Google Git
Sign in
chromium / chromium / src.git / b2f0faef8cd9609eb984bf2e061f6a2e5d1528ae / . / net / socket / ssl_client_socket_unittest.cc
blob: ef870d8173fed6fb7c2c13ce609926d7a98f9776 [file] [log] [blame]
Avi Drissman64595482022-09-14 20:52:29[diff] [blame]1// Copyright 2012 The Chromium Authors
license.botbf09a502008-08-24 00:55:55[diff] [blame]2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]4
[email protected]f7984fc62009-06-22 23:26:44[diff] [blame]5#include "net/socket/ssl_client_socket.h"
6
svaldez2135be52016-04-20 16:34:53[diff] [blame]7#include <errno.h>
8#include <string.h>
9
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]10#include <algorithm>
Peter Boström8a7540692021-04-05 20:48:20[diff] [blame]11#include <memory>
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]12#include <tuple>
dchengc7eeda422015-12-26 03:56:48[diff] [blame]13#include <utility>
14
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]15#include "base/files/file_util.h"
Avi Drissman41c4a412023-01-11 22:45:37[diff] [blame]16#include "base/functional/bind.h"
17#include "base/functional/callback_helpers.h"
skyostil4891b25b2015-06-11 11:43:45[diff] [blame]18#include "base/location.h"
Keishi Hattori0e45c022021-11-27 09:25:52[diff] [blame]19#include "base/memory/raw_ptr.h"
[email protected]515adc22013-01-09 16:01:23[diff] [blame]20#include "base/memory/ref_counted.h"
[email protected]173ef472014-04-16 23:58:20[diff] [blame]21#include "base/run_loop.h"
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]22#include "base/strings/string_number_conversions.h"
Jan Wilken Dörrie14a065b2021-02-12 14:28:32[diff] [blame]23#include "base/strings/string_piece.h"
Daniel McArdleda3fa942019-02-15 16:41:21[diff] [blame]24#include "base/strings/stringprintf.h"
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]25#include "base/synchronization/lock.h"
Patrick Monette643cdf62021-10-15 19:13:42[diff] [blame]26#include "base/task/single_thread_task_runner.h"
David Benjamine992af92021-03-11 20:27:46[diff] [blame]27#include "base/test/bind.h"
Devlin Cronine4bcb40e2018-06-05 18:02:47[diff] [blame]28#include "base/test/metrics/histogram_tester.h"
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]29#include "base/test/scoped_feature_list.h"
[email protected]33d664952014-06-18 10:22:16[diff] [blame]30#include "base/time/time.h"
xunjieli9f8c5fb52016-12-07 22:59:33[diff] [blame]31#include "base/values.h"
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]32#include "build/build_config.h"
davidben8ea6b172017-03-07 23:53:50[diff] [blame]33#include "crypto/rsa_private_key.h"
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]34#include "net/base/address_list.h"
Bence Béky8ddc2492018-06-13 01:02:04[diff] [blame]35#include "net/base/completion_once_callback.h"
David Benjamin570460e2018-10-16 06:01:29[diff] [blame]36#include "net/base/features.h"
[email protected]597cf6e2009-05-29 09:43:26[diff] [blame]37#include "net/base/io_buffer.h"
davidben8ea6b172017-03-07 23:53:50[diff] [blame]38#include "net/base/ip_address.h"
39#include "net/base/ip_endpoint.h"
[email protected]4b187da2012-11-06 00:05:29[diff] [blame]40#include "net/base/net_errors.h"
Brianna Goldsteind22b0642022-10-11 16:30:50[diff] [blame]41#include "net/base/network_anonymization_key.h"
Matt Menke4807a9a2020-11-21 00:14:41[diff] [blame]42#include "net/base/schemeful_site.h"
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]43#include "net/base/test_completion_callback.h"
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]44#include "net/cert/asn1_util.h"
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]45#include "net/cert/cert_and_ct_verifier.h"
estark6f9b3d82016-01-12 21:37:05[diff] [blame]46#include "net/cert/ct_policy_enforcer.h"
estark723b5eeb2016-02-18 21:01:12[diff] [blame]47#include "net/cert/ct_policy_status.h"
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]48#include "net/cert/ct_verifier.h"
rsleevi22cae1672016-12-28 01:53:36[diff] [blame]49#include "net/cert/do_nothing_ct_verifier.h"
[email protected]6e7845ae2013-03-29 21:48:11[diff] [blame]50#include "net/cert/mock_cert_verifier.h"
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]51#include "net/cert/mock_client_cert_verifier.h"
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]52#include "net/cert/sct_auditing_delegate.h"
eranmdcec9632016-10-10 14:16:10[diff] [blame]53#include "net/cert/signed_certificate_timestamp_and_status.h"
[email protected]6e7845ae2013-03-29 21:48:11[diff] [blame]54#include "net/cert/test_root_certs.h"
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]55#include "net/cert/x509_util.h"
nharper52d99ec2016-01-08 20:45:17[diff] [blame]56#include "net/der/input.h"
57#include "net/der/parser.h"
58#include "net/der/tag.h"
[email protected]f2cb3cf2013-03-21 01:40:53[diff] [blame]59#include "net/dns/host_resolver.h"
[email protected]b1c988b2013-06-13 06:48:11[diff] [blame]60#include "net/http/transport_security_state.h"
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]61#include "net/http/transport_security_state_test_util.h"
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]62#include "net/log/net_log_event_type.h"
mikecironef22f9812016-10-04 03:40:19[diff] [blame]63#include "net/log/net_log_source.h"
mmenke16a7cbdd2015-04-24 23:00:56[diff] [blame]64#include "net/log/test_net_log.h"
mmenke43758e62015-05-04 21:09:46[diff] [blame]65#include "net/log/test_net_log_util.h"
[email protected]f7984fc62009-06-22 23:26:44[diff] [blame]66#include "net/socket/client_socket_factory.h"
[email protected]b442da32011-08-16 19:32:28[diff] [blame]67#include "net/socket/client_socket_handle.h"
David Benjamin91900ce52020-02-04 19:25:23[diff] [blame]68#include "net/socket/read_buffering_stream_socket.h"
[email protected]39afe642010-04-29 14:55:18[diff] [blame]69#include "net/socket/socket_test_util.h"
davidben8ea6b172017-03-07 23:53:50[diff] [blame]70#include "net/socket/ssl_server_socket.h"
xunjieli998d2472017-01-12 01:12:28[diff] [blame]71#include "net/socket/stream_socket.h"
[email protected]f7984fc62009-06-22 23:26:44[diff] [blame]72#include "net/socket/tcp_client_socket.h"
davidben8ea6b172017-03-07 23:53:50[diff] [blame]73#include "net/socket/tcp_server_socket.h"
[email protected]536fd0b2013-03-14 17:41:57[diff] [blame]74#include "net/ssl/ssl_cert_request_info.h"
Daniel McArdle3a663d62019-01-31 00:48:47[diff] [blame]75#include "net/ssl/ssl_client_session_cache.h"
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]76#include "net/ssl/ssl_config.h"
[email protected]536fd0b2013-03-14 17:41:57[diff] [blame]77#include "net/ssl/ssl_config_service.h"
davidben21ea1b42015-02-23 18:00:37[diff] [blame]78#include "net/ssl/ssl_connection_status_flags.h"
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]79#include "net/ssl/ssl_handshake_details.h"
davidben21ea1b42015-02-23 18:00:37[diff] [blame]80#include "net/ssl/ssl_info.h"
davidben8ea6b172017-03-07 23:53:50[diff] [blame]81#include "net/ssl/ssl_server_config.h"
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]82#include "net/ssl/test_ssl_config_service.h"
svaldez2135be52016-04-20 16:34:53[diff] [blame]83#include "net/ssl/test_ssl_private_key.h"
[email protected]6e7845ae2013-03-29 21:48:11[diff] [blame]84#include "net/test/cert_test_util.h"
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]85#include "net/test/embedded_test_server/embedded_test_server.h"
86#include "net/test/embedded_test_server/http_request.h"
87#include "net/test/embedded_test_server/http_response.h"
robpercival214763f2016-07-01 23:27:01[diff] [blame]88#include "net/test/gtest_util.h"
Jesse Selover1d82faf2019-03-20 19:44:35[diff] [blame]89#include "net/test/key_util.h"
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]90#include "net/test/ssl_test_util.h"
rsleevia69c79a2016-06-22 03:28:43[diff] [blame]91#include "net/test/test_data_directory.h"
Gabriel Charettec7108742019-08-23 03:31:40[diff] [blame]92#include "net/test/test_with_task_environment.h"
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]93#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]94#include "testing/gmock/include/gmock/gmock.h"
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]95#include "testing/gtest/include/gtest/gtest.h"
[email protected]23887f04f2008-12-02 19:20:15[diff] [blame]96#include "testing/platform_test.h"
Anton Bikineev068d2912021-05-15 20:43:52[diff] [blame]97#include "third_party/abseil-cpp/absl/types/optional.h"
tfarinae8cb8aa2016-10-21 02:44:01[diff] [blame]98#include "third_party/boringssl/src/include/openssl/bio.h"
99#include "third_party/boringssl/src/include/openssl/evp.h"
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]100#include "third_party/boringssl/src/include/openssl/hpke.h"
tfarinae8cb8aa2016-10-21 02:44:01[diff] [blame]101#include "third_party/boringssl/src/include/openssl/pem.h"
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]102#include "third_party/boringssl/src/include/openssl/ssl.h"
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]103#include "url/gurl.h"
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]104
robpercival214763f2016-07-01 23:27:01[diff] [blame]105using net::test::IsError;
106using net::test::IsOk;
107
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]108using testing::_;
Bence Békycc859862021-02-08 17:26:40[diff] [blame]109using testing::Bool;
110using testing::Combine;
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]111using testing::Return;
Bence Békycc859862021-02-08 17:26:40[diff] [blame]112using testing::Values;
113using testing::ValuesIn;
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]114
[email protected]789aca52013-08-14 06:40:10[diff] [blame]115namespace net {
116
mikecironef22f9812016-10-04 03:40:19[diff] [blame]117class NetLogWithSource;
118
[email protected]4b768562013-02-16 04:10:07[diff] [blame]119namespace {
120
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]121// When passed to |MakeHashValueVector|, this will generate a key pin that is
122// sha256/AA...=, and hence will cause pin validation success with the TestSPKI
123// pin from transport_security_state_static.pins. ("A" is the 0th element of the
124// base-64 alphabet.)
125const uint8_t kGoodHashValueVectorInput = 0;
126
127// When passed to |MakeHashValueVector|, this will generate a key pin that is
128// not sha256/AA...=, and hence will cause pin validation failure with the
129// TestSPKI pin.
130const uint8_t kBadHashValueVectorInput = 3;
131
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]132// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
133constexpr uint16_t kModernTLS12Cipher = 0xc02f;
134// TLS_RSA_WITH_AES_128_GCM_SHA256
135constexpr uint16_t kRSACipher = 0x009c;
136// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
137constexpr uint16_t kCBCCipher = 0xc013;
138// TLS_RSA_WITH_3DES_EDE_CBC_SHA
139constexpr uint16_t k3DESCipher = 0x000a;
140
[email protected]11410f72013-05-09 21:51:27[diff] [blame]141// Simulates synchronously receiving an error during Read() or Write()
142class SynchronousErrorStreamSocket : public WrappedStreamSocket {
143 public:
davidbenfe132d92016-09-27 18:07:21[diff] [blame]144 explicit SynchronousErrorStreamSocket(std::unique_ptr<StreamSocket> transport)
145 : WrappedStreamSocket(std::move(transport)) {}
Peter Boström293b1342021-09-22 17:31:43[diff] [blame]146
147 SynchronousErrorStreamSocket(const SynchronousErrorStreamSocket&) = delete;
148 SynchronousErrorStreamSocket& operator=(const SynchronousErrorStreamSocket&) =
149 delete;
150
Chris Watkins7a41d3552017-12-01 02:13:27[diff] [blame]151 ~SynchronousErrorStreamSocket() override = default;
[email protected]11410f72013-05-09 21:51:27[diff] [blame]152
153 // Socket implementation:
dchengb03027d2014-10-21 12:00:20[diff] [blame]154 int Read(IOBuffer* buf,
155 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]156 CompletionOnceCallback callback) override;
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]157 int ReadIfReady(IOBuffer* buf,
158 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]159 CompletionOnceCallback callback) override;
dchengb03027d2014-10-21 12:00:20[diff] [blame]160 int Write(IOBuffer* buf,
161 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]162 CompletionOnceCallback callback,
[email protected]578968d42017-12-13 15:39:32[diff] [blame]163 const NetworkTrafficAnnotationTag& traffic_annotation) override;
[email protected]11410f72013-05-09 21:51:27[diff] [blame]164
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]165 // Sets the next Read() call and all future calls to return |error|.
[email protected]11410f72013-05-09 21:51:27[diff] [blame]166 // If there is already a pending asynchronous read, the configured error
167 // will not be returned until that asynchronous read has completed and Read()
168 // is called again.
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]169 void SetNextReadError(int error) {
[email protected]11410f72013-05-09 21:51:27[diff] [blame]170 DCHECK_GE(0, error);
171 have_read_error_ = true;
172 pending_read_error_ = error;
173 }
174
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]175 // Sets the next Write() call and all future calls to return |error|.
[email protected]11410f72013-05-09 21:51:27[diff] [blame]176 // If there is already a pending asynchronous write, the configured error
177 // will not be returned until that asynchronous write has completed and
178 // Write() is called again.
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]179 void SetNextWriteError(int error) {
[email protected]11410f72013-05-09 21:51:27[diff] [blame]180 DCHECK_GE(0, error);
181 have_write_error_ = true;
182 pending_write_error_ = error;
183 }
184
185 private:
davidbenfe132d92016-09-27 18:07:21[diff] [blame]186 bool have_read_error_ = false;
187 int pending_read_error_ = OK;
[email protected]11410f72013-05-09 21:51:27[diff] [blame]188
davidbenfe132d92016-09-27 18:07:21[diff] [blame]189 bool have_write_error_ = false;
190 int pending_write_error_ = OK;
[email protected]11410f72013-05-09 21:51:27[diff] [blame]191};
192
[email protected]789aca52013-08-14 06:40:10[diff] [blame]193int SynchronousErrorStreamSocket::Read(IOBuffer* buf,
194 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]195 CompletionOnceCallback callback) {
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]196 if (have_read_error_)
[email protected]11410f72013-05-09 21:51:27[diff] [blame]197 return pending_read_error_;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]198 return transport_->Read(buf, buf_len, std::move(callback));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]199}
200
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]201int SynchronousErrorStreamSocket::ReadIfReady(IOBuffer* buf,
202 int buf_len,
203 CompletionOnceCallback callback) {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]204 if (have_read_error_)
205 return pending_read_error_;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]206 return transport_->ReadIfReady(buf, buf_len, std::move(callback));
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]207}
208
[email protected]a2b2cfc2017-12-06 09:06:08[diff] [blame]209int SynchronousErrorStreamSocket::Write(
210 IOBuffer* buf,
211 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]212 CompletionOnceCallback callback,
[email protected]a2b2cfc2017-12-06 09:06:08[diff] [blame]213 const NetworkTrafficAnnotationTag& traffic_annotation) {
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]214 if (have_write_error_)
[email protected]11410f72013-05-09 21:51:27[diff] [blame]215 return pending_write_error_;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]216 return transport_->Write(buf, buf_len, std::move(callback),
217 traffic_annotation);
[email protected]11410f72013-05-09 21:51:27[diff] [blame]218}
219
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]220// FakeBlockingStreamSocket wraps an existing StreamSocket and simulates the
221// underlying transport needing to complete things asynchronously in a
222// deterministic manner (e.g.: independent of the TestServer and the OS's
223// semantics).
