search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll tools/swarming_client/ to b61a1802f5ef4bb8c7b81060cc80add47e6cf302.
[chromium-blink-merge.git] / net / socket / ssl_client_socket_unittest.cc
blob96435c96cc83d7cff052c84ac761f0f81f2e2717
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/socket/ssl_client_socket.h"
6
7 #include "base/callback_helpers.h"
8 #include "base/memory/ref_counted.h"
9 #include "base/run_loop.h"
10 #include "base/time/time.h"
11 #include "net/base/address_list.h"
12 #include "net/base/io_buffer.h"
13 #include "net/base/net_errors.h"
14 #include "net/base/net_log.h"
15 #include "net/base/net_log_unittest.h"
16 #include "net/base/test_completion_callback.h"
17 #include "net/base/test_data_directory.h"
18 #include "net/cert/asn1_util.h"
19 #include "net/cert/ct_verifier.h"
20 #include "net/cert/mock_cert_verifier.h"
21 #include "net/cert/test_root_certs.h"
22 #include "net/dns/host_resolver.h"
23 #include "net/http/transport_security_state.h"
24 #include "net/socket/client_socket_factory.h"
25 #include "net/socket/client_socket_handle.h"
26 #include "net/socket/socket_test_util.h"
27 #include "net/socket/tcp_client_socket.h"
28 #include "net/ssl/channel_id_service.h"
29 #include "net/ssl/default_channel_id_store.h"
30 #include "net/ssl/ssl_cert_request_info.h"
31 #include "net/ssl/ssl_config_service.h"
32 #include "net/ssl/ssl_connection_status_flags.h"
33 #include "net/ssl/ssl_info.h"
34 #include "net/test/cert_test_util.h"
35 #include "net/test/spawned_test_server/spawned_test_server.h"
36 #include "testing/gmock/include/gmock/gmock.h"
37 #include "testing/gtest/include/gtest/gtest.h"
38 #include "testing/platform_test.h"
39
40 #if !defined(USE_OPENSSL)
41 #include <pk11pub.h>
42 #include "crypto/nss_util.h"
43
44 #if !defined(CKM_AES_GCM)
45 #define CKM_AES_GCM 0x00001087
46 #endif
47
48 #if !defined(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)
49 #define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
50 #endif
51 #endif
52
53 //-----------------------------------------------------------------------------
54
55 using testing::_;
56 using testing::Return;
57 using testing::Truly;
58
59 namespace net {
60
61 namespace {
62
63 // WrappedStreamSocket is a base class that wraps an existing StreamSocket,
64 // forwarding the Socket and StreamSocket interfaces to the underlying
65 // transport.
66 // This is to provide a common base class for subclasses to override specific
67 // StreamSocket methods for testing, while still communicating with a 'real'
68 // StreamSocket.
69 class WrappedStreamSocket : public StreamSocket {
70 public:
71 explicit WrappedStreamSocket(scoped_ptr<StreamSocket> transport)
72 : transport_(transport.Pass()) {}
73 ~WrappedStreamSocket() override {}
74
75 // StreamSocket implementation:
76 int Connect(const CompletionCallback& callback) override {
77 return transport_->Connect(callback);
78 }
79 void Disconnect() override { transport_->Disconnect(); }
80 bool IsConnected() const override { return transport_->IsConnected(); }
81 bool IsConnectedAndIdle() const override {
82 return transport_->IsConnectedAndIdle();
83 }
84 int GetPeerAddress(IPEndPoint* address) const override {
85 return transport_->GetPeerAddress(address);
86 }
87 int GetLocalAddress(IPEndPoint* address) const override {
88 return transport_->GetLocalAddress(address);
89 }
90 const BoundNetLog& NetLog() const override { return transport_->NetLog(); }
91 void SetSubresourceSpeculation() override {
92 transport_->SetSubresourceSpeculation();
93 }
94 void SetOmniboxSpeculation() override { transport_->SetOmniboxSpeculation(); }
95 bool WasEverUsed() const override { return transport_->WasEverUsed(); }
96 bool UsingTCPFastOpen() const override {
97 return transport_->UsingTCPFastOpen();
98 }
99 bool WasNpnNegotiated() const override {
100 return transport_->WasNpnNegotiated();
101 }
102 NextProto GetNegotiatedProtocol() const override {
103 return transport_->GetNegotiatedProtocol();
104 }
105 bool GetSSLInfo(SSLInfo* ssl_info) override {
106 return transport_->GetSSLInfo(ssl_info);
107 }
108
109 // Socket implementation:
110 int Read(IOBuffer* buf,
111 int buf_len,
112 const CompletionCallback& callback) override {
113 return transport_->Read(buf, buf_len, callback);
114 }
115 int Write(IOBuffer* buf,
116 int buf_len,
117 const CompletionCallback& callback) override {
118 return transport_->Write(buf, buf_len, callback);
119 }
120 int SetReceiveBufferSize(int32 size) override {
121 return transport_->SetReceiveBufferSize(size);
122 }
123 int SetSendBufferSize(int32 size) override {
124 return transport_->SetSendBufferSize(size);
125 }
126
127 protected:
128 scoped_ptr<StreamSocket> transport_;
129 };
130
131 // ReadBufferingStreamSocket is a wrapper for an existing StreamSocket that
132 // will ensure a certain amount of data is internally buffered before
133 // satisfying a Read() request. It exists to mimic OS-level internal
134 // buffering, but in a way to guarantee that X number of bytes will be
135 // returned to callers of Read(), regardless of how quickly the OS receives
136 // them from the TestServer.
137 class ReadBufferingStreamSocket : public WrappedStreamSocket {
138 public:
139 explicit ReadBufferingStreamSocket(scoped_ptr<StreamSocket> transport);
140 ~ReadBufferingStreamSocket() override {}
141
142 // Socket implementation:
143 int Read(IOBuffer* buf,
144 int buf_len,
145 const CompletionCallback& callback) override;
146
147 // Sets the internal buffer to |size|. This must not be greater than
148 // the largest value supplied to Read() - that is, it does not handle
149 // having "leftovers" at the end of Read().
150 // Each call to Read() will be prevented from completion until at least
151 // |size| data has been read.
152 // Set to 0 to turn off buffering, causing Read() to transparently
153 // read via the underlying transport.
154 void SetBufferSize(int size);
155
156 private:
157 enum State {
158 STATE_NONE,
159 STATE_READ,
160 STATE_READ_COMPLETE,
161 };
162
163 int DoLoop(int result);
164 int DoRead();
165 int DoReadComplete(int result);
166 void OnReadCompleted(int result);
167
168 State state_;
169 scoped_refptr<GrowableIOBuffer> read_buffer_;
170 int buffer_size_;
171
172 scoped_refptr<IOBuffer> user_read_buf_;
173 CompletionCallback user_read_callback_;
174 };
175
176 ReadBufferingStreamSocket::ReadBufferingStreamSocket(
177 scoped_ptr<StreamSocket> transport)
178 : WrappedStreamSocket(transport.Pass()),
179 read_buffer_(new GrowableIOBuffer()),
180 buffer_size_(0) {}
181
182 void ReadBufferingStreamSocket::SetBufferSize(int size) {
183 DCHECK(!user_read_buf_.get());
184 buffer_size_ = size;
185 read_buffer_->SetCapacity(size);
186 }
187
188 int ReadBufferingStreamSocket::Read(IOBuffer* buf,
189 int buf_len,
190 const CompletionCallback& callback) {
191 if (buffer_size_ == 0)
192 return transport_->Read(buf, buf_len, callback);
193
194 if (buf_len < buffer_size_)
195 return ERR_UNEXPECTED;
196
197 state_ = STATE_READ;
198 user_read_buf_ = buf;
199 int result = DoLoop(OK);
200 if (result == ERR_IO_PENDING)
201 user_read_callback_ = callback;
202 else
203 user_read_buf_ = NULL;
204 return result;
205 }
206
207 int ReadBufferingStreamSocket::DoLoop(int result) {
208 int rv = result;
209 do {
210 State current_state = state_;
211 state_ = STATE_NONE;
212 switch (current_state) {
213 case STATE_READ:
214 rv = DoRead();
215 break;
216 case STATE_READ_COMPLETE:
217 rv = DoReadComplete(rv);
218 break;
219 case STATE_NONE:
220 default:
221 NOTREACHED() << "Unexpected state: " << current_state;
222 rv = ERR_UNEXPECTED;
223 break;
224 }
225 } while (rv != ERR_IO_PENDING && state_ != STATE_NONE);
226 return rv;
227 }
228
229 int ReadBufferingStreamSocket::DoRead() {
230 state_ = STATE_READ_COMPLETE;
231 int rv =
232 transport_->Read(read_buffer_.get(),
233 read_buffer_->RemainingCapacity(),
234 base::Bind(&ReadBufferingStreamSocket::OnReadCompleted,
235 base::Unretained(this)));
236 return rv;
237 }
238
239 int ReadBufferingStreamSocket::DoReadComplete(int result) {
240 state_ = STATE_NONE;
241 if (result <= 0)
242 return result;
243
244 read_buffer_->set_offset(read_buffer_->offset() + result);
245 if (read_buffer_->RemainingCapacity() > 0) {
246 state_ = STATE_READ;
247 return OK;
248 }
249
250 memcpy(user_read_buf_->data(),
251 read_buffer_->StartOfBuffer(),
252 read_buffer_->capacity());
253 read_buffer_->set_offset(0);
254 return read_buffer_->capacity();
255 }
256
257 void ReadBufferingStreamSocket::OnReadCompleted(int result) {
258 result = DoLoop(result);
259 if (result == ERR_IO_PENDING)
260 return;
261
262 user_read_buf_ = NULL;
263 base::ResetAndReturn(&user_read_callback_).Run(result);
264 }
265
266 // Simulates synchronously receiving an error during Read() or Write()
267 class SynchronousErrorStreamSocket : public WrappedStreamSocket {
268 public:
269 explicit SynchronousErrorStreamSocket(scoped_ptr<StreamSocket> transport);
270 ~SynchronousErrorStreamSocket() override {}
271
272 // Socket implementation:
273 int Read(IOBuffer* buf,
274 int buf_len,
275 const CompletionCallback& callback) override;
276 int Write(IOBuffer* buf,
277 int buf_len,
278 const CompletionCallback& callback) override;
279
280 // Sets the next Read() call and all future calls to return |error|.
281 // If there is already a pending asynchronous read, the configured error
282 // will not be returned until that asynchronous read has completed and Read()
283 // is called again.
284 void SetNextReadError(int error) {
285 DCHECK_GE(0, error);
286 have_read_error_ = true;
287 pending_read_error_ = error;
288 }
289
290 // Sets the next Write() call and all future calls to return |error|.
291 // If there is already a pending asynchronous write, the configured error
292 // will not be returned until that asynchronous write has completed and
293 // Write() is called again.
294 void SetNextWriteError(int error) {
295 DCHECK_GE(0, error);
296 have_write_error_ = true;
297 pending_write_error_ = error;
298 }
299
300 private:
301 bool have_read_error_;
302 int pending_read_error_;
303
304 bool have_write_error_;
305 int pending_write_error_;
306
307 DISALLOW_COPY_AND_ASSIGN(SynchronousErrorStreamSocket);
308 };
309
310 SynchronousErrorStreamSocket::SynchronousErrorStreamSocket(
311 scoped_ptr<StreamSocket> transport)
312 : WrappedStreamSocket(transport.Pass()),
313 have_read_error_(false),
314 pending_read_error_(OK),
315 have_write_error_(false),
316 pending_write_error_(OK) {}
317
318 int SynchronousErrorStreamSocket::Read(IOBuffer* buf,
319 int buf_len,
320 const CompletionCallback& callback) {
321 if (have_read_error_)
322 return pending_read_error_;
323 return transport_->Read(buf, buf_len, callback);
324 }
325
326 int SynchronousErrorStreamSocket::Write(IOBuffer* buf,
327 int buf_len,
328 const CompletionCallback& callback) {
329 if (have_write_error_)
330 return pending_write_error_;
331 return transport_->Write(buf, buf_len, callback);
332 }
333
334 // FakeBlockingStreamSocket wraps an existing StreamSocket and simulates the
335 // underlying transport needing to complete things asynchronously in a
336 // deterministic manner (e.g.: independent of the TestServer and the OS's
337 // semantics).
338 class FakeBlockingStreamSocket : public WrappedStreamSocket {
339 public:
340 explicit FakeBlockingStreamSocket(scoped_ptr<StreamSocket> transport);
341 ~FakeBlockingStreamSocket() override {}
342
343 // Socket implementation:
344 int Read(IOBuffer* buf,
345 int buf_len,
346 const CompletionCallback& callback) override;
347 int Write(IOBuffer* buf,
348 int buf_len,
349 const CompletionCallback& callback) override;
350
351 // Blocks read results on the socket. Reads will not complete until
352 // UnblockReadResult() has been called and a result is ready from the
353 // underlying transport. Note: if BlockReadResult() is called while there is a
354 // hanging asynchronous Read(), that Read is blocked.
355 void BlockReadResult();
356 void UnblockReadResult();
357
358 // Waits for the blocked Read() call to be complete at the underlying
359 // transport.
360 void WaitForReadResult();
361
362 // Causes the next call to Write() to return ERR_IO_PENDING, not beginning the
363 // underlying transport until UnblockWrite() has been called. Note: if there
364 // is a pending asynchronous write, it is NOT blocked. For purposes of
365 // blocking writes, data is considered to have reached the underlying
366 // transport as soon as Write() is called.
367 void BlockWrite();
368 void UnblockWrite();
369
370 // Waits for the blocked Write() call to be scheduled.
371 void WaitForWrite();
372
373 // Returns the wrapped stream socket.
374 StreamSocket* transport() { return transport_.get(); }
375
376 private:
377 // Handles completion from the underlying transport read.
378 void OnReadCompleted(int result);
379
380 // True if read callbacks are blocked.
381 bool should_block_read_;
382
383 // The user callback for the pending read call.
384 CompletionCallback pending_read_callback_;
385
386 // The result for the blocked read callback, or ERR_IO_PENDING if not
387 // completed.
388 int pending_read_result_;
389
390 // WaitForReadResult() wait loop.
391 scoped_ptr<base::RunLoop> read_loop_;
392
393 // True if write calls are blocked.
394 bool should_block_write_;
395
396 // The buffer for the pending write, or NULL if not scheduled.
397 scoped_refptr<IOBuffer> pending_write_buf_;
398
399 // The callback for the pending write call.
400 CompletionCallback pending_write_callback_;
401
402 // The length for the pending write, or -1 if not scheduled.
403 int pending_write_len_;
404
405 // WaitForWrite() wait loop.
406 scoped_ptr<base::RunLoop> write_loop_;
407 };
408
409 FakeBlockingStreamSocket::FakeBlockingStreamSocket(
410 scoped_ptr<StreamSocket> transport)
411 : WrappedStreamSocket(transport.Pass()),
412 should_block_read_(false),
413 pending_read_result_(ERR_IO_PENDING),
414 should_block_write_(false),
415 pending_write_len_(-1) {}
416
417 int FakeBlockingStreamSocket::Read(IOBuffer* buf,
418 int len,
419 const CompletionCallback& callback) {
420 DCHECK(pending_read_callback_.is_null());
421 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
422 DCHECK(!callback.is_null());
423
424 int rv = transport_->Read(buf, len, base::Bind(
425 &FakeBlockingStreamSocket::OnReadCompleted, base::Unretained(this)));
426 if (rv == ERR_IO_PENDING) {
427 // Save the callback to be called later.
428 pending_read_callback_ = callback;
429 } else if (should_block_read_) {
430 // Save the callback and read result to be called later.
431 pending_read_callback_ = callback;
432 OnReadCompleted(rv);
433 rv = ERR_IO_PENDING;
434 }
435 return rv;
436 }
437
438 int FakeBlockingStreamSocket::Write(IOBuffer* buf,
439 int len,
440 const CompletionCallback& callback) {
441 DCHECK(buf);
442 DCHECK_LE(0, len);
443
444 if (!should_block_write_)
445 return transport_->Write(buf, len, callback);
446
447 // Schedule the write, but do nothing.
