions& ssl_options) {
705 test_server_.reset(new SpawnedTestServer(
706 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()));
707 if (!test_server_->Start()) {
708 LOG(ERROR) << "Could not start SpawnedTestServer";
709 return false;
710 }
711
712 if (!test_server_->GetAddressList(&addr_)) {
713 LOG(ERROR) << "Could not get SpawnedTestServer address list";
714 return false;
715 }
716 return true;
717 }
718
719 // Sets up a TCP connection to a HTTPS server. To actually do the SSL
720 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below.
721 bool ConnectToTestServer(const SpawnedTestServer::SSLOptions& ssl_options) {
722 if (!StartTestServer(ssl_options))
723 return false;
724
725 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source()));
726 int rv = callback_.GetResult(transport_->Connect(callback_.callback()));
727 if (rv != OK) {
728 LOG(ERROR) << "Could not connect to SpawnedTestServer";
729 return false;
730 }
731 return true;
732 }
733
734 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
735 scoped_ptr<StreamSocket> transport_socket,
736 const HostPortPair& host_and_port,
737 const SSLConfig& ssl_config) {
738 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
739 connection->SetSocket(transport_socket.Pass());
740 return socket_factory_->CreateSSLClientSocket(
741 connection.Pass(), host_and_port, ssl_config, context_);
742 }
743
744 // Create an SSLClientSocket object and use it to connect to a test
745 // server, then wait for connection results. This must be called after
746 // a successful ConnectToTestServer() call.
747 // |ssl_config| the SSL configuration to use.
748 // |result| will retrieve the ::Connect() result value.
749 // Returns true on success, false otherwise. Success means that the socket
750 // could be created and its Connect() was called, not that the connection
751 // itself was a success.
752 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) {
753 sock_ = CreateSSLClientSocket(
754 transport_.Pass(), test_server_->host_port_pair(), ssl_config);
755
756 if (sock_->IsConnected()) {
757 LOG(ERROR) << "SSL Socket prematurely connected";
758 return false;
759 }
760
761 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
762 return true;
763 }
764
765 ClientSocketFactory* socket_factory_;
766 scoped_ptr<MockCertVerifier> cert_verifier_;
767 scoped_ptr<TransportSecurityState> transport_security_state_;
768 SSLClientSocketContext context_;
769 scoped_ptr<SSLClientSocket> sock_;
770 CapturingNetLog log_;
771 bool ran_handshake_completion_callback_;
772
773 private:
774 scoped_ptr<StreamSocket> transport_;
775 scoped_ptr<SpawnedTestServer> test_server_;
776 TestCompletionCallback callback_;
777 AddressList addr_;
778 };
779
780 // Verifies the correctness of GetSSLCertRequestInfo.
781 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest {
782 protected:
783 // Creates a test server with the given SSLOptions, connects to it and returns
784 // the SSLCertRequestInfo reported by the socket.
785 scoped_refptr<SSLCertRequestInfo> GetCertRequest(
786 SpawnedTestServer::SSLOptions ssl_options) {
787 SpawnedTestServer test_server(
788 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
789 if (!test_server.Start())
790 return NULL;
791
792 AddressList addr;
793 if (!test_server.GetAddressList(&addr))
794 return NULL;
795
796 TestCompletionCallback callback;
797 CapturingNetLog log;
798 scoped_ptr<StreamSocket> transport(
799 new TCPClientSocket(addr, &log, NetLog::Source()));
800 int rv = transport->Connect(callback.callback());
801 if (rv == ERR_IO_PENDING)
802 rv = callback.WaitForResult();
803 EXPECT_EQ(OK, rv);
804
805 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
806 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
807 EXPECT_FALSE(sock->IsConnected());
808
809 rv = sock->Connect(callback.callback());
810 if (rv == ERR_IO_PENDING)
811 rv = callback.WaitForResult();
812 scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
813 sock->GetSSLCertRequestInfo(request_info.get());
814 sock->Disconnect();
815 EXPECT_FALSE(sock->IsConnected());
816 EXPECT_TRUE(
817 test_server.host_port_pair().Equals(request_info->host_and_port));
818
819 return request_info;
820 }
821 };
822
823 class SSLClientSocketFalseStartTest : public SSLClientSocketTest {
824 public:
825 SSLClientSocketFalseStartTest()
826 : monitor_handshake_callback_(false),
827 fail_handshake_after_false_start_(false) {}
828
829 protected:
830 // Creates an SSLClientSocket with |client_config| attached to a
831 // FakeBlockingStreamSocket, returning both in |*out_raw_transport| and
832 // |*out_sock|. The FakeBlockingStreamSocket is owned by the SSLClientSocket,
833 // so |*out_raw_transport| is a raw pointer.
834 //
835 // The client socket will begin a connect using |callback| but stop before the
836 // server's finished message is received. The finished message will be blocked
837 // in |*out_raw_transport|. To complete the handshake and successfully read
838 // data, the caller must unblock reads on |*out_raw_transport|. (Note that, if
839 // the client successfully false started, |callback.WaitForResult()| will
840 // return OK without unblocking transport reads. But Read() will still block.)
841 //
842 // Must be called after StartTestServer is called.
843 void CreateAndConnectUntilServerFinishedReceived(
844 const SSLConfig& client_config,
845 TestCompletionCallback* callback,
846 FakeBlockingStreamSocket** out_raw_transport,
847 scoped_ptr<SSLClientSocket>* out_sock) {
848 CHECK(test_server());
849
850 scoped_ptr<StreamSocket> real_transport(scoped_ptr<StreamSocket>(
851 new TCPClientSocket(addr(), NULL, NetLog::Source())));
852 real_transport.reset(
853 new SynchronousErrorStreamSocket(real_transport.Pass()));
854
855 scoped_ptr<FakeBlockingStreamSocket> transport(
856 new FakeBlockingStreamSocket(real_transport.Pass()));
857 int rv = callback->GetResult(transport->Connect(callback->callback()));
858 EXPECT_EQ(OK, rv);
859
860 FakeBlockingStreamSocket* raw_transport = transport.get();
861 scoped_ptr<SSLClientSocket> sock =
862 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
863 test_server()->host_port_pair(),
864 client_config);
865
866 if (monitor_handshake_callback_) {
867 sock->SetHandshakeCompletionCallback(
868 base::Bind(&SSLClientSocketTest::RecordCompletedHandshake,
869 base::Unretained(this)));
870 }
871
872 // Connect. Stop before the client processes the first server leg
873 // (ServerHello, etc.)
874 raw_transport->BlockReadResult();
875 rv = sock->Connect(callback->callback());
876 EXPECT_EQ(ERR_IO_PENDING, rv);
877 raw_transport->WaitForReadResult();
878
879 // Release the ServerHello and wait for the client to write
880 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the
881 // server's leg to complete, since it may span multiple reads.)
882 EXPECT_FALSE(callback->have_result());
883 raw_transport->BlockWrite();
884 raw_transport->UnblockReadResult();
885 raw_transport->WaitForWrite();
886
887 if (fail_handshake_after_false_start_) {
888 SynchronousErrorStreamSocket* error_socket =
889 static_cast<SynchronousErrorStreamSocket*>(
890 raw_transport->transport());
891 error_socket->SetNextReadError(ERR_CONNECTION_RESET);
892 }
893 // And, finally, release that and block the next server leg
894 // (ChangeCipherSpec, Finished).
895 raw_transport->BlockReadResult();
896 raw_transport->UnblockWrite();
897
898 *out_raw_transport = raw_transport;
899 *out_sock = sock.Pass();
900 }
901
902 void TestFalseStart(const SpawnedTestServer::SSLOptions& server_options,
903 const SSLConfig& client_config,
904 bool expect_false_start) {
905 ASSERT_TRUE(StartTestServer(server_options));
906
907 TestCompletionCallback callback;
908 FakeBlockingStreamSocket* raw_transport = NULL;
909 scoped_ptr<SSLClientSocket> sock;
910
911 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
912 client_config, &callback, &raw_transport, &sock));
913
914 if (expect_false_start) {
915 // When False Starting, the handshake should complete before receiving the
916 // Change Cipher Spec and Finished messages.
917 //
918 // Note: callback.have_result() may not be true without waiting. The NSS
919 // state machine sometimes lives on a separate thread, so this thread may
920 // not yet have processed the signal that the handshake has completed.
921 int rv = callback.WaitForResult();
922 EXPECT_EQ(OK, rv);
923 EXPECT_TRUE(sock->IsConnected());
924
925 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
926 static const int kRequestTextSize =
927 static_cast<int>(arraysize(request_text) - 1);
928 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
929 memcpy(request_buffer->data(), request_text, kRequestTextSize);
930
931 // Write the request.
932 rv = callback.GetResult(sock->Write(request_buffer.get(),
933 kRequestTextSize,
934 callback.callback()));
935 EXPECT_EQ(kRequestTextSize, rv);
936
937 // The read will hang; it's waiting for the peer to complete the
938 // handshake, and the handshake is still blocked.
939 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
940 rv = sock->Read(buf.get(), 4096, callback.callback());
941
942 // After releasing reads, the connection proceeds.
943 raw_transport->UnblockReadResult();
944 rv = callback.GetResult(rv);
945 if (fail_handshake_after_false_start_)
946 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
947 else
948 EXPECT_LT(0, rv);
949 } else {
950 // False Start is not enabled, so the handshake will not complete because
951 // the server second leg is blocked.
952 base::RunLoop().RunUntilIdle();
953 EXPECT_FALSE(callback.have_result());
954 }
955 }
956
957 // Indicates that the socket's handshake completion callback should
958 // be monitored.
959 bool monitor_handshake_callback_;
960 // Indicates that this test's handshake should fail after the client
961 // "finished" message is sent.
962 bool fail_handshake_after_false_start_;
963 };
964
965 class SSLClientSocketChannelIDTest : public SSLClientSocketTest {
966 protected:
967 void EnableChannelID() {
968 channel_id_service_.reset(
969 new ChannelIDService(new DefaultChannelIDStore(NULL),
970 base::MessageLoopProxy::current()));
971 context_.channel_id_service = channel_id_service_.get();
972 }
973
974 void EnableFailingChannelID() {
975 channel_id_service_.reset(new ChannelIDService(
976 new FailingChannelIDStore(), base::MessageLoopProxy::current()));
977 context_.channel_id_service = channel_id_service_.get();
978 }
979
980 void EnableAsyncFailingChannelID() {
981 channel_id_service_.reset(new ChannelIDService(
982 new AsyncFailingChannelIDStore(),
983 base::MessageLoopProxy::current()));
984 context_.channel_id_service = channel_id_service_.get();
985 }
986
987 private:
988 scoped_ptr<ChannelIDService> channel_id_service_;
989 };
990
991 //-----------------------------------------------------------------------------
992
993 // LogContainsSSLConnectEndEvent returns true if the given index in the given
994 // log is an SSL connect end event. The NSS sockets will cork in an attempt to
995 // merge the first application data record with the Finished message when false
996 // starting. However, in order to avoid the server timing out the handshake,
997 // they'll give up waiting for application data and send the Finished after a
998 // timeout. This means that an SSL connect end event may appear as a socket
999 // write.