224class FakeBlockingStreamSocket : public WrappedStreamSocket {
225 public:
davidbenfe132d92016-09-27 18:07:21[diff] [blame]226 explicit FakeBlockingStreamSocket(std::unique_ptr<StreamSocket> transport)
227 : WrappedStreamSocket(std::move(transport)) {}
Chris Watkins7a41d3552017-12-01 02:13:27[diff] [blame]228 ~FakeBlockingStreamSocket() override = default;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]229
230 // Socket implementation:
dchengb03027d2014-10-21 12:00:20[diff] [blame]231 int Read(IOBuffer* buf,
232 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]233 CompletionOnceCallback callback) override;
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]234 int ReadIfReady(IOBuffer* buf,
235 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]236 CompletionOnceCallback callback) override;
David Benjamine992af92021-03-11 20:27:46[diff] [blame]237 int CancelReadIfReady() override;
dchengb03027d2014-10-21 12:00:20[diff] [blame]238 int Write(IOBuffer* buf,
239 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]240 CompletionOnceCallback callback,
[email protected]578968d42017-12-13 15:39:32[diff] [blame]241 const NetworkTrafficAnnotationTag& traffic_annotation) override;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]242
davidbendafe4e52015-04-08 22:53:52[diff] [blame]243 int pending_read_result() const { return pending_read_result_; }
244 IOBuffer* pending_read_buf() const { return pending_read_buf_.get(); }
245
[email protected]173ef472014-04-16 23:58:20[diff] [blame]246 // Blocks read results on the socket. Reads will not complete until
247 // UnblockReadResult() has been called and a result is ready from the
248 // underlying transport. Note: if BlockReadResult() is called while there is a
249 // hanging asynchronous Read(), that Read is blocked.
250 void BlockReadResult();
251 void UnblockReadResult();
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]252
davidbenfe132d92016-09-27 18:07:21[diff] [blame]253 // Replaces the pending read with |data|. Returns true on success or false if
254 // the caller's reads were too small.
255 bool ReplaceReadResult(const std::string& data);
256
[email protected]173ef472014-04-16 23:58:20[diff] [blame]257 // Waits for the blocked Read() call to be complete at the underlying
258 // transport.
259 void WaitForReadResult();
260
261 // Causes the next call to Write() to return ERR_IO_PENDING, not beginning the
262 // underlying transport until UnblockWrite() has been called. Note: if there
263 // is a pending asynchronous write, it is NOT blocked. For purposes of
264 // blocking writes, data is considered to have reached the underlying
265 // transport as soon as Write() is called.
266 void BlockWrite();
267 void UnblockWrite();
268
269 // Waits for the blocked Write() call to be scheduled.
270 void WaitForWrite();
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]271
272 private:
[email protected]173ef472014-04-16 23:58:20[diff] [blame]273 // Handles completion from the underlying transport read.
274 void OnReadCompleted(int result);
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]275
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]276 // Handles async completion of ReadIfReady().
277 void CompleteReadIfReady(scoped_refptr<IOBuffer> buffer, int rv);
278
davidbenfe132d92016-09-27 18:07:21[diff] [blame]279 // Finishes the current read.
280 void ReturnReadResult();
281
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]282 // Callback for writes.
283 void CallPendingWriteCallback(int result);
284
[email protected]173ef472014-04-16 23:58:20[diff] [blame]285 // True if read callbacks are blocked.
davidbenfe132d92016-09-27 18:07:21[diff] [blame]286 bool should_block_read_ = false;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]287
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]288 // Used to buffer result returned by a completed ReadIfReady().
289 std::string read_if_ready_buf_;
290
291 // Non-null if there is a pending ReadIfReady().
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]292 CompletionOnceCallback read_if_ready_callback_;
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]293
davidbendafe4e52015-04-08 22:53:52[diff] [blame]294 // The buffer for the pending read, or NULL if not consumed.
295 scoped_refptr<IOBuffer> pending_read_buf_;
296
davidbenfe132d92016-09-27 18:07:21[diff] [blame]297 // The size of the pending read buffer, or -1 if not set.
298 int pending_read_buf_len_ = -1;
299
[email protected]173ef472014-04-16 23:58:20[diff] [blame]300 // The user callback for the pending read call.
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]301 CompletionOnceCallback pending_read_callback_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]302
[email protected]173ef472014-04-16 23:58:20[diff] [blame]303 // The result for the blocked read callback, or ERR_IO_PENDING if not
304 // completed.
davidbenfe132d92016-09-27 18:07:21[diff] [blame]305 int pending_read_result_ = ERR_IO_PENDING;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]306
[email protected]173ef472014-04-16 23:58:20[diff] [blame]307 // WaitForReadResult() wait loop.
danakj655b66c2016-04-16 00:51:38[diff] [blame]308 std::unique_ptr<base::RunLoop> read_loop_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]309
[email protected]173ef472014-04-16 23:58:20[diff] [blame]310 // True if write calls are blocked.
davidbenfe132d92016-09-27 18:07:21[diff] [blame]311 bool should_block_write_ = false;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]312
[email protected]173ef472014-04-16 23:58:20[diff] [blame]313 // The buffer for the pending write, or NULL if not scheduled.
314 scoped_refptr<IOBuffer> pending_write_buf_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]315
[email protected]173ef472014-04-16 23:58:20[diff] [blame]316 // The callback for the pending write call.
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]317 CompletionOnceCallback pending_write_callback_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]318
[email protected]173ef472014-04-16 23:58:20[diff] [blame]319 // The length for the pending write, or -1 if not scheduled.
davidbenfe132d92016-09-27 18:07:21[diff] [blame]320 int pending_write_len_ = -1;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]321
322 // WaitForWrite() wait loop.
danakj655b66c2016-04-16 00:51:38[diff] [blame]323 std::unique_ptr<base::RunLoop> write_loop_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]324};
325
[email protected]173ef472014-04-16 23:58:20[diff] [blame]326int FakeBlockingStreamSocket::Read(IOBuffer* buf,
327 int len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]328 CompletionOnceCallback callback) {
davidbendafe4e52015-04-08 22:53:52[diff] [blame]329 DCHECK(!pending_read_buf_);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]330 DCHECK(pending_read_callback_.is_null());
331 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
332 DCHECK(!callback.is_null());
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]333
Yannic Bonenbergercc716d42019-09-04 17:05:36[diff] [blame]334 int rv = transport_->Read(
335 buf, len,
336 base::BindOnce(&FakeBlockingStreamSocket::OnReadCompleted,
337 base::Unretained(this)));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]338 if (rv == ERR_IO_PENDING || should_block_read_) {
[email protected]173ef472014-04-16 23:58:20[diff] [blame]339 // Save the callback to be called later.
davidbendafe4e52015-04-08 22:53:52[diff] [blame]340 pending_read_buf_ = buf;
davidbenfe132d92016-09-27 18:07:21[diff] [blame]341 pending_read_buf_len_ = len;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]342 pending_read_callback_ = std::move(callback);
davidbenfe132d92016-09-27 18:07:21[diff] [blame]343 // Save the read result.
344 if (rv != ERR_IO_PENDING) {
345 OnReadCompleted(rv);
346 rv = ERR_IO_PENDING;
347 }
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]348 }
[email protected]4be80fa2014-04-12 20:44:39[diff] [blame]349 return rv;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]350}
351
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]352int FakeBlockingStreamSocket::ReadIfReady(IOBuffer* buf,
353 int len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]354 CompletionOnceCallback callback) {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]355 if (!read_if_ready_buf_.empty()) {
356 // If ReadIfReady() is used, asynchronous reads with a large enough buffer
357 // and no BlockReadResult() are supported by this class. Explicitly check
358 // that |should_block_read_| doesn't apply and |len| is greater than the
359 // size of the buffered data.
360 CHECK(!should_block_read_);
361 CHECK_GE(len, static_cast<int>(read_if_ready_buf_.size()));
362 int rv = read_if_ready_buf_.size();
363 memcpy(buf->data(), read_if_ready_buf_.data(), rv);
364 read_if_ready_buf_.clear();
365 return rv;
366 }
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]367 scoped_refptr<IOBuffer> buf_copy = base::MakeRefCounted<IOBuffer>(len);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]368 int rv = Read(buf_copy.get(), len,
Yannic Bonenbergercc716d42019-09-04 17:05:36[diff] [blame]369 base::BindOnce(&FakeBlockingStreamSocket::CompleteReadIfReady,
370 base::Unretained(this), buf_copy));
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]371 if (rv > 0)
372 memcpy(buf->data(), buf_copy->data(), rv);
373 if (rv == ERR_IO_PENDING)
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]374 read_if_ready_callback_ = std::move(callback);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]375 return rv;
376}
377
David Benjamine992af92021-03-11 20:27:46[diff] [blame]378int FakeBlockingStreamSocket::CancelReadIfReady() {
379 DCHECK(!read_if_ready_callback_.is_null());
380 read_if_ready_callback_.Reset();
381 return OK;
382}
383
[email protected]a2b2cfc2017-12-06 09:06:08[diff] [blame]384int FakeBlockingStreamSocket::Write(
385 IOBuffer* buf,
386 int len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]387 CompletionOnceCallback callback,
[email protected]a2b2cfc2017-12-06 09:06:08[diff] [blame]388 const NetworkTrafficAnnotationTag& traffic_annotation) {
[email protected]173ef472014-04-16 23:58:20[diff] [blame]389 DCHECK(buf);
390 DCHECK_LE(0, len);
391
392 if (!should_block_write_)
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]393 return transport_->Write(buf, len, std::move(callback), traffic_annotation);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]394
395 // Schedule the write, but do nothing.
dcheng08ea2af02014-08-25 23:38:09[diff] [blame]396 DCHECK(!pending_write_buf_.get());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]397 DCHECK_EQ(-1, pending_write_len_);
398 DCHECK(pending_write_callback_.is_null());
399 DCHECK(!callback.is_null());
400 pending_write_buf_ = buf;
401 pending_write_len_ = len;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]402 pending_write_callback_ = std::move(callback);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]403
404 // Stop the write loop, if any.
405 if (write_loop_)
406 write_loop_->Quit();
407 return ERR_IO_PENDING;
408}
409
410void FakeBlockingStreamSocket::BlockReadResult() {
411 DCHECK(!should_block_read_);
412 should_block_read_ = true;
413}
414
415void FakeBlockingStreamSocket::UnblockReadResult() {
416 DCHECK(should_block_read_);
417 should_block_read_ = false;
418
davidbenfe132d92016-09-27 18:07:21[diff] [blame]419 // If the operation has since completed, return the result to the caller.
420 if (pending_read_result_ != ERR_IO_PENDING)
421 ReturnReadResult();
422}
423
424bool FakeBlockingStreamSocket::ReplaceReadResult(const std::string& data) {
425 DCHECK(should_block_read_);
426 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
427 DCHECK(pending_read_buf_);
428 DCHECK_NE(-1, pending_read_buf_len_);
429
430 if (static_cast<size_t>(pending_read_buf_len_) < data.size())
431 return false;
432
433 memcpy(pending_read_buf_->data(), data.data(), data.size());
434 pending_read_result_ = data.size();
435 return true;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]436}
437
438void FakeBlockingStreamSocket::WaitForReadResult() {
439 DCHECK(should_block_read_);
440 DCHECK(!read_loop_);
441
442 if (pending_read_result_ != ERR_IO_PENDING)
443 return;
Peter Boström8a7540692021-04-05 20:48:20[diff] [blame]444 read_loop_ = std::make_unique<base::RunLoop>();
[email protected]173ef472014-04-16 23:58:20[diff] [blame]445 read_loop_->Run();
446 read_loop_.reset();
447 DCHECK_NE(ERR_IO_PENDING, pending_read_result_);
448}
449
450void FakeBlockingStreamSocket::BlockWrite() {
451 DCHECK(!should_block_write_);
452 should_block_write_ = true;
453}
454
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]455void FakeBlockingStreamSocket::CallPendingWriteCallback(int rv) {
456 std::move(pending_write_callback_).Run(rv);
457}
458
[email protected]173ef472014-04-16 23:58:20[diff] [blame]459void FakeBlockingStreamSocket::UnblockWrite() {
460 DCHECK(should_block_write_);
461 should_block_write_ = false;
462
463 // Do nothing if UnblockWrite() was called after BlockWrite(),
464 // without a Write() in between.
dcheng08ea2af02014-08-25 23:38:09[diff] [blame]465 if (!pending_write_buf_.get())
[email protected]173ef472014-04-16 23:58:20[diff] [blame]466 return;
467
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]468 int rv = transport_->Write(
469 pending_write_buf_.get(), pending_write_len_,
470 base::BindOnce(&FakeBlockingStreamSocket::CallPendingWriteCallback,
471 base::Unretained(this)),
472 TRAFFIC_ANNOTATION_FOR_TESTS);
473
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]474 pending_write_buf_ = nullptr;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]475 pending_write_len_ = -1;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]476 if (rv != ERR_IO_PENDING) {
477 std::move(pending_write_callback_).Run(rv);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]478 }
479}
480
481void FakeBlockingStreamSocket::WaitForWrite() {
482 DCHECK(should_block_write_);
483 DCHECK(!write_loop_);
484
dcheng08ea2af02014-08-25 23:38:09[diff] [blame]485 if (pending_write_buf_.get())
[email protected]173ef472014-04-16 23:58:20[diff] [blame]486 return;
Peter Boström8a7540692021-04-05 20:48:20[diff] [blame]487 write_loop_ = std::make_unique<base::RunLoop>();
[email protected]173ef472014-04-16 23:58:20[diff] [blame]488 write_loop_->Run();
489 write_loop_.reset();
dcheng08ea2af02014-08-25 23:38:09[diff] [blame]490 DCHECK(pending_write_buf_.get());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]491}
492
493void FakeBlockingStreamSocket::OnReadCompleted(int result) {
494 DCHECK_EQ(ERR_IO_PENDING, pending_read_result_);
495 DCHECK(!pending_read_callback_.is_null());
496
davidbenfe132d92016-09-27 18:07:21[diff] [blame]497 pending_read_result_ = result;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]498
davidbenfe132d92016-09-27 18:07:21[diff] [blame]499 if (should_block_read_) {
500 // Defer the result until UnblockReadResult is called.