448 DCHECK(!pending_write_buf_.get());
449 DCHECK_EQ(-1, pending_write_len_);
450 DCHECK(pending_write_callback_.is_null());
451 DCHECK(!callback.is_null());
452 pending_write_buf_ = buf;
453 pending_write_len_ = len;
454 pending_write_callback_ = callback;
455
456 // Stop the write loop, if any.
457 if (write_loop_)
458 write_loop_->Quit();
459 return ERR_IO_PENDING;
460 }
461
462 void FakeBlockingStreamSocket::BlockReadResult() {
463 DCHECK(!should_block_read_);
464 should_block_read_ = true;
465 }
466
467 void FakeBlockingStreamSocket::UnblockReadResult() {
468 DCHECK(should_block_read_);
469 should_block_read_ = false;
470
471 // If the operation is still pending in the underlying transport, immediately
472 // return - OnReadCompleted() will handle invoking the callback once the
473 // transport has completed.
474 if (pending_read_result_ == ERR_IO_PENDING)
475 return;
476 int result = pending_read_result_;
477 pending_read_result_ = ERR_IO_PENDING;
478 base::ResetAndReturn(&pending_read_callback_).Run(result);
479 }
480
481 void FakeBlockingStreamSocket::WaitForReadResult() {
482 DCHECK(should_block_read_);
483 DCHECK(!read_loop_);
484
485 if (pending_read_result_ != ERR_IO_PENDING)
486 return;
487 read_loop_.reset(new base::RunLoop);
488 read_loop_->Run();
489 read_loop_.reset();
490 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
491 }
492
493 void FakeBlockingStreamSocket::BlockWrite() {
494 DCHECK(!should_block_write_);
495 should_block_write_ = true;
496 }
497
498 void FakeBlockingStreamSocket::UnblockWrite() {
499 DCHECK(should_block_write_);
500 should_block_write_ = false;
501
502 // Do nothing if UnblockWrite() was called after BlockWrite(),
503 // without a Write() in between.
504 if (!pending_write_buf_.get())
505 return;
506
507 int rv = transport_->Write(
508 pending_write_buf_.get(), pending_write_len_, pending_write_callback_);
509 pending_write_buf_ = NULL;
510 pending_write_len_ = -1;
511 if (rv == ERR_IO_PENDING) {
512 pending_write_callback_.Reset();
513 } else {
514 base::ResetAndReturn(&pending_write_callback_).Run(rv);
515 }
516 }
517
518 void FakeBlockingStreamSocket::WaitForWrite() {
519 DCHECK(should_block_write_);
520 DCHECK(!write_loop_);
521
522 if (pending_write_buf_.get())
523 return;
524 write_loop_.reset(new base::RunLoop);
525 write_loop_->Run();
526 write_loop_.reset();
527 DCHECK(pending_write_buf_.get());
528 }
529
530 void FakeBlockingStreamSocket::OnReadCompleted(int result) {
531 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
532 DCHECK(!pending_read_callback_.is_null());
533
534 if (should_block_read_) {
535 // Store the result so that the callback can be invoked once Unblock() is
536 // called.
537 pending_read_result_ = result;
538
539 // Stop the WaitForReadResult() call if any.
540 if (read_loop_)
541 read_loop_->Quit();
542 } else {
543 // Either the Read() was never blocked or UnblockReadResult() was called
544 // before the Read() completed. Either way, run the callback.
545 base::ResetAndReturn(&pending_read_callback_).Run(result);
546 }
547 }
548
549 // CountingStreamSocket wraps an existing StreamSocket and maintains a count of
550 // reads and writes on the socket.
551 class CountingStreamSocket : public WrappedStreamSocket {
552 public:
553 explicit CountingStreamSocket(scoped_ptr<StreamSocket> transport)
554 : WrappedStreamSocket(transport.Pass()),
555 read_count_(0),
556 write_count_(0) {}
557 ~CountingStreamSocket() override {}
558
559 // Socket implementation:
560 int Read(IOBuffer* buf,
561 int buf_len,
562 const CompletionCallback& callback) override {
563 read_count_++;
564 return transport_->Read(buf, buf_len, callback);
565 }
566 int Write(IOBuffer* buf,
567 int buf_len,
568 const CompletionCallback& callback) override {
569 write_count_++;
570 return transport_->Write(buf, buf_len, callback);
571 }
572
573 int read_count() const { return read_count_; }
574 int write_count() const { return write_count_; }
575
576 private:
577 int read_count_;
578 int write_count_;
579 };
580
581 // CompletionCallback that will delete the associated StreamSocket when
582 // the callback is invoked.
583 class DeleteSocketCallback : public TestCompletionCallbackBase {
584 public:
585 explicit DeleteSocketCallback(StreamSocket* socket)
586 : socket_(socket),
587 callback_(base::Bind(&DeleteSocketCallback::OnComplete,
588 base::Unretained(this))) {}
589 ~DeleteSocketCallback() override {}
590
591 const CompletionCallback& callback() const { return callback_; }
592
593 private:
594 void OnComplete(int result) {
595 if (socket_) {
596 delete socket_;
597 socket_ = NULL;
598 } else {
599 ADD_FAILURE() << "Deleting socket twice";
600 }
601 SetResult(result);
602 }
603
604 StreamSocket* socket_;
605 CompletionCallback callback_;
606
607 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback);
608 };
609
610 // A ChannelIDStore that always returns an error when asked for a
611 // channel id.
612 class FailingChannelIDStore : public ChannelIDStore {
613 int GetChannelID(const std::string& server_identifier,
614 base::Time* expiration_time,
615 std::string* private_key_result,
616 std::string* cert_result,
617 const GetChannelIDCallback& callback) override {
618 return ERR_UNEXPECTED;
619 }
620 void SetChannelID(const std::string& server_identifier,
621 base::Time creation_time,
622 base::Time expiration_time,
623 const std::string& private_key,
624 const std::string& cert) override {}
625 void DeleteChannelID(const std::string& server_identifier,
626 const base::Closure& completion_callback) override {}
627 void DeleteAllCreatedBetween(
628 base::Time delete_begin,
629 base::Time delete_end,
630 const base::Closure& completion_callback) override {}
631 void DeleteAll(const base::Closure& completion_callback) override {}
632 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {}
633 int GetChannelIDCount() override { return 0; }
634 void SetForceKeepSessionState() override {}
635 };
636
637 // A ChannelIDStore that asynchronously returns an error when asked for a
638 // channel id.
639 class AsyncFailingChannelIDStore : public ChannelIDStore {
640 int GetChannelID(const std::string& server_identifier,
641 base::Time* expiration_time,
642 std::string* private_key_result,
643 std::string* cert_result,
644 const GetChannelIDCallback& callback) override {
645 base::MessageLoop::current()->PostTask(
646 FROM_HERE, base::Bind(callback, ERR_UNEXPECTED,
647 server_identifier, base::Time(), "", ""));
648 return ERR_IO_PENDING;
649 }
650 void SetChannelID(const std::string& server_identifier,
651 base::Time creation_time,
652 base::Time expiration_time,
653 const std::string& private_key,
654 const std::string& cert) override {}
655 void DeleteChannelID(const std::string& server_identifier,
656 const base::Closure& completion_callback) override {}
657 void DeleteAllCreatedBetween(
658 base::Time delete_begin,
659 base::Time delete_end,
660 const base::Closure& completion_callback) override {}
661 void DeleteAll(const base::Closure& completion_callback) override {}
662 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {}
663 int GetChannelIDCount() override { return 0; }
664 void SetForceKeepSessionState() override {}
665 };
666
667 // A mock CTVerifier that records every call to Verify but doesn't verify
668 // anything.
669 class MockCTVerifier : public CTVerifier {
670 public:
671 MOCK_METHOD5(Verify, int(X509Certificate*,
672 const std::string&,
673 const std::string&,
674 ct::CTVerifyResult*,
675 const BoundNetLog&));
676 };
677
678 class SSLClientSocketTest : public PlatformTest {
679 public:
680 SSLClientSocketTest()
681 : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
682 cert_verifier_(new MockCertVerifier),
683 transport_security_state_(new TransportSecurityState),
684 ran_handshake_completion_callback_(false) {
685 cert_verifier_->set_default_result(OK);
686 context_.cert_verifier = cert_verifier_.get();
687 context_.transport_security_state = transport_security_state_.get();
688 }
689
690 void RecordCompletedHandshake() { ran_handshake_completion_callback_ = true; }
691
692 protected:
693 // The address of the spawned test server, after calling StartTestServer().
694 const AddressList& addr() const { return addr_; }
695
696 // The SpawnedTestServer object, after calling StartTestServer().
697 const SpawnedTestServer* test_server() const { return test_server_.get(); }
698
699 void SetCTVerifier(CTVerifier* ct_verifier) {
700 context_.cert_transparency_verifier = ct_verifier;
701 }
702
703 // Starts the test server with SSL configuration |ssl_options|. Returns true
704 // on success.
705 bool StartTestServer(const SpawnedTestServer::SSLOptions& ssl_options) {
706 test_server_.reset(new SpawnedTestServer(
707 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()));
708 if (!test_server_->Start()) {
709 LOG(ERROR) << "Could not start SpawnedTestServer";
710 return false;
711 }
712
713 if (!test_server_->GetAddressList(&addr_)) {
714 LOG(ERROR) << "Could not get SpawnedTestServer address list";
715 return false;
716 }
717 return true;
718 }
719
720 // Sets up a TCP connection to a HTTPS server. To actually do the SSL
721 // handshake, follow up with call to CreateAndConnectSSLClientSocket() below.
722 bool ConnectToTestServer(const SpawnedTestServer::SSLOptions& ssl_options) {
723 if (!StartTestServer(ssl_options))
724 return false;
725
726 transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source()));
727 int rv = callback_.GetResult(transport_->Connect(callback_.callback()));
728 if (rv != OK) {
729 LOG(ERROR) << "Could not connect to SpawnedTestServer";
730 return false;
731 }
732 return true;
733 }
734
735 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
736 scoped_ptr<StreamSocket> transport_socket,
737 const HostPortPair& host_and_port,
738 const SSLConfig& ssl_config) {
739 scoped_ptr<ClientSocketHandle> connection(new ClientSocketHandle);
740 connection->SetSocket(transport_socket.Pass());
741 return socket_factory_->CreateSSLClientSocket(
742 connection.Pass(), host_and_port, ssl_config, context_);
743 }
744
745 // Create an SSLClientSocket object and use it to connect to a test
746 // server, then wait for connection results. This must be called after
747 // a successful ConnectToTestServer() call.
748 // |ssl_config| the SSL configuration to use.
749 // |result| will retrieve the ::Connect() result value.
750 // Returns true on success, false otherwise. Success means that the socket
751 // could be created and its Connect() was called, not that the connection
752 // itself was a success.
753 bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) {
754 sock_ = CreateSSLClientSocket(
755 transport_.Pass(), test_server_->host_port_pair(), ssl_config);
756
757 if (sock_->IsConnected()) {
758 LOG(ERROR) << "SSL Socket prematurely connected";
759 return false;
760 }
761
762 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
763 return true;
764 }
765
766 ClientSocketFactory* socket_factory_;
767 scoped_ptr<MockCertVerifier> cert_verifier_;
768 scoped_ptr<TransportSecurityState> transport_security_state_;
769 SSLClientSocketContext context_;
770 scoped_ptr<SSLClientSocket> sock_;
771 CapturingNetLog log_;
772 bool ran_handshake_completion_callback_;
773
774 private:
775 scoped_ptr<StreamSocket> transport_;
776 scoped_ptr<SpawnedTestServer> test_server_;
777 TestCompletionCallback callback_;
778 AddressList addr_;
779 };
780
781 // Verifies the correctness of GetSSLCertRequestInfo.
782 class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest {
783 protected:
784 // Creates a test server with the given SSLOptions, connects to it and returns
785 // the SSLCertRequestInfo reported by the socket.
786 scoped_refptr<SSLCertRequestInfo> GetCertRequest(
787 SpawnedTestServer::SSLOptions ssl_options) {
788 SpawnedTestServer test_server(
789 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
790 if (!test_server.Start())
791 return NULL;
792
793 AddressList addr;
794 if (!test_server.GetAddressList(&addr))
795 return NULL;
796
797 TestCompletionCallback callback;
798 CapturingNetLog log;
799 scoped_ptr<StreamSocket> transport(
800 new TCPClientSocket(addr, &log, NetLog::Source()));
801 int rv = transport->Connect(callback.callback());
802 if (rv == ERR_IO_PENDING)
803 rv = callback.WaitForResult();
804 EXPECT_EQ(OK, rv);
805
806 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
807 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
808 EXPECT_FALSE(sock->IsConnected());
809
810 rv = sock->Connect(callback.callback());
811 if (rv == ERR_IO_PENDING)
812 rv = callback.WaitForResult();
813 scoped_refptr<SSLCertRequestInfo> request_info = new SSLCertRequestInfo();
814 sock->GetSSLCertRequestInfo(request_info.get());
815 sock->Disconnect();
816 EXPECT_FALSE(sock->IsConnected());
817 EXPECT_TRUE(
818 test_server.host_port_pair().Equals(request_info->host_and_port));
819
820 return request_info;
821 }
822 };
823
824 class SSLClientSocketFalseStartTest : public SSLClientSocketTest {
825 public:
826 SSLClientSocketFalseStartTest()
827 : monitor_handshake_callback_(false),
828 fail_handshake_after_false_start_(false) {}
829
830 protected:
831 // Creates an SSLClientSocket with |client_config| attached to a
832 // FakeBlockingStreamSocket, returning both in |*out_raw_transport| and
833 // |*out_sock|. The FakeBlockingStreamSocket is owned by the SSLClientSocket,
834 // so |*out_raw_transport| is a raw pointer.
835 //
836 // The client socket will begin a connect using |callback| but stop before the
837 // server's finished message is received. The finished message will be blocked
838 // in |*out_raw_transport|. To complete the handshake and successfully read
839 // data, the caller must unblock reads on |*out_raw_transport|. (Note that, if
840 // the client successfully false started, |callback.WaitForResult()| will
841 // return OK without unblocking transport reads. But Read() will still block.)
842 //
843 // Must be called after StartTestServer is called.
844 void CreateAndConnectUntilServerFinishedReceived(
845 const SSLConfig& client_config,
846 TestCompletionCallback* callback,
847 FakeBlockingStreamSocket** out_raw_transport,
848 scoped_ptr<SSLClientSocket>* out_sock) {
849 CHECK(test_server());
850
851 scoped_ptr<StreamSocket> real_transport(scoped_ptr<StreamSocket>(
852 new TCPClientSocket(addr(), NULL, NetLog::Source())));
853 real_transport.reset(
854 new SynchronousErrorStreamSocket(real_transport.Pass()));
855
856 scoped_ptr<FakeBlockingStreamSocket> transport(
857 new FakeBlockingStreamSocket(real_transport.Pass()));
858 int rv = callback->GetResult(transport->Connect(callback->callback()));
859 EXPECT_EQ(OK, rv);
860
861 FakeBlockingStreamSocket* raw_transport = transport.get();
862 scoped_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
863 transport.Pass(), test_server()->host_port_pair(), client_config);
864
865 if (monitor_handshake_callback_) {
866 sock->SetHandshakeCompletionCallback(
867 base::Bind(&SSLClientSocketTest::RecordCompletedHandshake,
868 base::Unretained(this)));
869 }
870
871 // Connect. Stop before the client processes the first server leg
872 // (ServerHello, etc.)
873 raw_transport->BlockReadResult();
874 rv = sock->Connect(callback->callback());
875 EXPECT_EQ(ERR_IO_PENDING, rv);
876 raw_transport->WaitForReadResult();
877
878 // Release the ServerHello and wait for the client to write
879 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the
880 // server's leg to complete, since it may span multiple reads.)
881 EXPECT_FALSE(callback->have_result());
882 raw_transport->BlockWrite();
883 raw_transport->UnblockReadResult();
884 raw_transport->WaitForWrite();
885
886 if (fail_handshake_after_false_start_) {
887 SynchronousErrorStreamSocket* error_socket =
888 static_cast<SynchronousErrorStreamSocket*>(
889 raw_transport->transport());
890 error_socket->SetNextReadError(ERR_CONNECTION_RESET);
891 }
892 // And, finally, release that and block the next server leg
893 // (ChangeCipherSpec, Finished).