1000 static bool LogContainsSSLConnectEndEvent(
1001 const CapturingNetLog::CapturedEntryList& log,
1002 int i) {
1003 return LogContainsEndEvent(log, i, NetLog::TYPE_SSL_CONNECT) ||
1004 LogContainsEvent(
1005 log, i, NetLog::TYPE_SOCKET_BYTES_SENT, NetLog::PHASE_NONE);
1006 }
1007
1008 } // namespace
1009
1010 TEST_F(SSLClientSocketTest, Connect) {
1011 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1012 SpawnedTestServer::kLocalhost,
1013 base::FilePath());
1014 ASSERT_TRUE(test_server.Start());
1015
1016 AddressList addr;
1017 ASSERT_TRUE(test_server.GetAddressList(&addr));
1018
1019 TestCompletionCallback callback;
1020 CapturingNetLog log;
1021 scoped_ptr<StreamSocket> transport(
1022 new TCPClientSocket(addr, &log, NetLog::Source()));
1023 int rv = transport->Connect(callback.callback());
1024 if (rv == ERR_IO_PENDING)
1025 rv = callback.WaitForResult();
1026 EXPECT_EQ(OK, rv);
1027
1028 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1029 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1030
1031 EXPECT_FALSE(sock->IsConnected());
1032
1033 rv = sock->Connect(callback.callback());
1034
1035 CapturingNetLog::CapturedEntryList entries;
1036 log.GetEntries(&entries);
1037 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1038 if (rv == ERR_IO_PENDING)
1039 rv = callback.WaitForResult();
1040 EXPECT_EQ(OK, rv);
1041 EXPECT_TRUE(sock->IsConnected());
1042 log.GetEntries(&entries);
1043 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1044
1045 sock->Disconnect();
1046 EXPECT_FALSE(sock->IsConnected());
1047 }
1048
1049 TEST_F(SSLClientSocketTest, ConnectExpired) {
1050 SpawnedTestServer::SSLOptions ssl_options(
1051 SpawnedTestServer::SSLOptions::CERT_EXPIRED);
1052 SpawnedTestServer test_server(
1053 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1054 ASSERT_TRUE(test_server.Start());
1055
1056 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
1057
1058 AddressList addr;
1059 ASSERT_TRUE(test_server.GetAddressList(&addr));
1060
1061 TestCompletionCallback callback;
1062 CapturingNetLog log;
1063 scoped_ptr<StreamSocket> transport(
1064 new TCPClientSocket(addr, &log, NetLog::Source()));
1065 int rv = transport->Connect(callback.callback());
1066 if (rv == ERR_IO_PENDING)
1067 rv = callback.WaitForResult();
1068 EXPECT_EQ(OK, rv);
1069
1070 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1071 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1072
1073 EXPECT_FALSE(sock->IsConnected());
1074
1075 rv = sock->Connect(callback.callback());
1076
1077 CapturingNetLog::CapturedEntryList entries;
1078 log.GetEntries(&entries);
1079 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1080 if (rv == ERR_IO_PENDING)
1081 rv = callback.WaitForResult();
1082
1083 EXPECT_EQ(ERR_CERT_DATE_INVALID, rv);
1084
1085 // Rather than testing whether or not the underlying socket is connected,
1086 // test that the handshake has finished. This is because it may be
1087 // desirable to disconnect the socket before showing a user prompt, since
1088 // the user may take indefinitely long to respond.
1089 log.GetEntries(&entries);
1090 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1091 }
1092
1093 TEST_F(SSLClientSocketTest, ConnectMismatched) {
1094 SpawnedTestServer::SSLOptions ssl_options(
1095 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME);
1096 SpawnedTestServer test_server(
1097 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1098 ASSERT_TRUE(test_server.Start());
1099
1100 cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
1101
1102 AddressList addr;
1103 ASSERT_TRUE(test_server.GetAddressList(&addr));
1104
1105 TestCompletionCallback callback;
1106 CapturingNetLog log;
1107 scoped_ptr<StreamSocket> transport(
1108 new TCPClientSocket(addr, &log, NetLog::Source()));
1109 int rv = transport->Connect(callback.callback());
1110 if (rv == ERR_IO_PENDING)
1111 rv = callback.WaitForResult();
1112 EXPECT_EQ(OK, rv);
1113
1114 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1115 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1116
1117 EXPECT_FALSE(sock->IsConnected());
1118
1119 rv = sock->Connect(callback.callback());
1120
1121 CapturingNetLog::CapturedEntryList entries;
1122 log.GetEntries(&entries);
1123 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1124 if (rv == ERR_IO_PENDING)
1125 rv = callback.WaitForResult();
1126
1127 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, rv);
1128
1129 // Rather than testing whether or not the underlying socket is connected,
1130 // test that the handshake has finished. This is because it may be
1131 // desirable to disconnect the socket before showing a user prompt, since
1132 // the user may take indefinitely long to respond.
1133 log.GetEntries(&entries);
1134 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1135 }
1136
1137 // Attempt to connect to a page which requests a client certificate. It should
1138 // return an error code on connect.
1139 TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
1140 SpawnedTestServer::SSLOptions ssl_options;
1141 ssl_options.request_client_certificate = true;
1142 SpawnedTestServer test_server(
1143 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1144 ASSERT_TRUE(test_server.Start());
1145
1146 AddressList addr;
1147 ASSERT_TRUE(test_server.GetAddressList(&addr));
1148
1149 TestCompletionCallback callback;
1150 CapturingNetLog log;
1151 scoped_ptr<StreamSocket> transport(
1152 new TCPClientSocket(addr, &log, NetLog::Source()));
1153 int rv = transport->Connect(callback.callback());
1154 if (rv == ERR_IO_PENDING)
1155 rv = callback.WaitForResult();
1156 EXPECT_EQ(OK, rv);
1157
1158 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1159 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1160
1161 EXPECT_FALSE(sock->IsConnected());
1162
1163 rv = sock->Connect(callback.callback());
1164
1165 CapturingNetLog::CapturedEntryList entries;
1166 log.GetEntries(&entries);
1167 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1168 if (rv == ERR_IO_PENDING)
1169 rv = callback.WaitForResult();
1170
1171 log.GetEntries(&entries);
1172 // Because we prematurely kill the handshake at CertificateRequest,
1173 // the server may still send data (notably the ServerHelloDone)
1174 // after the error is returned. As a result, the SSL_CONNECT may not
1175 // be the last entry. See http://crbug.com/54445. We use
1176 // ExpectLogContainsSomewhere instead of
1177 // LogContainsSSLConnectEndEvent to avoid assuming, e.g., only one
1178 // extra read instead of two. This occurs before the handshake ends,
1179 // so the corking logic of LogContainsSSLConnectEndEvent isn't
1180 // necessary.
1181 //
1182 // TODO(davidben): When SSL_RestartHandshakeAfterCertReq in NSS is
1183 // fixed and we can respond to the first CertificateRequest
1184 // without closing the socket, add a unit test for sending the
1185 // certificate. This test may still be useful as we'll want to close
1186 // the socket on a timeout if the user takes a long time to pick a
1187 // cert. Related bug: https://bugzilla.mozilla.org/show_bug.cgi?id=542832
1188 ExpectLogContainsSomewhere(
1189 entries, 0, NetLog::TYPE_SSL_CONNECT, NetLog::PHASE_END);
1190 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
1191 EXPECT_FALSE(sock->IsConnected());
1192 }
1193
1194 // Connect to a server requesting optional client authentication. Send it a
1195 // null certificate. It should allow the connection.
1196 //
1197 // TODO(davidben): Also test providing an actual certificate.
1198 TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
1199 SpawnedTestServer::SSLOptions ssl_options;
1200 ssl_options.request_client_certificate = true;
1201 SpawnedTestServer test_server(
1202 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1203 ASSERT_TRUE(test_server.Start());
1204
1205 AddressList addr;
1206 ASSERT_TRUE(test_server.GetAddressList(&addr));
1207
1208 TestCompletionCallback callback;
1209 CapturingNetLog log;
1210 scoped_ptr<StreamSocket> transport(
1211 new TCPClientSocket(addr, &log, NetLog::Source()));
1212 int rv = transport->Connect(callback.callback());
1213 if (rv == ERR_IO_PENDING)
1214 rv = callback.WaitForResult();
1215 EXPECT_EQ(OK, rv);
1216
1217 SSLConfig ssl_config = kDefaultSSLConfig;
1218 ssl_config.send_client_cert = true;
1219 ssl_config.client_cert = NULL;
1220
1221 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1222 transport.Pass(), test_server.host_port_pair(), ssl_config));
1223
1224 EXPECT_FALSE(sock->IsConnected());
1225
1226 // Our test server accepts certificate-less connections.
1227 // TODO(davidben): Add a test which requires them and verify the error.
1228 rv = sock->Connect(callback.callback());
1229
1230 CapturingNetLog::CapturedEntryList entries;
1231 log.GetEntries(&entries);
1232 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1233 if (rv == ERR_IO_PENDING)
1234 rv = callback.WaitForResult();
1235
1236 EXPECT_EQ(OK, rv);
1237 EXPECT_TRUE(sock->IsConnected());
1238 log.GetEntries(&entries);
1239 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1240
1241 // We responded to the server's certificate request with a Certificate
1242 // message with no client certificate in it. ssl_info.client_cert_sent
1243 // should be false in this case.
1244 SSLInfo ssl_info;
1245 sock->GetSSLInfo(&ssl_info);
1246 EXPECT_FALSE(ssl_info.client_cert_sent);
1247
1248 sock->Disconnect();
1249 EXPECT_FALSE(sock->IsConnected());
1250 }
1251
1252 // TODO(wtc): Add unit tests for IsConnectedAndIdle:
1253 // - Server closes an SSL connection (with a close_notify alert message).
1254 // - Server closes the underlying TCP connection directly.
1255 // - Server sends data unexpectedly.
1256
1257 TEST_F(SSLClientSocketTest, Read) {
1258 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1259 SpawnedTestServer::kLocalhost,
1260 base::FilePath());
1261 ASSERT_TRUE(test_server.Start());
1262
1263 AddressList addr;
1264 ASSERT_TRUE(test_server.GetAddressList(&addr));
1265
1266 TestCompletionCallback callback;
1267 scoped_ptr<StreamSocket> transport(
1268 new TCPClientSocket(addr, NULL, NetLog::Source()));
1269 int rv = transport->Connect(callback.callback());
1270 if (rv == ERR_IO_PENDING)
1271 rv = callback.WaitForResult();
1272 EXPECT_EQ(OK, rv);
1273
1274 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1275 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1276
1277 rv = sock->Connect(callback.callback());
1278 if (rv == ERR_IO_PENDING)
1279 rv = callback.WaitForResult();
1280 EXPECT_EQ(OK, rv);
1281 EXPECT_TRUE(sock->IsConnected());
1282
1283 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1284 scoped_refptr<IOBuffer> request_buffer(
1285 new IOBuffer(arraysize(request_text) - 1));
1286 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1287
1288 rv = sock->Write(
1289 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
1290 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1291
1292 if (rv == ERR_IO_PENDING)
1293 rv = callback.WaitForResult();
1294 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1295
1296 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1297 for (;;) {
1298 rv = sock->Read(buf.get(), 4096, callback.callback());
1299 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1300
1301 if (rv == ERR_IO_PENDING)
1302 rv = callback.WaitForResult();
1303
1304 EXPECT_GE(rv, 0);
1305 if (rv <= 0)
1306 break;
1307 }
1308 }
1309
1310 // Tests that SSLClientSocket properly handles when the underlying transport
1311 // synchronously fails a transport read in during the handshake. The error code
1312 // should be preserved so SSLv3 fallback logic can condition on it.