[email protected]173ef472014-04-16 23:58:20[diff] [blame]501 if (read_loop_)
502 read_loop_->Quit();
davidbenfe132d92016-09-27 18:07:21[diff] [blame]503 return;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]504 }
davidbenfe132d92016-09-27 18:07:21[diff] [blame]505
506 ReturnReadResult();
507}
508
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]509void FakeBlockingStreamSocket::CompleteReadIfReady(scoped_refptr<IOBuffer> buf,
510 int rv) {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]511 DCHECK(read_if_ready_buf_.empty());
512 DCHECK(!should_block_read_);
513 if (rv > 0)
514 read_if_ready_buf_ = std::string(buf->data(), buf->data() + rv);
David Benjamine992af92021-03-11 20:27:46[diff] [blame]515 // The callback may be null if CancelReadIfReady() was called.
516 if (!read_if_ready_callback_.is_null())
517 std::move(read_if_ready_callback_).Run(rv > 0 ? OK : rv);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]518}
519
davidbenfe132d92016-09-27 18:07:21[diff] [blame]520void FakeBlockingStreamSocket::ReturnReadResult() {
521 int result = pending_read_result_;
522 pending_read_result_ = ERR_IO_PENDING;
523 pending_read_buf_ = nullptr;
524 pending_read_buf_len_ = -1;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]525 std::move(pending_read_callback_).Run(result);
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]526}
527
[email protected]33d664952014-06-18 10:22:16[diff] [blame]528// CountingStreamSocket wraps an existing StreamSocket and maintains a count of
529// reads and writes on the socket.
530class CountingStreamSocket : public WrappedStreamSocket {
531 public:
danakj655b66c2016-04-16 00:51:38[diff] [blame]532 explicit CountingStreamSocket(std::unique_ptr<StreamSocket> transport)
Tsuyoshi Horo2ec06e002022-06-09 01:38:59[diff] [blame]533 : WrappedStreamSocket(std::move(transport)) {}
Chris Watkins7a41d3552017-12-01 02:13:27[diff] [blame]534 ~CountingStreamSocket() override = default;
[email protected]33d664952014-06-18 10:22:16[diff] [blame]535
536 // Socket implementation:
dchengb03027d2014-10-21 12:00:20[diff] [blame]537 int Read(IOBuffer* buf,
538 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]539 CompletionOnceCallback callback) override {
[email protected]33d664952014-06-18 10:22:16[diff] [blame]540 read_count_++;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]541 return transport_->Read(buf, buf_len, std::move(callback));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]542 }
dchengb03027d2014-10-21 12:00:20[diff] [blame]543 int Write(IOBuffer* buf,
544 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]545 CompletionOnceCallback callback,
[email protected]a2b2cfc2017-12-06 09:06:08[diff] [blame]546 const NetworkTrafficAnnotationTag& traffic_annotation) override {
[email protected]33d664952014-06-18 10:22:16[diff] [blame]547 write_count_++;
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]548 return transport_->Write(buf, buf_len, std::move(callback),
549 traffic_annotation);
[email protected]33d664952014-06-18 10:22:16[diff] [blame]550 }
551
552 int read_count() const { return read_count_; }
553 int write_count() const { return write_count_; }
554
555 private:
Tsuyoshi Horo2ec06e002022-06-09 01:38:59[diff] [blame]556 int read_count_ = 0;
557 int write_count_ = 0;
[email protected]33d664952014-06-18 10:22:16[diff] [blame]558};
559
Bence Béky8ddc2492018-06-13 01:02:04[diff] [blame]560// A helper class that will delete |socket| when the callback is invoked.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]561class DeleteSocketCallback : public TestCompletionCallbackBase {
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]562 public:
Bence Béky8ddc2492018-06-13 01:02:04[diff] [blame]563 explicit DeleteSocketCallback(StreamSocket* socket) : socket_(socket) {}
Peter Boström293b1342021-09-22 17:31:43[diff] [blame]564
565 DeleteSocketCallback(const DeleteSocketCallback&) = delete;
566 DeleteSocketCallback& operator=(const DeleteSocketCallback&) = delete;
567
Chris Watkins7a41d3552017-12-01 02:13:27[diff] [blame]568 ~DeleteSocketCallback() override = default;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]569
Bence Béky8ddc2492018-06-13 01:02:04[diff] [blame]570 CompletionOnceCallback callback() {
571 return base::BindOnce(&DeleteSocketCallback::OnComplete,
572 base::Unretained(this));
573 }
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]574
575 private:
576 void OnComplete(int result) {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]577 if (socket_) {
578 delete socket_;
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]579 socket_ = nullptr;
[email protected]789aca52013-08-14 06:40:10[diff] [blame]580 } else {
581 ADD_FAILURE() << "Deleting socket twice";
582 }
583 SetResult(result);
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]584 }
585
Keishi Hattori0e45c022021-11-27 09:25:52[diff] [blame]586 raw_ptr<StreamSocket> socket_;
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]587};
588
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]589// A mock CTVerifier that records every call to Verify but doesn't verify
590// anything.
591class MockCTVerifier : public CTVerifier {
592 public:
Rob Percivalbc658a22017-12-13 08:24:42[diff] [blame]593 MOCK_METHOD6(Verify,
594 void(base::StringPiece,
595 X509Certificate*,
rsleevi22cae1672016-12-28 01:53:36[diff] [blame]596 base::StringPiece,
597 base::StringPiece,
598 SignedCertificateTimestampAndStatusList*,
599 const NetLogWithSource&));
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]600};
601
estark6f9b3d82016-01-12 21:37:05[diff] [blame]602// A mock CTPolicyEnforcer that returns a custom verification result.
603class MockCTPolicyEnforcer : public CTPolicyEnforcer {
eranm0d92230e2015-12-16 20:59:04[diff] [blame]604 public:
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]605 MOCK_METHOD3(CheckCompliance,
606 ct::CTPolicyCompliance(X509Certificate* cert,
607 const ct::SCTList&,
608 const NetLogWithSource&));
eranm0d92230e2015-12-16 20:59:04[diff] [blame]609};
610
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]611class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
612 public:
Ryan Sleevi3dabe0b2018-04-05 03:59:01[diff] [blame]613 MOCK_METHOD3(IsCTRequiredForHost,
614 CTRequirementLevel(const std::string& host,
615 const X509Certificate* chain,
616 const HashValueVector& hashes));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]617};
618
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]619class MockSCTAuditingDelegate : public SCTAuditingDelegate {
620 public:
621 MOCK_METHOD(bool, IsSCTAuditingEnabled, ());
622 MOCK_METHOD(void,
623 MaybeEnqueueReport,
624 (const net::HostPortPair&,
625 const net::X509Certificate*,
626 const net::SignedCertificateTimestampAndStatusList&));
627};
628
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]629class ManySmallRecordsHttpResponse : public test_server::HttpResponse {
630 public:
631 static std::unique_ptr<test_server::HttpResponse> HandleRequest(
632 const test_server::HttpRequest& request) {
633 if (request.relative_url != "/ssl-many-small-records") {
634 return nullptr;
635 }
636
637 // Write ~26K of data, in 1350 byte chunks
638 return std::make_unique<ManySmallRecordsHttpResponse>(/*chunk_size=*/1350,
639 /*chunk_count=*/20);
640 }
641
642 ManySmallRecordsHttpResponse(size_t chunk_size, size_t chunk_count)
643 : chunk_size_(chunk_size), chunk_count_(chunk_count) {}
644
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]645 void SendResponse(
646 base::WeakPtr<test_server::HttpResponseDelegate> delegate) override {
647 base::StringPairs headers = {
648 {"Connection", "close"},
649 {"Content-Length", base::NumberToString(chunk_size_ * chunk_count_)},
650 {"Content-Type", "text/plain"}};
651 delegate->SendResponseHeaders(HTTP_OK, "OK", headers);
652 SendChunks(chunk_size_, chunk_count_, delegate);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]653 }
654
655 private:
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]656 static void SendChunks(
657 size_t chunk_size,
658 size_t chunk_count,
659 base::WeakPtr<test_server::HttpResponseDelegate> delegate) {
660 if (!delegate)
661 return;
662
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]663 if (chunk_count == 0) {
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]664 delegate->FinishResponse();
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]665 return;
666 }
667
668 std::string chunk(chunk_size, '*');
669 // This assumes that splitting output into separate |send| calls will
670 // produce separate TLS records.
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]671 delegate->SendContents(chunk, base::BindOnce(&SendChunks, chunk_size,
672 chunk_count - 1, delegate));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]673 }
674
675 size_t chunk_size_;
676 size_t chunk_count_;
677};
678
Gabriel Charette694c3c332019-08-19 14:53:05[diff] [blame]679class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
[email protected]aaead502008-10-15 00:20:11[diff] [blame]680 public:
681 SSLClientSocketTest()
[email protected]789aca52013-08-14 06:40:10[diff] [blame]682 : socket_factory_(ClientSocketFactory::GetDefaultFactory()),
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]683 ssl_config_service_(
684 std::make_unique<TestSSLConfigService>(SSLContextConfig())),
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]685 cert_verifier_(std::make_unique<MockCertVerifier>()),
686 transport_security_state_(std::make_unique<TransportSecurityState>()),
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]687 ct_policy_enforcer_(std::make_unique<MockCTPolicyEnforcer>()),
688 ssl_client_session_cache_(std::make_unique<SSLClientSessionCache>(
689 SSLClientSessionCache::Config())),
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]690 context_(
691 std::make_unique<SSLClientContext>(ssl_config_service_.get(),
692 cert_verifier_.get(),
693 transport_security_state_.get(),
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]694 ct_policy_enforcer_.get(),
695 ssl_client_session_cache_.get(),
696 nullptr)) {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]697 cert_verifier_->set_default_result(OK);
Matt Muellerd6b136682019-08-21 20:58:15[diff] [blame]698 cert_verifier_->set_async(true);
rsleevid6de8302016-06-21 01:33:20[diff] [blame]699
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]700 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
rsleevid6de8302016-06-21 01:33:20[diff] [blame]701 .WillRepeatedly(
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]702 Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]703 }
704
[email protected]aaead502008-10-15 00:20:11[diff] [blame]705 protected:
David Benjamin778627292021-11-17 19:29:20[diff] [blame]706 // The address of the test server, after calling StartEmbeddedTestServer().
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]707 const AddressList& addr() const { return addr_; }
708
David Benjamin778627292021-11-17 19:29:20[diff] [blame]709 // The hostname of the test server, after calling StartEmbeddedTestServer().
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]710 const HostPortPair& host_port_pair() const { return host_port_pair_; }
711
712 // The EmbeddedTestServer object, after calling StartEmbeddedTestServer().
713 EmbeddedTestServer* embedded_test_server() {
714 return embedded_test_server_.get();
715 }
716
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]717 // Starts the embedded test server with the specified parameters. Returns true
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]718 // on success.
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]719 bool StartEmbeddedTestServer(EmbeddedTestServer::ServerCertificate cert,
720 const SSLServerConfig& server_config) {
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]721 embedded_test_server_ =
722 std::make_unique<EmbeddedTestServer>(EmbeddedTestServer::TYPE_HTTPS);
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]723 embedded_test_server_->SetSSLConfig(cert, server_config);
Matt Muellerf566f0e52020-05-06 00:52:25[diff] [blame]724 return FinishStartingEmbeddedTestServer();
725 }
726
727 // Starts the embedded test server with the specified parameters. Returns true
728 // on success.
729 bool StartEmbeddedTestServer(
730 const EmbeddedTestServer::ServerCertificateConfig& cert_config,
731 const SSLServerConfig& server_config) {
Matt Muellerf566f0e52020-05-06 00:52:25[diff] [blame]732 embedded_test_server_ =
733 std::make_unique<EmbeddedTestServer>(EmbeddedTestServer::TYPE_HTTPS);
734 embedded_test_server_->SetSSLConfig(cert_config, server_config);
735 return FinishStartingEmbeddedTestServer();
736 }
737
738 bool FinishStartingEmbeddedTestServer() {
739 RegisterEmbeddedTestServerHandlers(embedded_test_server_.get());
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]740 if (!embedded_test_server_->Start()) {
741 LOG(ERROR) << "Could not start EmbeddedTestServer";
742 return false;
743 }
744
745 if (!embedded_test_server_->GetAddressList(&addr_)) {
746 LOG(ERROR) << "Could not get EmbeddedTestServer address list";
747 return false;
748 }
749 host_port_pair_ = embedded_test_server_->host_port_pair();
750 return true;
751 }
752
753 // May be overridden by the subclass to customize the EmbeddedTestServer.
754 virtual void RegisterEmbeddedTestServerHandlers(EmbeddedTestServer* server) {
755 server->AddDefaultHandlers(base::FilePath());
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]756 server->RegisterRequestHandler(
757 base::BindRepeating(&ManySmallRecordsHttpResponse::HandleRequest));
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]758 server->RegisterRequestHandler(
759 base::BindRepeating(&HandleSSLInfoRequest, base::Unretained(this)));
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]760 }
761
danakj655b66c2016-04-16 00:51:38[diff] [blame]762 std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
763 std::unique_ptr<StreamSocket> transport_socket,
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]764 const HostPortPair& host_and_port,
765 const SSLConfig& ssl_config) {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]766 return socket_factory_->CreateSSLClientSocket(
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]767 context_.get(), std::move(transport_socket), host_and_port, ssl_config);
[email protected]822581d2010-12-16 17:27:15[diff] [blame]768 }
769
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]770 // Create an SSLClientSocket object and use it to connect to a test server,
771 // then wait for connection results. This must be called after a successful
David Benjamin778627292021-11-17 19:29:20[diff] [blame]772 // StartEmbeddedTestServer() call.
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]773 //
774 // |ssl_config| The SSL configuration to use.
775 // |host_port_pair| The hostname and port to use at the SSL layer. (The
David Benjamin778627292021-11-17 19:29:20[diff] [blame]776 // socket connection will still be made to |embedded_test_server_|.)
[email protected]df3db7a2014-05-15 16:30:33[diff] [blame]777 // |result| will retrieve the ::Connect() result value.
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]778 //
779 // Returns true on success, false otherwise. Success means that the SSL
780 // socket could be created and its Connect() was called, not that the
781 // connection itself was a success.
782 bool CreateAndConnectSSLClientSocketWithHost(
783 const SSLConfig& ssl_config,
784 const HostPortPair& host_port_pair,
785 int* result) {
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]786 auto transport = std::make_unique<TCPClientSocket>(
787 addr_, nullptr, nullptr, NetLog::Get(), NetLogSource());
davidbenee39de02015-10-16 19:53:18[diff] [blame]788 int rv = callback_.GetResult(transport->Connect(callback_.callback()));
789 if (rv != OK) {
David Benjamin778627292021-11-17 19:29:20[diff] [blame]790 LOG(ERROR) << "Could not connect to test server";
[email protected]df3db7a2014-05-15 16:30:33[diff] [blame]791 return false;
792 }
793
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]794 sock_ =
795 CreateSSLClientSocket(std::move(transport), host_port_pair, ssl_config);
davidbenee39de02015-10-16 19:53:18[diff] [blame]796 EXPECT_FALSE(sock_->IsConnected());
797
[email protected]df3db7a2014-05-15 16:30:33[diff] [blame]798 *result = callback_.GetResult(sock_->Connect(callback_.callback()));
799 return true;
800 }
801
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]802 bool CreateAndConnectSSLClientSocket(const SSLConfig& ssl_config,
803 int* result) {
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]804 return CreateAndConnectSSLClientSocketWithHost(ssl_config, host_port_pair(),
805 result);
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]806 }
807
eranm0d92230e2015-12-16 20:59:04[diff] [blame]808 // Adds the server certificate with provided cert status.