894 raw_transport->BlockReadResult();
895 raw_transport->UnblockWrite();
896
897 *out_raw_transport = raw_transport;
898 *out_sock = sock.Pass();
899 }
900
901 void TestFalseStart(const SpawnedTestServer::SSLOptions& server_options,
902 const SSLConfig& client_config,
903 bool expect_false_start) {
904 ASSERT_TRUE(StartTestServer(server_options));
905
906 TestCompletionCallback callback;
907 FakeBlockingStreamSocket* raw_transport = NULL;
908 scoped_ptr<SSLClientSocket> sock;
909
910 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
911 client_config, &callback, &raw_transport, &sock));
912
913 if (expect_false_start) {
914 // When False Starting, the handshake should complete before receiving the
915 // Change Cipher Spec and Finished messages.
916 //
917 // Note: callback.have_result() may not be true without waiting. The NSS
918 // state machine sometimes lives on a separate thread, so this thread may
919 // not yet have processed the signal that the handshake has completed.
920 int rv = callback.WaitForResult();
921 EXPECT_EQ(OK, rv);
922 EXPECT_TRUE(sock->IsConnected());
923
924 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
925 static const int kRequestTextSize =
926 static_cast<int>(arraysize(request_text) - 1);
927 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
928 memcpy(request_buffer->data(), request_text, kRequestTextSize);
929
930 // Write the request.
931 rv = callback.GetResult(sock->Write(request_buffer.get(),
932 kRequestTextSize,
933 callback.callback()));
934 EXPECT_EQ(kRequestTextSize, rv);
935
936 // The read will hang; it's waiting for the peer to complete the
937 // handshake, and the handshake is still blocked.
938 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
939 rv = sock->Read(buf.get(), 4096, callback.callback());
940
941 // After releasing reads, the connection proceeds.
942 raw_transport->UnblockReadResult();
943 rv = callback.GetResult(rv);
944 if (fail_handshake_after_false_start_)
945 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
946 else
947 EXPECT_LT(0, rv);
948 } else {
949 // False Start is not enabled, so the handshake will not complete because
950 // the server second leg is blocked.
951 base::RunLoop().RunUntilIdle();
952 EXPECT_FALSE(callback.have_result());
953 }
954 }
955
956 // Indicates that the socket's handshake completion callback should
957 // be monitored.
958 bool monitor_handshake_callback_;
959 // Indicates that this test's handshake should fail after the client
960 // "finished" message is sent.
961 bool fail_handshake_after_false_start_;
962 };
963
964 class SSLClientSocketChannelIDTest : public SSLClientSocketTest {
965 protected:
966 void EnableChannelID() {
967 channel_id_service_.reset(
968 new ChannelIDService(new DefaultChannelIDStore(NULL),
969 base::MessageLoopProxy::current()));
970 context_.channel_id_service = channel_id_service_.get();
971 }
972
973 void EnableFailingChannelID() {
974 channel_id_service_.reset(new ChannelIDService(
975 new FailingChannelIDStore(), base::MessageLoopProxy::current()));
976 context_.channel_id_service = channel_id_service_.get();
977 }
978
979 void EnableAsyncFailingChannelID() {
980 channel_id_service_.reset(new ChannelIDService(
981 new AsyncFailingChannelIDStore(),
982 base::MessageLoopProxy::current()));
983 context_.channel_id_service = channel_id_service_.get();
984 }
985
986 private:
987 scoped_ptr<ChannelIDService> channel_id_service_;
988 };
989
990 //-----------------------------------------------------------------------------
991
992 // LogContainsSSLConnectEndEvent returns true if the given index in the given
993 // log is an SSL connect end event. The NSS sockets will cork in an attempt to
994 // merge the first application data record with the Finished message when false
995 // starting. However, in order to avoid the server timing out the handshake,
996 // they'll give up waiting for application data and send the Finished after a
997 // timeout. This means that an SSL connect end event may appear as a socket
998 // write.
999 static bool LogContainsSSLConnectEndEvent(
1000 const CapturingNetLog::CapturedEntryList& log,
1001 int i) {
1002 return LogContainsEndEvent(log, i, NetLog::TYPE_SSL_CONNECT) ||
1003 LogContainsEvent(
1004 log, i, NetLog::TYPE_SOCKET_BYTES_SENT, NetLog::PHASE_NONE);
1005 }
1006
1007 bool SupportsAESGCM() {
1008 #if defined(USE_OPENSSL)
1009 return true;
1010 #else
1011 crypto::EnsureNSSInit();
1012 return PK11_TokenExists(CKM_AES_GCM) &&
1013 PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256);
1014 #endif
1015 }
1016
1017 } // namespace
1018
1019 TEST_F(SSLClientSocketTest, Connect) {
1020 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1021 SpawnedTestServer::kLocalhost,
1022 base::FilePath());
1023 ASSERT_TRUE(test_server.Start());
1024
1025 AddressList addr;
1026 ASSERT_TRUE(test_server.GetAddressList(&addr));
1027
1028 TestCompletionCallback callback;
1029 CapturingNetLog log;
1030 scoped_ptr<StreamSocket> transport(
1031 new TCPClientSocket(addr, &log, NetLog::Source()));
1032 int rv = transport->Connect(callback.callback());
1033 if (rv == ERR_IO_PENDING)
1034 rv = callback.WaitForResult();
1035 EXPECT_EQ(OK, rv);
1036
1037 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1038 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1039
1040 EXPECT_FALSE(sock->IsConnected());
1041
1042 rv = sock->Connect(callback.callback());
1043
1044 CapturingNetLog::CapturedEntryList entries;
1045 log.GetEntries(&entries);
1046 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1047 if (rv == ERR_IO_PENDING)
1048 rv = callback.WaitForResult();
1049 EXPECT_EQ(OK, rv);
1050 EXPECT_TRUE(sock->IsConnected());
1051 log.GetEntries(&entries);
1052 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1053
1054 sock->Disconnect();
1055 EXPECT_FALSE(sock->IsConnected());
1056 }
1057
1058 TEST_F(SSLClientSocketTest, ConnectExpired) {
1059 SpawnedTestServer::SSLOptions ssl_options(
1060 SpawnedTestServer::SSLOptions::CERT_EXPIRED);
1061 SpawnedTestServer test_server(
1062 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1063 ASSERT_TRUE(test_server.Start());
1064
1065 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
1066
1067 AddressList addr;
1068 ASSERT_TRUE(test_server.GetAddressList(&addr));
1069
1070 TestCompletionCallback callback;
1071 CapturingNetLog log;
1072 scoped_ptr<StreamSocket> transport(
1073 new TCPClientSocket(addr, &log, NetLog::Source()));
1074 int rv = transport->Connect(callback.callback());
1075 if (rv == ERR_IO_PENDING)
1076 rv = callback.WaitForResult();
1077 EXPECT_EQ(OK, rv);
1078
1079 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1080 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1081
1082 EXPECT_FALSE(sock->IsConnected());
1083
1084 rv = sock->Connect(callback.callback());
1085
1086 CapturingNetLog::CapturedEntryList entries;
1087 log.GetEntries(&entries);
1088 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1089 if (rv == ERR_IO_PENDING)
1090 rv = callback.WaitForResult();
1091
1092 EXPECT_EQ(ERR_CERT_DATE_INVALID, rv);
1093
1094 // Rather than testing whether or not the underlying socket is connected,
1095 // test that the handshake has finished. This is because it may be
1096 // desirable to disconnect the socket before showing a user prompt, since
1097 // the user may take indefinitely long to respond.
1098 log.GetEntries(&entries);
1099 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1100 }
1101
1102 TEST_F(SSLClientSocketTest, ConnectMismatched) {
1103 SpawnedTestServer::SSLOptions ssl_options(
1104 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME);
1105 SpawnedTestServer test_server(
1106 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1107 ASSERT_TRUE(test_server.Start());
1108
1109 cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
1110
1111 AddressList addr;
1112 ASSERT_TRUE(test_server.GetAddressList(&addr));
1113
1114 TestCompletionCallback callback;
1115 CapturingNetLog log;
1116 scoped_ptr<StreamSocket> transport(
1117 new TCPClientSocket(addr, &log, NetLog::Source()));
1118 int rv = transport->Connect(callback.callback());
1119 if (rv == ERR_IO_PENDING)
1120 rv = callback.WaitForResult();
1121 EXPECT_EQ(OK, rv);
1122
1123 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1124 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1125
1126 EXPECT_FALSE(sock->IsConnected());
1127
1128 rv = sock->Connect(callback.callback());
1129
1130 CapturingNetLog::CapturedEntryList entries;
1131 log.GetEntries(&entries);
1132 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1133 if (rv == ERR_IO_PENDING)
1134 rv = callback.WaitForResult();
1135
1136 EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, rv);
1137
1138 // Rather than testing whether or not the underlying socket is connected,
1139 // test that the handshake has finished. This is because it may be
1140 // desirable to disconnect the socket before showing a user prompt, since
1141 // the user may take indefinitely long to respond.
1142 log.GetEntries(&entries);
1143 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1144 }
1145
1146 // Attempt to connect to a page which requests a client certificate. It should
1147 // return an error code on connect.
1148 TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
1149 SpawnedTestServer::SSLOptions ssl_options;
1150 ssl_options.request_client_certificate = true;
1151 SpawnedTestServer test_server(
1152 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1153 ASSERT_TRUE(test_server.Start());
1154
1155 AddressList addr;
1156 ASSERT_TRUE(test_server.GetAddressList(&addr));
1157
1158 TestCompletionCallback callback;
1159 CapturingNetLog log;
1160 scoped_ptr<StreamSocket> transport(
1161 new TCPClientSocket(addr, &log, NetLog::Source()));
1162 int rv = transport->Connect(callback.callback());
1163 if (rv == ERR_IO_PENDING)
1164 rv = callback.WaitForResult();
1165 EXPECT_EQ(OK, rv);
1166
1167 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1168 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1169
1170 EXPECT_FALSE(sock->IsConnected());
1171
1172 rv = sock->Connect(callback.callback());
1173
1174 CapturingNetLog::CapturedEntryList entries;
1175 log.GetEntries(&entries);
1176 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1177 if (rv == ERR_IO_PENDING)
1178 rv = callback.WaitForResult();
1179
1180 log.GetEntries(&entries);
1181 // Because we prematurely kill the handshake at CertificateRequest,
1182 // the server may still send data (notably the ServerHelloDone)
1183 // after the error is returned. As a result, the SSL_CONNECT may not
1184 // be the last entry. See http://crbug.com/54445. We use
1185 // ExpectLogContainsSomewhere instead of
1186 // LogContainsSSLConnectEndEvent to avoid assuming, e.g., only one
1187 // extra read instead of two. This occurs before the handshake ends,
1188 // so the corking logic of LogContainsSSLConnectEndEvent isn't
1189 // necessary.
1190 //
1191 // TODO(davidben): When SSL_RestartHandshakeAfterCertReq in NSS is
1192 // fixed and we can respond to the first CertificateRequest
1193 // without closing the socket, add a unit test for sending the
1194 // certificate. This test may still be useful as we'll want to close
1195 // the socket on a timeout if the user takes a long time to pick a
1196 // cert. Related bug: https://bugzilla.mozilla.org/show_bug.cgi?id=542832
1197 ExpectLogContainsSomewhere(
1198 entries, 0, NetLog::TYPE_SSL_CONNECT, NetLog::PHASE_END);
1199 EXPECT_EQ(ERR_SSL_CLIENT_AUTH_CERT_NEEDED, rv);
1200 EXPECT_FALSE(sock->IsConnected());
1201 }
1202
1203 // Connect to a server requesting optional client authentication. Send it a
1204 // null certificate. It should allow the connection.
1205 //
1206 // TODO(davidben): Also test providing an actual certificate.
1207 TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
1208 SpawnedTestServer::SSLOptions ssl_options;
1209 ssl_options.request_client_certificate = true;
1210 SpawnedTestServer test_server(
1211 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
1212 ASSERT_TRUE(test_server.Start());
1213
1214 AddressList addr;
1215 ASSERT_TRUE(test_server.GetAddressList(&addr));
1216
1217 TestCompletionCallback callback;
1218 CapturingNetLog log;
1219 scoped_ptr<StreamSocket> transport(
1220 new TCPClientSocket(addr, &log, NetLog::Source()));
1221 int rv = transport->Connect(callback.callback());
1222 if (rv == ERR_IO_PENDING)
1223 rv = callback.WaitForResult();
1224 EXPECT_EQ(OK, rv);
1225
1226 SSLConfig ssl_config;
1227 ssl_config.send_client_cert = true;
1228 ssl_config.client_cert = NULL;
1229
1230 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1231 transport.Pass(), test_server.host_port_pair(), ssl_config));
1232
1233 EXPECT_FALSE(sock->IsConnected());
1234
1235 // Our test server accepts certificate-less connections.
1236 // TODO(davidben): Add a test which requires them and verify the error.
1237 rv = sock->Connect(callback.callback());
1238
1239 CapturingNetLog::CapturedEntryList entries;
1240 log.GetEntries(&entries);
1241 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
1242 if (rv == ERR_IO_PENDING)
1243 rv = callback.WaitForResult();
1244
1245 EXPECT_EQ(OK, rv);
1246 EXPECT_TRUE(sock->IsConnected());
1247 log.GetEntries(&entries);
1248 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
1249
1250 // We responded to the server's certificate request with a Certificate
1251 // message with no client certificate in it. ssl_info.client_cert_sent
1252 // should be false in this case.
1253 SSLInfo ssl_info;
1254 sock->GetSSLInfo(&ssl_info);
1255 EXPECT_FALSE(ssl_info.client_cert_sent);
1256
1257 sock->Disconnect();
1258 EXPECT_FALSE(sock->IsConnected());
1259 }
1260
1261 // TODO(wtc): Add unit tests for IsConnectedAndIdle:
1262 // - Server closes an SSL connection (with a close_notify alert message).
1263 // - Server closes the underlying TCP connection directly.
1264 // - Server sends data unexpectedly.
1265
1266 TEST_F(SSLClientSocketTest, Read) {
1267 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1268 SpawnedTestServer::kLocalhost,
1269 base::FilePath());
1270 ASSERT_TRUE(test_server.Start());
1271
1272 AddressList addr;
1273 ASSERT_TRUE(test_server.GetAddressList(&addr));
1274
1275 TestCompletionCallback callback;
1276 scoped_ptr<StreamSocket> transport(
1277 new TCPClientSocket(addr, NULL, NetLog::Source()));
1278 int rv = transport->Connect(callback.callback());
1279 if (rv == ERR_IO_PENDING)
1280 rv = callback.WaitForResult();
1281 EXPECT_EQ(OK, rv);
1282
1283 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1284 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1285
1286 rv = sock->Connect(callback.callback());
1287 if (rv == ERR_IO_PENDING)
1288 rv = callback.WaitForResult();
1289 EXPECT_EQ(OK, rv);
1290 EXPECT_TRUE(sock->IsConnected());
1291
1292 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1293 scoped_refptr<IOBuffer> request_buffer(
1294 new IOBuffer(arraysize(request_text) - 1));
1295 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1296
1297 rv = sock->Write(
1298 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
1299 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1300
1301 if (rv == ERR_IO_PENDING)
1302 rv = callback.WaitForResult();
1303 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1304
1305 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1306 for (;;) {
1307 rv = sock->Read(buf.get(), 4096, callback.callback());
1308 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1309
1310 if (rv == ERR_IO_PENDING)
1311 rv = callback.WaitForResult();
1312
1313 EXPECT_GE(rv, 0);
1314 if (rv <= 0)
1315 break;
1316 }
1317 }
1318
1319 // Tests that SSLClientSocket properly handles when the underlying transport
1320 // synchronously fails a transport read in during the handshake. The error code
1321 // should be preserved so SSLv3 fallback logic can condition on it.
1322 TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
1323 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1324 SpawnedTestServer::kLocalhost,
1325 base::FilePath());
1326 ASSERT_TRUE(test_server.Start());
1327
1328 AddressList addr;
1329 ASSERT_TRUE(test_server.GetAddressList(&addr));
1330
1331 TestCompletionCallback callback;
1332 scoped_ptr<StreamSocket> real_transport(
1333 new TCPClientSocket(addr, NULL, NetLog::Source()));
1334 scoped_ptr<SynchronousErrorStreamSocket> transport(
1335 new SynchronousErrorStreamSocket(real_transport.Pass()));
1336 int rv = callback.GetResult(transport->Connect(callback.callback()));
1337 EXPECT_EQ(OK, rv);
1338
1339 // Disable TLS False Start to avoid handshake non-determinism.