1313 TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
1314 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1315 SpawnedTestServer::kLocalhost,
1316 base::FilePath());
1317 ASSERT_TRUE(test_server.Start());
1318
1319 AddressList addr;
1320 ASSERT_TRUE(test_server.GetAddressList(&addr));
1321
1322 TestCompletionCallback callback;
1323 scoped_ptr<StreamSocket> real_transport(
1324 new TCPClientSocket(addr, NULL, NetLog::Source()));
1325 scoped_ptr<SynchronousErrorStreamSocket> transport(
1326 new SynchronousErrorStreamSocket(real_transport.Pass()));
1327 int rv = callback.GetResult(transport->Connect(callback.callback()));
1328 EXPECT_EQ(OK, rv);
1329
1330 // Disable TLS False Start to avoid handshake non-determinism.
1331 SSLConfig ssl_config;
1332 ssl_config.false_start_enabled = false;
1333
1334 SynchronousErrorStreamSocket* raw_transport = transport.get();
1335 scoped_ptr<SSLClientSocket> sock(
1336 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1337 test_server.host_port_pair(),
1338 ssl_config));
1339
1340 raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
1341
1342 rv = callback.GetResult(sock->Connect(callback.callback()));
1343 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1344 EXPECT_FALSE(sock->IsConnected());
1345 }
1346
1347 // Tests that the SSLClientSocket properly handles when the underlying transport
1348 // synchronously returns an error code - such as if an intermediary terminates
1349 // the socket connection uncleanly.
1350 // This is a regression test for http://crbug.com/238536
1351 TEST_F(SSLClientSocketTest, Read_WithSynchronousError) {
1352 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1353 SpawnedTestServer::kLocalhost,
1354 base::FilePath());
1355 ASSERT_TRUE(test_server.Start());
1356
1357 AddressList addr;
1358 ASSERT_TRUE(test_server.GetAddressList(&addr));
1359
1360 TestCompletionCallback callback;
1361 scoped_ptr<StreamSocket> real_transport(
1362 new TCPClientSocket(addr, NULL, NetLog::Source()));
1363 scoped_ptr<SynchronousErrorStreamSocket> transport(
1364 new SynchronousErrorStreamSocket(real_transport.Pass()));
1365 int rv = callback.GetResult(transport->Connect(callback.callback()));
1366 EXPECT_EQ(OK, rv);
1367
1368 // Disable TLS False Start to avoid handshake non-determinism.
1369 SSLConfig ssl_config;
1370 ssl_config.false_start_enabled = false;
1371
1372 SynchronousErrorStreamSocket* raw_transport = transport.get();
1373 scoped_ptr<SSLClientSocket> sock(
1374 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1375 test_server.host_port_pair(),
1376 ssl_config));
1377
1378 rv = callback.GetResult(sock->Connect(callback.callback()));
1379 EXPECT_EQ(OK, rv);
1380 EXPECT_TRUE(sock->IsConnected());
1381
1382 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1383 static const int kRequestTextSize =
1384 static_cast<int>(arraysize(request_text) - 1);
1385 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1386 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1387
1388 rv = callback.GetResult(
1389 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1390 EXPECT_EQ(kRequestTextSize, rv);
1391
1392 // Simulate an unclean/forcible shutdown.
1393 raw_transport->SetNextReadError(ERR_CONNECTION_RESET);
1394
1395 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1396
1397 // Note: This test will hang if this bug has regressed. Simply checking that
1398 // rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING is a legitimate
1399 // result when using a dedicated task runner for NSS.
1400 rv = callback.GetResult(sock->Read(buf.get(), 4096, callback.callback()));
1401 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1402 }
1403
1404 // Tests that the SSLClientSocket properly handles when the underlying transport
1405 // asynchronously returns an error code while writing data - such as if an
1406 // intermediary terminates the socket connection uncleanly.
1407 // This is a regression test for http://crbug.com/249848
1408 TEST_F(SSLClientSocketTest, Write_WithSynchronousError) {
1409 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1410 SpawnedTestServer::kLocalhost,
1411 base::FilePath());
1412 ASSERT_TRUE(test_server.Start());
1413
1414 AddressList addr;
1415 ASSERT_TRUE(test_server.GetAddressList(&addr));
1416
1417 TestCompletionCallback callback;
1418 scoped_ptr<StreamSocket> real_transport(
1419 new TCPClientSocket(addr, NULL, NetLog::Source()));
1420 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1421 // is retained in order to configure additional errors.
1422 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1423 new SynchronousErrorStreamSocket(real_transport.Pass()));
1424 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1425 scoped_ptr<FakeBlockingStreamSocket> transport(
1426 new FakeBlockingStreamSocket(error_socket.PassAs<StreamSocket>()));
1427 FakeBlockingStreamSocket* raw_transport = transport.get();
1428 int rv = callback.GetResult(transport->Connect(callback.callback()));
1429 EXPECT_EQ(OK, rv);
1430
1431 // Disable TLS False Start to avoid handshake non-determinism.
1432 SSLConfig ssl_config;
1433 ssl_config.false_start_enabled = false;
1434
1435 scoped_ptr<SSLClientSocket> sock(
1436 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1437 test_server.host_port_pair(),
1438 ssl_config));
1439
1440 rv = callback.GetResult(sock->Connect(callback.callback()));
1441 EXPECT_EQ(OK, rv);
1442 EXPECT_TRUE(sock->IsConnected());
1443
1444 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1445 static const int kRequestTextSize =
1446 static_cast<int>(arraysize(request_text) - 1);
1447 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1448 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1449
1450 // Simulate an unclean/forcible shutdown on the underlying socket.
1451 // However, simulate this error asynchronously.
1452 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1453 raw_transport->BlockWrite();
1454
1455 // This write should complete synchronously, because the TLS ciphertext
1456 // can be created and placed into the outgoing buffers independent of the
1457 // underlying transport.
1458 rv = callback.GetResult(
1459 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1460 EXPECT_EQ(kRequestTextSize, rv);
1461
1462 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1463
1464 rv = sock->Read(buf.get(), 4096, callback.callback());
1465 EXPECT_EQ(ERR_IO_PENDING, rv);
1466
1467 // Now unblock the outgoing request, having it fail with the connection
1468 // being reset.
1469 raw_transport->UnblockWrite();
1470
1471 // Note: This will cause an inifite loop if this bug has regressed. Simply
1472 // checking that rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING
1473 // is a legitimate result when using a dedicated task runner for NSS.
1474 rv = callback.GetResult(rv);
1475 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1476 }
1477
1478 // If there is a Write failure at the transport with no follow-up Read, although
1479 // the write error will not be returned to the client until a future Read or
1480 // Write operation, SSLClientSocket should not spin attempting to re-write on
1481 // the socket. This is a regression test for part of https://crbug.com/381160.
1482 TEST_F(SSLClientSocketTest, Write_WithSynchronousErrorNoRead) {
1483 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1484 SpawnedTestServer::kLocalhost,
1485 base::FilePath());
1486 ASSERT_TRUE(test_server.Start());
1487
1488 AddressList addr;
1489 ASSERT_TRUE(test_server.GetAddressList(&addr));
1490
1491 TestCompletionCallback callback;
1492 scoped_ptr<StreamSocket> real_transport(
1493 new TCPClientSocket(addr, NULL, NetLog::Source()));
1494 // Note: intermediate sockets' ownership are handed to |sock|, but a pointer
1495 // is retained in order to query them.
1496 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1497 new SynchronousErrorStreamSocket(real_transport.Pass()));
1498 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1499 scoped_ptr<CountingStreamSocket> counting_socket(
1500 new CountingStreamSocket(error_socket.PassAs<StreamSocket>()));
1501 CountingStreamSocket* raw_counting_socket = counting_socket.get();
1502 int rv = callback.GetResult(counting_socket->Connect(callback.callback()));
1503 ASSERT_EQ(OK, rv);
1504
1505 // Disable TLS False Start to avoid handshake non-determinism.
1506 SSLConfig ssl_config;
1507 ssl_config.false_start_enabled = false;
1508
1509 scoped_ptr<SSLClientSocket> sock(
1510 CreateSSLClientSocket(counting_socket.PassAs<StreamSocket>(),
1511 test_server.host_port_pair(),
1512 ssl_config));
1513
1514 rv = callback.GetResult(sock->Connect(callback.callback()));
1515 ASSERT_EQ(OK, rv);
1516 ASSERT_TRUE(sock->IsConnected());
1517
1518 // Simulate an unclean/forcible shutdown on the underlying socket.
1519 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1520
1521 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1522 static const int kRequestTextSize =
1523 static_cast<int>(arraysize(request_text) - 1);
1524 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1525 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1526
1527 // This write should complete synchronously, because the TLS ciphertext
1528 // can be created and placed into the outgoing buffers independent of the
1529 // underlying transport.
1530 rv = callback.GetResult(
1531 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1532 ASSERT_EQ(kRequestTextSize, rv);
1533
1534 // Let the event loop spin for a little bit of time. Even on platforms where
1535 // pumping the state machine involve thread hops, there should be no further
1536 // writes on the transport socket.
1537 //
1538 // TODO(davidben): Avoid the arbitrary timeout?
1539 int old_write_count = raw_counting_socket->write_count();
1540 base::RunLoop loop;
1541 base::MessageLoop::current()->PostDelayedTask(
1542 FROM_HERE, loop.QuitClosure(), base::TimeDelta::FromMilliseconds(100));
1543 loop.Run();
1544 EXPECT_EQ(old_write_count, raw_counting_socket->write_count());
1545 }
1546
1547 // Test the full duplex mode, with Read and Write pending at the same time.
1548 // This test also serves as a regression test for http://crbug.com/29815.
1549 TEST_F(SSLClientSocketTest, Read_FullDuplex) {
1550 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1551 SpawnedTestServer::kLocalhost,
1552 base::FilePath());
1553 ASSERT_TRUE(test_server.Start());
1554
1555 AddressList addr;
1556 ASSERT_TRUE(test_server.GetAddressList(&addr));
1557
1558 TestCompletionCallback callback; // Used for everything except Write.
1559
1560 scoped_ptr<StreamSocket> transport(
1561 new TCPClientSocket(addr, NULL, NetLog::Source()));
1562 int rv = transport->Connect(callback.callback());
1563 if (rv == ERR_IO_PENDING)
1564 rv = callback.WaitForResult();
1565 EXPECT_EQ(OK, rv);
1566
1567 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1568 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1569
1570 rv = sock->Connect(callback.callback());
1571 if (rv == ERR_IO_PENDING)
1572 rv = callback.WaitForResult();
1573 EXPECT_EQ(OK, rv);
1574 EXPECT_TRUE(sock->IsConnected());
1575
1576 // Issue a "hanging" Read first.
1577 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1578 rv = sock->Read(buf.get(), 4096, callback.callback());
1579 // We haven't written the request, so there should be no response yet.
1580 ASSERT_EQ(ERR_IO_PENDING, rv);
1581
1582 // Write the request.
1583 // The request is padded with a User-Agent header to a size that causes the
1584 // memio circular buffer (4k bytes) in SSLClientSocketNSS to wrap around.
1585 // This tests the fix for http://crbug.com/29815.
1586 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1587 for (int i = 0; i < 3770; ++i)
1588 request_text.push_back('*');
1589 request_text.append("\r\n\r\n");
1590 scoped_refptr<IOBuffer> request_buffer(new StringIOBuffer(request_text));
1591
1592 TestCompletionCallback callback2; // Used for Write only.
1593 rv = sock->Write(
1594 request_buffer.get(), request_text.size(), callback2.callback());
1595 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1596
1597 if (rv == ERR_IO_PENDING)
1598 rv = callback2.WaitForResult();
1599 EXPECT_EQ(static_cast<int>(request_text.size()), rv);
1600
1601 // Now get the Read result.