David Benjamin50c88f92021-11-16 23:26:09[diff] [blame]809 // Must be called after StartEmbeddedTestServer has been called.
eranm0d92230e2015-12-16 20:59:04[diff] [blame]810 void AddServerCertStatusToSSLConfig(CertStatus status,
811 SSLConfig* ssl_config) {
David Benjamin50c88f92021-11-16 23:26:09[diff] [blame]812 ASSERT_TRUE(embedded_test_server());
813 scoped_refptr<X509Certificate> server_cert =
814 embedded_test_server()->GetCertificate();
eranm0d92230e2015-12-16 20:59:04[diff] [blame]815 CertVerifyResult verify_result;
816 verify_result.cert_status = status;
817 verify_result.verified_cert = server_cert;
818 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
819 }
820
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]821 absl::optional<SSLInfo> LastSSLInfoFromServer() {
822 // EmbeddedTestServer callbacks run on another thread, so protect this
823 // with a lock.
824 base::AutoLock lock(server_ssl_info_lock_);
825 auto result = server_ssl_info_;
826 server_ssl_info_ = absl::nullopt;
827 return result;
828 }
829
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]830 RecordingNetLogObserver log_observer_;
Keishi Hattori0e45c022021-11-27 09:25:52[diff] [blame]831 raw_ptr<ClientSocketFactory> socket_factory_;
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]832 std::unique_ptr<TestSSLConfigService> ssl_config_service_;
danakj655b66c2016-04-16 00:51:38[diff] [blame]833 std::unique_ptr<MockCertVerifier> cert_verifier_;
834 std::unique_ptr<TransportSecurityState> transport_security_state_;
rsleevid6de8302016-06-21 01:33:20[diff] [blame]835 std::unique_ptr<MockCTPolicyEnforcer> ct_policy_enforcer_;
Daniel McArdle3a663d62019-01-31 00:48:47[diff] [blame]836 std::unique_ptr<SSLClientSessionCache> ssl_client_session_cache_;
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]837 std::unique_ptr<SSLClientContext> context_;
danakj655b66c2016-04-16 00:51:38[diff] [blame]838 std::unique_ptr<SSLClientSocket> sock_;
[email protected]df3db7a2014-05-15 16:30:33[diff] [blame]839
840 private:
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]841 static std::unique_ptr<test_server::HttpResponse> HandleSSLInfoRequest(
842 SSLClientSocketTest* test,
843 const test_server::HttpRequest& request) {
844 if (request.relative_url != "/ssl-info") {
845 return nullptr;
846 }
847 {
848 // EmbeddedTestServer callbacks run on another thread, so protect this
849 // with a lock.
850 base::AutoLock lock(test->server_ssl_info_lock_);
851 test->server_ssl_info_ = request.ssl_info;
852 }
853 return std::make_unique<test_server::BasicHttpResponse>();
854 }
855
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]856 std::unique_ptr<EmbeddedTestServer> embedded_test_server_;
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]857 base::Lock server_ssl_info_lock_;
858 absl::optional<SSLInfo> server_ssl_info_ GUARDED_BY(server_ssl_info_lock_);
[email protected]df3db7a2014-05-15 16:30:33[diff] [blame]859 TestCompletionCallback callback_;
860 AddressList addr_;
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]861 HostPortPair host_port_pair_;
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]862};
863
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]864enum ReadIfReadyTransport {
865 // ReadIfReady() is implemented by the underlying transport.
866 READ_IF_READY_SUPPORTED,
867 // ReadIfReady() is not implemented by the underlying transport.
868 READ_IF_READY_NOT_SUPPORTED,
869};
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]870
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]871enum ReadIfReadySSL {
872 // Test reads by calling ReadIfReady() on the SSL socket.
873 TEST_SSL_READ_IF_READY,
874 // Test reads by calling Read() on the SSL socket.
875 TEST_SSL_READ,
876};
877
878class StreamSocketWithoutReadIfReady : public WrappedStreamSocket {
879 public:
880 explicit StreamSocketWithoutReadIfReady(
881 std::unique_ptr<StreamSocket> transport)
882 : WrappedStreamSocket(std::move(transport)) {}
883
884 int ReadIfReady(IOBuffer* buf,
885 int buf_len,
886 CompletionOnceCallback callback) override {
887 return ERR_READ_IF_READY_NOT_IMPLEMENTED;
888 }
889
890 int CancelReadIfReady() override { return ERR_READ_IF_READY_NOT_IMPLEMENTED; }
891};
892
893class ClientSocketFactoryWithoutReadIfReady : public ClientSocketFactory {
894 public:
895 explicit ClientSocketFactoryWithoutReadIfReady(ClientSocketFactory* factory)
896 : factory_(factory) {}
897
898 std::unique_ptr<DatagramClientSocket> CreateDatagramClientSocket(
899 DatagramSocket::BindType bind_type,
900 NetLog* net_log,
901 const NetLogSource& source) override {
902 return factory_->CreateDatagramClientSocket(bind_type, net_log, source);
903 }
904
905 std::unique_ptr<TransportClientSocket> CreateTransportClientSocket(
906 const AddressList& addresses,
907 std::unique_ptr<SocketPerformanceWatcher> socket_performance_watcher,
Eric Roman2bc77162020-09-16 18:30:45[diff] [blame]908 NetworkQualityEstimator* network_quality_estimator,
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]909 NetLog* net_log,
910 const NetLogSource& source) override {
911 return factory_->CreateTransportClientSocket(
Eric Roman2bc77162020-09-16 18:30:45[diff] [blame]912 addresses, std::move(socket_performance_watcher),
913 network_quality_estimator, net_log, source);
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]914 }
915
916 std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]917 SSLClientContext* context,
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]918 std::unique_ptr<StreamSocket> stream_socket,
919 const HostPortPair& host_and_port,
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]920 const SSLConfig& ssl_config) override {
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]921 stream_socket = std::make_unique<StreamSocketWithoutReadIfReady>(
922 std::move(stream_socket));
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]923 return factory_->CreateSSLClientSocket(context, std::move(stream_socket),
924 host_and_port, ssl_config);
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]925 }
926
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]927 private:
Keishi Hattori0e45c022021-11-27 09:25:52[diff] [blame]928 const raw_ptr<ClientSocketFactory> factory_;
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]929};
930
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]931std::vector<uint16_t> GetTLSVersions() {
Chris Thompsond708d342021-11-22 21:42:27[diff] [blame]932 return {SSL_PROTOCOL_VERSION_TLS1_2, SSL_PROTOCOL_VERSION_TLS1_3};
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]933}
934
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]935class SSLClientSocketVersionTest
936 : public SSLClientSocketTest,
937 public ::testing::WithParamInterface<uint16_t> {
938 protected:
Chris Thompsond708d342021-11-22 21:42:27[diff] [blame]939 SSLClientSocketVersionTest() = default;
Chris Thompsone3c3a3b02020-12-17 23:20:40[diff] [blame]940
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]941 uint16_t version() const { return GetParam(); }
942
943 SSLServerConfig GetServerConfig() {
944 SSLServerConfig config;
945 config.version_max = version();
946 config.version_min = version();
947 return config;
948 }
949};
950
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]951// If GetParam(), try ReadIfReady() and fall back to Read() if needed.
952class SSLClientSocketReadTest
953 : public SSLClientSocketTest,
954 public ::testing::WithParamInterface<
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]955 std::tuple<ReadIfReadyTransport, ReadIfReadySSL, uint16_t>> {
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]956 protected:
957 SSLClientSocketReadTest() : SSLClientSocketTest() {
958 if (!read_if_ready_supported()) {
959 wrapped_socket_factory_ =
960 std::make_unique<ClientSocketFactoryWithoutReadIfReady>(
961 socket_factory_);
962 socket_factory_ = wrapped_socket_factory_.get();
Helen Li382bad5a2017-09-11 21:19:53[diff] [blame]963 }
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]964 }
965
966 // Convienient wrapper to call Read()/ReadIfReady() depending on whether
967 // ReadyIfReady() is enabled.
968 int Read(StreamSocket* socket,
969 IOBuffer* buf,
970 int buf_len,
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]971 CompletionOnceCallback callback) {
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]972 if (test_ssl_read_if_ready())
Brad Lassey3a814172018-04-26 03:30:21[diff] [blame]973 return socket->ReadIfReady(buf, buf_len, std::move(callback));
974 return socket->Read(buf, buf_len, std::move(callback));
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]975 }
976
977 // Wait for Read()/ReadIfReady() to complete.
978 int WaitForReadCompletion(StreamSocket* socket,
979 IOBuffer* buf,
980 int buf_len,
981 TestCompletionCallback* callback,
982 int rv) {
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]983 if (!test_ssl_read_if_ready())
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]984 return callback->GetResult(rv);
985 while (rv == ERR_IO_PENDING) {
986 rv = callback->GetResult(rv);
987 if (rv != OK)
988 return rv;
989 rv = socket->ReadIfReady(buf, buf_len, callback->callback());
990 }
991 return rv;
992 }
993
994 // Calls Read()/ReadIfReady() and waits for it to return data.
995 int ReadAndWaitForCompletion(StreamSocket* socket,
996 IOBuffer* buf,
997 int buf_len) {
998 TestCompletionCallback callback;
999 int rv = Read(socket, buf, buf_len, callback.callback());
1000 return WaitForReadCompletion(socket, buf, buf_len, &callback, rv);
1001 }
1002
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1003 SSLServerConfig GetServerConfig() {
1004 SSLServerConfig config;
1005 config.version_max = version();
1006 config.version_min = version();
1007 return config;
1008 }
1009
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]1010 bool test_ssl_read_if_ready() const {
1011 return std::get<1>(GetParam()) == TEST_SSL_READ_IF_READY;
1012 }
1013
1014 bool read_if_ready_supported() const {
1015 return std::get<0>(GetParam()) == READ_IF_READY_SUPPORTED;
1016 }
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1017
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1018 uint16_t version() const { return std::get<2>(GetParam()); }
1019
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1020 private:
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]1021 std::unique_ptr<ClientSocketFactory> wrapped_socket_factory_;
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1022};
1023
Bence Békycc859862021-02-08 17:26:40[diff] [blame]1024INSTANTIATE_TEST_SUITE_P(All,
1025 SSLClientSocketReadTest,
1026 Combine(Values(READ_IF_READY_SUPPORTED,
1027 READ_IF_READY_NOT_SUPPORTED),
1028 Values(TEST_SSL_READ_IF_READY, TEST_SSL_READ),
1029 ValuesIn(GetTLSVersions())));
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1030
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]1031// Verifies the correctness of GetSSLCertRequestInfo.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1032class SSLClientSocketCertRequestInfoTest : public SSLClientSocketVersionTest {
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]1033 protected:
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1034 // Connects to the test server and returns the SSLCertRequestInfo reported by
1035 // the socket.
1036 scoped_refptr<SSLCertRequestInfo> GetCertRequest() {
1037 int rv;
1038 if (!CreateAndConnectSSLClientSocket(SSLConfig(), &rv)) {
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]1039 return nullptr;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1040 }
robpercival214763f2016-07-01 23:27:01[diff] [blame]1041 EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
davidben7c168932015-10-19 19:37:16[diff] [blame]1042
David Benjamin1c4b6d012019-07-08 17:12:57[diff] [blame]1043 auto request_info = base::MakeRefCounted<SSLCertRequestInfo>();
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1044 sock_->GetSSLCertRequestInfo(request_info.get());
1045 sock_->Disconnect();
1046 EXPECT_FALSE(sock_->IsConnected());
1047 EXPECT_TRUE(host_port_pair().Equals(request_info->host_and_port));
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]1048
1049 return request_info;
1050 }
1051};
1052
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1053class SSLClientSocketFalseStartTest : public SSLClientSocketTest {
1054 protected:
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1055 // Creates an SSLClientSocket with |client_config| attached to a
1056 // FakeBlockingStreamSocket, returning both in |*out_raw_transport| and
1057 // |*out_sock|. The FakeBlockingStreamSocket is owned by the SSLClientSocket,
1058 // so |*out_raw_transport| is a raw pointer.
1059 //
1060 // The client socket will begin a connect using |callback| but stop before the
1061 // server's finished message is received. The finished message will be blocked
1062 // in |*out_raw_transport|. To complete the handshake and successfully read
1063 // data, the caller must unblock reads on |*out_raw_transport|. (Note that, if
1064 // the client successfully false started, |callback.WaitForResult()| will
1065 // return OK without unblocking transport reads. But Read() will still block.)
1066 //
David Benjamin50c88f92021-11-16 23:26:09[diff] [blame]1067 // Must be called after StartEmbeddedTestServer is called.
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1068 void CreateAndConnectUntilServerFinishedReceived(
1069 const SSLConfig& client_config,
1070 TestCompletionCallback* callback,
1071 FakeBlockingStreamSocket** out_raw_transport,
danakj655b66c2016-04-16 00:51:38[diff] [blame]1072 std::unique_ptr<SSLClientSocket>* out_sock) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]1073 CHECK(embedded_test_server());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1074
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1075 auto real_transport = std::make_unique<TCPClientSocket>(
1076 addr(), nullptr, nullptr, nullptr, NetLogSource());
1077 auto transport =
1078 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1079 int rv = callback->GetResult(transport->Connect(callback->callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1080 EXPECT_THAT(rv, IsOk());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1081
1082 FakeBlockingStreamSocket* raw_transport = transport.get();
danakj655b66c2016-04-16 00:51:38[diff] [blame]1083 std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]1084 std::move(transport), host_port_pair(), client_config);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1085
1086 // Connect. Stop before the client processes the first server leg
1087 // (ServerHello, etc.)
1088 raw_transport->BlockReadResult();
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1089 rv = sock->Connect(callback->callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]1090 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1091 raw_transport->WaitForReadResult();
1092
1093 // Release the ServerHello and wait for the client to write
1094 // ClientKeyExchange, etc. (A proxy for waiting for the entirety of the
1095 // server's leg to complete, since it may span multiple reads.)
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1096 EXPECT_FALSE(callback->have_result());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1097 raw_transport->BlockWrite();
1098 raw_transport->UnblockReadResult();
1099 raw_transport->WaitForWrite();
1100
1101 // And, finally, release that and block the next server leg
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1102 // (ChangeCipherSpec, Finished).
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1103 raw_transport->BlockReadResult();
1104 raw_transport->UnblockWrite();
1105
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1106 *out_raw_transport = raw_transport;
dchengc7eeda422015-12-26 03:56:48[diff] [blame]1107 *out_sock = std::move(sock);
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1108 }
1109
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]1110 void TestFalseStart(const SSLServerConfig& server_config,
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1111 const SSLConfig& client_config,
1112 bool expect_false_start) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]1113 ASSERT_TRUE(
1114 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1115
1116 TestCompletionCallback callback;
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]1117 FakeBlockingStreamSocket* raw_transport = nullptr;
danakj655b66c2016-04-16 00:51:38[diff] [blame]1118 std::unique_ptr<SSLClientSocket> sock;
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1119 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
1120 client_config, &callback, &raw_transport, &sock));
1121
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1122 if (expect_false_start) {
1123 // When False Starting, the handshake should complete before receiving the
1124 // Change Cipher Spec and Finished messages.