1340 SSLConfig ssl_config;
1341 ssl_config.false_start_enabled = false;
1342
1343 SynchronousErrorStreamSocket* raw_transport = transport.get();
1344 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1345 transport.Pass(), test_server.host_port_pair(), ssl_config));
1346
1347 raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
1348
1349 rv = callback.GetResult(sock->Connect(callback.callback()));
1350 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1351 EXPECT_FALSE(sock->IsConnected());
1352 }
1353
1354 // Tests that the SSLClientSocket properly handles when the underlying transport
1355 // synchronously returns an error code - such as if an intermediary terminates
1356 // the socket connection uncleanly.
1357 // This is a regression test for http://crbug.com/238536
1358 TEST_F(SSLClientSocketTest, Read_WithSynchronousError) {
1359 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1360 SpawnedTestServer::kLocalhost,
1361 base::FilePath());
1362 ASSERT_TRUE(test_server.Start());
1363
1364 AddressList addr;
1365 ASSERT_TRUE(test_server.GetAddressList(&addr));
1366
1367 TestCompletionCallback callback;
1368 scoped_ptr<StreamSocket> real_transport(
1369 new TCPClientSocket(addr, NULL, NetLog::Source()));
1370 scoped_ptr<SynchronousErrorStreamSocket> transport(
1371 new SynchronousErrorStreamSocket(real_transport.Pass()));
1372 int rv = callback.GetResult(transport->Connect(callback.callback()));
1373 EXPECT_EQ(OK, rv);
1374
1375 // Disable TLS False Start to avoid handshake non-determinism.
1376 SSLConfig ssl_config;
1377 ssl_config.false_start_enabled = false;
1378
1379 SynchronousErrorStreamSocket* raw_transport = transport.get();
1380 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1381 transport.Pass(), test_server.host_port_pair(), ssl_config));
1382
1383 rv = callback.GetResult(sock->Connect(callback.callback()));
1384 EXPECT_EQ(OK, rv);
1385 EXPECT_TRUE(sock->IsConnected());
1386
1387 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1388 static const int kRequestTextSize =
1389 static_cast<int>(arraysize(request_text) - 1);
1390 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1391 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1392
1393 rv = callback.GetResult(
1394 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1395 EXPECT_EQ(kRequestTextSize, rv);
1396
1397 // Simulate an unclean/forcible shutdown.
1398 raw_transport->SetNextReadError(ERR_CONNECTION_RESET);
1399
1400 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1401
1402 // Note: This test will hang if this bug has regressed. Simply checking that
1403 // rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING is a legitimate
1404 // result when using a dedicated task runner for NSS.
1405 rv = callback.GetResult(sock->Read(buf.get(), 4096, callback.callback()));
1406 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1407 }
1408
1409 // Tests that the SSLClientSocket properly handles when the underlying transport
1410 // asynchronously returns an error code while writing data - such as if an
1411 // intermediary terminates the socket connection uncleanly.
1412 // This is a regression test for http://crbug.com/249848
1413 TEST_F(SSLClientSocketTest, Write_WithSynchronousError) {
1414 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1415 SpawnedTestServer::kLocalhost,
1416 base::FilePath());
1417 ASSERT_TRUE(test_server.Start());
1418
1419 AddressList addr;
1420 ASSERT_TRUE(test_server.GetAddressList(&addr));
1421
1422 TestCompletionCallback callback;
1423 scoped_ptr<StreamSocket> real_transport(
1424 new TCPClientSocket(addr, NULL, NetLog::Source()));
1425 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1426 // is retained in order to configure additional errors.
1427 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1428 new SynchronousErrorStreamSocket(real_transport.Pass()));
1429 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1430 scoped_ptr<FakeBlockingStreamSocket> transport(
1431 new FakeBlockingStreamSocket(error_socket.Pass()));
1432 FakeBlockingStreamSocket* raw_transport = transport.get();
1433 int rv = callback.GetResult(transport->Connect(callback.callback()));
1434 EXPECT_EQ(OK, rv);
1435
1436 // Disable TLS False Start to avoid handshake non-determinism.
1437 SSLConfig ssl_config;
1438 ssl_config.false_start_enabled = false;
1439
1440 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1441 transport.Pass(), test_server.host_port_pair(), ssl_config));
1442
1443 rv = callback.GetResult(sock->Connect(callback.callback()));
1444 EXPECT_EQ(OK, rv);
1445 EXPECT_TRUE(sock->IsConnected());
1446
1447 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1448 static const int kRequestTextSize =
1449 static_cast<int>(arraysize(request_text) - 1);
1450 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1451 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1452
1453 // Simulate an unclean/forcible shutdown on the underlying socket.
1454 // However, simulate this error asynchronously.
1455 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1456 raw_transport->BlockWrite();
1457
1458 // This write should complete synchronously, because the TLS ciphertext
1459 // can be created and placed into the outgoing buffers independent of the
1460 // underlying transport.
1461 rv = callback.GetResult(
1462 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1463 EXPECT_EQ(kRequestTextSize, rv);
1464
1465 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1466
1467 rv = sock->Read(buf.get(), 4096, callback.callback());
1468 EXPECT_EQ(ERR_IO_PENDING, rv);
1469
1470 // Now unblock the outgoing request, having it fail with the connection
1471 // being reset.
1472 raw_transport->UnblockWrite();
1473
1474 // Note: This will cause an inifite loop if this bug has regressed. Simply
1475 // checking that rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING
1476 // is a legitimate result when using a dedicated task runner for NSS.
1477 rv = callback.GetResult(rv);
1478 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1479 }
1480
1481 // If there is a Write failure at the transport with no follow-up Read, although
1482 // the write error will not be returned to the client until a future Read or
1483 // Write operation, SSLClientSocket should not spin attempting to re-write on
1484 // the socket. This is a regression test for part of https://crbug.com/381160.
1485 TEST_F(SSLClientSocketTest, Write_WithSynchronousErrorNoRead) {
1486 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1487 SpawnedTestServer::kLocalhost,
1488 base::FilePath());
1489 ASSERT_TRUE(test_server.Start());
1490
1491 AddressList addr;
1492 ASSERT_TRUE(test_server.GetAddressList(&addr));
1493
1494 TestCompletionCallback callback;
1495 scoped_ptr<StreamSocket> real_transport(
1496 new TCPClientSocket(addr, NULL, NetLog::Source()));
1497 // Note: intermediate sockets' ownership are handed to |sock|, but a pointer
1498 // is retained in order to query them.
1499 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1500 new SynchronousErrorStreamSocket(real_transport.Pass()));
1501 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1502 scoped_ptr<CountingStreamSocket> counting_socket(
1503 new CountingStreamSocket(error_socket.Pass()));
1504 CountingStreamSocket* raw_counting_socket = counting_socket.get();
1505 int rv = callback.GetResult(counting_socket->Connect(callback.callback()));
1506 ASSERT_EQ(OK, rv);
1507
1508 // Disable TLS False Start to avoid handshake non-determinism.
1509 SSLConfig ssl_config;
1510 ssl_config.false_start_enabled = false;
1511
1512 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1513 counting_socket.Pass(), test_server.host_port_pair(), ssl_config));
1514
1515 rv = callback.GetResult(sock->Connect(callback.callback()));
1516 ASSERT_EQ(OK, rv);
1517 ASSERT_TRUE(sock->IsConnected());
1518
1519 // Simulate an unclean/forcible shutdown on the underlying socket.
1520 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1521
1522 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1523 static const int kRequestTextSize =
1524 static_cast<int>(arraysize(request_text) - 1);
1525 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1526 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1527
1528 // This write should complete synchronously, because the TLS ciphertext
1529 // can be created and placed into the outgoing buffers independent of the
1530 // underlying transport.
1531 rv = callback.GetResult(
1532 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1533 ASSERT_EQ(kRequestTextSize, rv);
1534
1535 // Let the event loop spin for a little bit of time. Even on platforms where
1536 // pumping the state machine involve thread hops, there should be no further
1537 // writes on the transport socket.
1538 //
1539 // TODO(davidben): Avoid the arbitrary timeout?
1540 int old_write_count = raw_counting_socket->write_count();
1541 base::RunLoop loop;
1542 base::MessageLoop::current()->PostDelayedTask(
1543 FROM_HERE, loop.QuitClosure(), base::TimeDelta::FromMilliseconds(100));
1544 loop.Run();
1545 EXPECT_EQ(old_write_count, raw_counting_socket->write_count());
1546 }
1547
1548 // Test the full duplex mode, with Read and Write pending at the same time.
1549 // This test also serves as a regression test for http://crbug.com/29815.
1550 TEST_F(SSLClientSocketTest, Read_FullDuplex) {
1551 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1552 SpawnedTestServer::kLocalhost,
1553 base::FilePath());
1554 ASSERT_TRUE(test_server.Start());
1555
1556 AddressList addr;
1557 ASSERT_TRUE(test_server.GetAddressList(&addr));
1558
1559 TestCompletionCallback callback; // Used for everything except Write.
1560
1561 scoped_ptr<StreamSocket> transport(
1562 new TCPClientSocket(addr, NULL, NetLog::Source()));
1563 int rv = transport->Connect(callback.callback());
1564 if (rv == ERR_IO_PENDING)
1565 rv = callback.WaitForResult();
1566 EXPECT_EQ(OK, rv);
1567
1568 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1569 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1570
1571 rv = sock->Connect(callback.callback());
1572 if (rv == ERR_IO_PENDING)
1573 rv = callback.WaitForResult();
1574 EXPECT_EQ(OK, rv);
1575 EXPECT_TRUE(sock->IsConnected());
1576
1577 // Issue a "hanging" Read first.
1578 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1579 rv = sock->Read(buf.get(), 4096, callback.callback());
1580 // We haven't written the request, so there should be no response yet.
1581 ASSERT_EQ(ERR_IO_PENDING, rv);
1582
1583 // Write the request.
1584 // The request is padded with a User-Agent header to a size that causes the
1585 // memio circular buffer (4k bytes) in SSLClientSocketNSS to wrap around.
1586 // This tests the fix for http://crbug.com/29815.
1587 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1588 for (int i = 0; i < 3770; ++i)
1589 request_text.push_back('*');
1590 request_text.append("\r\n\r\n");
1591 scoped_refptr<IOBuffer> request_buffer(new StringIOBuffer(request_text));
1592
1593 TestCompletionCallback callback2; // Used for Write only.
1594 rv = sock->Write(
1595 request_buffer.get(), request_text.size(), callback2.callback());
1596 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1597
1598 if (rv == ERR_IO_PENDING)
1599 rv = callback2.WaitForResult();
1600 EXPECT_EQ(static_cast<int>(request_text.size()), rv);
1601
1602 // Now get the Read result.
1603 rv = callback.WaitForResult();
1604 EXPECT_GT(rv, 0);
1605 }
1606
1607 // Attempts to Read() and Write() from an SSLClientSocketNSS in full duplex
1608 // mode when the underlying transport is blocked on sending data. When the
1609 // underlying transport completes due to an error, it should invoke both the
1610 // Read() and Write() callbacks. If the socket is deleted by the Read()
1611 // callback, the Write() callback should not be invoked.
1612 // Regression test for http://crbug.com/232633
1613 TEST_F(SSLClientSocketTest, Read_DeleteWhilePendingFullDuplex) {
1614 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1615 SpawnedTestServer::kLocalhost,
1616 base::FilePath());
1617 ASSERT_TRUE(test_server.Start());
1618
1619 AddressList addr;
1620 ASSERT_TRUE(test_server.GetAddressList(&addr));
1621
1622 TestCompletionCallback callback;
1623 scoped_ptr<StreamSocket> real_transport(
1624 new TCPClientSocket(addr, NULL, NetLog::Source()));
1625 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1626 // is retained in order to configure additional errors.
1627 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1628 new SynchronousErrorStreamSocket(real_transport.Pass()));
1629 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1630 scoped_ptr<FakeBlockingStreamSocket> transport(
1631 new FakeBlockingStreamSocket(error_socket.Pass()));
1632 FakeBlockingStreamSocket* raw_transport = transport.get();
1633
1634 int rv = callback.GetResult(transport->Connect(callback.callback()));
1635 EXPECT_EQ(OK, rv);
1636
1637 // Disable TLS False Start to avoid handshake non-determinism.
1638 SSLConfig ssl_config;
1639 ssl_config.false_start_enabled = false;
1640
1641 scoped_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
1642 transport.Pass(), test_server.host_port_pair(), ssl_config);
1643
1644 rv = callback.GetResult(sock->Connect(callback.callback()));
1645 EXPECT_EQ(OK, rv);
1646 EXPECT_TRUE(sock->IsConnected());
1647
1648 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1649 request_text.append(20 * 1024, '*');
1650 request_text.append("\r\n\r\n");
1651 scoped_refptr<DrainableIOBuffer> request_buffer(new DrainableIOBuffer(
1652 new StringIOBuffer(request_text), request_text.size()));
1653
1654 // Simulate errors being returned from the underlying Read() and Write() ...
1655 raw_error_socket->SetNextReadError(ERR_CONNECTION_RESET);
1656 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1657 // ... but have those errors returned asynchronously. Because the Write() will
1658 // return first, this will trigger the error.
1659 raw_transport->BlockReadResult();
1660 raw_transport->BlockWrite();
1661
1662 // Enqueue a Read() before calling Write(), which should "hang" due to
1663 // the ERR_IO_PENDING caused by SetReadShouldBlock() and thus return.
1664 SSLClientSocket* raw_sock = sock.get();
1665 DeleteSocketCallback read_callback(sock.release());
1666 scoped_refptr<IOBuffer> read_buf(new IOBuffer(4096));
1667 rv = raw_sock->Read(read_buf.get(), 4096, read_callback.callback());
1668
1669 // Ensure things didn't complete synchronously, otherwise |sock| is invalid.
1670 ASSERT_EQ(ERR_IO_PENDING, rv);
1671 ASSERT_FALSE(read_callback.have_result());
1672
1673 #if !defined(USE_OPENSSL)
1674 // NSS follows a pattern where a call to PR_Write will only consume as
1675 // much data as it can encode into application data records before the
1676 // internal memio buffer is full, which should only fill if writing a large
1677 // amount of data and the underlying transport is blocked. Once this happens,
1678 // NSS will return (total size of all application data records it wrote) - 1,
1679 // with the caller expected to resume with the remaining unsent data.
1680 //
1681 // This causes SSLClientSocketNSS::Write to return that it wrote some data
1682 // before it will return ERR_IO_PENDING, so make an extra call to Write() to
1683 // get the socket in the state needed for the test below.
1684 //
1685 // This is not needed for OpenSSL, because for OpenSSL,
1686 // SSL_MODE_ENABLE_PARTIAL_WRITE is not specified - thus
1687 // SSLClientSocketOpenSSL::Write() will not return until all of
1688 // |request_buffer| has been written to the underlying BIO (although not
1689 // necessarily the underlying transport).
1690 rv = callback.GetResult(raw_sock->Write(request_buffer.get(),
1691 request_buffer->BytesRemaining(),
1692 callback.callback()));
1693 ASSERT_LT(0, rv);
1694 request_buffer->DidConsume(rv);
1695
1696 // Guard to ensure that |request_buffer| was larger than all of the internal
1697 // buffers (transport, memio, NSS) along the way - otherwise the next call
1698 // to Write() will crash with an invalid buffer.
1699 ASSERT_LT(0, request_buffer->BytesRemaining());
1700 #endif
1701
1702 // Attempt to write the remaining data. NSS will not be able to consume the
1703 // application data because the internal buffers are full, while OpenSSL will
1704 // return that its blocked because the underlying transport is blocked.
1705 rv = raw_sock->Write(request_buffer.get(),
1706 request_buffer->BytesRemaining(),
1707 callback.callback());
1708 ASSERT_EQ(ERR_IO_PENDING, rv);
1709 ASSERT_FALSE(callback.have_result());
1710
1711 // Now unblock Write(), which will invoke OnSendComplete and (eventually)
1712 // call the Read() callback, deleting the socket and thus aborting calling
1713 // the Write() callback.