1602 rv = callback.WaitForResult();
1603 EXPECT_GT(rv, 0);
1604 }
1605
1606 // Attempts to Read() and Write() from an SSLClientSocketNSS in full duplex
1607 // mode when the underlying transport is blocked on sending data. When the
1608 // underlying transport completes due to an error, it should invoke both the
1609 // Read() and Write() callbacks. If the socket is deleted by the Read()
1610 // callback, the Write() callback should not be invoked.
1611 // Regression test for http://crbug.com/232633
1612 TEST_F(SSLClientSocketTest, Read_DeleteWhilePendingFullDuplex) {
1613 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1614 SpawnedTestServer::kLocalhost,
1615 base::FilePath());
1616 ASSERT_TRUE(test_server.Start());
1617
1618 AddressList addr;
1619 ASSERT_TRUE(test_server.GetAddressList(&addr));
1620
1621 TestCompletionCallback callback;
1622 scoped_ptr<StreamSocket> real_transport(
1623 new TCPClientSocket(addr, NULL, NetLog::Source()));
1624 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1625 // is retained in order to configure additional errors.
1626 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1627 new SynchronousErrorStreamSocket(real_transport.Pass()));
1628 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1629 scoped_ptr<FakeBlockingStreamSocket> transport(
1630 new FakeBlockingStreamSocket(error_socket.PassAs<StreamSocket>()));
1631 FakeBlockingStreamSocket* raw_transport = transport.get();
1632
1633 int rv = callback.GetResult(transport->Connect(callback.callback()));
1634 EXPECT_EQ(OK, rv);
1635
1636 // Disable TLS False Start to avoid handshake non-determinism.
1637 SSLConfig ssl_config;
1638 ssl_config.false_start_enabled = false;
1639
1640 scoped_ptr<SSLClientSocket> sock =
1641 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1642 test_server.host_port_pair(),
1643 ssl_config);
1644
1645 rv = callback.GetResult(sock->Connect(callback.callback()));
1646 EXPECT_EQ(OK, rv);
1647 EXPECT_TRUE(sock->IsConnected());
1648
1649 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1650 request_text.append(20 * 1024, '*');
1651 request_text.append("\r\n\r\n");
1652 scoped_refptr<DrainableIOBuffer> request_buffer(new DrainableIOBuffer(
1653 new StringIOBuffer(request_text), request_text.size()));
1654
1655 // Simulate errors being returned from the underlying Read() and Write() ...
1656 raw_error_socket->SetNextReadError(ERR_CONNECTION_RESET);
1657 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1658 // ... but have those errors returned asynchronously. Because the Write() will
1659 // return first, this will trigger the error.
1660 raw_transport->BlockReadResult();
1661 raw_transport->BlockWrite();
1662
1663 // Enqueue a Read() before calling Write(), which should "hang" due to
1664 // the ERR_IO_PENDING caused by SetReadShouldBlock() and thus return.
1665 SSLClientSocket* raw_sock = sock.get();
1666 DeleteSocketCallback read_callback(sock.release());
1667 scoped_refptr<IOBuffer> read_buf(new IOBuffer(4096));
1668 rv = raw_sock->Read(read_buf.get(), 4096, read_callback.callback());
1669
1670 // Ensure things didn't complete synchronously, otherwise |sock| is invalid.
1671 ASSERT_EQ(ERR_IO_PENDING, rv);
1672 ASSERT_FALSE(read_callback.have_result());
1673
1674 #if !defined(USE_OPENSSL)
1675 // NSS follows a pattern where a call to PR_Write will only consume as
1676 // much data as it can encode into application data records before the
1677 // internal memio buffer is full, which should only fill if writing a large
1678 // amount of data and the underlying transport is blocked. Once this happens,
1679 // NSS will return (total size of all application data records it wrote) - 1,
1680 // with the caller expected to resume with the remaining unsent data.
1681 //
1682 // This causes SSLClientSocketNSS::Write to return that it wrote some data
1683 // before it will return ERR_IO_PENDING, so make an extra call to Write() to
1684 // get the socket in the state needed for the test below.
1685 //
1686 // This is not needed for OpenSSL, because for OpenSSL,
1687 // SSL_MODE_ENABLE_PARTIAL_WRITE is not specified - thus
1688 // SSLClientSocketOpenSSL::Write() will not return until all of
1689 // |request_buffer| has been written to the underlying BIO (although not
1690 // necessarily the underlying transport).
1691 rv = callback.GetResult(raw_sock->Write(request_buffer.get(),
1692 request_buffer->BytesRemaining(),
1693 callback.callback()));
1694 ASSERT_LT(0, rv);
1695 request_buffer->DidConsume(rv);
1696
1697 // Guard to ensure that |request_buffer| was larger than all of the internal
1698 // buffers (transport, memio, NSS) along the way - otherwise the next call
1699 // to Write() will crash with an invalid buffer.
1700 ASSERT_LT(0, request_buffer->BytesRemaining());
1701 #endif
1702
1703 // Attempt to write the remaining data. NSS will not be able to consume the
1704 // application data because the internal buffers are full, while OpenSSL will
1705 // return that its blocked because the underlying transport is blocked.
1706 rv = raw_sock->Write(request_buffer.get(),
1707 request_buffer->BytesRemaining(),
1708 callback.callback());
1709 ASSERT_EQ(ERR_IO_PENDING, rv);
1710 ASSERT_FALSE(callback.have_result());
1711
1712 // Now unblock Write(), which will invoke OnSendComplete and (eventually)
1713 // call the Read() callback, deleting the socket and thus aborting calling
1714 // the Write() callback.
1715 raw_transport->UnblockWrite();
1716
1717 rv = read_callback.WaitForResult();
1718 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1719
1720 // The Write callback should not have been called.
1721 EXPECT_FALSE(callback.have_result());
1722 }
1723
1724 // Tests that the SSLClientSocket does not crash if data is received on the
1725 // transport socket after a failing write. This can occur if we have a Write
1726 // error in a SPDY socket.
1727 // Regression test for http://crbug.com/335557
1728 TEST_F(SSLClientSocketTest, Read_WithWriteError) {
1729 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1730 SpawnedTestServer::kLocalhost,
1731 base::FilePath());
1732 ASSERT_TRUE(test_server.Start());
1733
1734 AddressList addr;
1735 ASSERT_TRUE(test_server.GetAddressList(&addr));
1736
1737 TestCompletionCallback callback;
1738 scoped_ptr<StreamSocket> real_transport(
1739 new TCPClientSocket(addr, NULL, NetLog::Source()));
1740 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1741 // is retained in order to configure additional errors.
1742 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1743 new SynchronousErrorStreamSocket(real_transport.Pass()));
1744 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1745 scoped_ptr<FakeBlockingStreamSocket> transport(
1746 new FakeBlockingStreamSocket(error_socket.PassAs<StreamSocket>()));
1747 FakeBlockingStreamSocket* raw_transport = transport.get();
1748
1749 int rv = callback.GetResult(transport->Connect(callback.callback()));
1750 EXPECT_EQ(OK, rv);
1751
1752 // Disable TLS False Start to avoid handshake non-determinism.
1753 SSLConfig ssl_config;
1754 ssl_config.false_start_enabled = false;
1755
1756 scoped_ptr<SSLClientSocket> sock(
1757 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1758 test_server.host_port_pair(),
1759 ssl_config));
1760
1761 rv = callback.GetResult(sock->Connect(callback.callback()));
1762 EXPECT_EQ(OK, rv);
1763 EXPECT_TRUE(sock->IsConnected());
1764
1765 // Send a request so there is something to read from the socket.
1766 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1767 static const int kRequestTextSize =
1768 static_cast<int>(arraysize(request_text) - 1);
1769 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1770 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1771
1772 rv = callback.GetResult(
1773 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1774 EXPECT_EQ(kRequestTextSize, rv);
1775
1776 // Start a hanging read.
1777 TestCompletionCallback read_callback;
1778 raw_transport->BlockReadResult();
1779 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1780 rv = sock->Read(buf.get(), 4096, read_callback.callback());
1781 EXPECT_EQ(ERR_IO_PENDING, rv);
1782
1783 // Perform another write, but have it fail. Write a request larger than the
1784 // internal socket buffers so that the request hits the underlying transport
1785 // socket and detects the error.
1786 std::string long_request_text =
1787 "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1788 long_request_text.append(20 * 1024, '*');
1789 long_request_text.append("\r\n\r\n");
1790 scoped_refptr<DrainableIOBuffer> long_request_buffer(new DrainableIOBuffer(
1791 new StringIOBuffer(long_request_text), long_request_text.size()));
1792
1793 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1794
1795 // Write as much data as possible until hitting an error. This is necessary
1796 // for NSS. PR_Write will only consume as much data as it can encode into
1797 // application data records before the internal memio buffer is full, which
1798 // should only fill if writing a large amount of data and the underlying
1799 // transport is blocked. Once this happens, NSS will return (total size of all
1800 // application data records it wrote) - 1, with the caller expected to resume
1801 // with the remaining unsent data.
1802 do {
1803 rv = callback.GetResult(sock->Write(long_request_buffer.get(),
1804 long_request_buffer->BytesRemaining(),
1805 callback.callback()));
1806 if (rv > 0) {
1807 long_request_buffer->DidConsume(rv);
1808 // Abort if the entire buffer is ever consumed.
1809 ASSERT_LT(0, long_request_buffer->BytesRemaining());
1810 }
1811 } while (rv > 0);
1812
1813 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1814
1815 // Release the read.
1816 raw_transport->UnblockReadResult();
1817 rv = read_callback.WaitForResult();
1818
1819 #if defined(USE_OPENSSL)
1820 // Should still read bytes despite the write error.
1821 EXPECT_LT(0, rv);
1822 #else
1823 // NSS attempts to flush the write buffer in PR_Read on an SSL socket before
1824 // pumping the read state machine, unless configured with SSL_ENABLE_FDX, so
1825 // the write error stops future reads.