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]1125 //
1126 // Note: callback.have_result() may not be true without waiting. The NSS
1127 // state machine sometimes lives on a separate thread, so this thread may
1128 // not yet have processed the signal that the handshake has completed.
1129 int rv = callback.WaitForResult();
robpercival214763f2016-07-01 23:27:01[diff] [blame]1130 EXPECT_THAT(rv, IsOk());
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1131 EXPECT_TRUE(sock->IsConnected());
1132
1133 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1134 static const int kRequestTextSize =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1135 static_cast<int>(std::size(request_text) - 1);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1136 scoped_refptr<IOBuffer> request_buffer =
1137 base::MakeRefCounted<IOBuffer>(kRequestTextSize);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1138 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1139
1140 // Write the request.
1141 rv = callback.GetResult(sock->Write(request_buffer.get(),
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1142 kRequestTextSize, callback.callback(),
1143 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1144 EXPECT_EQ(kRequestTextSize, rv);
1145
1146 // The read will hang; it's waiting for the peer to complete the
1147 // handshake, and the handshake is still blocked.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1148 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1149 rv = sock->Read(buf.get(), 4096, callback.callback());
1150
1151 // After releasing reads, the connection proceeds.
1152 raw_transport->UnblockReadResult();
1153 rv = callback.GetResult(rv);
rsleevif020edc2015-03-16 19:31:24[diff] [blame]1154 EXPECT_LT(0, rv);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1155 } else {
1156 // False Start is not enabled, so the handshake will not complete because
1157 // the server second leg is blocked.
1158 base::RunLoop().RunUntilIdle();
1159 EXPECT_FALSE(callback.have_result());
1160 }
1161 }
1162};
1163
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]1164// Sends an HTTP request on the socket and reads the response. This may be used
1165// to ensure some data has been consumed from the server.
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]1166int MakeHTTPRequest(StreamSocket* socket, const char* path = "/") {
1167 std::string request = base::StringPrintf("GET %s HTTP/1.0\r\n\r\n", path);
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]1168 TestCompletionCallback callback;
1169 while (!request.empty()) {
1170 auto request_buffer =
Jan Wilken Dörrie14a065b2021-02-12 14:28:32[diff] [blame]1171 base::MakeRefCounted<StringIOBuffer>(std::string(request));
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]1172 int rv = callback.GetResult(
1173 socket->Write(request_buffer.get(), request_buffer->size(),
1174 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
1175 if (rv < 0) {
1176 return rv;
1177 }
1178 request = request.substr(rv);
1179 }
1180
1181 auto response_buffer = base::MakeRefCounted<IOBuffer>(1024);
1182 int rv = callback.GetResult(
1183 socket->Read(response_buffer.get(), 1024, callback.callback()));
1184 if (rv < 0) {
1185 return rv;
1186 }
1187 return OK;
1188}
1189
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1190// Provides a response to the 0RTT request indicating whether it was received
1191// as early data.
1192class ZeroRTTResponse : public test_server::HttpResponse {
1193 public:
Tsuyoshi Horoab268d62022-06-21 04:41:23[diff] [blame]1194 explicit ZeroRTTResponse(bool zero_rtt) : zero_rtt_(zero_rtt) {}
Peter Boström293b1342021-09-22 17:31:43[diff] [blame]1195
1196 ZeroRTTResponse(const ZeroRTTResponse&) = delete;
1197 ZeroRTTResponse& operator=(const ZeroRTTResponse&) = delete;
1198
Tsuyoshi Horo07c3f0e2022-06-16 07:30:47[diff] [blame]1199 ~ZeroRTTResponse() override = default;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1200
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]1201 void SendResponse(
1202 base::WeakPtr<test_server::HttpResponseDelegate> delegate) override {
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1203 std::string response;
1204 if (zero_rtt_) {
1205 response = "1";
1206 } else {
1207 response = "0";
1208 }
1209
1210 // Since the EmbeddedTestServer doesn't keep the socket open by default, it
1211 // is explicitly kept alive to allow the remaining leg of the 0RTT handshake
1212 // to be received after the early data.
Aaron Tagliaboschid4ad7a302021-09-24 19:51:51[diff] [blame]1213 delegate->SendContents(response);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1214 }
1215
1216 private:
1217 bool zero_rtt_;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1218};
1219
1220std::unique_ptr<test_server::HttpResponse> HandleZeroRTTRequest(
1221 const test_server::HttpRequest& request) {
Matt Menke8b99f5a2021-09-27 21:03:06[diff] [blame]1222 if (request.GetURL().path() != "/zerortt" || !request.ssl_info)
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1223 return nullptr;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1224
Matt Menke8b99f5a2021-09-27 21:03:06[diff] [blame]1225 return std::make_unique<ZeroRTTResponse>(
1226 request.ssl_info->early_data_received);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1227}
1228
1229class SSLClientSocketZeroRTTTest : public SSLClientSocketTest {
1230 protected:
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]1231 SSLClientSocketZeroRTTTest() : SSLClientSocketTest() {
1232 SSLContextConfig config;
1233 config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
1234 ssl_config_service_->UpdateSSLConfigAndNotify(config);
1235 }
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1236
1237 bool StartServer() {
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1238 SSLServerConfig server_config;
1239 server_config.early_data_enabled = true;
1240 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]1241 return StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config);
1242 }
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1243
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]1244 void RegisterEmbeddedTestServerHandlers(EmbeddedTestServer* server) override {
1245 SSLClientSocketTest::RegisterEmbeddedTestServerHandlers(server);
1246 server->RegisterRequestHandler(base::BindRepeating(&HandleZeroRTTRequest));
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1247 }
1248
Jeffrey Yasskin55cc2a22019-10-02 18:18:46[diff] [blame]1249 void SetServerConfig(SSLServerConfig server_config) {
1250 embedded_test_server()->ResetSSLConfig(net::EmbeddedTestServer::CERT_OK,
1251 server_config);
1252 }
1253
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]1254 // Makes a new connection to the test server and returns a
1255 // FakeBlockingStreamSocket which may be used to block transport I/O.
1256 //
1257 // Most tests should call BlockReadResult() before calling Connect(). This
1258 // avoid race conditions by controlling the order of events. 0-RTT typically
1259 // races the ServerHello from the server with early data from the client. If
1260 // the ServerHello arrives before client calls Write(), the data may be sent
1261 // with 1-RTT keys rather than 0-RTT keys.
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1262 FakeBlockingStreamSocket* MakeClient(bool early_data_enabled) {
1263 SSLConfig ssl_config;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1264 ssl_config.early_data_enabled = early_data_enabled;
1265
Peter Boström8a7540692021-04-05 20:48:20[diff] [blame]1266 real_transport_ = std::make_unique<TCPClientSocket>(
1267 addr(), nullptr, nullptr, nullptr, NetLogSource());
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1268 auto transport =
1269 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport_));
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1270 FakeBlockingStreamSocket* raw_transport = transport.get();
1271
1272 int rv = callback_.GetResult(transport->Connect(callback_.callback()));
1273 EXPECT_THAT(rv, IsOk());
1274
David Benjaminb08b7972019-05-15 18:47:21[diff] [blame]1275 ssl_socket_ = CreateSSLClientSocket(std::move(transport), host_port_pair(),
1276 ssl_config);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1277 EXPECT_FALSE(ssl_socket_->IsConnected());
1278
1279 return raw_transport;
1280 }
1281
1282 int Connect() {
1283 return callback_.GetResult(ssl_socket_->Connect(callback_.callback()));
1284 }
1285
1286 int WriteAndWait(base::StringPiece request) {
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1287 scoped_refptr<IOBuffer> request_buffer =
1288 base::MakeRefCounted<IOBuffer>(request.size());
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1289 memcpy(request_buffer->data(), request.data(), request.size());
1290 return callback_.GetResult(
1291 ssl_socket_->Write(request_buffer.get(), request.size(),
1292 callback_.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
1293 }
1294
1295 int ReadAndWait(IOBuffer* buf, size_t len) {
1296 return callback_.GetResult(
1297 ssl_socket_->Read(buf, len, callback_.callback()));
1298 }
1299
1300 bool GetSSLInfo(SSLInfo* ssl_info) {
1301 return ssl_socket_->GetSSLInfo(ssl_info);
1302 }
1303
1304 bool RunInitialConnection() {
1305 if (MakeClient(true) == nullptr)
1306 return false;
1307
1308 EXPECT_THAT(Connect(), IsOk());
1309
1310 // Use the socket for an HTTP request to ensure we've processed the
1311 // post-handshake TLS 1.3 ticket.
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]1312 EXPECT_THAT(MakeHTTPRequest(ssl_socket_.get()), IsOk());
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1313
1314 SSLInfo ssl_info;
1315 EXPECT_TRUE(GetSSLInfo(&ssl_info));
Adam Rice86b3fb922022-05-02 13:27:48[diff] [blame]1316
1317 // Make sure all asynchronous histogram logging is complete.
1318 base::RunLoop().RunUntilIdle();
1319
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1320 return SSLInfo::HANDSHAKE_FULL == ssl_info.handshake_type;
1321 }
1322
1323 SSLClientSocket* ssl_socket() { return ssl_socket_.get(); }
1324
1325 private:
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]1326 TestCompletionCallback callback_;
1327 std::unique_ptr<StreamSocket> real_transport_;
1328 std::unique_ptr<SSLClientSocket> ssl_socket_;
1329};
1330
davidbenfe132d92016-09-27 18:07:21[diff] [blame]1331// Returns a serialized unencrypted TLS 1.2 alert record for the given alert
1332// value.
1333std::string FormatTLS12Alert(uint8_t alert) {
1334 std::string ret;
1335 // ContentType.alert
1336 ret.push_back(21);
1337 // Record-layer version. Assume TLS 1.2.
1338 ret.push_back(0x03);
1339 ret.push_back(0x03);
1340 // Record length.
1341 ret.push_back(0);
1342 ret.push_back(2);
1343 // AlertLevel.fatal.
1344 ret.push_back(2);
1345 // The alert itself.
1346 ret.push_back(alert);
1347 return ret;
1348}
1349
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1350// A CertVerifier that never returns on any requests.
1351class HangingCertVerifier : public CertVerifier {
1352 public:
1353 int num_active_requests() const { return num_active_requests_; }
1354
1355 void WaitForRequest() {
1356 if (!num_active_requests_) {
1357 run_loop_.Run();
1358 }
1359 }
1360
1361 int Verify(const RequestParams& params,
1362 CertVerifyResult* verify_result,
1363 CompletionOnceCallback callback,
1364 std::unique_ptr<Request>* out_req,
1365 const NetLogWithSource& net_log) override {
1366 *out_req = std::make_unique<HangingRequest>(this);
1367 return ERR_IO_PENDING;
1368 }
1369
1370 void SetConfig(const Config& config) override {}
1371
1372 private:
1373 class HangingRequest : public Request {
1374 public:
1375 explicit HangingRequest(HangingCertVerifier* verifier)
1376 : verifier_(verifier) {
1377 verifier_->num_active_requests_++;
1378 verifier_->run_loop_.Quit();
1379 }
1380
1381 ~HangingRequest() override { verifier_->num_active_requests_--; }
1382
1383 private:
Keishi Hattori0e45c022021-11-27 09:25:52[diff] [blame]1384 raw_ptr<HangingCertVerifier> verifier_;
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1385 };
1386
1387 base::RunLoop run_loop_;
1388 int num_active_requests_ = 0;
1389};
1390
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]1391} // namespace
1392
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1393INSTANTIATE_TEST_SUITE_P(TLSVersion,
1394 SSLClientSocketVersionTest,
Bence Békycc859862021-02-08 17:26:40[diff] [blame]1395 ValuesIn(GetTLSVersions()));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1396
1397TEST_P(SSLClientSocketVersionTest, Connect) {
1398 ASSERT_TRUE(
1399 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]95409e12010-08-17 20:07:11[diff] [blame]1400
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1401 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1402 auto transport = std::make_unique<TCPClientSocket>(
1403 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
davidben7c168932015-10-19 19:37:16[diff] [blame]1404 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1405 EXPECT_THAT(rv, IsOk());
[email protected]bacff652009-03-31 17:50:33[diff] [blame]1406
danakj655b66c2016-04-16 00:51:38[diff] [blame]1407 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1408 std::move(transport), host_port_pair(), SSLConfig()));
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1409
[email protected]aaead502008-10-15 00:20:11[diff] [blame]1410 EXPECT_FALSE(sock->IsConnected());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1411
[email protected]83039bb2011-12-09 18:43:55[diff] [blame]1412 rv = sock->Connect(callback.callback());
[email protected]b2fcd0e2010-12-01 15:19:40[diff] [blame]1413
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1414 auto entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]1415 EXPECT_TRUE(LogContainsBeginEvent(entries, 5, NetLogEventType::SSL_CONNECT));
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1416 if (rv == ERR_IO_PENDING)
[email protected]7b822b2b2008-08-05 00:15:45[diff] [blame]1417 rv = callback.WaitForResult();
robpercival214763f2016-07-01 23:27:01[diff] [blame]1418 EXPECT_THAT(rv, IsOk());
[email protected]aaead502008-10-15 00:20:11[diff] [blame]1419 EXPECT_TRUE(sock->IsConnected());
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1420 entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]1421 EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1422
[email protected]aaead502008-10-15 00:20:11[diff] [blame]1423 sock->Disconnect();
1424 EXPECT_FALSE(sock->IsConnected());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1425}
1426
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1427TEST_P(SSLClientSocketVersionTest, ConnectSyncVerify) {
1428 ASSERT_TRUE(
1429 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1430
Matt Muellerd6b136682019-08-21 20:58:15[diff] [blame]1431 cert_verifier_->set_async(false);
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1432 int rv;
1433 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
1434 EXPECT_THAT(rv, IsError(OK));
1435}
1436
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1437TEST_P(SSLClientSocketVersionTest, ConnectExpired) {
1438 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED,
1439 GetServerConfig()));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]1440
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1441 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
[email protected]47a12862012-04-10 01:00:49[diff] [blame]1442
davidben7c168932015-10-19 19:37:16[diff] [blame]1443 int rv;
1444 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1445 EXPECT_THAT(rv, IsError(ERR_CERT_DATE_INVALID));
[email protected]6526380c2010-11-10 04:40:33[diff] [blame]1446
1447 // Rather than testing whether or not the underlying socket is connected,
1448 // test that the handshake has finished. This is because it may be
1449 // desirable to disconnect the socket before showing a user prompt, since
1450 // the user may take indefinitely long to respond.