1714 raw_transport->UnblockWrite();
1715
1716 rv = read_callback.WaitForResult();
1717 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1718
1719 // The Write callback should not have been called.
1720 EXPECT_FALSE(callback.have_result());
1721 }
1722
1723 // Tests that the SSLClientSocket does not crash if data is received on the
1724 // transport socket after a failing write. This can occur if we have a Write
1725 // error in a SPDY socket.
1726 // Regression test for http://crbug.com/335557
1727 TEST_F(SSLClientSocketTest, Read_WithWriteError) {
1728 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1729 SpawnedTestServer::kLocalhost,
1730 base::FilePath());
1731 ASSERT_TRUE(test_server.Start());
1732
1733 AddressList addr;
1734 ASSERT_TRUE(test_server.GetAddressList(&addr));
1735
1736 TestCompletionCallback callback;
1737 scoped_ptr<StreamSocket> real_transport(
1738 new TCPClientSocket(addr, NULL, NetLog::Source()));
1739 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1740 // is retained in order to configure additional errors.
1741 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1742 new SynchronousErrorStreamSocket(real_transport.Pass()));
1743 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1744 scoped_ptr<FakeBlockingStreamSocket> transport(
1745 new FakeBlockingStreamSocket(error_socket.Pass()));
1746 FakeBlockingStreamSocket* raw_transport = transport.get();
1747
1748 int rv = callback.GetResult(transport->Connect(callback.callback()));
1749 EXPECT_EQ(OK, rv);
1750
1751 // Disable TLS False Start to avoid handshake non-determinism.
1752 SSLConfig ssl_config;
1753 ssl_config.false_start_enabled = false;
1754
1755 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1756 transport.Pass(), test_server.host_port_pair(), ssl_config));
1757
1758 rv = callback.GetResult(sock->Connect(callback.callback()));
1759 EXPECT_EQ(OK, rv);
1760 EXPECT_TRUE(sock->IsConnected());
1761
1762 // Send a request so there is something to read from the socket.
1763 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1764 static const int kRequestTextSize =
1765 static_cast<int>(arraysize(request_text) - 1);
1766 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestTextSize));
1767 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1768
1769 rv = callback.GetResult(
1770 sock->Write(request_buffer.get(), kRequestTextSize, callback.callback()));
1771 EXPECT_EQ(kRequestTextSize, rv);
1772
1773 // Start a hanging read.
1774 TestCompletionCallback read_callback;
1775 raw_transport->BlockReadResult();
1776 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1777 rv = sock->Read(buf.get(), 4096, read_callback.callback());
1778 EXPECT_EQ(ERR_IO_PENDING, rv);
1779
1780 // Perform another write, but have it fail. Write a request larger than the
1781 // internal socket buffers so that the request hits the underlying transport
1782 // socket and detects the error.
1783 std::string long_request_text =
1784 "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1785 long_request_text.append(20 * 1024, '*');
1786 long_request_text.append("\r\n\r\n");
1787 scoped_refptr<DrainableIOBuffer> long_request_buffer(new DrainableIOBuffer(
1788 new StringIOBuffer(long_request_text), long_request_text.size()));
1789
1790 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1791
1792 // Write as much data as possible until hitting an error. This is necessary
1793 // for NSS. PR_Write will only consume as much data as it can encode into
1794 // application data records before the internal memio buffer is full, which
1795 // should only fill if writing a large amount of data and the underlying
1796 // transport is blocked. Once this happens, NSS will return (total size of all
1797 // application data records it wrote) - 1, with the caller expected to resume
1798 // with the remaining unsent data.
1799 do {
1800 rv = callback.GetResult(sock->Write(long_request_buffer.get(),
1801 long_request_buffer->BytesRemaining(),
1802 callback.callback()));
1803 if (rv > 0) {
1804 long_request_buffer->DidConsume(rv);
1805 // Abort if the entire buffer is ever consumed.
1806 ASSERT_LT(0, long_request_buffer->BytesRemaining());
1807 }
1808 } while (rv > 0);
1809
1810 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1811
1812 // Release the read.
1813 raw_transport->UnblockReadResult();
1814 rv = read_callback.WaitForResult();
1815
1816 #if defined(USE_OPENSSL)
1817 // Should still read bytes despite the write error.
1818 EXPECT_LT(0, rv);
1819 #else
1820 // NSS attempts to flush the write buffer in PR_Read on an SSL socket before
1821 // pumping the read state machine, unless configured with SSL_ENABLE_FDX, so
1822 // the write error stops future reads.
1823 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
1824 #endif
1825 }
1826
1827 // Tests that SSLClientSocket fails the handshake if the underlying
1828 // transport is cleanly closed.
1829 TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) {
1830 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1831 SpawnedTestServer::kLocalhost,
1832 base::FilePath());
1833 ASSERT_TRUE(test_server.Start());
1834
1835 AddressList addr;
1836 ASSERT_TRUE(test_server.GetAddressList(&addr));
1837
1838 TestCompletionCallback callback;
1839 scoped_ptr<StreamSocket> real_transport(
1840 new TCPClientSocket(addr, NULL, NetLog::Source()));
1841 scoped_ptr<SynchronousErrorStreamSocket> transport(
1842 new SynchronousErrorStreamSocket(real_transport.Pass()));
1843 int rv = callback.GetResult(transport->Connect(callback.callback()));
1844 EXPECT_EQ(OK, rv);
1845
1846 SynchronousErrorStreamSocket* raw_transport = transport.get();
1847 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1848 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1849
1850 raw_transport->SetNextReadError(0);
1851
1852 rv = callback.GetResult(sock->Connect(callback.callback()));
1853 EXPECT_EQ(ERR_CONNECTION_CLOSED, rv);
1854 EXPECT_FALSE(sock->IsConnected());
1855 }
1856
1857 // Tests that SSLClientSocket cleanly returns a Read of size 0 if the
1858 // underlying socket is cleanly closed.
1859 // This is a regression test for https://crbug.com/422246
1860 TEST_F(SSLClientSocketTest, Read_WithZeroReturn) {
1861 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1862 SpawnedTestServer::kLocalhost,
1863 base::FilePath());
1864 ASSERT_TRUE(test_server.Start());
1865
1866 AddressList addr;
1867 ASSERT_TRUE(test_server.GetAddressList(&addr));
1868
1869 TestCompletionCallback callback;
1870 scoped_ptr<StreamSocket> real_transport(
1871 new TCPClientSocket(addr, NULL, NetLog::Source()));
1872 scoped_ptr<SynchronousErrorStreamSocket> transport(
1873 new SynchronousErrorStreamSocket(real_transport.Pass()));
1874 int rv = callback.GetResult(transport->Connect(callback.callback()));
1875 EXPECT_EQ(OK, rv);
1876
1877 // Disable TLS False Start to ensure the handshake has completed.
1878 SSLConfig ssl_config;
1879 ssl_config.false_start_enabled = false;
1880
1881 SynchronousErrorStreamSocket* raw_transport = transport.get();
1882 scoped_ptr<SSLClientSocket> sock(
1883 CreateSSLClientSocket(transport.Pass(),
1884 test_server.host_port_pair(),
1885 ssl_config));
1886
1887 rv = callback.GetResult(sock->Connect(callback.callback()));
1888 EXPECT_EQ(OK, rv);
1889 EXPECT_TRUE(sock->IsConnected());
1890
1891 raw_transport->SetNextReadError(0);
1892 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1893 rv = callback.GetResult(sock->Read(buf.get(), 4096, callback.callback()));
1894 EXPECT_EQ(0, rv);
1895 }
1896
1897 // Tests that SSLClientSocket cleanly returns a Read of size 0 if the
1898 // underlying socket is cleanly closed asynchronously.
1899 // This is a regression test for https://crbug.com/422246
1900 TEST_F(SSLClientSocketTest, Read_WithAsyncZeroReturn) {
1901 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1902 SpawnedTestServer::kLocalhost,
1903 base::FilePath());
1904 ASSERT_TRUE(test_server.Start());
1905
1906 AddressList addr;
1907 ASSERT_TRUE(test_server.GetAddressList(&addr));
1908
1909 TestCompletionCallback callback;
1910 scoped_ptr<StreamSocket> real_transport(
1911 new TCPClientSocket(addr, NULL, NetLog::Source()));
1912 scoped_ptr<SynchronousErrorStreamSocket> error_socket(
1913 new SynchronousErrorStreamSocket(real_transport.Pass()));
1914 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
1915 scoped_ptr<FakeBlockingStreamSocket> transport(
1916 new FakeBlockingStreamSocket(error_socket.Pass()));
1917 FakeBlockingStreamSocket* raw_transport = transport.get();
1918 int rv = callback.GetResult(transport->Connect(callback.callback()));
1919 EXPECT_EQ(OK, rv);
1920
1921 // Disable TLS False Start to ensure the handshake has completed.
1922 SSLConfig ssl_config;
1923 ssl_config.false_start_enabled = false;
1924
1925 scoped_ptr<SSLClientSocket> sock(
1926 CreateSSLClientSocket(transport.Pass(),
1927 test_server.host_port_pair(),
1928 ssl_config));
1929
1930 rv = callback.GetResult(sock->Connect(callback.callback()));
1931 EXPECT_EQ(OK, rv);
1932 EXPECT_TRUE(sock->IsConnected());
1933
1934 raw_error_socket->SetNextReadError(0);
1935 raw_transport->BlockReadResult();
1936 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
1937 rv = sock->Read(buf.get(), 4096, callback.callback());
1938 EXPECT_EQ(ERR_IO_PENDING, rv);
1939
1940 raw_transport->UnblockReadResult();
1941 rv = callback.GetResult(rv);
1942 EXPECT_EQ(0, rv);
1943 }
1944
1945 TEST_F(SSLClientSocketTest, Read_SmallChunks) {
1946 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1947 SpawnedTestServer::kLocalhost,
1948 base::FilePath());
1949 ASSERT_TRUE(test_server.Start());
1950
1951 AddressList addr;
1952 ASSERT_TRUE(test_server.GetAddressList(&addr));
1953
1954 TestCompletionCallback callback;
1955 scoped_ptr<StreamSocket> transport(
1956 new TCPClientSocket(addr, NULL, NetLog::Source()));
1957 int rv = transport->Connect(callback.callback());
1958 if (rv == ERR_IO_PENDING)
1959 rv = callback.WaitForResult();
1960 EXPECT_EQ(OK, rv);
1961
1962 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
1963 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
1964
1965 rv = sock->Connect(callback.callback());
1966 if (rv == ERR_IO_PENDING)
1967 rv = callback.WaitForResult();
1968 EXPECT_EQ(OK, rv);
1969
1970 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1971 scoped_refptr<IOBuffer> request_buffer(
1972 new IOBuffer(arraysize(request_text) - 1));
1973 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
1974
1975 rv = sock->Write(
1976 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
1977 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1978
1979 if (rv == ERR_IO_PENDING)
1980 rv = callback.WaitForResult();
1981 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
1982
1983 scoped_refptr<IOBuffer> buf(new IOBuffer(1));
1984 for (;;) {
1985 rv = sock->Read(buf.get(), 1, callback.callback());
1986 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
1987
1988 if (rv == ERR_IO_PENDING)
1989 rv = callback.WaitForResult();
1990
1991 EXPECT_GE(rv, 0);
1992 if (rv <= 0)
1993 break;
1994 }
1995 }
1996
1997 TEST_F(SSLClientSocketTest, Read_ManySmallRecords) {
1998 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
1999 SpawnedTestServer::kLocalhost,
2000 base::FilePath());
2001 ASSERT_TRUE(test_server.Start());
2002
2003 AddressList addr;
2004 ASSERT_TRUE(test_server.GetAddressList(&addr));
2005
2006 TestCompletionCallback callback;
2007
2008 scoped_ptr<StreamSocket> real_transport(
2009 new TCPClientSocket(addr, NULL, NetLog::Source()));
2010 scoped_ptr<ReadBufferingStreamSocket> transport(
2011 new ReadBufferingStreamSocket(real_transport.Pass()));
2012 ReadBufferingStreamSocket* raw_transport = transport.get();
2013 int rv = callback.GetResult(transport->Connect(callback.callback()));
2014 ASSERT_EQ(OK, rv);
2015
2016 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2017 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2018
2019 rv = callback.GetResult(sock->Connect(callback.callback()));
2020 ASSERT_EQ(OK, rv);
2021 ASSERT_TRUE(sock->IsConnected());
2022
2023 const char request_text[] = "GET /ssl-many-small-records HTTP/1.0\r\n\r\n";
2024 scoped_refptr<IOBuffer> request_buffer(
2025 new IOBuffer(arraysize(request_text) - 1));
2026 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
2027
2028 rv = callback.GetResult(sock->Write(
2029 request_buffer.get(), arraysize(request_text) - 1, callback.callback()));
2030 ASSERT_GT(rv, 0);
2031 ASSERT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
2032
2033 // Note: This relies on SSLClientSocketNSS attempting to read up to 17K of
2034 // data (the max SSL record size) at a time. Ensure that at least 15K worth
2035 // of SSL data is buffered first. The 15K of buffered data is made up of
2036 // many smaller SSL records (the TestServer writes along 1350 byte
2037 // plaintext boundaries), although there may also be a few records that are
2038 // smaller or larger, due to timing and SSL False Start.
2039 // 15K was chosen because 15K is smaller than the 17K (max) read issued by
2040 // the SSLClientSocket implementation, and larger than the minimum amount
2041 // of ciphertext necessary to contain the 8K of plaintext requested below.
2042 raw_transport->SetBufferSize(15000);
2043
2044 scoped_refptr<IOBuffer> buffer(new IOBuffer(8192));
2045 rv = callback.GetResult(sock->Read(buffer.get(), 8192, callback.callback()));
2046 ASSERT_EQ(rv, 8192);
2047 }
2048
2049 TEST_F(SSLClientSocketTest, Read_Interrupted) {
2050 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2051 SpawnedTestServer::kLocalhost,
2052 base::FilePath());
2053 ASSERT_TRUE(test_server.Start());
2054
2055 AddressList addr;
2056 ASSERT_TRUE(test_server.GetAddressList(&addr));
2057
2058 TestCompletionCallback callback;
2059 scoped_ptr<StreamSocket> transport(
2060 new TCPClientSocket(addr, NULL, NetLog::Source()));
2061 int rv = transport->Connect(callback.callback());
2062 if (rv == ERR_IO_PENDING)
2063 rv = callback.WaitForResult();
2064 EXPECT_EQ(OK, rv);
2065
2066 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2067 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2068
2069 rv = sock->Connect(callback.callback());
2070 if (rv == ERR_IO_PENDING)
2071 rv = callback.WaitForResult();
2072 EXPECT_EQ(OK, rv);
2073
2074 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
2075 scoped_refptr<IOBuffer> request_buffer(
2076 new IOBuffer(arraysize(request_text) - 1));
2077 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
2078
2079 rv = sock->Write(
2080 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
2081 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2082
2083 if (rv == ERR_IO_PENDING)
2084 rv = callback.WaitForResult();
2085 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
2086
2087 // Do a partial read and then exit. This test should not crash!