1826 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1827 #endif
1828 }
1829
1830 TEST_F(SSLClientSocketTest, Read_SmallChunks) {
1831 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1832 SpawnedTestServer::kLocalhost,
1833 base::FilePath());
1834 ASSERT_TRUE(test_server.Start());
1835
1836 AddressList addr;
1837 ASSERT_TRUE(test_server.GetAddressList(&addr));
1838
1839 TestCompletionCallback callback;
1840 scoped_ptr<StreamSocket> transport(
1841 new TCPClientSocket(addr, NULL, NetLog::Source()));
1842 int rv = transport->Connect(callback.callback());
1843 if (rv == ERR_IO_PENDING)
1844 rv = callback.WaitForResult();
1845 EXPECT_EQ(OK, rv);
1846
1847 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1848 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1849
1850 rv = sock->Connect(callback.callback());
1851 if (rv == ERR_IO_PENDING)
1852 rv = callback.WaitForResult();
1853 EXPECT_EQ(OK, rv);
1854
1855 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1856 scoped_refptr<IOBuffer> request_buffer(
1857 new IOBuffer(arraysize(request_text) - 1));
1858 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1859
1860 rv = sock->Write(
1861 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
1862 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1863
1864 if (rv == ERR_IO_PENDING)
1865 rv = callback.WaitForResult();
1866 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1867
1868 scoped_refptr<IOBuffer> buf(new IOBuffer(1));
1869 for (;;) {
1870 rv = sock->Read(buf.get(), 1, callback.callback());
1871 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1872
1873 if (rv == ERR_IO_PENDING)
1874 rv = callback.WaitForResult();
1875
1876 EXPECT_GE(rv, 0);
1877 if (rv <= 0)
1878 break;
1879 }
1880 }
1881
1882 TEST_F(SSLClientSocketTest, Read_ManySmallRecords) {
1883 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1884 SpawnedTestServer::kLocalhost,
1885 base::FilePath());
1886 ASSERT_TRUE(test_server.Start());
1887
1888 AddressList addr;
1889 ASSERT_TRUE(test_server.GetAddressList(&addr));
1890
1891 TestCompletionCallback callback;
1892
1893 scoped_ptr<StreamSocket> real_transport(
1894 new TCPClientSocket(addr, NULL, NetLog::Source()));
1895 scoped_ptr<ReadBufferingStreamSocket> transport(
1896 new ReadBufferingStreamSocket(real_transport.Pass()));
1897 ReadBufferingStreamSocket* raw_transport = transport.get();
1898 int rv = callback.GetResult(transport->Connect(callback.callback()));
1899 ASSERT_EQ(OK, rv);
1900
1901 scoped_ptr<SSLClientSocket> sock(
1902 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
1903 test_server.host_port_pair(),
1904 kDefaultSSLConfig));
1905
1906 rv = callback.GetResult(sock->Connect(callback.callback()));
1907 ASSERT_EQ(OK, rv);
1908 ASSERT_TRUE(sock->IsConnected());
1909
1910 const char request_text[] = "GET /ssl-many-small-records HTTP/1.0\r\n\r\n";
1911 scoped_refptr<IOBuffer> request_buffer(
1912 new IOBuffer(arraysize(request_text) - 1));
1913 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1914
1915 rv = callback.GetResult(sock->Write(
1916 request_buffer.get(), arraysize(request_text) - 1, callback.callback()));
1917 ASSERT_GT(rv, 0);
1918 ASSERT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1919
1920 // Note: This relies on SSLClientSocketNSS attempting to read up to 17K of
1921 // data (the max SSL record size) at a time. Ensure that at least 15K worth
1922 // of SSL data is buffered first. The 15K of buffered data is made up of
1923 // many smaller SSL records (the TestServer writes along 1350 byte
1924 // plaintext boundaries), although there may also be a few records that are
1925 // smaller or larger, due to timing and SSL False Start.
1926 // 15K was chosen because 15K is smaller than the 17K (max) read issued by
1927 // the SSLClientSocket implementation, and larger than the minimum amount
1928 // of ciphertext necessary to contain the 8K of plaintext requested below.
1929 raw_transport->SetBufferSize(15000);
1930
1931 scoped_refptr<IOBuffer> buffer(new IOBuffer(8192));
1932 rv = callback.GetResult(sock->Read(buffer.get(), 8192, callback.callback()));
1933 ASSERT_EQ(rv, 8192);
1934 }
1935
1936 TEST_F(SSLClientSocketTest, Read_Interrupted) {
1937 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1938 SpawnedTestServer::kLocalhost,
1939 base::FilePath());
1940 ASSERT_TRUE(test_server.Start());
1941
1942 AddressList addr;
1943 ASSERT_TRUE(test_server.GetAddressList(&addr));
1944
1945 TestCompletionCallback callback;
1946 scoped_ptr<StreamSocket> transport(
1947 new TCPClientSocket(addr, NULL, NetLog::Source()));
1948 int rv = transport->Connect(callback.callback());
1949 if (rv == ERR_IO_PENDING)
1950 rv = callback.WaitForResult();
1951 EXPECT_EQ(OK, rv);
1952
1953 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1954 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
1955
1956 rv = sock->Connect(callback.callback());
1957 if (rv == ERR_IO_PENDING)
1958 rv = callback.WaitForResult();
1959 EXPECT_EQ(OK, rv);
1960
1961 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1962 scoped_refptr<IOBuffer> request_buffer(
1963 new IOBuffer(arraysize(request_text) - 1));
1964 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1965
1966 rv = sock->Write(
1967 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
1968 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1969
1970 if (rv == ERR_IO_PENDING)
1971 rv = callback.WaitForResult();
1972 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1973
1974 // Do a partial read and then exit. This test should not crash!
1975 scoped_refptr<IOBuffer> buf(new IOBuffer(512));
1976 rv = sock->Read(buf.get(), 512, callback.callback());
1977 EXPECT_TRUE(rv > 0 || rv == ERR_IO_PENDING);
1978
1979 if (rv == ERR_IO_PENDING)
1980 rv = callback.WaitForResult();
1981
1982 EXPECT_GT(rv, 0);
1983 }
1984
1985 TEST_F(SSLClientSocketTest, Read_FullLogging) {
1986 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1987 SpawnedTestServer::kLocalhost,
1988 base::FilePath());
1989 ASSERT_TRUE(test_server.Start());
1990
1991 AddressList addr;
1992 ASSERT_TRUE(test_server.GetAddressList(&addr));
1993
1994 TestCompletionCallback callback;
1995 CapturingNetLog log;
1996 log.SetLogLevel(NetLog::LOG_ALL);
1997 scoped_ptr<StreamSocket> transport(
1998 new TCPClientSocket(addr, &log, NetLog::Source()));
1999 int rv = transport->Connect(callback.callback());
2000 if (rv == ERR_IO_PENDING)
2001 rv = callback.WaitForResult();
2002 EXPECT_EQ(OK, rv);
2003
2004 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2005 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2006
2007 rv = sock->Connect(callback.callback());
2008 if (rv == ERR_IO_PENDING)
2009 rv = callback.WaitForResult();
2010 EXPECT_EQ(OK, rv);
2011 EXPECT_TRUE(sock->IsConnected());
2012
2013 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
2014 scoped_refptr<IOBuffer> request_buffer(
2015 new IOBuffer(arraysize(request_text) - 1));
2016 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
2017
2018 rv = sock->Write(
2019 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
2020 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2021
2022 if (rv == ERR_IO_PENDING)
2023 rv = callback.WaitForResult();
2024 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
2025
2026 CapturingNetLog::CapturedEntryList entries;
2027 log.GetEntries(&entries);
2028 size_t last_index = ExpectLogContainsSomewhereAfter(
2029 entries, 5, NetLog::TYPE_SSL_SOCKET_BYTES_SENT, NetLog::PHASE_NONE);
2030
2031 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
2032 for (;;) {
2033 rv = sock->Read(buf.get(), 4096, callback.callback());
2034 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2035
2036 if (rv == ERR_IO_PENDING)
2037 rv = callback.WaitForResult();
2038
2039 EXPECT_GE(rv, 0);
2040 if (rv <= 0)
2041 break;
2042
2043 log.GetEntries(&entries);
2044 last_index =
2045 ExpectLogContainsSomewhereAfter(entries,
2046 last_index + 1,
2047 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
2048 NetLog::PHASE_NONE);
2049 }
2050 }
2051
2052 // Regression test for http://crbug.com/42538
2053 TEST_F(SSLClientSocketTest, PrematureApplicationData) {
2054 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2055 SpawnedTestServer::kLocalhost,
2056 base::FilePath());
2057 ASSERT_TRUE(test_server.Start());
2058
2059 AddressList addr;
2060 TestCompletionCallback callback;
2061
2062 static const unsigned char application_data[] = {
2063 0x17, 0x03, 0x01, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46, 0x03, 0x01, 0x4b,
2064 0xc2, 0xf8, 0xb2, 0xc1, 0x56, 0x42, 0xb9, 0x57, 0x7f, 0xde, 0x87, 0x46,
2065 0xf7, 0xa3, 0x52, 0x42, 0x21, 0xf0, 0x13, 0x1c, 0x9c, 0x83, 0x88, 0xd6,
2066 0x93, 0x0c, 0xf6, 0x36, 0x30, 0x05, 0x7e, 0x20, 0xb5, 0xb5, 0x73, 0x36,
2067 0x53, 0x83, 0x0a, 0xfc, 0x17, 0x63, 0xbf, 0xa0, 0xe4, 0x42, 0x90, 0x0d,
2068 0x2f, 0x18, 0x6d, 0x20, 0xd8, 0x36, 0x3f, 0xfc, 0xe6, 0x01, 0xfa, 0x0f,
2069 0xa5, 0x75, 0x7f, 0x09, 0x00, 0x04, 0x00, 0x16, 0x03, 0x01, 0x11, 0x57,
2070 0x0b, 0x00, 0x11, 0x53, 0x00, 0x11, 0x50, 0x00, 0x06, 0x22, 0x30, 0x82,
2071 0x06, 0x1e, 0x30, 0x82, 0x05, 0x06, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
2072 0x0a};
2073
2074 // All reads and writes complete synchronously (async=false).
2075 MockRead data_reads[] = {
2076 MockRead(SYNCHRONOUS,
2077 reinterpret_cast<const char*>(application_data),
2078 arraysize(application_data)),
2079 MockRead(SYNCHRONOUS, OK), };
2080
2081 StaticSocketDataProvider data(data_reads, arraysize(data_reads), NULL, 0);
2082
2083 scoped_ptr<StreamSocket> transport(
2084 new MockTCPClientSocket(addr, NULL, &data));
2085 int rv = transport->Connect(callback.callback());
2086 if (rv == ERR_IO_PENDING)
2087 rv = callback.WaitForResult();
2088 EXPECT_EQ(OK, rv);
2089
2090 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2091 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2092
2093 rv = sock->Connect(callback.callback());
2094 if (rv == ERR_IO_PENDING)
2095 rv = callback.WaitForResult();
2096 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
2097 }
2098
2099 TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
2100 // Rather than exhaustively disabling every RC4 ciphersuite defined at
2101 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml,
2102 // only disabling those cipher suites that the test server actually
2103 // implements.
2104 const uint16 kCiphersToDisable[] = {0x0005, // TLS_RSA_WITH_RC4_128_SHA
2105 };
2106
2107 SpawnedTestServer::SSLOptions ssl_options;
2108 // Enable only RC4 on the test server.
2109 ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4;
2110 SpawnedTestServer test_server(
2111 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2112 ASSERT_TRUE(test_server.Start());
2113
2114 AddressList addr;
2115 ASSERT_TRUE(test_server.GetAddressList(&addr));
2116
2117 TestCompletionCallback callback;
2118 CapturingNetLog log;
2119 scoped_ptr<StreamSocket> transport(
2120 new TCPClientSocket(addr, &log, NetLog::Source()));
2121 int rv = transport->Connect(callback.callback());
2122 if (rv == ERR_IO_PENDING)
2123 rv = callback.WaitForResult();
2124 EXPECT_EQ(OK, rv);
2125
2126 SSLConfig ssl_config;
2127 for (size_t i = 0; i < arraysize(kCiphersToDisable); ++i)
2128 ssl_config.disabled_cipher_suites.push_back(kCiphersToDisable[i]);
2129
2130 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2131 transport.Pass(), test_server.host_port_pair(), ssl_config));
2132
2133 EXPECT_FALSE(sock->IsConnected());
2134
2135 rv = sock->Connect(callback.callback());
2136 CapturingNetLog::CapturedEntryList entries;
2137 log.GetEntries(&entries);
2138 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
2139
2140 // NSS has special handling that maps a handshake_failure alert received
2141 // immediately after a client_hello to be a mismatched cipher suite error,
2142 // leading to ERR_SSL_VERSION_OR_CIPHER_MISMATCH. When using OpenSSL or
2143 // Secure Transport (OS X), the handshake_failure is bubbled up without any
2144 // interpretation, leading to ERR_SSL_PROTOCOL_ERROR. Either way, a failure
2145 // indicates that no cipher suite was negotiated with the test server.