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1451 auto entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]1452 EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]1453}
1454
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1455TEST_P(SSLClientSocketVersionTest, ConnectExpiredSyncVerify) {
1456 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED,
1457 GetServerConfig()));
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1458
1459 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
Matt Muellerd6b136682019-08-21 20:58:15[diff] [blame]1460 cert_verifier_->set_async(false);
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1461
1462 int rv;
1463 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
1464 EXPECT_THAT(rv, IsError(ERR_CERT_DATE_INVALID));
1465}
1466
1467// Test that SSLClientSockets may be destroyed while waiting on a certificate
1468// verification.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1469TEST_P(SSLClientSocketVersionTest, SocketDestroyedDuringVerify) {
1470 ASSERT_TRUE(
1471 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1472
1473 HangingCertVerifier verifier;
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]1474 context_ = std::make_unique<SSLClientContext>(
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]1475 ssl_config_service_.get(), &verifier, transport_security_state_.get(),
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]1476 ct_policy_enforcer_.get(), ssl_client_session_cache_.get(), nullptr);
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1477
1478 TestCompletionCallback callback;
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1479 auto transport = std::make_unique<TCPClientSocket>(
1480 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1481 int rv = callback.GetResult(transport->Connect(callback.callback()));
1482 ASSERT_THAT(rv, IsOk());
1483
1484 std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1485 std::move(transport), host_port_pair(), SSLConfig());
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1486 rv = sock->Connect(callback.callback());
1487 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
1488
1489 // The socket should attempt a certificate verification.
1490 verifier.WaitForRequest();
1491 EXPECT_EQ(1, verifier.num_active_requests());
1492
1493 // Destroying the socket should cancel it.
1494 sock = nullptr;
1495 EXPECT_EQ(0, verifier.num_active_requests());
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]1496
1497 context_ = nullptr;
David Benjaminafd8eed2018-12-17 19:45:43[diff] [blame]1498}
1499
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1500TEST_P(SSLClientSocketVersionTest, ConnectMismatched) {
1501 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_MISMATCHED_NAME,
1502 GetServerConfig()));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]1503
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1504 cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
[email protected]47a12862012-04-10 01:00:49[diff] [blame]1505
davidben7c168932015-10-19 19:37:16[diff] [blame]1506 int rv;
1507 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1508 EXPECT_THAT(rv, IsError(ERR_CERT_COMMON_NAME_INVALID));
[email protected]6526380c2010-11-10 04:40:33[diff] [blame]1509
1510 // Rather than testing whether or not the underlying socket is connected,
1511 // test that the handshake has finished. This is because it may be
1512 // desirable to disconnect the socket before showing a user prompt, since
1513 // the user may take indefinitely long to respond.
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1514 auto entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]1515 EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]1516}
1517
davidbenc6435a72015-08-17 18:28:52[diff] [blame]1518// Tests that certificates parsable by SSLClientSocket's internal SSL
davidbenc7e06c92017-03-07 18:54:11[diff] [blame]1519// implementation, but not X509Certificate are treated as fatal connection
1520// errors. This is a regression test for https://crbug.com/91341.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1521TEST_P(SSLClientSocketVersionTest, ConnectBadValidity) {
1522 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_BAD_VALIDITY,
1523 GetServerConfig()));
mattm1c59eda42017-03-29 21:01:21[diff] [blame]1524 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
1525
davidbenc6435a72015-08-17 18:28:52[diff] [blame]1526 SSLConfig ssl_config;
1527 int rv;
1528 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
mattm1c59eda42017-03-29 21:01:21[diff] [blame]1529 EXPECT_THAT(rv, IsError(ERR_CERT_DATE_INVALID));
davidbenc6435a72015-08-17 18:28:52[diff] [blame]1530}
davidbenc6435a72015-08-17 18:28:52[diff] [blame]1531
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]1532// Ignoring the certificate error from an invalid certificate should
1533// allow a complete connection.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1534TEST_P(SSLClientSocketVersionTest, ConnectBadValidityIgnoreCertErrors) {
1535 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_BAD_VALIDITY,
1536 GetServerConfig()));
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]1537 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
1538
1539 SSLConfig ssl_config;
1540 ssl_config.ignore_certificate_errors = true;
1541 int rv;
1542 CreateAndConnectSSLClientSocket(ssl_config, &rv);
1543 EXPECT_THAT(rv, IsOk());
1544 EXPECT_TRUE(sock_->IsConnected());
1545}
1546
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]1547// Client certificates are disabled on iOS.
1548#if !BUILDFLAG(IS_IOS)
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1549// Attempt to connect to a page which requests a client certificate. It should
1550// return an error code on connect.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1551TEST_P(SSLClientSocketVersionTest, ConnectClientAuthCertRequested) {
1552 SSLServerConfig server_config = GetServerConfig();
1553 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
1554 ASSERT_TRUE(
1555 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]8df162a2010-08-07 01:10:02[diff] [blame]1556
davidben7c168932015-10-19 19:37:16[diff] [blame]1557 int rv;
1558 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1559 EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
[email protected]b2fcd0e2010-12-01 15:19:40[diff] [blame]1560
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]1561 auto entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]1562 EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
davidben7c168932015-10-19 19:37:16[diff] [blame]1563 EXPECT_FALSE(sock_->IsConnected());
[email protected]8df162a2010-08-07 01:10:02[diff] [blame]1564}
1565
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1566// Connect to a server requesting optional client authentication. Send it a
1567// null certificate. It should allow the connection.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1568TEST_P(SSLClientSocketVersionTest, ConnectClientAuthSendNullCert) {
1569 SSLServerConfig server_config = GetServerConfig();
1570 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
1571 ASSERT_TRUE(
1572 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1573
davidben7c168932015-10-19 19:37:16[diff] [blame]1574 // Our test server accepts certificate-less connections.
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]1575 context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1576
davidben7c168932015-10-19 19:37:16[diff] [blame]1577 int rv;
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]1578 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1579 EXPECT_THAT(rv, IsOk());
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1580
[email protected]17a60a52011-10-28 01:18:10[diff] [blame]1581 // We responded to the server's certificate request with a Certificate
1582 // message with no client certificate in it. ssl_info.client_cert_sent
1583 // should be false in this case.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1584 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]1585 sock_->GetSSLInfo(&ssl_info);
[email protected]17a60a52011-10-28 01:18:10[diff] [blame]1586 EXPECT_FALSE(ssl_info.client_cert_sent);
1587
davidben7c168932015-10-19 19:37:16[diff] [blame]1588 sock_->Disconnect();
1589 EXPECT_FALSE(sock_->IsConnected());
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1590}
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]1591#endif // !IS_IOS
[email protected]65a3b912010-08-21 05:46:58[diff] [blame]1592
[email protected]b2197852009-02-19 23:27:33[diff] [blame]1593// TODO(wtc): Add unit tests for IsConnectedAndIdle:
1594// - Server closes an SSL connection (with a close_notify alert message).
1595// - Server closes the underlying TCP connection directly.
1596// - Server sends data unexpectedly.
1597
davidbene74aabd2015-03-18 01:04:28[diff] [blame]1598// Tests that the socket can be read from successfully. Also test that a peer's
1599// close_notify alert is successfully processed without error.
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1600TEST_P(SSLClientSocketReadTest, Read) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1601 ASSERT_TRUE(
1602 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]95409e12010-08-17 20:07:11[diff] [blame]1603
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1604 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1605 auto transport = std::make_unique<TCPClientSocket>(addr(), nullptr, nullptr,
1606 nullptr, NetLogSource());
davidben7c168932015-10-19 19:37:16[diff] [blame]1607 EXPECT_EQ(0, transport->GetTotalReceivedBytes());
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1608
davidben7c168932015-10-19 19:37:16[diff] [blame]1609 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1610 EXPECT_THAT(rv, IsOk());
[email protected]bacff652009-03-31 17:50:33[diff] [blame]1611
danakj655b66c2016-04-16 00:51:38[diff] [blame]1612 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1613 std::move(transport), host_port_pair(), SSLConfig()));
davidben7c168932015-10-19 19:37:16[diff] [blame]1614 EXPECT_EQ(0, sock->GetTotalReceivedBytes());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1615
davidben7c168932015-10-19 19:37:16[diff] [blame]1616 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1617 EXPECT_THAT(rv, IsOk());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1618
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1619 // Number of network bytes received should increase because of SSL socket
1620 // establishment.
davidben7c168932015-10-19 19:37:16[diff] [blame]1621 EXPECT_GT(sock->GetTotalReceivedBytes(), 0);
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1622
[email protected]e3eb8f82010-09-21 15:25:15[diff] [blame]1623 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1624 scoped_refptr<IOBuffer> request_buffer =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1625 base::MakeRefCounted<IOBuffer>(std::size(request_text) - 1);
1626 memcpy(request_buffer->data(), request_text, std::size(request_text) - 1);
[email protected]ffeb0882009-04-30 21:51:25[diff] [blame]1627
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1628 rv = callback.GetResult(
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1629 sock->Write(request_buffer.get(), std::size(request_text) - 1,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1630 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1631 EXPECT_EQ(static_cast<int>(std::size(request_text) - 1), rv);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1632
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1633 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1634 int64_t unencrypted_bytes_read = 0;
1635 int64_t network_bytes_read_during_handshake = sock->GetTotalReceivedBytes();
davidben7c168932015-10-19 19:37:16[diff] [blame]1636 do {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1637 rv = ReadAndWaitForCompletion(sock.get(), buf.get(), 4096);
[email protected]7b822b2b2008-08-05 00:15:45[diff] [blame]1638 EXPECT_GE(rv, 0);
davidben7c168932015-10-19 19:37:16[diff] [blame]1639 if (rv >= 0) {
1640 unencrypted_bytes_read += rv;
1641 }
1642 } while (rv > 0);
1643 EXPECT_GT(unencrypted_bytes_read, 0);
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1644 // Reading the payload should increase the number of bytes on network layer.
davidben7c168932015-10-19 19:37:16[diff] [blame]1645 EXPECT_GT(sock->GetTotalReceivedBytes(), network_bytes_read_during_handshake);
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1646 // Number of bytes received on the network after the handshake should be
1647 // higher than the number of encrypted bytes read.
davidben7c168932015-10-19 19:37:16[diff] [blame]1648 EXPECT_GE(sock->GetTotalReceivedBytes() - network_bytes_read_during_handshake,
tbansalf82cc8e2015-10-14 20:05:49[diff] [blame]1649 unencrypted_bytes_read);
davidbene74aabd2015-03-18 01:04:28[diff] [blame]1650
1651 // The peer should have cleanly closed the connection with a close_notify.
1652 EXPECT_EQ(0, rv);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]1653}
1654
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1655// Tests that SSLClientSocket properly handles when the underlying transport
davidben3418e81f2016-10-19 00:09:45[diff] [blame]1656// synchronously fails a transport write in during the handshake.
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1657TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1658 ASSERT_TRUE(
1659 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1660
1661 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1662 auto real_transport = std::make_unique<TCPClientSocket>(
1663 addr(), nullptr, nullptr, nullptr, NetLogSource());
1664 auto transport =
1665 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1666 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1667 EXPECT_THAT(rv, IsOk());
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1668
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1669 SynchronousErrorStreamSocket* raw_transport = transport.get();
danakj655b66c2016-04-16 00:51:38[diff] [blame]1670 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1671 std::move(transport), host_port_pair(), SSLConfig()));
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1672
1673 raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
1674
1675 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1676 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
[email protected]5aea79182014-07-14 20:43:41[diff] [blame]1677 EXPECT_FALSE(sock->IsConnected());
1678}
1679
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1680// Tests that the SSLClientSocket properly handles when the underlying transport
1681// synchronously returns an error code - such as if an intermediary terminates
1682// the socket connection uncleanly.
1683// This is a regression test for http://crbug.com/238536
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1684TEST_P(SSLClientSocketReadTest, Read_WithSynchronousError) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1685 ASSERT_TRUE(
1686 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1687
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1688 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1689 auto real_transport = std::make_unique<TCPClientSocket>(
1690 addr(), nullptr, nullptr, nullptr, NetLogSource());
1691 auto transport =
1692 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1693 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1694 EXPECT_THAT(rv, IsOk());
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1695
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]1696 SSLConfig config;
1697 config.disable_post_handshake_peek_for_testing = true;
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1698 SynchronousErrorStreamSocket* raw_transport = transport.get();
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1699 std::unique_ptr<SSLClientSocket> sock(
1700 CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1701
1702 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1703 EXPECT_THAT(rv, IsOk());
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1704 EXPECT_TRUE(sock->IsConnected());
1705
1706 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1707 static const int kRequestTextSize =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1708 static_cast<int>(std::size(request_text) - 1);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1709 scoped_refptr<IOBuffer> request_buffer =
1710 base::MakeRefCounted<IOBuffer>(kRequestTextSize);
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1711 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1712
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1713 rv = callback.GetResult(sock->Write(request_buffer.get(), kRequestTextSize,
1714 callback.callback(),
1715 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1716 EXPECT_EQ(kRequestTextSize, rv);
1717
1718 // Simulate an unclean/forcible shutdown.
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1719 raw_transport->SetNextReadError(ERR_CONNECTION_RESET);
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1720
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1721 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1722
1723 // Note: This test will hang if this bug has regressed. Simply checking that
1724 // rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING is a legitimate
1725 // result when using a dedicated task runner for NSS.
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1726 rv = ReadAndWaitForCompletion(sock.get(), buf.get(), 4096);
robpercival214763f2016-07-01 23:27:01[diff] [blame]1727 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1728}
1729
1730// Tests that the SSLClientSocket properly handles when the underlying transport
1731// asynchronously returns an error code while writing data - such as if an
1732// intermediary terminates the socket connection uncleanly.
1733// This is a regression test for http://crbug.com/249848
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1734TEST_P(SSLClientSocketVersionTest, Write_WithSynchronousError) {
1735 ASSERT_TRUE(
1736 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1737
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1738 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1739 auto real_transport = std::make_unique<TCPClientSocket>(
1740 addr(), nullptr, nullptr, nullptr, NetLogSource());
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1741 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1742 // is retained in order to configure additional errors.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1743 auto error_socket =
1744 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1745 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1746 auto transport =
1747 std::make_unique<FakeBlockingStreamSocket>(std::move(error_socket));
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1748 FakeBlockingStreamSocket* raw_transport = transport.get();
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1749 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1750 EXPECT_THAT(rv, IsOk());
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1751
danakj655b66c2016-04-16 00:51:38[diff] [blame]1752 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1753 std::move(transport), host_port_pair(), SSLConfig()));
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1754
1755 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1756 EXPECT_THAT(rv, IsOk());
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1757 EXPECT_TRUE(sock->IsConnected());
1758
1759 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1760 static const int kRequestTextSize =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1761 static_cast<int>(std::size(request_text) - 1);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1762 scoped_refptr<IOBuffer> request_buffer =
1763 base::MakeRefCounted<IOBuffer>(kRequestTextSize);
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1764 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1765
1766 // Simulate an unclean/forcible shutdown on the underlying socket.
1767 // However, simulate this error asynchronously.
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1768 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1769 raw_transport->BlockWrite();
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1770
1771 // This write should complete synchronously, because the TLS ciphertext
1772 // can be created and placed into the outgoing buffers independent of the
1773 // underlying transport.