2088 scoped_refptr<IOBuffer> buf(new IOBuffer(512));
2089 rv = sock->Read(buf.get(), 512, callback.callback());
2090 EXPECT_TRUE(rv > 0 || rv == ERR_IO_PENDING);
2091
2092 if (rv == ERR_IO_PENDING)
2093 rv = callback.WaitForResult();
2094
2095 EXPECT_GT(rv, 0);
2096 }
2097
2098 TEST_F(SSLClientSocketTest, Read_FullLogging) {
2099 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2100 SpawnedTestServer::kLocalhost,
2101 base::FilePath());
2102 ASSERT_TRUE(test_server.Start());
2103
2104 AddressList addr;
2105 ASSERT_TRUE(test_server.GetAddressList(&addr));
2106
2107 TestCompletionCallback callback;
2108 CapturingNetLog log;
2109 log.SetLogLevel(NetLog::LOG_ALL);
2110 scoped_ptr<StreamSocket> transport(
2111 new TCPClientSocket(addr, &log, NetLog::Source()));
2112 int rv = transport->Connect(callback.callback());
2113 if (rv == ERR_IO_PENDING)
2114 rv = callback.WaitForResult();
2115 EXPECT_EQ(OK, rv);
2116
2117 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2118 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2119
2120 rv = sock->Connect(callback.callback());
2121 if (rv == ERR_IO_PENDING)
2122 rv = callback.WaitForResult();
2123 EXPECT_EQ(OK, rv);
2124 EXPECT_TRUE(sock->IsConnected());
2125
2126 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
2127 scoped_refptr<IOBuffer> request_buffer(
2128 new IOBuffer(arraysize(request_text) - 1));
2129 memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1);
2130
2131 rv = sock->Write(
2132 request_buffer.get(), arraysize(request_text) - 1, callback.callback());
2133 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2134
2135 if (rv == ERR_IO_PENDING)
2136 rv = callback.WaitForResult();
2137 EXPECT_EQ(static_cast<int>(arraysize(request_text) - 1), rv);
2138
2139 CapturingNetLog::CapturedEntryList entries;
2140 log.GetEntries(&entries);
2141 size_t last_index = ExpectLogContainsSomewhereAfter(
2142 entries, 5, NetLog::TYPE_SSL_SOCKET_BYTES_SENT, NetLog::PHASE_NONE);
2143
2144 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
2145 for (;;) {
2146 rv = sock->Read(buf.get(), 4096, callback.callback());
2147 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2148
2149 if (rv == ERR_IO_PENDING)
2150 rv = callback.WaitForResult();
2151
2152 EXPECT_GE(rv, 0);
2153 if (rv <= 0)
2154 break;
2155
2156 log.GetEntries(&entries);
2157 last_index =
2158 ExpectLogContainsSomewhereAfter(entries,
2159 last_index + 1,
2160 NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED,
2161 NetLog::PHASE_NONE);
2162 }
2163 }
2164
2165 // Regression test for http://crbug.com/42538
2166 TEST_F(SSLClientSocketTest, PrematureApplicationData) {
2167 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2168 SpawnedTestServer::kLocalhost,
2169 base::FilePath());
2170 ASSERT_TRUE(test_server.Start());
2171
2172 AddressList addr;
2173 TestCompletionCallback callback;
2174
2175 static const unsigned char application_data[] = {
2176 0x17, 0x03, 0x01, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46, 0x03, 0x01, 0x4b,
2177 0xc2, 0xf8, 0xb2, 0xc1, 0x56, 0x42, 0xb9, 0x57, 0x7f, 0xde, 0x87, 0x46,
2178 0xf7, 0xa3, 0x52, 0x42, 0x21, 0xf0, 0x13, 0x1c, 0x9c, 0x83, 0x88, 0xd6,
2179 0x93, 0x0c, 0xf6, 0x36, 0x30, 0x05, 0x7e, 0x20, 0xb5, 0xb5, 0x73, 0x36,
2180 0x53, 0x83, 0x0a, 0xfc, 0x17, 0x63, 0xbf, 0xa0, 0xe4, 0x42, 0x90, 0x0d,
2181 0x2f, 0x18, 0x6d, 0x20, 0xd8, 0x36, 0x3f, 0xfc, 0xe6, 0x01, 0xfa, 0x0f,
2182 0xa5, 0x75, 0x7f, 0x09, 0x00, 0x04, 0x00, 0x16, 0x03, 0x01, 0x11, 0x57,
2183 0x0b, 0x00, 0x11, 0x53, 0x00, 0x11, 0x50, 0x00, 0x06, 0x22, 0x30, 0x82,
2184 0x06, 0x1e, 0x30, 0x82, 0x05, 0x06, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
2185 0x0a};
2186
2187 // All reads and writes complete synchronously (async=false).
2188 MockRead data_reads[] = {
2189 MockRead(SYNCHRONOUS,
2190 reinterpret_cast<const char*>(application_data),
2191 arraysize(application_data)),
2192 MockRead(SYNCHRONOUS, OK), };
2193
2194 StaticSocketDataProvider data(data_reads, arraysize(data_reads), NULL, 0);
2195
2196 scoped_ptr<StreamSocket> transport(
2197 new MockTCPClientSocket(addr, NULL, &data));
2198 int rv = transport->Connect(callback.callback());
2199 if (rv == ERR_IO_PENDING)
2200 rv = callback.WaitForResult();
2201 EXPECT_EQ(OK, rv);
2202
2203 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2204 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2205
2206 rv = sock->Connect(callback.callback());
2207 if (rv == ERR_IO_PENDING)
2208 rv = callback.WaitForResult();
2209 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
2210 }
2211
2212 TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
2213 // Rather than exhaustively disabling every RC4 ciphersuite defined at
2214 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml,
2215 // only disabling those cipher suites that the test server actually
2216 // implements.
2217 const uint16 kCiphersToDisable[] = {0x0005, // TLS_RSA_WITH_RC4_128_SHA
2218 };
2219
2220 SpawnedTestServer::SSLOptions ssl_options;
2221 // Enable only RC4 on the test server.
2222 ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4;
2223 SpawnedTestServer test_server(
2224 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2225 ASSERT_TRUE(test_server.Start());
2226
2227 AddressList addr;
2228 ASSERT_TRUE(test_server.GetAddressList(&addr));
2229
2230 TestCompletionCallback callback;
2231 CapturingNetLog log;
2232 scoped_ptr<StreamSocket> transport(
2233 new TCPClientSocket(addr, &log, NetLog::Source()));
2234 int rv = transport->Connect(callback.callback());
2235 if (rv == ERR_IO_PENDING)
2236 rv = callback.WaitForResult();
2237 EXPECT_EQ(OK, rv);
2238
2239 SSLConfig ssl_config;
2240 for (size_t i = 0; i < arraysize(kCiphersToDisable); ++i)
2241 ssl_config.disabled_cipher_suites.push_back(kCiphersToDisable[i]);
2242
2243 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2244 transport.Pass(), test_server.host_port_pair(), ssl_config));
2245
2246 EXPECT_FALSE(sock->IsConnected());
2247
2248 rv = sock->Connect(callback.callback());
2249 CapturingNetLog::CapturedEntryList entries;
2250 log.GetEntries(&entries);
2251 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
2252
2253 // NSS has special handling that maps a handshake_failure alert received
2254 // immediately after a client_hello to be a mismatched cipher suite error,
2255 // leading to ERR_SSL_VERSION_OR_CIPHER_MISMATCH. When using OpenSSL or
2256 // Secure Transport (OS X), the handshake_failure is bubbled up without any
2257 // interpretation, leading to ERR_SSL_PROTOCOL_ERROR. Either way, a failure
2258 // indicates that no cipher suite was negotiated with the test server.
2259 if (rv == ERR_IO_PENDING)
2260 rv = callback.WaitForResult();
2261 EXPECT_TRUE(rv == ERR_SSL_VERSION_OR_CIPHER_MISMATCH ||
2262 rv == ERR_SSL_PROTOCOL_ERROR);
2263 // The exact ordering differs between SSLClientSocketNSS (which issues an
2264 // extra read) and SSLClientSocketMac (which does not). Just make sure the
2265 // error appears somewhere in the log.
2266 log.GetEntries(&entries);
2267 ExpectLogContainsSomewhere(
2268 entries, 0, NetLog::TYPE_SSL_HANDSHAKE_ERROR, NetLog::PHASE_NONE);
2269
2270 // We cannot test sock->IsConnected(), as the NSS implementation disconnects
2271 // the socket when it encounters an error, whereas other implementations
2272 // leave it connected.
2273 // Because this an error that the test server is mutually aware of, as opposed
2274 // to being an error such as a certificate name mismatch, which is
2275 // client-only, the exact index of the SSL connect end depends on how
2276 // quickly the test server closes the underlying socket. If the test server
2277 // closes before the IO message loop pumps messages, there may be a 0-byte
2278 // Read event in the NetLog due to TCPClientSocket picking up the EOF. As a
2279 // result, the SSL connect end event will be the second-to-last entry,
2280 // rather than the last entry.
2281 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1) ||
2282 LogContainsSSLConnectEndEvent(entries, -2));
2283 }
2284
2285 // When creating an SSLClientSocket, it is allowed to pass in a
2286 // ClientSocketHandle that is not obtained from a client socket pool.
2287 // Here we verify that such a simple ClientSocketHandle, not associated with any
2288 // client socket pool, can be destroyed safely.
2289 TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
2290 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2291 SpawnedTestServer::kLocalhost,
2292 base::FilePath());
2293 ASSERT_TRUE(test_server.Start());
2294
2295 AddressList addr;
2296 ASSERT_TRUE(test_server.GetAddressList(&addr));
2297
2298 TestCompletionCallback callback;
2299 scoped_ptr<StreamSocket> transport(
2300 new TCPClientSocket(addr, NULL, NetLog::Source()));
2301 int rv = transport->Connect(callback.callback());
2302 if (rv == ERR_IO_PENDING)
2303 rv = callback.WaitForResult();
2304 EXPECT_EQ(OK, rv);
2305
2306 scoped_ptr<ClientSocketHandle> socket_handle(new ClientSocketHandle());
2307 socket_handle->SetSocket(transport.Pass());
2308
2309 scoped_ptr<SSLClientSocket> sock(socket_factory_->CreateSSLClientSocket(
2310 socket_handle.Pass(), test_server.host_port_pair(), SSLConfig(),
2311 context_));
2312
2313 EXPECT_FALSE(sock->IsConnected());
2314 rv = sock->Connect(callback.callback());
2315 if (rv == ERR_IO_PENDING)
2316 rv = callback.WaitForResult();
2317 EXPECT_EQ(OK, rv);
2318 }
2319
2320 // Verifies that SSLClientSocket::ExportKeyingMaterial return a success
2321 // code and different keying label results in different keying material.
2322 TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
2323 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2324 SpawnedTestServer::kLocalhost,
2325 base::FilePath());
2326 ASSERT_TRUE(test_server.Start());
2327
2328 AddressList addr;
2329 ASSERT_TRUE(test_server.GetAddressList(&addr));
2330
2331 TestCompletionCallback callback;
2332
2333 scoped_ptr<StreamSocket> transport(
2334 new TCPClientSocket(addr, NULL, NetLog::Source()));
2335 int rv = transport->Connect(callback.callback());
2336 if (rv == ERR_IO_PENDING)
2337 rv = callback.WaitForResult();
2338 EXPECT_EQ(OK, rv);
2339
2340 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2341 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2342
2343 rv = sock->Connect(callback.callback());
2344 if (rv == ERR_IO_PENDING)
2345 rv = callback.WaitForResult();
2346 EXPECT_EQ(OK, rv);
2347 EXPECT_TRUE(sock->IsConnected());
2348
2349 const int kKeyingMaterialSize = 32;
2350 const char kKeyingLabel1[] = "client-socket-test-1";
2351 const char kKeyingContext[] = "";
2352 unsigned char client_out1[kKeyingMaterialSize];
2353 memset(client_out1, 0, sizeof(client_out1));
2354 rv = sock->ExportKeyingMaterial(
2355 kKeyingLabel1, false, kKeyingContext, client_out1, sizeof(client_out1));
2356 EXPECT_EQ(rv, OK);
2357
2358 const char kKeyingLabel2[] = "client-socket-test-2";
2359 unsigned char client_out2[kKeyingMaterialSize];
2360 memset(client_out2, 0, sizeof(client_out2));
2361 rv = sock->ExportKeyingMaterial(
2362 kKeyingLabel2, false, kKeyingContext, client_out2, sizeof(client_out2));
2363 EXPECT_EQ(rv, OK);
2364 EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2365 }
2366
2367 // Verifies that SSLClientSocket::ClearSessionCache can be called without
2368 // explicit NSS initialization.
2369 TEST(SSLClientSocket, ClearSessionCache) {
2370 SSLClientSocket::ClearSessionCache();
2371 }
2372
2373 TEST(SSLClientSocket, SerializeNextProtos) {
2374 NextProtoVector next_protos;
2375 next_protos.push_back(kProtoHTTP11);
2376 next_protos.push_back(kProtoSPDY31);
2377 static std::vector<uint8_t> serialized =
2378 SSLClientSocket::SerializeNextProtos(next_protos, true);
2379 ASSERT_EQ(18u, serialized.size());
2380 EXPECT_EQ(8, serialized[0]); // length("http/1.1")
2381 EXPECT_EQ('h', serialized[1]);
2382 EXPECT_EQ('t', serialized[2]);
2383 EXPECT_EQ('t', serialized[3]);
2384 EXPECT_EQ('p', serialized[4]);
2385 EXPECT_EQ('/', serialized[5]);
2386 EXPECT_EQ('1', serialized[6]);
2387 EXPECT_EQ('.', serialized[7]);
2388 EXPECT_EQ('1', serialized[8]);
2389 EXPECT_EQ(8, serialized[9]); // length("spdy/3.1")
2390 EXPECT_EQ('s', serialized[10]);
2391 EXPECT_EQ('p', serialized[11]);
2392 EXPECT_EQ('d', serialized[12]);
2393 EXPECT_EQ('y', serialized[13]);
2394 EXPECT_EQ('/', serialized[14]);
2395 EXPECT_EQ('3', serialized[15]);
2396 EXPECT_EQ('.', serialized[16]);
2397 EXPECT_EQ('1', serialized[17]);
2398 }
2399
2400 // Test that the server certificates are properly retrieved from the underlying
2401 // SSL stack.
2402 TEST_F(SSLClientSocketTest, VerifyServerChainProperlyOrdered) {
2403 // The connection does not have to be successful.
2404 cert_verifier_->set_default_result(ERR_CERT_INVALID);
2405
2406 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
2407 // This makes the server present redundant-server-chain.pem, which contains
2408 // intermediate certificates.
2409 SpawnedTestServer::SSLOptions ssl_options(
2410 SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
2411 SpawnedTestServer test_server(
2412 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2413 ASSERT_TRUE(test_server.Start());
2414
2415 AddressList addr;
2416 ASSERT_TRUE(test_server.GetAddressList(&addr));
2417
2418 TestCompletionCallback callback;
2419 scoped_ptr<StreamSocket> transport(
2420 new TCPClientSocket(addr, NULL, NetLog::Source()));
2421 int rv = transport->Connect(callback.callback());
2422 rv = callback.GetResult(rv);
2423 EXPECT_EQ(OK, rv);
2424
2425 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2426 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2427 EXPECT_FALSE(sock->IsConnected());
2428 rv = sock->Connect(callback.callback());
2429 rv = callback.GetResult(rv);
2430
2431 EXPECT_EQ(ERR_CERT_INVALID, rv);
2432 EXPECT_TRUE(sock->IsConnected());
2433
2434 // When given option CERT_CHAIN_WRONG_ROOT, SpawnedTestServer will present
2435 // certs from redundant-server-chain.pem.
2436 CertificateList server_certs =
2437 CreateCertificateListFromFile(GetTestCertsDirectory(),
2438 "redundant-server-chain.pem",
2439 X509Certificate::FORMAT_AUTO);
2440
2441 // Get the server certificate as received client side.
2442 scoped_refptr<X509Certificate> server_certificate =
2443 sock->GetUnverifiedServerCertificateChain();
2444
2445 // Get the intermediates as received client side.
2446 const X509Certificate::OSCertHandles& server_intermediates =
2447 server_certificate->GetIntermediateCertificates();
2448
2449 // Check that the unverified server certificate chain is properly retrieved
2450 // from the underlying ssl stack.
2451 ASSERT_EQ(4U, server_certs.size());
2452
2453 EXPECT_TRUE(X509Certificate::IsSameOSCert(
2454 server_certificate->os_cert_handle(), server_certs[0]->os_cert_handle()));
2455
2456 ASSERT_EQ(3U, server_intermediates.size());
2457
2458 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[0],
2459 server_certs[1]->os_cert_handle()));
2460 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[1],
2461 server_certs[2]->os_cert_handle()));
2462 EXPECT_TRUE(X509Certificate::IsSameOSCert(server_intermediates[2],
2463 server_certs[3]->os_cert_handle()));
2464
2465 sock->Disconnect();
2466 EXPECT_FALSE(sock->IsConnected());
2467 }
2468
2469 // This tests that SSLInfo contains a properly re-constructed certificate
2470 // chain. That, in turn, verifies that GetSSLInfo is giving us the chain as
2471 // verified, not the chain as served by the server. (They may be different.)