2146 if (rv == ERR_IO_PENDING)
2147 rv = callback.WaitForResult();
2148 EXPECT_TRUE(rv == ERR_SSL_VERSION_OR_CIPHER_MISMATCH ||
2149 rv == ERR_SSL_PROTOCOL_ERROR);
2150 // The exact ordering differs between SSLClientSocketNSS (which issues an
2151 // extra read) and SSLClientSocketMac (which does not). Just make sure the
2152 // error appears somewhere in the log.
2153 log.GetEntries(&entries);
2154 ExpectLogContainsSomewhere(
2155 entries, 0, NetLog::TYPE_SSL_HANDSHAKE_ERROR, NetLog::PHASE_NONE);
2156
2157 // We cannot test sock->IsConnected(), as the NSS implementation disconnects
2158 // the socket when it encounters an error, whereas other implementations
2159 // leave it connected.
2160 // Because this an error that the test server is mutually aware of, as opposed
2161 // to being an error such as a certificate name mismatch, which is
2162 // client-only, the exact index of the SSL connect end depends on how
2163 // quickly the test server closes the underlying socket. If the test server
2164 // closes before the IO message loop pumps messages, there may be a 0-byte
2165 // Read event in the NetLog due to TCPClientSocket picking up the EOF. As a
2166 // result, the SSL connect end event will be the second-to-last entry,
2167 // rather than the last entry.
2168 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1) ||
2169 LogContainsSSLConnectEndEvent(entries, -2));
2170 }
2171
2172 // When creating an SSLClientSocket, it is allowed to pass in a
2173 // ClientSocketHandle that is not obtained from a client socket pool.
2174 // Here we verify that such a simple ClientSocketHandle, not associated with any
2175 // client socket pool, can be destroyed safely.
2176 TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
2177 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2178 SpawnedTestServer::kLocalhost,
2179 base::FilePath());
2180 ASSERT_TRUE(test_server.Start());
2181
2182 AddressList addr;
2183 ASSERT_TRUE(test_server.GetAddressList(&addr));
2184
2185 TestCompletionCallback callback;
2186 scoped_ptr<StreamSocket> transport(
2187 new TCPClientSocket(addr, NULL, NetLog::Source()));
2188 int rv = transport->Connect(callback.callback());
2189 if (rv == ERR_IO_PENDING)
2190 rv = callback.WaitForResult();
2191 EXPECT_EQ(OK, rv);
2192
2193 scoped_ptr<ClientSocketHandle> socket_handle(new ClientSocketHandle());
2194 socket_handle->SetSocket(transport.Pass());
2195
2196 scoped_ptr<SSLClientSocket> sock(
2197 socket_factory_->CreateSSLClientSocket(socket_handle.Pass(),
2198 test_server.host_port_pair(),
2199 kDefaultSSLConfig,
2200 context_));
2201
2202 EXPECT_FALSE(sock->IsConnected());
2203 rv = sock->Connect(callback.callback());
2204 if (rv == ERR_IO_PENDING)
2205 rv = callback.WaitForResult();
2206 EXPECT_EQ(OK, rv);
2207 }
2208
2209 // Verifies that SSLClientSocket::ExportKeyingMaterial return a success
2210 // code and different keying label results in different keying material.
2211 TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
2212 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2213 SpawnedTestServer::kLocalhost,
2214 base::FilePath());
2215 ASSERT_TRUE(test_server.Start());
2216
2217 AddressList addr;
2218 ASSERT_TRUE(test_server.GetAddressList(&addr));
2219
2220 TestCompletionCallback callback;
2221
2222 scoped_ptr<StreamSocket> transport(
2223 new TCPClientSocket(addr, NULL, NetLog::Source()));
2224 int rv = transport->Connect(callback.callback());
2225 if (rv == ERR_IO_PENDING)
2226 rv = callback.WaitForResult();
2227 EXPECT_EQ(OK, rv);
2228
2229 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2230 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2231
2232 rv = sock->Connect(callback.callback());
2233 if (rv == ERR_IO_PENDING)
2234 rv = callback.WaitForResult();
2235 EXPECT_EQ(OK, rv);
2236 EXPECT_TRUE(sock->IsConnected());
2237
2238 const int kKeyingMaterialSize = 32;
2239 const char* kKeyingLabel1 = "client-socket-test-1";
2240 const char* kKeyingContext = "";
2241 unsigned char client_out1[kKeyingMaterialSize];
2242 memset(client_out1, 0, sizeof(client_out1));
2243 rv = sock->ExportKeyingMaterial(
2244 kKeyingLabel1, false, kKeyingContext, client_out1, sizeof(client_out1));
2245 EXPECT_EQ(rv, OK);
2246
2247 const char* kKeyingLabel2 = "client-socket-test-2";
2248 unsigned char client_out2[kKeyingMaterialSize];
2249 memset(client_out2, 0, sizeof(client_out2));
2250 rv = sock->ExportKeyingMaterial(
2251 kKeyingLabel2, false, kKeyingContext, client_out2, sizeof(client_out2));
2252 EXPECT_EQ(rv, OK);
2253 EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2254 }
2255
2256 // Verifies that SSLClientSocket::ClearSessionCache can be called without
2257 // explicit NSS initialization.
2258 TEST(SSLClientSocket, ClearSessionCache) {
2259 SSLClientSocket::ClearSessionCache();
2260 }
2261
2262 // Test that the server certificates are properly retrieved from the underlying
2263 // SSL stack.
2264 TEST_F(SSLClientSocketTest, VerifyServerChainProperlyOrdered) {
2265 // The connection does not have to be successful.
2266 cert_verifier_->set_default_result(ERR_CERT_INVALID);
2267
2268 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
2269 // This makes the server present redundant-server-chain.pem, which contains
2270 // intermediate certificates.
2271 SpawnedTestServer::SSLOptions ssl_options(
2272 SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
2273 SpawnedTestServer test_server(
2274 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2275 ASSERT_TRUE(test_server.Start());
2276
2277 AddressList addr;
2278 ASSERT_TRUE(test_server.GetAddressList(&addr));
2279
2280 TestCompletionCallback callback;
2281 scoped_ptr<StreamSocket> transport(
2282 new TCPClientSocket(addr, NULL, NetLog::Source()));
2283 int rv = transport->Connect(callback.callback());
2284 rv = callback.GetResult(rv);
2285 EXPECT_EQ(OK, rv);
2286
2287 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2288 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2289 EXPECT_FALSE(sock->IsConnected());
2290 rv = sock->Connect(callback.callback());
2291 rv = callback.GetResult(rv);
2292
2293 EXPECT_EQ(ERR_CERT_INVALID, rv);
2294 EXPECT_TRUE(sock->IsConnected());
2295
2296 // When given option CERT_CHAIN_WRONG_ROOT, SpawnedTestServer will present
2297 // certs from redundant-server-chain.pem.
2298 CertificateList server_certs =
2299 CreateCertificateListFromFile(GetTestCertsDirectory(),
2300 "redundant-server-chain.pem",
2301 X509Certificate::FORMAT_AUTO);
2302
2303 // Get the server certificate as received client side.
2304 scoped_refptr<X509Certificate> server_certificate =
2305 sock->GetUnverifiedServerCertificateChain();
2306
2307 // Get the intermediates as received client side.
2308 const X509Certificate::OSCertHandles& server_intermediates =
2309 server_certificate->GetIntermediateCertificates();
2310
2311 // Check that the unverified server certificate chain is properly retrieved
2312 // from the underlying ssl stack.
2313 ASSERT_EQ(4U, server_certs.size());
2314
2315 EXPECT_TRUE(X509Certificate::IsSameOSCert(
2316 server_certificate->os_cert_handle(), server_certs[0]->os_cert_handle()));
2317
2318 ASSERT_EQ(3U, server_intermediates.size());
2319
2320 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[0],
2321 server_certs[1]->os_cert_handle()));
2322 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[1],
2323 server_certs[2]->os_cert_handle()));
2324 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[2],
2325 server_certs[3]->os_cert_handle()));
2326
2327 sock->Disconnect();
2328 EXPECT_FALSE(sock->IsConnected());
2329 }
2330
2331 // This tests that SSLInfo contains a properly re-constructed certificate
2332 // chain. That, in turn, verifies that GetSSLInfo is giving us the chain as
2333 // verified, not the chain as served by the server. (They may be different.)
2334 //
2335 // CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
2336 // (end-entity) -> B -> C, and C is signed by D. redundant-validated-chain.pem
2337 // contains a chain of A -> B -> C2, where C2 is the same public key as C, but
2338 // a self-signed root. Such a situation can occur when a new root (C2) is
2339 // cross-certified by an old root (D) and has two different versions of its
2340 // floating around. Servers may supply C2 as an intermediate, but the
2341 // SSLClientSocket should return the chain that was verified, from
2342 // verify_result, instead.
2343 TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
2344 // By default, cause the CertVerifier to treat all certificates as
2345 // expired.
2346 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
2347
2348 // We will expect SSLInfo to ultimately contain this chain.
2349 CertificateList certs =
2350 CreateCertificateListFromFile(GetTestCertsDirectory(),
2351 "redundant-validated-chain.pem",
2352 X509Certificate::FORMAT_AUTO);
2353 ASSERT_EQ(3U, certs.size());
2354
2355 X509Certificate::OSCertHandles temp_intermediates;
2356 temp_intermediates.push_back(certs[1]->os_cert_handle());
2357 temp_intermediates.push_back(certs[2]->os_cert_handle());
2358
2359 CertVerifyResult verify_result;
2360 verify_result.verified_cert = X509Certificate::CreateFromHandle(
2361 certs[0]->os_cert_handle(), temp_intermediates);
2362
2363 // Add a rule that maps the server cert (A) to the chain of A->B->C2
2364 // rather than A->B->C.
2365 cert_verifier_->AddResultForCert(certs[0].get(), verify_result, OK);
2366
2367 // Load and install the root for the validated chain.
2368 scoped_refptr<X509Certificate> root_cert = ImportCertFromFile(
2369 GetTestCertsDirectory(), "redundant-validated-chain-root.pem");
2370 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
2371 ScopedTestRoot scoped_root(root_cert.get());
2372
2373 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
2374 SpawnedTestServer::SSLOptions ssl_options(
2375 SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
2376 SpawnedTestServer test_server(
2377 SpawnedTestServer::TYPE_HTTPS,
2378 ssl_options,
2379 base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
2380 ASSERT_TRUE(test_server.Start());
2381
2382 AddressList addr;
2383 ASSERT_TRUE(test_server.GetAddressList(&addr));
2384
2385 TestCompletionCallback callback;
2386 CapturingNetLog log;
2387 scoped_ptr<StreamSocket> transport(
2388 new TCPClientSocket(addr, &log, NetLog::Source()));
2389 int rv = transport->Connect(callback.callback());
2390 if (rv == ERR_IO_PENDING)
2391 rv = callback.WaitForResult();
2392 EXPECT_EQ(OK, rv);
2393
2394 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2395 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2396 EXPECT_FALSE(sock->IsConnected());
2397 rv = sock->Connect(callback.callback());
2398
2399 CapturingNetLog::CapturedEntryList entries;
2400 log.GetEntries(&entries);
2401 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
2402 if (rv == ERR_IO_PENDING)
2403 rv = callback.WaitForResult();
2404
2405 EXPECT_EQ(OK, rv);
2406 EXPECT_TRUE(sock->IsConnected());
2407 log.GetEntries(&entries);
2408 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
2409
2410 SSLInfo ssl_info;
2411 sock->GetSSLInfo(&ssl_info);
2412
2413 // Verify that SSLInfo contains the corrected re-constructed chain A -> B
2414 // -> C2.