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1774 rv = callback.GetResult(sock->Write(request_buffer.get(), kRequestTextSize,
1775 callback.callback(),
1776 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1777 EXPECT_EQ(kRequestTextSize, rv);
1778
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1779 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1780
1781 rv = sock->Read(buf.get(), 4096, callback.callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]1782 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1783
1784 // Now unblock the outgoing request, having it fail with the connection
1785 // being reset.
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1786 raw_transport->UnblockWrite();
[email protected]54c0bae2013-06-17 18:01:43[diff] [blame]1787
1788 // Note: This will cause an inifite loop if this bug has regressed. Simply
1789 // checking that rv != ERR_IO_PENDING is insufficient, as ERR_IO_PENDING
1790 // is a legitimate result when using a dedicated task runner for NSS.
1791 rv = callback.GetResult(rv);
robpercival214763f2016-07-01 23:27:01[diff] [blame]1792 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
[email protected]11410f72013-05-09 21:51:27[diff] [blame]1793}
1794
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1795// If there is a Write failure at the transport with no follow-up Read, although
1796// the write error will not be returned to the client until a future Read or
1797// Write operation, SSLClientSocket should not spin attempting to re-write on
1798// the socket. This is a regression test for part of https://crbug.com/381160.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1799TEST_P(SSLClientSocketVersionTest, Write_WithSynchronousErrorNoRead) {
1800 ASSERT_TRUE(
1801 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1802
1803 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1804 auto real_transport = std::make_unique<TCPClientSocket>(
1805 addr(), nullptr, nullptr, nullptr, NetLogSource());
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1806 // Note: intermediate sockets' ownership are handed to |sock|, but a pointer
1807 // is retained in order to query them.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1808 auto error_socket =
1809 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1810 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1811 auto counting_socket =
1812 std::make_unique<CountingStreamSocket>(std::move(error_socket));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1813 CountingStreamSocket* raw_counting_socket = counting_socket.get();
1814 int rv = callback.GetResult(counting_socket->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1815 ASSERT_THAT(rv, IsOk());
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1816
danakj655b66c2016-04-16 00:51:38[diff] [blame]1817 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1818 std::move(counting_socket), host_port_pair(), SSLConfig()));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1819
1820 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1821 ASSERT_THAT(rv, IsOk());
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1822 ASSERT_TRUE(sock->IsConnected());
1823
1824 // Simulate an unclean/forcible shutdown on the underlying socket.
1825 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
1826
1827 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
1828 static const int kRequestTextSize =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]1829 static_cast<int>(std::size(request_text) - 1);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1830 scoped_refptr<IOBuffer> request_buffer =
1831 base::MakeRefCounted<IOBuffer>(kRequestTextSize);
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1832 memcpy(request_buffer->data(), request_text, kRequestTextSize);
1833
1834 // This write should complete synchronously, because the TLS ciphertext
1835 // can be created and placed into the outgoing buffers independent of the
1836 // underlying transport.
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1837 rv = callback.GetResult(sock->Write(request_buffer.get(), kRequestTextSize,
1838 callback.callback(),
1839 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1840 ASSERT_EQ(kRequestTextSize, rv);
1841
1842 // Let the event loop spin for a little bit of time. Even on platforms where
1843 // pumping the state machine involve thread hops, there should be no further
1844 // writes on the transport socket.
1845 //
1846 // TODO(davidben): Avoid the arbitrary timeout?
1847 int old_write_count = raw_counting_socket->write_count();
1848 base::RunLoop loop;
Sean Maher5b9af51f2022-11-21 15:32:47[diff] [blame]1849 base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
Peter Kastinge5a38ed2021-10-02 03:06:35[diff] [blame]1850 FROM_HERE, loop.QuitClosure(), base::Milliseconds(100));
[email protected]33d664952014-06-18 10:22:16[diff] [blame]1851 loop.Run();
1852 EXPECT_EQ(old_write_count, raw_counting_socket->write_count());
1853}
1854
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1855// Test the full duplex mode, with Read and Write pending at the same time.
1856// This test also serves as a regression test for http://crbug.com/29815.
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1857TEST_P(SSLClientSocketReadTest, Read_FullDuplex) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1858 ASSERT_TRUE(
1859 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1860
davidben7c168932015-10-19 19:37:16[diff] [blame]1861 int rv;
1862 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1863 EXPECT_THAT(rv, IsOk());
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1864
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1865 // Issue a "hanging" Read first.
davidben7c168932015-10-19 19:37:16[diff] [blame]1866 TestCompletionCallback callback;
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1867 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
David Benjamin0ba66c92019-10-18 22:24:49[diff] [blame]1868 int read_rv = Read(sock_.get(), buf.get(), 4096, callback.callback());
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1869 // We haven't written the request, so there should be no response yet.
David Benjamin0ba66c92019-10-18 22:24:49[diff] [blame]1870 ASSERT_THAT(read_rv, IsError(ERR_IO_PENDING));
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1871
1872 // Write the request.
1873 // The request is padded with a User-Agent header to a size that causes the
1874 // memio circular buffer (4k bytes) in SSLClientSocketNSS to wrap around.
1875 // This tests the fix for http://crbug.com/29815.
1876 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
[email protected]73343a32011-08-18 02:32:16[diff] [blame]1877 for (int i = 0; i < 3770; ++i)
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1878 request_text.push_back('*');
1879 request_text.append("\r\n\r\n");
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1880 scoped_refptr<IOBuffer> request_buffer =
1881 base::MakeRefCounted<StringIOBuffer>(request_text);
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1882
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1883 TestCompletionCallback callback2; // Used for Write only.
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1884 rv = callback2.GetResult(
1885 sock_->Write(request_buffer.get(), request_text.size(),
1886 callback2.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1887 EXPECT_EQ(static_cast<int>(request_text.size()), rv);
1888
1889 // Now get the Read result.
David Benjamin0ba66c92019-10-18 22:24:49[diff] [blame]1890 read_rv =
1891 WaitForReadCompletion(sock_.get(), buf.get(), 4096, &callback, read_rv);
1892 EXPECT_GT(read_rv, 0);
[email protected]914286d62009-12-10 23:06:44[diff] [blame]1893}
1894
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1895// Attempts to Read() and Write() from an SSLClientSocketNSS in full duplex
1896// mode when the underlying transport is blocked on sending data. When the
1897// underlying transport completes due to an error, it should invoke both the
1898// Read() and Write() callbacks. If the socket is deleted by the Read()
1899// callback, the Write() callback should not be invoked.
1900// Regression test for http://crbug.com/232633
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1901TEST_P(SSLClientSocketReadTest, Read_DeleteWhilePendingFullDuplex) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1902 ASSERT_TRUE(
1903 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1904
[email protected]789aca52013-08-14 06:40:10[diff] [blame]1905 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1906 auto real_transport = std::make_unique<TCPClientSocket>(
1907 addr(), nullptr, nullptr, nullptr, NetLogSource());
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1908 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1909 // is retained in order to configure additional errors.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1910 auto error_socket =
1911 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1912 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1913 auto transport =
1914 std::make_unique<FakeBlockingStreamSocket>(std::move(error_socket));
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1915 FakeBlockingStreamSocket* raw_transport = transport.get();
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1916
1917 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1918 EXPECT_THAT(rv, IsOk());
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1919
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]1920 SSLConfig config;
1921 config.disable_post_handshake_peek_for_testing = true;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1922 std::unique_ptr<SSLClientSocket> sock =
1923 CreateSSLClientSocket(std::move(transport), host_port_pair(), config);
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1924
1925 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]1926 EXPECT_THAT(rv, IsOk());
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1927 EXPECT_TRUE(sock->IsConnected());
1928
1929 std::string request_text = "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
1930 request_text.append(20 * 1024, '*');
1931 request_text.append("\r\n\r\n");
Victor Costancd439782018-08-30 07:27:57[diff] [blame]1932 scoped_refptr<DrainableIOBuffer> request_buffer =
1933 base::MakeRefCounted<DrainableIOBuffer>(
1934 base::MakeRefCounted<StringIOBuffer>(request_text),
1935 request_text.size());
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1936
1937 // Simulate errors being returned from the underlying Read() and Write() ...
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1938 raw_error_socket->SetNextReadError(ERR_CONNECTION_RESET);
1939 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1940 // ... but have those errors returned asynchronously. Because the Write() will
1941 // return first, this will trigger the error.
[email protected]173ef472014-04-16 23:58:20[diff] [blame]1942 raw_transport->BlockReadResult();
1943 raw_transport->BlockWrite();
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1944
1945 // Enqueue a Read() before calling Write(), which should "hang" due to
1946 // the ERR_IO_PENDING caused by SetReadShouldBlock() and thus return.
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1947 SSLClientSocket* raw_sock = sock.get();
1948 DeleteSocketCallback read_callback(sock.release());
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]1949 scoped_refptr<IOBuffer> read_buf = base::MakeRefCounted<IOBuffer>(4096);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1950 rv = Read(raw_sock, read_buf.get(), 4096, read_callback.callback());
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1951
1952 // Ensure things didn't complete synchronously, otherwise |sock| is invalid.
robpercival214763f2016-07-01 23:27:01[diff] [blame]1953 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1954 ASSERT_FALSE(read_callback.have_result());
1955
svaldeze83af292016-04-26 14:33:37[diff] [blame]1956 // Attempt to write the remaining data. OpenSSL will return that its blocked
1957 // because the underlying transport is blocked.
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]1958 rv = raw_sock->Write(request_buffer.get(), request_buffer->BytesRemaining(),
1959 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS);
robpercival214763f2016-07-01 23:27:01[diff] [blame]1960 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1961 ASSERT_FALSE(callback.have_result());
1962
1963 // Now unblock Write(), which will invoke OnSendComplete and (eventually)
1964 // call the Read() callback, deleting the socket and thus aborting calling
1965 // the Write() callback.
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]1966 raw_transport->UnblockWrite();
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1967
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1968 // |read_callback| deletes |sock| so if ReadIfReady() is used, we will get OK
1969 // asynchronously but can't continue reading because the socket is gone.
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1970 rv = read_callback.WaitForResult();
David Benjamin1360bf82019-05-03 20:45:19[diff] [blame]1971 if (test_ssl_read_if_ready()) {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1972 EXPECT_THAT(rv, IsOk());
1973 } else {
1974 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
1975 }
[email protected]be90ba32013-05-13 20:05:25[diff] [blame]1976
1977 // The Write callback should not have been called.
1978 EXPECT_FALSE(callback.have_result());
1979}
1980
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]1981// Tests that the SSLClientSocket does not crash if data is received on the
1982// transport socket after a failing write. This can occur if we have a Write
1983// error in a SPDY socket.
1984// Regression test for http://crbug.com/335557
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]1985TEST_P(SSLClientSocketReadTest, Read_WithWriteError) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]1986 ASSERT_TRUE(
1987 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]1988
1989 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1990 auto real_transport = std::make_unique<TCPClientSocket>(
1991 addr(), nullptr, nullptr, nullptr, NetLogSource());
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]1992 // Note: |error_socket|'s ownership is handed to |transport|, but a pointer
1993 // is retained in order to configure additional errors.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1994 auto error_socket =
1995 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]1996 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]1997 auto transport =
1998 std::make_unique<FakeBlockingStreamSocket>(std::move(error_socket));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]1999 FakeBlockingStreamSocket* raw_transport = transport.get();
2000
2001 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2002 EXPECT_THAT(rv, IsOk());
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2003
danakj655b66c2016-04-16 00:51:38[diff] [blame]2004 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2005 std::move(transport), host_port_pair(), SSLConfig()));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2006
2007 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2008 EXPECT_THAT(rv, IsOk());
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2009 EXPECT_TRUE(sock->IsConnected());
2010
2011 // Send a request so there is something to read from the socket.
2012 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
2013 static const int kRequestTextSize =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2014 static_cast<int>(std::size(request_text) - 1);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2015 scoped_refptr<IOBuffer> request_buffer =
2016 base::MakeRefCounted<IOBuffer>(kRequestTextSize);
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2017 memcpy(request_buffer->data(), request_text, kRequestTextSize);
2018
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2019 rv = callback.GetResult(sock->Write(request_buffer.get(), kRequestTextSize,
2020 callback.callback(),
2021 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2022 EXPECT_EQ(kRequestTextSize, rv);
2023
2024 // Start a hanging read.
2025 TestCompletionCallback read_callback;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]2026 raw_transport->BlockReadResult();
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2027 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2028 rv = Read(sock.get(), buf.get(), 4096, read_callback.callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]2029 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2030
2031 // Perform another write, but have it fail. Write a request larger than the
2032 // internal socket buffers so that the request hits the underlying transport
2033 // socket and detects the error.
2034 std::string long_request_text =
2035 "GET / HTTP/1.1\r\nUser-Agent: long browser name ";
2036 long_request_text.append(20 * 1024, '*');
2037 long_request_text.append("\r\n\r\n");
Victor Costancd439782018-08-30 07:27:57[diff] [blame]2038 scoped_refptr<DrainableIOBuffer> long_request_buffer =
2039 base::MakeRefCounted<DrainableIOBuffer>(
2040 base::MakeRefCounted<StringIOBuffer>(long_request_text),
2041 long_request_text.size());
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2042
2043 raw_error_socket->SetNextWriteError(ERR_CONNECTION_RESET);
2044
davidben3418e81f2016-10-19 00:09:45[diff] [blame]2045 // Write as much data as possible until hitting an error.
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2046 do {
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2047 rv = callback.GetResult(sock->Write(
2048 long_request_buffer.get(), long_request_buffer->BytesRemaining(),
2049 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2050 if (rv > 0) {
2051 long_request_buffer->DidConsume(rv);
davidben3418e81f2016-10-19 00:09:45[diff] [blame]2052 // Abort if the entire input is ever consumed. The input is larger than
2053 // the SSLClientSocket's write buffers.
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2054 ASSERT_LT(0, long_request_buffer->BytesRemaining());
2055 }
2056 } while (rv > 0);
2057
robpercival214763f2016-07-01 23:27:01[diff] [blame]2058 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2059
davidben3418e81f2016-10-19 00:09:45[diff] [blame]2060 // At this point the Read result is available. Transport write errors are
2061 // surfaced through Writes. See https://crbug.com/249848.
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2062 rv = WaitForReadCompletion(sock.get(), buf.get(), 4096, &read_callback, rv);
davidben3418e81f2016-10-19 00:09:45[diff] [blame]2063 EXPECT_THAT(rv, IsError(ERR_CONNECTION_RESET));
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2064
davidben3418e81f2016-10-19 00:09:45[diff] [blame]2065 // Release the read. This does not cause a crash.
2066 raw_transport->UnblockReadResult();
2067 base::RunLoop().RunUntilIdle();
[email protected]3e5c6922014-02-06 02:42:16[diff] [blame]2068}
2069
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2070// Tests that SSLClientSocket fails the handshake if the underlying
2071// transport is cleanly closed.
2072TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2073 // There is no need to vary by TLS version because this test never reads a
2074 // response from the server.