2472 //
2473 // CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
2474 // (end-entity) -> B -> C, and C is signed by D. redundant-validated-chain.pem
2475 // contains a chain of A -> B -> C2, where C2 is the same public key as C, but
2476 // a self-signed root. Such a situation can occur when a new root (C2) is
2477 // cross-certified by an old root (D) and has two different versions of its
2478 // floating around. Servers may supply C2 as an intermediate, but the
2479 // SSLClientSocket should return the chain that was verified, from
2480 // verify_result, instead.
2481 TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
2482 // By default, cause the CertVerifier to treat all certificates as
2483 // expired.
2484 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
2485
2486 // We will expect SSLInfo to ultimately contain this chain.
2487 CertificateList certs =
2488 CreateCertificateListFromFile(GetTestCertsDirectory(),
2489 "redundant-validated-chain.pem",
2490 X509Certificate::FORMAT_AUTO);
2491 ASSERT_EQ(3U, certs.size());
2492
2493 X509Certificate::OSCertHandles temp_intermediates;
2494 temp_intermediates.push_back(certs[1]->os_cert_handle());
2495 temp_intermediates.push_back(certs[2]->os_cert_handle());
2496
2497 CertVerifyResult verify_result;
2498 verify_result.verified_cert = X509Certificate::CreateFromHandle(
2499 certs[0]->os_cert_handle(), temp_intermediates);
2500
2501 // Add a rule that maps the server cert (A) to the chain of A->B->C2
2502 // rather than A->B->C.
2503 cert_verifier_->AddResultForCert(certs[0].get(), verify_result, OK);
2504
2505 // Load and install the root for the validated chain.
2506 scoped_refptr<X509Certificate> root_cert = ImportCertFromFile(
2507 GetTestCertsDirectory(), "redundant-validated-chain-root.pem");
2508 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
2509 ScopedTestRoot scoped_root(root_cert.get());
2510
2511 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
2512 SpawnedTestServer::SSLOptions ssl_options(
2513 SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
2514 SpawnedTestServer test_server(
2515 SpawnedTestServer::TYPE_HTTPS,
2516 ssl_options,
2517 base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
2518 ASSERT_TRUE(test_server.Start());
2519
2520 AddressList addr;
2521 ASSERT_TRUE(test_server.GetAddressList(&addr));
2522
2523 TestCompletionCallback callback;
2524 CapturingNetLog log;
2525 scoped_ptr<StreamSocket> transport(
2526 new TCPClientSocket(addr, &log, NetLog::Source()));
2527 int rv = transport->Connect(callback.callback());
2528 if (rv == ERR_IO_PENDING)
2529 rv = callback.WaitForResult();
2530 EXPECT_EQ(OK, rv);
2531
2532 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2533 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2534 EXPECT_FALSE(sock->IsConnected());
2535 rv = sock->Connect(callback.callback());
2536
2537 CapturingNetLog::CapturedEntryList entries;
2538 log.GetEntries(&entries);
2539 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLog::TYPE_SSL_CONNECT));
2540 if (rv == ERR_IO_PENDING)
2541 rv = callback.WaitForResult();
2542
2543 EXPECT_EQ(OK, rv);
2544 EXPECT_TRUE(sock->IsConnected());
2545 log.GetEntries(&entries);
2546 EXPECT_TRUE(LogContainsSSLConnectEndEvent(entries, -1));
2547
2548 SSLInfo ssl_info;
2549 sock->GetSSLInfo(&ssl_info);
2550
2551 // Verify that SSLInfo contains the corrected re-constructed chain A -> B
2552 // -> C2.
2553 const X509Certificate::OSCertHandles& intermediates =
2554 ssl_info.cert->GetIntermediateCertificates();
2555 ASSERT_EQ(2U, intermediates.size());
2556 EXPECT_TRUE(X509Certificate::IsSameOSCert(ssl_info.cert->os_cert_handle(),
2557 certs[0]->os_cert_handle()));
2558 EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[0],
2559 certs[1]->os_cert_handle()));
2560 EXPECT_TRUE(X509Certificate::IsSameOSCert(intermediates[1],
2561 certs[2]->os_cert_handle()));
2562
2563 sock->Disconnect();
2564 EXPECT_FALSE(sock->IsConnected());
2565 }
2566
2567 TEST_F(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
2568 SpawnedTestServer::SSLOptions ssl_options;
2569 ssl_options.request_client_certificate = true;
2570 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2571 ASSERT_TRUE(request_info.get());
2572 EXPECT_EQ(0u, request_info->cert_authorities.size());
2573 }
2574
2575 TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
2576 const base::FilePath::CharType kThawteFile[] =
2577 FILE_PATH_LITERAL("thawte.single.pem");
2578 const unsigned char kThawteDN[] = {
2579 0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2580 0x02, 0x5a, 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a,
2581 0x13, 0x1c, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6f, 0x6e,
2582 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79,
2583 0x29, 0x20, 0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
2584 0x55, 0x04, 0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20,
2585 0x53, 0x47, 0x43, 0x20, 0x43, 0x41};
2586 const size_t kThawteLen = sizeof(kThawteDN);
2587
2588 const base::FilePath::CharType kDiginotarFile[] =
2589 FILE_PATH_LITERAL("diginotar_root_ca.pem");
2590 const unsigned char kDiginotarDN[] = {
2591 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2592 0x02, 0x4e, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
2593 0x13, 0x09, 0x44, 0x69, 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x31,
2594 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x44, 0x69,
2595 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x20, 0x52, 0x6f, 0x6f, 0x74,
2596 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48,
2597 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x11, 0x69, 0x6e, 0x66, 0x6f,
2598 0x40, 0x64, 0x69, 0x67, 0x69, 0x6e, 0x6f, 0x74, 0x61, 0x72, 0x2e, 0x6e,
2599 0x6c};
2600 const size_t kDiginotarLen = sizeof(kDiginotarDN);
2601
2602 SpawnedTestServer::SSLOptions ssl_options;
2603 ssl_options.request_client_certificate = true;
2604 ssl_options.client_authorities.push_back(
2605 GetTestClientCertsDirectory().Append(kThawteFile));
2606 ssl_options.client_authorities.push_back(
2607 GetTestClientCertsDirectory().Append(kDiginotarFile));
2608 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2609 ASSERT_TRUE(request_info.get());
2610 ASSERT_EQ(2u, request_info->cert_authorities.size());
2611 EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen),
2612 request_info->cert_authorities[0]);
2613 EXPECT_EQ(
2614 std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen),
2615 request_info->cert_authorities[1]);
2616 }
2617
2618 // cert_key_types is currently only populated on OpenSSL.
2619 #if defined(USE_OPENSSL)
2620 TEST_F(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
2621 SpawnedTestServer::SSLOptions ssl_options;
2622 ssl_options.request_client_certificate = true;
2623 ssl_options.client_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
2624 ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
2625 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
2626 ASSERT_TRUE(request_info.get());
2627 ASSERT_EQ(2u, request_info->cert_key_types.size());
2628 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]);
2629 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]);
2630 }
2631 #endif // defined(USE_OPENSSL)
2632
2633 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledTLSExtension) {
2634 SpawnedTestServer::SSLOptions ssl_options;
2635 ssl_options.signed_cert_timestamps_tls_ext = "test";
2636
2637 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2638 ssl_options,
2639 base::FilePath());
2640 ASSERT_TRUE(test_server.Start());
2641
2642 AddressList addr;
2643 ASSERT_TRUE(test_server.GetAddressList(&addr));
2644
2645 TestCompletionCallback callback;
2646 scoped_ptr<StreamSocket> transport(
2647 new TCPClientSocket(addr, &log_, NetLog::Source()));
2648 int rv = callback.GetResult(transport->Connect(callback.callback()));
2649 EXPECT_EQ(OK, rv);
2650
2651 SSLConfig ssl_config;
2652 ssl_config.signed_cert_timestamps_enabled = true;
2653
2654 MockCTVerifier ct_verifier;
2655 SetCTVerifier(&ct_verifier);
2656
2657 // Check that the SCT list is extracted as expected.
2658 EXPECT_CALL(ct_verifier, Verify(_, "", "test", _, _)).WillRepeatedly(
2659 Return(ERR_CT_NO_SCTS_VERIFIED_OK));
2660
2661 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2662 transport.Pass(), test_server.host_port_pair(), ssl_config));
2663 rv = callback.GetResult(sock->Connect(callback.callback()));
2664 EXPECT_EQ(OK, rv);
2665
2666 EXPECT_TRUE(sock->signed_cert_timestamps_received_);
2667 }
2668
2669 namespace {
2670
2671 bool IsValidOCSPResponse(const base::StringPiece& input) {
2672 base::StringPiece ocsp_response = input;
2673 base::StringPiece sequence, response_status, response_bytes;
2674 return asn1::GetElement(&ocsp_response, asn1::kSEQUENCE, &sequence) &&
2675 ocsp_response.empty() &&
2676 asn1::GetElement(&sequence, asn1::kENUMERATED, &response_status) &&
2677 asn1::GetElement(&sequence,
2678 asn1::kContextSpecific | asn1::kConstructed | 0,
2679 &response_status) &&
2680 sequence.empty();
2681 }
2682
2683 } // namespace
2684
2685 // Test that enabling Signed Certificate Timestamps enables OCSP stapling.
2686 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnabledOCSP) {
2687 SpawnedTestServer::SSLOptions ssl_options;
2688 ssl_options.staple_ocsp_response = true;
2689 // The test server currently only knows how to generate OCSP responses
2690 // for a freshly minted certificate.
2691 ssl_options.server_certificate = SpawnedTestServer::SSLOptions::CERT_AUTO;
2692
2693 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2694 ssl_options,
2695 base::FilePath());
2696 ASSERT_TRUE(test_server.Start());
2697
2698 AddressList addr;
2699 ASSERT_TRUE(test_server.GetAddressList(&addr));
2700
2701 TestCompletionCallback callback;
2702 scoped_ptr<StreamSocket> transport(
2703 new TCPClientSocket(addr, &log_, NetLog::Source()));
2704 int rv = callback.GetResult(transport->Connect(callback.callback()));
2705 EXPECT_EQ(OK, rv);
2706
2707 SSLConfig ssl_config;
2708 // Enabling Signed Cert Timestamps ensures we request OCSP stapling for
2709 // Certificate Transparency verification regardless of whether the platform
2710 // is able to process the OCSP status itself.
2711 ssl_config.signed_cert_timestamps_enabled = true;
2712
2713 MockCTVerifier ct_verifier;
2714 SetCTVerifier(&ct_verifier);
2715
2716 // Check that the OCSP response is extracted and well-formed. It should be the
2717 // DER encoding of an OCSPResponse (RFC 2560), so check that it consists of a
2718 // SEQUENCE of an ENUMERATED type and an element tagged with [0] EXPLICIT. In
2719 // particular, it should not include the overall two-byte length prefix from
2720 // TLS.
2721 EXPECT_CALL(ct_verifier,
2722 Verify(_, Truly(IsValidOCSPResponse), "", _, _)).WillRepeatedly(
2723 Return(ERR_CT_NO_SCTS_VERIFIED_OK));
2724
2725 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2726 transport.Pass(), test_server.host_port_pair(), ssl_config));
2727 rv = callback.GetResult(sock->Connect(callback.callback()));
2728 EXPECT_EQ(OK, rv);
2729
2730 EXPECT_TRUE(sock->stapled_ocsp_response_received_);
2731 }
2732
2733 TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
2734 SpawnedTestServer::SSLOptions ssl_options;
2735 ssl_options.signed_cert_timestamps_tls_ext = "test";
2736
2737 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2738 ssl_options,
2739 base::FilePath());
2740 ASSERT_TRUE(test_server.Start());
2741
2742 AddressList addr;
2743 ASSERT_TRUE(test_server.GetAddressList(&addr));
2744
2745 TestCompletionCallback callback;
2746 scoped_ptr<StreamSocket> transport(
2747 new TCPClientSocket(addr, &log_, NetLog::Source()));
2748 int rv = callback.GetResult(transport->Connect(callback.callback()));
2749 EXPECT_EQ(OK, rv);
2750
2751 SSLConfig ssl_config;
2752 ssl_config.signed_cert_timestamps_enabled = false;
2753
2754 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2755 transport.Pass(), test_server.host_port_pair(), ssl_config));
2756 rv = callback.GetResult(sock->Connect(callback.callback()));
2757 EXPECT_EQ(OK, rv);
2758
2759 EXPECT_FALSE(sock->signed_cert_timestamps_received_);
2760 }
2761
2762 // Tests that IsConnectedAndIdle and WasEverUsed behave as expected.
2763 TEST_F(SSLClientSocketTest, ReuseStates) {
2764 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2765 SpawnedTestServer::kLocalhost,
2766 base::FilePath());
2767 ASSERT_TRUE(test_server.Start());
2768
2769 AddressList addr;
2770 ASSERT_TRUE(test_server.GetAddressList(&addr));
2771
2772 TestCompletionCallback callback;
2773 scoped_ptr<StreamSocket> transport(
2774 new TCPClientSocket(addr, NULL, NetLog::Source()));
2775 int rv = transport->Connect(callback.callback());
2776 if (rv == ERR_IO_PENDING)
2777 rv = callback.WaitForResult();
2778 EXPECT_EQ(OK, rv);
2779
2780 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2781 transport.Pass(), test_server.host_port_pair(), SSLConfig()));
2782
2783 rv = sock->Connect(callback.callback());
2784 if (rv == ERR_IO_PENDING)
2785 rv = callback.WaitForResult();
2786 EXPECT_EQ(OK, rv);
2787
2788 // The socket was just connected. It should be idle because it is speaking
2789 // HTTP. Although the transport has been used for the handshake, WasEverUsed()
2790 // returns false.
2791 EXPECT_TRUE(sock->IsConnected());
2792 EXPECT_TRUE(sock->IsConnectedAndIdle());
2793 EXPECT_FALSE(sock->WasEverUsed());
2794
2795 const char kRequestText[] = "GET / HTTP/1.0\r\n\r\n";
2796 const size_t kRequestLen = arraysize(kRequestText) - 1;
2797 scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestLen));
2798 memcpy(request_buffer->data(), kRequestText, kRequestLen);
2799
2800 rv = sock->Write(request_buffer.get(), kRequestLen, callback.callback());
2801 EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
2802
2803 if (rv == ERR_IO_PENDING)
2804 rv = callback.WaitForResult();
2805 EXPECT_EQ(static_cast<int>(kRequestLen), rv);
2806
2807 // The socket has now been used.
2808 EXPECT_TRUE(sock->WasEverUsed());
2809
2810 // TODO(davidben): Read one byte to ensure the test server has responded and
2811 // then assert IsConnectedAndIdle is false. This currently doesn't work
2812 // because neither SSLClientSocketNSS nor SSLClientSocketOpenSSL check their
2813 // SSL implementation's internal buffers. Either call PR_Available and
2814 // SSL_pending, although the former isn't actually implemented or perhaps
2815 // attempt to read one byte extra.
2816 }
2817
2818 // Tests that session caches are sharded by max_version.
2819 TEST_F(SSLClientSocketTest, FallbackShardSessionCache) {
2820 SpawnedTestServer::SSLOptions ssl_options;
2821 ASSERT_TRUE(StartTestServer(ssl_options));
2822
2823 // Prepare a normal and fallback SSL config.
2824 SSLConfig ssl_config;
2825 SSLConfig fallback_ssl_config;
2826 fallback_ssl_config.version_max = SSL_PROTOCOL_VERSION_TLS1;
2827 fallback_ssl_config.version_fallback = true;
2828
2829 // Connect with a fallback config from the test server to add an entry to the
2830 // session cache.
2831 TestCompletionCallback callback;
2832 scoped_ptr<StreamSocket> transport(
2833 new TCPClientSocket(addr(), &log_, NetLog::Source()));
2834 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
2835 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2836 transport.Pass(), test_server()->host_port_pair(), fallback_ssl_config));
2837 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
2838 SSLInfo ssl_info;
2839 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
2840 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
2841 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1,
2842 SSLConnectionStatusToVersion(ssl_info.connection_status));
2843
2844 // A non-fallback connection needs a full handshake.
2845 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
2846 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
2847 sock = CreateSSLClientSocket(transport.Pass(),
2848 test_server()->host_port_pair(), ssl_config);
2849 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
2850 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
2851 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
2852 // This does not check for equality because TLS 1.2 support is conditional on
2853 // system NSS features.