2415 const X509Certificate::OSCertHandles& intermediates =
2416 ssl_info.cert->GetIntermediateCertificates();
2417 ASSERT_EQ(2U, intermediates.size());
2418 EXPECT_TRUE(X509Certificate::IsSameOSCert(ssl_info.cert->os_cert_handle(),
2419 certs[0]->os_cert_handle()));
2420 EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[0],
2421 certs[1]->os_cert_handle()));
2422 EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[1],
2423 certs[2]->os_cert_handle()));
2424
2425 sock->Disconnect();
2426 EXPECT_FALSE(sock->IsConnected());
2427 }
2428
2429 TEST_F(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
2430 SpawnedTestServer::SSLOptions ssl_options;
2431 ssl_options.request_client_certificate = true;
2432 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2433 ASSERT_TRUE(request_info.get());
2434 EXPECT_EQ(0u, request_info->cert_authorities.size());
2435 }
2436
2437 TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
2438 const base::FilePath::CharType kThawteFile[] =
2439 FILE_PATH_LITERAL("thawte.single.pem");
2440 const unsigned char kThawteDN[] = {
2441 0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2442 0x02, 0x5a, 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a,
2443 0x13, 0x1c, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6f, 0x6e,
2444 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79,
2445 0x29, 0x20, 0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
2446 0x55, 0x04, 0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20,
2447 0x53, 0x47, 0x43, 0x20, 0x43, 0x41};
2448 const size_t kThawteLen = sizeof(kThawteDN);
2449
2450 const base::FilePath::CharType kDiginotarFile[] =
2451 FILE_PATH_LITERAL("diginotar_root_ca.pem");
2452 const unsigned char kDiginotarDN[] = {
2453 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2454 0x02, 0x4e, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
2455 0x13, 0x09, 0x44, 0x69, 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x31,
2456 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x44, 0x69,
2457 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x20, 0x52, 0x6f, 0x6f, 0x74,
2458 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48,
2459 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x11, 0x69, 0x6e, 0x66, 0x6f,
2460 0x40, 0x64, 0x69, 0x67, 0x69, 0x6e, 0x6f, 0x74, 0x61, 0x72, 0x2e, 0x6e,
2461 0x6c};
2462 const size_t kDiginotarLen = sizeof(kDiginotarDN);
2463
2464 SpawnedTestServer::SSLOptions ssl_options;
2465 ssl_options.request_client_certificate = true;
2466 ssl_options.client_authorities.push_back(
2467 GetTestClientCertsDirectory().Append(kThawteFile));
2468 ssl_options.client_authorities.push_back(
2469 GetTestClientCertsDirectory().Append(kDiginotarFile));
2470 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2471 ASSERT_TRUE(request_info.get());
2472 ASSERT_EQ(2u, request_info->cert_authorities.size());
2473 EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen),
2474 request_info->cert_authorities[0]);
2475 EXPECT_EQ(
2476 std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen),
2477 request_info->cert_authorities[1]);
2478 }
2479
2480 // cert_key_types is currently only populated on OpenSSL.
2481 #if defined(USE_OPENSSL)
2482 TEST_F(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
2483 SpawnedTestServer::SSLOptions ssl_options;
2484 ssl_options.request_client_certificate = true;
2485 ssl_options.client_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
2486 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
2487 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2488 ASSERT_TRUE(request_info.get());
2489 ASSERT_EQ(2u, request_info->cert_key_types.size());
2490 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]);
2491 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]);
2492 }
2493 #endif // defined(USE_OPENSSL)
2494
2495 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {
2496 SpawnedTestServer::SSLOptions ssl_options;
2497 ssl_options.signed_cert_timestamps_tls_ext = "test";
2498
2499 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2500 ssl_options,
2501 base::FilePath());
2502 ASSERT_TRUE(test_server.Start());
2503
2504 AddressList addr;
2505 ASSERT_TRUE(test_server.GetAddressList(&addr));
2506
2507 TestCompletionCallback callback;
2508 scoped_ptr<StreamSocket> transport(
2509 new TCPClientSocket(addr, &log_, NetLog::Source()));
2510 int rv = callback.GetResult(transport->Connect(callback.callback()));
2511 EXPECT_EQ(OK, rv);
2512
2513 SSLConfig ssl_config;
2514 ssl_config.signed_cert_timestamps_enabled = true;
2515
2516 MockCTVerifier ct_verifier;
2517 SetCTVerifier(&ct_verifier);
2518
2519 // Check that the SCT list is extracted as expected.
2520 EXPECT_CALL(ct_verifier, Verify(_, "", "test", _, _)).WillRepeatedly(
2521 Return(ERR_CT_NO_SCTS_VERIFIED_OK));
2522
2523 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2524 transport.Pass(), test_server.host_port_pair(), ssl_config));
2525 rv = callback.GetResult(sock->Connect(callback.callback()));
2526 EXPECT_EQ(OK, rv);
2527
2528 EXPECT_TRUE(sock->signed_cert_timestamps_received_);
2529 }
2530
2531 namespace {
2532
2533 bool IsValidOCSPResponse(const base::StringPiece& input) {
2534 base::StringPiece ocsp_response = input;
2535 base::StringPiece sequence, response_status, response_bytes;
2536 return asn1::GetElement(&ocsp_response, asn1::kSEQUENCE, &sequence) &&
2537 ocsp_response.empty() &&
2538 asn1::GetElement(&sequence, asn1::kENUMERATED, &response_status) &&
2539 asn1::GetElement(&sequence,
2540 asn1::kContextSpecific | asn1::kConstructed | 0,
2541 &response_status) &&
2542 sequence.empty();
2543 }
2544
2545 } // namespace
2546
2547 // Test that enabling Signed Certificate Timestamps enables OCSP stapling.
2548 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
2549 SpawnedTestServer::SSLOptions ssl_options;
2550 ssl_options.staple_ocsp_response = true;
2551 // The test server currently only knows how to generate OCSP responses
2552 // for a freshly minted certificate.
2553 ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO;
2554
2555 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2556 ssl_options,
2557 base::FilePath());
2558 ASSERT_TRUE(test_server.Start());
2559
2560 AddressList addr;
2561 ASSERT_TRUE(test_server.GetAddressList(&addr));
2562
2563 TestCompletionCallback callback;
2564 scoped_ptr<StreamSocket> transport(
2565 new TCPClientSocket(addr, &log_, NetLog::Source()));
2566 int rv = callback.GetResult(transport->Connect(callback.callback()));
2567 EXPECT_EQ(OK, rv);
2568
2569 SSLConfig ssl_config;
2570 // Enabling Signed Cert Timestamps ensures we request OCSP stapling for
2571 // Certificate Transparency verification regardless of whether the platform
2572 // is able to process the OCSP status itself.
2573 ssl_config.signed_cert_timestamps_enabled = true;
2574
2575 MockCTVerifier ct_verifier;
2576 SetCTVerifier(&ct_verifier);
2577
2578 // Check that the OCSP response is extracted and well-formed. It should be the
2579 // DER encoding of an OCSPResponse (RFC 2560), so check that it consists of a
2580 // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT. In
2581 // particular, it should not include the overall two-byte length prefix from
2582 // TLS.
2583 EXPECT_CALL(ct_verifier,
2584 Verify(_, Truly(IsValidOCSPResponse), "", _, _)).WillRepeatedly(
2585 Return(ERR_CT_NO_SCTS_VERIFIED_OK));
2586
2587 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2588 transport.Pass(), test_server.host_port_pair(), ssl_config));
2589 rv = callback.GetResult(sock->Connect(callback.callback()));
2590 EXPECT_EQ(OK, rv);
2591
2592 EXPECT_TRUE(sock->stapled_ocsp_response_received_);
2593 }
2594
2595 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
2596 SpawnedTestServer::SSLOptions ssl_options;
2597 ssl_options.signed_cert_timestamps_tls_ext = "test";
2598
2599 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2600 ssl_options,
2601 base::FilePath());
2602 ASSERT_TRUE(test_server.Start());
2603
2604 AddressList addr;
2605 ASSERT_TRUE(test_server.GetAddressList(&addr));
2606
2607 TestCompletionCallback callback;
2608 scoped_ptr<StreamSocket> transport(
2609 new TCPClientSocket(addr, &log_, NetLog::Source()));
2610 int rv = callback.GetResult(transport->Connect(callback.callback()));
2611 EXPECT_EQ(OK, rv);
2612
2613 SSLConfig ssl_config;
2614 ssl_config.signed_cert_timestamps_enabled = false;
2615
2616 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2617 transport.Pass(), test_server.host_port_pair(), ssl_config));
2618 rv = callback.GetResult(sock->Connect(callback.callback()));
2619 EXPECT_EQ(OK, rv);
2620
2621 EXPECT_FALSE(sock->signed_cert_timestamps_received_);
2622 }
2623
2624 // Tests that IsConnectedAndIdle and WasEverUsed behave as expected.
2625 TEST_F(SSLClientSocketTest, ReuseStates) {
2626 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2627 SpawnedTestServer::kLocalhost,
2628 base::FilePath());
2629 ASSERT_TRUE(test_server.Start());
2630
2631 AddressList addr;
2632 ASSERT_TRUE(test_server.GetAddressList(&addr));
2633
2634 TestCompletionCallback callback;
2635 scoped_ptr<StreamSocket> transport(
2636 new TCPClientSocket(addr, NULL, NetLog::Source()));
2637 int rv = transport->Connect(callback.callback());
2638 if (rv == ERR_IO_PENDING)
2639 rv = callback.WaitForResult();
2640 EXPECT_EQ(OK, rv);
2641
2642 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2643 transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
2644
2645 rv = sock->Connect(callback.callback());
2646 if (rv == ERR_IO_PENDING)
2647 rv = callback.WaitForResult();
2648 EXPECT_EQ(OK, rv);
2649
2650 // The socket was just connected. It should be idle because it is speaking
2651 // HTTP. Although the transport has been used for the handshake, WasEverUsed()
2652 // returns false.
2653 EXPECT_TRUE(sock->IsConnected());
2654 EXPECT_TRUE(sock->IsConnectedAndIdle());
2655 EXPECT_FALSE(sock->WasEverUsed());
2656
2657 const char kRequestText[] = "GET / HTTP/1.0\r\n\r\n";
2658 const size_t kRequestLen = arraysize(kRequestText) - 1;
2659 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestLen));
2660 memcpy(request_buffer->data(), kRequestText, kRequestLen);
2661
2662 rv = sock->Write(request_buffer.get(), kRequestLen, callback.callback());
2663 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2664
2665 if (rv == ERR_IO_PENDING)
2666 rv = callback.WaitForResult();
2667 EXPECT_EQ(static_cast<int>(kRequestLen), rv);
2668
2669 // The socket has now been used.
2670 EXPECT_TRUE(sock->WasEverUsed());
2671
2672 // TODO(davidben): Read one byte to ensure the test server has responded and
2673 // then assert IsConnectedAndIdle is false. This currently doesn't work
2674 // because neither SSLClientSocketNSS nor SSLClientSocketOpenSSL check their
2675 // SSL implementation's internal buffers. Either call PR_Available and
2676 // SSL_pending, although the former isn't actually implemented or perhaps
2677 // attempt to read one byte extra.
2678 }
2679
2680 #if defined(USE_OPENSSL)
2681
2682 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithFailure) {
2683 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2684 SpawnedTestServer::kLocalhost,
2685 base::FilePath());
2686 ASSERT_TRUE(test_server.Start());
2687
2688 AddressList addr;
2689 ASSERT_TRUE(test_server.GetAddressList(&addr));
2690
2691 TestCompletionCallback callback;
2692 scoped_ptr<StreamSocket> real_transport(
2693 new TCPClientSocket(addr, NULL, NetLog::Source()));
2694 scoped_ptr<SynchronousErrorStreamSocket> transport(
2695 new SynchronousErrorStreamSocket(real_transport.Pass()));
2696 int rv = callback.GetResult(transport->Connect(callback.callback()));
2697 EXPECT_EQ(OK, rv);
2698
2699 // Disable TLS False Start to avoid handshake non-determinism.
2700 SSLConfig ssl_config;
2701 ssl_config.false_start_enabled = false;
2702
2703 SynchronousErrorStreamSocket* raw_transport = transport.get();
2704 scoped_ptr<SSLClientSocket> sock(
2705 CreateSSLClientSocket(transport.PassAs<StreamSocket>(),
2706 test_server.host_port_pair(),
2707 ssl_config));
2708
2709 sock->SetHandshakeCompletionCallback(base::Bind(
2710 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2711
2712 raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
2713
2714 rv = callback.GetResult(sock->Connect(callback.callback()));
2715 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
2716 EXPECT_FALSE(sock->IsConnected());
2717
2718 EXPECT_TRUE(ran_handshake_completion_callback_);
2719 }
2720
2721 // Tests that the completion callback is run when an SSL connection
2722 // completes successfully.
2723 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithSuccess) {
2724 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2725 SpawnedTestServer::kLocalhost,
2726 base::FilePath());
2727 ASSERT_TRUE(test_server.Start());
2728
2729 AddressList addr;
2730 ASSERT_TRUE(test_server.GetAddressList(&addr));
2731
2732 scoped_ptr<StreamSocket> transport(
2733 new TCPClientSocket(addr, NULL, NetLog::Source()));
2734
2735 TestCompletionCallback callback;
2736 int rv = transport->Connect(callback.callback());
2737 if (rv == ERR_IO_PENDING)
2738 rv = callback.WaitForResult();
2739 EXPECT_EQ(OK, rv);
2740
2741 SSLConfig ssl_config = kDefaultSSLConfig;
2742 ssl_config.false_start_enabled = false;
2743
2744 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2745 transport.Pass(), test_server.host_port_pair(), ssl_config));
2746
2747 sock->SetHandshakeCompletionCallback(base::Bind(
2748 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2749
2750 rv = callback.GetResult(sock->Connect(callback.callback()));
2751
2752 EXPECT_EQ(OK, rv);
2753 EXPECT_TRUE(sock->IsConnected());
2754 EXPECT_TRUE(ran_handshake_completion_callback_);
2755 }
2756
2757 // Tests that the completion callback is run with a server that doesn't cache
2758 // sessions.
2759 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithDisabledSessionCache) {
2760 SpawnedTestServer::SSLOptions ssl_options;
2761 ssl_options.disable_session_cache = true;
2762 SpawnedTestServer test_server(
2763 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2764 ASSERT_TRUE(test_server.Start());
2765
2766 AddressList addr;
2767 ASSERT_TRUE(test_server.GetAddressList(&addr));
2768
2769 scoped_ptr<StreamSocket> transport(
2770 new TCPClientSocket(addr, NULL, NetLog::Source()));
2771
2772 TestCompletionCallback callback;
2773 int rv = transport->Connect(callback.callback());
2774 if (rv == ERR_IO_PENDING)
2775 rv = callback.WaitForResult();
2776 EXPECT_EQ(OK, rv);
2777
2778 SSLConfig ssl_config = kDefaultSSLConfig;
2779 ssl_config.false_start_enabled = false;
2780
2781 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2782 transport.Pass(), test_server.host_port_pair(), ssl_config));
2783
2784 sock->SetHandshakeCompletionCallback(base::Bind(
2785 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2786
2787 rv = callback.GetResult(sock->Connect(callback.callback()));
2788
2789 EXPECT_EQ(OK, rv);
2790 EXPECT_TRUE(sock->IsConnected());
2791 EXPECT_TRUE(ran_handshake_completion_callback_);
2792 }
2793
2794 TEST_F(SSLClientSocketFalseStartTest,
2795 HandshakeCallbackIsRun_WithFalseStartFailure) {
2796 // False Start requires NPN and a forward-secret cipher suite.
2797 SpawnedTestServer::SSLOptions server_options;
2798 server_options.key_exchanges =
2799 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2800 server_options.enable_npn = true;
2801 SSLConfig client_config;
2802 client_config.next_protos.push_back("http/1.1");
2803 monitor_handshake_callback_ = true;
2804 fail_handshake_after_false_start_ = true;
2805 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true));
2806 ASSERT_TRUE(ran_handshake_completion_callback_);
2807 }
2808
2809 TEST_F(SSLClientSocketFalseStartTest,
2810 HandshakeCallbackIsRun_WithFalseStartSuccess) {
2811 // False Start requires NPN and a forward-secret cipher suite.
2812 SpawnedTestServer::SSLOptions server_options;
2813 server_options.key_exchanges =
2814 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2815 server_options.enable_npn = true;
2816 SSLConfig client_config;
2817 client_config.next_protos.push_back("http/1.1");
2818 monitor_handshake_callback_ = true;
2819 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true));
2820 ASSERT_TRUE(ran_handshake_completion_callback_);
2821 }
2822 #endif // defined(USE_OPENSSL)
2823
2824 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) {
2825 // False Start requires NPN and a forward-secret cipher suite.
2826 SpawnedTestServer::SSLOptions server_options;
2827 server_options.key_exchanges =
2828 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2829 server_options.enable_npn = true;
2830 SSLConfig client_config;
2831 client_config.next_protos.push_back("http/1.1");
2832 ASSERT_NO_FATAL_FAILURE(
2833 TestFalseStart(server_options, client_config, true));
2834 }
2835
2836 // Test that False Start is disabled without NPN.
2837 TEST_F(SSLClientSocketFalseStartTest, NoNPN) {
2838 SpawnedTestServer::SSLOptions server_options;
2839 server_options.key_exchanges =
2840 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2841 SSLConfig client_config;
2842 client_config.next_protos.clear();
2843 ASSERT_NO_FATAL_FAILURE(
2844 TestFalseStart(server_options, client_config, false));
2845 }
2846
2847 // Test that False Start is disabled without a forward-secret cipher suite.
2848 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) {
2849 SpawnedTestServer::SSLOptions server_options;
2850 server_options.key_exchanges =
2851 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA;
2852 server_options.enable_npn = true;
2853 SSLConfig client_config;
2854 client_config.next_protos.push_back("http/1.1");
2855 ASSERT_NO_FATAL_FAILURE(
2856 TestFalseStart(server_options, client_config, false));
2857 }
2858
2859 // Test that sessions are resumable after receiving the server Finished message.
2860 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) {
2861 // Start a server.
2862 SpawnedTestServer::SSLOptions server_options;
2863 server_options.key_exchanges =
2864 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2865 server_options.enable_npn = true;
2866 SSLConfig client_config;
2867 client_config.next_protos.push_back("http/1.1");
2868
2869 // Let a full handshake complete with False Start.
2870 ASSERT_NO_FATAL_FAILURE(
2871 TestFalseStart(server_options, client_config, true));
2872
2873 // Make a second connection.
2874 TestCompletionCallback callback;
2875 scoped_ptr<StreamSocket> transport2(
2876 new TCPClientSocket(addr(), &log_, NetLog::Source()));
2877 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback())));
2878 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket(
2879 transport2.Pass(), test_server()->host_port_pair(), client_config);
2880 ASSERT_TRUE(sock2.get());
2881 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback())));
2882
2883 // It should resume the session.
2884 SSLInfo ssl_info;
2885 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info));
2886 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
2887 }
2888
2889 // Test that sessions are not resumable before receiving the server Finished
2890 // message.
2891 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) {
2892 // Start a server.
2893 SpawnedTestServer::SSLOptions server_options;
2894 server_options.key_exchanges =
2895 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
2896 server_options.enable_npn = true;
2897 ASSERT_TRUE(StartTestServer(server_options));
2898
2899 SSLConfig client_config;
2900 client_config.next_protos.push_back("http/1.1");
2901
2902 // Start a handshake up to the server Finished message.
2903 TestCompletionCallback callback;
2904 FakeBlockingStreamSocket* raw_transport1;
2905 scoped_ptr<SSLClientSocket> sock1;
2906 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
2907 client_config, &callback, &raw_transport1, &sock1));
2908 // Although raw_transport1 has the server Finished blocked, the handshake
2909 // still completes.
2910 EXPECT_EQ(OK, callback.WaitForResult());
2911
2912 // Drop the old socket. This is needed because the Python test server can't
2913 // service two sockets in parallel.
2914 sock1.reset();
2915
2916 // Start a second connection.
2917 scoped_ptr<StreamSocket> transport2(
2918 new TCPClientSocket(addr(), &log_, NetLog::Source()));
2919 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback())));
2920 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket(
2921 transport2.Pass(), test_server()->host_port_pair(), client_config);
2922 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback())));
2923
2924 // No session resumption because the first connection never received a server
2925 // Finished message.
2926 SSLInfo ssl_info;
2927 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info));
2928 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
2929 }
2930
2931 // Connect to a server using channel id. It should allow the connection.
2932 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) {
2933 SpawnedTestServer::SSLOptions ssl_options;
2934
2935 ASSERT_TRUE(ConnectToTestServer(ssl_options));
2936
2937 EnableChannelID();
2938 SSLConfig ssl_config = kDefaultSSLConfig;
2939 ssl_config.channel_id_enabled = true;
2940
2941 int rv;
2942 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
2943
2944 EXPECT_EQ(OK, rv);
2945 EXPECT_TRUE(sock_->IsConnected());
2946 EXPECT_TRUE(sock_->WasChannelIDSent());
2947
2948 sock_->Disconnect();
2949 EXPECT_FALSE(sock_->IsConnected());
2950 }
2951
2952 // Connect to a server using Channel ID but failing to look up the Channel
2953 // ID. It should fail.
2954 TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) {
2955 SpawnedTestServer::SSLOptions ssl_options;
2956
2957 ASSERT_TRUE(ConnectToTestServer(ssl_options));
2958
2959 EnableFailingChannelID();
2960 SSLConfig ssl_config = kDefaultSSLConfig;
2961 ssl_config.channel_id_enabled = true;
2962
2963 int rv;
2964 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
2965
2966 // TODO(haavardm@opera.com): Due to differences in threading, Linux returns
2967 // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all
2968 // error codes for now.
2969 // http://crbug.com/373670
2970 EXPECT_NE(OK, rv);
2971 EXPECT_FALSE(sock_->IsConnected());
2972 }
2973
2974 // Connect to a server using Channel ID but asynchronously failing to look up
2975 // the Channel ID. It should fail.
2976 TEST_F(SSLClientSocketChannelIDTest, FailingChannelIDAsync) {
2977 SpawnedTestServer::SSLOptions ssl_options;
2978
2979 ASSERT_TRUE(ConnectToTestServer(ssl_options));
2980
2981 EnableAsyncFailingChannelID();
2982 SSLConfig ssl_config = kDefaultSSLConfig;
2983 ssl_config.channel_id_enabled = true;
2984
2985 int rv;
2986 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
2987
2988 EXPECT_EQ(ERR_UNEXPECTED, rv);
2989 EXPECT_FALSE(sock_->IsConnected());
2990 }
2991
2992 } // namespace net