2854 EXPECT_LT(SSL_CONNECTION_VERSION_TLS1,
2855 SSLConnectionStatusToVersion(ssl_info.connection_status));
2856
2857 // Note: if the server (correctly) declines to resume a TLS 1.0 session at TLS
2858 // 1.2, the above test would not be sufficient to prove the session caches are
2859 // sharded. Implementations vary here, so, to avoid being sensitive to this,
2860 // attempt to resume with two more connections.
2861
2862 // The non-fallback connection added a > TLS 1.0 entry to the session cache.
2863 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
2864 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
2865 sock = CreateSSLClientSocket(transport.Pass(),
2866 test_server()->host_port_pair(), ssl_config);
2867 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
2868 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
2869 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
2870 // This does not check for equality because TLS 1.2 support is conditional on
2871 // system NSS features.
2872 EXPECT_LT(SSL_CONNECTION_VERSION_TLS1,
2873 SSLConnectionStatusToVersion(ssl_info.connection_status));
2874
2875 // The fallback connection still resumes from its session cache. It cannot
2876 // offer the > TLS 1.0 session, so this must have been the session from the
2877 // first fallback connection.
2878 transport.reset(new TCPClientSocket(addr(), &log_, NetLog::Source()));
2879 EXPECT_EQ(OK, callback.GetResult(transport->Connect(callback.callback())));
2880 sock = CreateSSLClientSocket(
2881 transport.Pass(), test_server()->host_port_pair(), fallback_ssl_config);
2882 EXPECT_EQ(OK, callback.GetResult(sock->Connect(callback.callback())));
2883 EXPECT_TRUE(sock->GetSSLInfo(&ssl_info));
2884 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
2885 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1,
2886 SSLConnectionStatusToVersion(ssl_info.connection_status));
2887 }
2888
2889 #if defined(USE_OPENSSL)
2890
2891 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithFailure) {
2892 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2893 SpawnedTestServer::kLocalhost,
2894 base::FilePath());
2895 ASSERT_TRUE(test_server.Start());
2896
2897 AddressList addr;
2898 ASSERT_TRUE(test_server.GetAddressList(&addr));
2899
2900 TestCompletionCallback callback;
2901 scoped_ptr<StreamSocket> real_transport(
2902 new TCPClientSocket(addr, NULL, NetLog::Source()));
2903 scoped_ptr<SynchronousErrorStreamSocket> transport(
2904 new SynchronousErrorStreamSocket(real_transport.Pass()));
2905 int rv = callback.GetResult(transport->Connect(callback.callback()));
2906 EXPECT_EQ(OK, rv);
2907
2908 // Disable TLS False Start to avoid handshake non-determinism.
2909 SSLConfig ssl_config;
2910 ssl_config.false_start_enabled = false;
2911
2912 SynchronousErrorStreamSocket* raw_transport = transport.get();
2913 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2914 transport.Pass(), test_server.host_port_pair(), ssl_config));
2915
2916 sock->SetHandshakeCompletionCallback(base::Bind(
2917 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2918
2919 raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
2920
2921 rv = callback.GetResult(sock->Connect(callback.callback()));
2922 EXPECT_EQ(ERR_CONNECTION_RESET, rv);
2923 EXPECT_FALSE(sock->IsConnected());
2924
2925 EXPECT_TRUE(ran_handshake_completion_callback_);
2926 }
2927
2928 // Tests that the completion callback is run when an SSL connection
2929 // completes successfully.
2930 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithSuccess) {
2931 SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
2932 SpawnedTestServer::kLocalhost,
2933 base::FilePath());
2934 ASSERT_TRUE(test_server.Start());
2935
2936 AddressList addr;
2937 ASSERT_TRUE(test_server.GetAddressList(&addr));
2938
2939 scoped_ptr<StreamSocket> transport(
2940 new TCPClientSocket(addr, NULL, NetLog::Source()));
2941
2942 TestCompletionCallback callback;
2943 int rv = transport->Connect(callback.callback());
2944 if (rv == ERR_IO_PENDING)
2945 rv = callback.WaitForResult();
2946 EXPECT_EQ(OK, rv);
2947
2948 SSLConfig ssl_config;
2949 ssl_config.false_start_enabled = false;
2950
2951 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2952 transport.Pass(), test_server.host_port_pair(), ssl_config));
2953
2954 sock->SetHandshakeCompletionCallback(base::Bind(
2955 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2956
2957 rv = callback.GetResult(sock->Connect(callback.callback()));
2958
2959 EXPECT_EQ(OK, rv);
2960 EXPECT_TRUE(sock->IsConnected());
2961 EXPECT_TRUE(ran_handshake_completion_callback_);
2962 }
2963
2964 // Tests that the completion callback is run with a server that doesn't cache
2965 // sessions.
2966 TEST_F(SSLClientSocketTest, HandshakeCallbackIsRun_WithDisabledSessionCache) {
2967 SpawnedTestServer::SSLOptions ssl_options;
2968 ssl_options.disable_session_cache = true;
2969 SpawnedTestServer test_server(
2970 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath());
2971 ASSERT_TRUE(test_server.Start());
2972
2973 AddressList addr;
2974 ASSERT_TRUE(test_server.GetAddressList(&addr));
2975
2976 scoped_ptr<StreamSocket> transport(
2977 new TCPClientSocket(addr, NULL, NetLog::Source()));
2978
2979 TestCompletionCallback callback;
2980 int rv = transport->Connect(callback.callback());
2981 if (rv == ERR_IO_PENDING)
2982 rv = callback.WaitForResult();
2983 EXPECT_EQ(OK, rv);
2984
2985 SSLConfig ssl_config;
2986 ssl_config.false_start_enabled = false;
2987
2988 scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
2989 transport.Pass(), test_server.host_port_pair(), ssl_config));
2990
2991 sock->SetHandshakeCompletionCallback(base::Bind(
2992 &SSLClientSocketTest::RecordCompletedHandshake, base::Unretained(this)));
2993
2994 rv = callback.GetResult(sock->Connect(callback.callback()));
2995
2996 EXPECT_EQ(OK, rv);
2997 EXPECT_TRUE(sock->IsConnected());
2998 EXPECT_TRUE(ran_handshake_completion_callback_);
2999 }
3000
3001 TEST_F(SSLClientSocketFalseStartTest,
3002 HandshakeCallbackIsRun_WithFalseStartFailure) {
3003 if (!SupportsAESGCM()) {
3004 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3005 return;
3006 }
3007
3008 // False Start requires NPN and a forward-secret cipher suite.
3009 SpawnedTestServer::SSLOptions server_options;
3010 server_options.key_exchanges =
3011 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3012 server_options.bulk_ciphers =
3013 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3014 server_options.enable_npn = true;
3015 SSLConfig client_config;
3016 client_config.next_protos.push_back(kProtoHTTP11);
3017 monitor_handshake_callback_ = true;
3018 fail_handshake_after_false_start_ = true;
3019 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true));
3020 ASSERT_TRUE(ran_handshake_completion_callback_);
3021 }
3022
3023 TEST_F(SSLClientSocketFalseStartTest,
3024 HandshakeCallbackIsRun_WithFalseStartSuccess) {
3025 if (!SupportsAESGCM()) {
3026 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3027 return;
3028 }
3029
3030 // False Start requires NPN and a forward-secret cipher suite.
3031 SpawnedTestServer::SSLOptions server_options;
3032 server_options.key_exchanges =
3033 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3034 server_options.bulk_ciphers =
3035 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3036 server_options.enable_npn = true;
3037 SSLConfig client_config;
3038 client_config.next_protos.push_back(kProtoHTTP11);
3039 monitor_handshake_callback_ = true;
3040 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, true));
3041 ASSERT_TRUE(ran_handshake_completion_callback_);
3042 }
3043 #endif // defined(USE_OPENSSL)
3044
3045 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) {
3046 if (!SupportsAESGCM()) {
3047 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3048 return;
3049 }
3050
3051 // False Start requires NPN/ALPN, perfect forward secrecy, and an AEAD.
3052 SpawnedTestServer::SSLOptions server_options;
3053 server_options.key_exchanges =
3054 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3055 server_options.bulk_ciphers =
3056 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3057 server_options.enable_npn = true;
3058 SSLConfig client_config;
3059 client_config.next_protos.push_back(kProtoHTTP11);
3060 ASSERT_NO_FATAL_FAILURE(
3061 TestFalseStart(server_options, client_config, true));
3062 }
3063
3064 // Test that False Start is disabled without NPN.
3065 TEST_F(SSLClientSocketFalseStartTest, NoNPN) {
3066 if (!SupportsAESGCM()) {
3067 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3068 return;
3069 }
3070
3071 SpawnedTestServer::SSLOptions server_options;
3072 server_options.key_exchanges =
3073 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3074 server_options.bulk_ciphers =
3075 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3076 SSLConfig client_config;
3077 client_config.next_protos.clear();
3078 ASSERT_NO_FATAL_FAILURE(
3079 TestFalseStart(server_options, client_config, false));
3080 }
3081
3082 // Test that False Start is disabled without perfect forward secrecy.
3083 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) {
3084 if (!SupportsAESGCM()) {
3085 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3086 return;
3087 }
3088
3089 SpawnedTestServer::SSLOptions server_options;
3090 server_options.key_exchanges =
3091 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA;
3092 server_options.bulk_ciphers =
3093 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3094 server_options.enable_npn = true;
3095 SSLConfig client_config;
3096 client_config.next_protos.push_back(kProtoHTTP11);
3097 ASSERT_NO_FATAL_FAILURE(
3098 TestFalseStart(server_options, client_config, false));
3099 }
3100
3101 // Test that False Start is disabled without an AEAD.
3102 TEST_F(SSLClientSocketFalseStartTest, NoAEAD) {
3103 SpawnedTestServer::SSLOptions server_options;
3104 server_options.key_exchanges =
3105 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3106 server_options.bulk_ciphers =
3107 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128;
3108 server_options.enable_npn = true;
3109 SSLConfig client_config;
3110 client_config.next_protos.push_back(kProtoHTTP11);
3111 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false));
3112 }
3113
3114 // Test that sessions are resumable after receiving the server Finished message.
3115 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) {
3116 if (!SupportsAESGCM()) {
3117 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3118 return;
3119 }
3120
3121 // Start a server.
3122 SpawnedTestServer::SSLOptions server_options;
3123 server_options.key_exchanges =
3124 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3125 server_options.bulk_ciphers =
3126 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3127 server_options.enable_npn = true;
3128 SSLConfig client_config;
3129 client_config.next_protos.push_back(kProtoHTTP11);
3130
3131 // Let a full handshake complete with False Start.
3132 ASSERT_NO_FATAL_FAILURE(
3133 TestFalseStart(server_options, client_config, true));
3134
3135 // Make a second connection.
3136 TestCompletionCallback callback;
3137 scoped_ptr<StreamSocket> transport2(
3138 new TCPClientSocket(addr(), &log_, NetLog::Source()));
3139 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback())));
3140 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket(
3141 transport2.Pass(), test_server()->host_port_pair(), client_config);
3142 ASSERT_TRUE(sock2.get());
3143 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback())));
3144
3145 // It should resume the session.
3146 SSLInfo ssl_info;
3147 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info));
3148 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
3149 }
3150
3151 // Test that sessions are not resumable before receiving the server Finished
3152 // message.
3153 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) {
3154 if (!SupportsAESGCM()) {
3155 LOG(WARNING) << "Skipping test because AES-GCM is not supported.";
3156 return;
3157 }
3158
3159 // Start a server.
3160 SpawnedTestServer::SSLOptions server_options;
3161 server_options.key_exchanges =
3162 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA;
3163 server_options.bulk_ciphers =
3164 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM;
3165 server_options.enable_npn = true;
3166 ASSERT_TRUE(StartTestServer(server_options));
3167
3168 SSLConfig client_config;
3169 client_config.next_protos.push_back(kProtoHTTP11);
3170
3171 // Start a handshake up to the server Finished message.
3172 TestCompletionCallback callback;
3173 FakeBlockingStreamSocket* raw_transport1 = NULL;
3174 scoped_ptr<SSLClientSocket> sock1;
3175 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
3176 client_config, &callback, &raw_transport1, &sock1));
3177 // Although raw_transport1 has the server Finished blocked, the handshake
3178 // still completes.
3179 EXPECT_EQ(OK, callback.WaitForResult());
3180
3181 // Continue to block the client (|sock1|) from processing the Finished
3182 // message, but allow it to arrive on the socket. This ensures that, from the
3183 // server's point of view, it has completed the handshake and added the
3184 // session to its session cache.
3185 //
3186 // The actual read on |sock1| will not complete until the Finished message is
3187 // processed; however, pump the underlying transport so that it is read from
3188 // the socket. This still has the potential to race, but is generally unlikely
3189 // due to socket buffer sizes.
3190 scoped_refptr<IOBuffer> buf(new IOBuffer(4096));
3191 int rv = sock1->Read(buf.get(), 4096, callback.callback());
3192 EXPECT_EQ(ERR_IO_PENDING, rv);
3193 raw_transport1->WaitForReadResult();
3194
3195 // Drop the old socket. This is needed because the Python test server can't
3196 // service two sockets in parallel.
3197 sock1.reset();
3198
3199 // Start a second connection.
3200 scoped_ptr<StreamSocket> transport2(
3201 new TCPClientSocket(addr(), &log_, NetLog::Source()));
3202 EXPECT_EQ(OK, callback.GetResult(transport2->Connect(callback.callback())));
3203 scoped_ptr<SSLClientSocket> sock2 = CreateSSLClientSocket(
3204 transport2.Pass(), test_server()->host_port_pair(), client_config);
3205 EXPECT_EQ(OK, callback.GetResult(sock2->Connect(callback.callback())));
3206
3207 // No session resumption because the first connection never received a server
3208 // Finished message.
3209 SSLInfo ssl_info;
3210 EXPECT_TRUE(sock2->GetSSLInfo(&ssl_info));
3211 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3212 }
3213
3214 // Connect to a server using channel id. It should allow the connection.
3215 TEST_F(SSLClientSocketChannelIDTest, SendChannelID) {
3216 SpawnedTestServer::SSLOptions ssl_options;
3217
3218 ASSERT_TRUE(ConnectToTestServer(ssl_options));
3219
3220 EnableChannelID();
3221 SSLConfig ssl_config;
3222 ssl_config.channel_id_enabled = true;
3223
3224 int rv;
3225 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3226
3227 EXPECT_EQ(OK, rv);
3228 EXPECT_TRUE(sock_->IsConnected());
3229 EXPECT_TRUE(sock_->WasChannelIDSent());
3230
3231 sock_->Disconnect();
3232 EXPECT_FALSE(sock_->IsConnected());
3233 }
3234
3235 // Connect to a server using Channel ID but failing to look up the Channel
3236 // ID. It should fail.
3237 TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) {
3238 SpawnedTestServer::SSLOptions ssl_options;
3239
3240 ASSERT_TRUE(ConnectToTestServer(ssl_options));
3241
3242 EnableFailingChannelID();
3243 SSLConfig ssl_config;
3244 ssl_config.channel_id_enabled = true;
3245
3246 int rv;
3247 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3248
3249 // TODO(haavardm@opera.com): Due to differences in threading, Linux returns
3250 // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all
3251 // error codes for now.
3252 // http://crbug.com/373670
3253 EXPECT_NE(OK, rv);
3254 EXPECT_FALSE(sock_->IsConnected());
3255 }
3256
3257 // Connect to a server using Channel ID but asynchronously failing to look up
3258 // the Channel ID. It should fail.
3259 TEST_F(SSLClientSocketChannelIDTest, FailingChannelIDAsync) {
3260 SpawnedTestServer::SSLOptions ssl_options;
3261
3262 ASSERT_TRUE(ConnectToTestServer(ssl_options));
3263
3264 EnableAsyncFailingChannelID();
3265 SSLConfig ssl_config;
3266 ssl_config.channel_id_enabled = true;
3267
3268 int rv;
3269 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3270
3271 EXPECT_EQ(ERR_UNEXPECTED, rv);
3272 EXPECT_FALSE(sock_->IsConnected());
3273 }
3274
3275 } // namespace net