2075 ASSERT_TRUE(
2076 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2077
2078 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2079 auto real_transport = std::make_unique<TCPClientSocket>(
2080 addr(), nullptr, nullptr, nullptr, NetLogSource());
2081 auto transport =
2082 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2083 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2084 EXPECT_THAT(rv, IsOk());
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2085
2086 SynchronousErrorStreamSocket* raw_transport = transport.get();
danakj655b66c2016-04-16 00:51:38[diff] [blame]2087 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2088 std::move(transport), host_port_pair(), SSLConfig()));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2089
2090 raw_transport->SetNextReadError(0);
2091
2092 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2093 EXPECT_THAT(rv, IsError(ERR_CONNECTION_CLOSED));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2094 EXPECT_FALSE(sock->IsConnected());
2095}
2096
davidbene74aabd2015-03-18 01:04:28[diff] [blame]2097// Tests that SSLClientSocket returns a Read of size 0 if the underlying socket
2098// is cleanly closed, but the peer does not send close_notify.
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2099// This is a regression test for https://crbug.com/422246
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2100TEST_P(SSLClientSocketReadTest, Read_WithZeroReturn) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2101 ASSERT_TRUE(
2102 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2103
2104 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2105 auto real_transport = std::make_unique<TCPClientSocket>(
2106 addr(), nullptr, nullptr, nullptr, NetLogSource());
2107 auto transport =
2108 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2109 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2110 EXPECT_THAT(rv, IsOk());
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2111
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]2112 SSLConfig config;
2113 config.disable_post_handshake_peek_for_testing = true;
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2114 SynchronousErrorStreamSocket* raw_transport = transport.get();
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2115 std::unique_ptr<SSLClientSocket> sock(
2116 CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2117
2118 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2119 EXPECT_THAT(rv, IsOk());
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2120 EXPECT_TRUE(sock->IsConnected());
2121
2122 raw_transport->SetNextReadError(0);
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2123 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2124 rv = ReadAndWaitForCompletion(sock.get(), buf.get(), 4096);
davidbenbe6ce7ec2014-10-20 19:15:56[diff] [blame]2125 EXPECT_EQ(0, rv);
2126}
2127
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2128// Tests that SSLClientSocket cleanly returns a Read of size 0 if the
2129// underlying socket is cleanly closed asynchronously.
2130// This is a regression test for https://crbug.com/422246
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2131TEST_P(SSLClientSocketReadTest, Read_WithAsyncZeroReturn) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2132 ASSERT_TRUE(
2133 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2134
2135 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2136 auto real_transport = std::make_unique<TCPClientSocket>(
2137 addr(), nullptr, nullptr, nullptr, NetLogSource());
2138 auto error_socket =
2139 std::make_unique<SynchronousErrorStreamSocket>(std::move(real_transport));
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2140 SynchronousErrorStreamSocket* raw_error_socket = error_socket.get();
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2141 auto transport =
2142 std::make_unique<FakeBlockingStreamSocket>(std::move(error_socket));
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2143 FakeBlockingStreamSocket* raw_transport = transport.get();
2144 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2145 EXPECT_THAT(rv, IsOk());
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2146
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]2147 SSLConfig config;
2148 config.disable_post_handshake_peek_for_testing = true;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2149 std::unique_ptr<SSLClientSocket> sock(
2150 CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2151
2152 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2153 EXPECT_THAT(rv, IsOk());
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2154 EXPECT_TRUE(sock->IsConnected());
2155
2156 raw_error_socket->SetNextReadError(0);
2157 raw_transport->BlockReadResult();
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2158 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2159 TestCompletionCallback read_callback;
2160 rv = Read(sock.get(), buf.get(), 4096, read_callback.callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]2161 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2162
2163 raw_transport->UnblockReadResult();
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2164 rv = WaitForReadCompletion(sock.get(), buf.get(), 4096, &read_callback, rv);
davidben1b133ad2014-10-23 04:23:13[diff] [blame]2165 EXPECT_EQ(0, rv);
2166}
2167
davidbene74aabd2015-03-18 01:04:28[diff] [blame]2168// Tests that fatal alerts from the peer are processed. This is a regression
2169// test for https://crbug.com/466303.
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2170TEST_P(SSLClientSocketReadTest, Read_WithFatalAlert) {
David Benjamin50c88f92021-11-16 23:26:09[diff] [blame]2171 SSLServerConfig server_config = GetServerConfig();
2172 server_config.alert_after_handshake_for_testing = SSL_AD_INTERNAL_ERROR;
2173 ASSERT_TRUE(
2174 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbene74aabd2015-03-18 01:04:28[diff] [blame]2175
davidben7c168932015-10-19 19:37:16[diff] [blame]2176 int rv;
2177 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2178 EXPECT_THAT(rv, IsOk());
davidbene74aabd2015-03-18 01:04:28[diff] [blame]2179
2180 // Receive the fatal alert.
davidben7c168932015-10-19 19:37:16[diff] [blame]2181 TestCompletionCallback callback;
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2182 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2183 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR,
2184 ReadAndWaitForCompletion(sock_.get(), buf.get(), 4096));
davidbene74aabd2015-03-18 01:04:28[diff] [blame]2185}
2186
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2187TEST_P(SSLClientSocketReadTest, Read_SmallChunks) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2188 ASSERT_TRUE(
2189 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]2190
davidben7c168932015-10-19 19:37:16[diff] [blame]2191 int rv;
2192 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2193 EXPECT_THAT(rv, IsOk());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2194
2195 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2196 scoped_refptr<IOBuffer> request_buffer =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2197 base::MakeRefCounted<IOBuffer>(std::size(request_text) - 1);
2198 memcpy(request_buffer->data(), request_text, std::size(request_text) - 1);
[email protected]ffeb0882009-04-30 21:51:25[diff] [blame]2199
davidben7c168932015-10-19 19:37:16[diff] [blame]2200 TestCompletionCallback callback;
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2201 rv = callback.GetResult(
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2202 sock_->Write(request_buffer.get(), std::size(request_text) - 1,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2203 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2204 EXPECT_EQ(static_cast<int>(std::size(request_text) - 1), rv);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2205
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2206 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(1);
davidben7c168932015-10-19 19:37:16[diff] [blame]2207 do {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2208 rv = ReadAndWaitForCompletion(sock_.get(), buf.get(), 1);
[email protected]7b822b2b2008-08-05 00:15:45[diff] [blame]2209 EXPECT_GE(rv, 0);
davidben7c168932015-10-19 19:37:16[diff] [blame]2210 } while (rv > 0);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2211}
2212
David Benjamin7cd35b92020-01-28 22:45:18[diff] [blame]2213TEST_P(SSLClientSocketReadTest, Read_ManySmallRecords) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2214 ASSERT_TRUE(
2215 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2216
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2217 TestCompletionCallback callback;
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2218
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2219 auto real_transport = std::make_unique<TCPClientSocket>(
2220 addr(), nullptr, nullptr, nullptr, NetLogSource());
2221 auto transport =
2222 std::make_unique<ReadBufferingStreamSocket>(std::move(real_transport));
[email protected]18ccfdb2013-08-15 00:13:44[diff] [blame]2223 ReadBufferingStreamSocket* raw_transport = transport.get();
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2224 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2225 ASSERT_THAT(rv, IsOk());
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2226
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]2227 SSLConfig config;
2228 config.disable_post_handshake_peek_for_testing = true;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2229 std::unique_ptr<SSLClientSocket> sock(
2230 CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2231
2232 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2233 ASSERT_THAT(rv, IsOk());
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2234 ASSERT_TRUE(sock->IsConnected());
2235
2236 const char request_text[] = "GET /ssl-many-small-records HTTP/1.0\r\n\r\n";
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2237 scoped_refptr<IOBuffer> request_buffer =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2238 base::MakeRefCounted<IOBuffer>(std::size(request_text) - 1);
2239 memcpy(request_buffer->data(), request_text, std::size(request_text) - 1);
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2240
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2241 rv = callback.GetResult(
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2242 sock->Write(request_buffer.get(), std::size(request_text) - 1,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2243 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2244 ASSERT_GT(rv, 0);
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2245 ASSERT_EQ(static_cast<int>(std::size(request_text) - 1), rv);
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2246
2247 // Note: This relies on SSLClientSocketNSS attempting to read up to 17K of
2248 // data (the max SSL record size) at a time. Ensure that at least 15K worth
2249 // of SSL data is buffered first. The 15K of buffered data is made up of
2250 // many smaller SSL records (the TestServer writes along 1350 byte
2251 // plaintext boundaries), although there may also be a few records that are
2252 // smaller or larger, due to timing and SSL False Start.
2253 // 15K was chosen because 15K is smaller than the 17K (max) read issued by
2254 // the SSLClientSocket implementation, and larger than the minimum amount
2255 // of ciphertext necessary to contain the 8K of plaintext requested below.
David Benjamin91900ce52020-02-04 19:25:23[diff] [blame]2256 raw_transport->BufferNextRead(15000);
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2257
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2258 scoped_refptr<IOBuffer> buffer = base::MakeRefCounted<IOBuffer>(8192);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2259 rv = ReadAndWaitForCompletion(sock.get(), buffer.get(), 8192);
[email protected]4b768562013-02-16 04:10:07[diff] [blame]2260 ASSERT_EQ(rv, 8192);
2261}
2262
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2263TEST_P(SSLClientSocketReadTest, Read_Interrupted) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2264 ASSERT_TRUE(
2265 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]73e0bba2009-02-19 22:57:09[diff] [blame]2266
davidben7c168932015-10-19 19:37:16[diff] [blame]2267 int rv;
2268 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2269 EXPECT_THAT(rv, IsOk());
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2270
2271 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2272 scoped_refptr<IOBuffer> request_buffer =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2273 base::MakeRefCounted<IOBuffer>(std::size(request_text) - 1);
2274 memcpy(request_buffer->data(), request_text, std::size(request_text) - 1);
[email protected]ffeb0882009-04-30 21:51:25[diff] [blame]2275
davidben7c168932015-10-19 19:37:16[diff] [blame]2276 TestCompletionCallback callback;
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2277 rv = callback.GetResult(
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2278 sock_->Write(request_buffer.get(), std::size(request_text) - 1,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2279 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2280 EXPECT_EQ(static_cast<int>(std::size(request_text) - 1), rv);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2281
2282 // Do a partial read and then exit. This test should not crash!
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2283 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(512);
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2284 rv = ReadAndWaitForCompletion(sock_.get(), buf.get(), 512);
[email protected]914286d62009-12-10 23:06:44[diff] [blame]2285 EXPECT_GT(rv, 0);
initial.commit586acc5fe2008-07-26 22:42:52[diff] [blame]2286}
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2287
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2288TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2289 ASSERT_TRUE(
2290 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2291
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2292 TestCompletionCallback callback;
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]2293 log_observer_.SetObserverCaptureMode(NetLogCaptureMode::kEverything);
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2294 auto transport = std::make_unique<TCPClientSocket>(
2295 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
davidben7c168932015-10-19 19:37:16[diff] [blame]2296 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2297 EXPECT_THAT(rv, IsOk());
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2298
danakj655b66c2016-04-16 00:51:38[diff] [blame]2299 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2300 std::move(transport), host_port_pair(), SSLConfig()));
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2301
davidben7c168932015-10-19 19:37:16[diff] [blame]2302 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2303 EXPECT_THAT(rv, IsOk());
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2304 EXPECT_TRUE(sock->IsConnected());
2305
2306 const char request_text[] = "GET / HTTP/1.0\r\n\r\n";
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2307 scoped_refptr<IOBuffer> request_buffer =
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2308 base::MakeRefCounted<IOBuffer>(std::size(request_text) - 1);
2309 memcpy(request_buffer->data(), request_text, std::size(request_text) - 1);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2310
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2311 rv = callback.GetResult(
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2312 sock->Write(request_buffer.get(), std::size(request_text) - 1,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2313 callback.callback(), TRAFFIC_ANNOTATION_FOR_TESTS));
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2314 EXPECT_EQ(static_cast<int>(std::size(request_text) - 1), rv);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2315
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]2316 auto entries = log_observer_.GetEntries();
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2317 size_t last_index = ExpectLogContainsSomewhereAfter(
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]2318 entries, 5, NetLogEventType::SSL_SOCKET_BYTES_SENT,
2319 NetLogEventPhase::NONE);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2320
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2321 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2322 for (;;) {
xunjieli321a96f32017-03-07 19:42:17[diff] [blame]2323 rv = ReadAndWaitForCompletion(sock.get(), buf.get(), 4096);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2324 EXPECT_GE(rv, 0);
2325 if (rv <= 0)
2326 break;
2327
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]2328 entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]2329 last_index = ExpectLogContainsSomewhereAfter(
2330 entries, last_index + 1, NetLogEventType::SSL_SOCKET_BYTES_RECEIVED,
2331 NetLogEventPhase::NONE);
[email protected]1d872d32011-05-19 02:45:33[diff] [blame]2332 }
2333}
2334
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2335// Regression test for http://crbug.com/42538
2336TEST_F(SSLClientSocketTest, PrematureApplicationData) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2337 ASSERT_TRUE(
2338 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2339
2340 static const unsigned char application_data[] = {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2341 0x17, 0x03, 0x01, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46, 0x03, 0x01, 0x4b,
2342 0xc2, 0xf8, 0xb2, 0xc1, 0x56, 0x42, 0xb9, 0x57, 0x7f, 0xde, 0x87, 0x46,
2343 0xf7, 0xa3, 0x52, 0x42, 0x21, 0xf0, 0x13, 0x1c, 0x9c, 0x83, 0x88, 0xd6,
2344 0x93, 0x0c, 0xf6, 0x36, 0x30, 0x05, 0x7e, 0x20, 0xb5, 0xb5, 0x73, 0x36,
2345 0x53, 0x83, 0x0a, 0xfc, 0x17, 0x63, 0xbf, 0xa0, 0xe4, 0x42, 0x90, 0x0d,
2346 0x2f, 0x18, 0x6d, 0x20, 0xd8, 0x36, 0x3f, 0xfc, 0xe6, 0x01, 0xfa, 0x0f,
2347 0xa5, 0x75, 0x7f, 0x09, 0x00, 0x04, 0x00, 0x16, 0x03, 0x01, 0x11, 0x57,
2348 0x0b, 0x00, 0x11, 0x53, 0x00, 0x11, 0x50, 0x00, 0x06, 0x22, 0x30, 0x82,
2349 0x06, 0x1e, 0x30, 0x82, 0x05, 0x06, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
2350 0x0a};
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2351
2352 // All reads and writes complete synchronously (async=false).
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2353 MockRead data_reads[] = {
Avi Drissman4365a4782018-12-28 19:26:24[diff] [blame]2354 MockRead(SYNCHRONOUS, reinterpret_cast<const char*>(application_data),
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2355 std::size(application_data)),
Avi Drissman4365a4782018-12-28 19:26:24[diff] [blame]2356 MockRead(SYNCHRONOUS, OK),
2357 };
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2358
Ryan Sleevib8d7ea02018-05-07 20:01:01[diff] [blame]2359 StaticSocketDataProvider data(data_reads, base::span<MockWrite>());
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2360
davidben7c168932015-10-19 19:37:16[diff] [blame]2361 TestCompletionCallback callback;
danakj655b66c2016-04-16 00:51:38[diff] [blame]2362 std::unique_ptr<StreamSocket> transport(
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2363 std::make_unique<MockTCPClientSocket>(addr(), nullptr, &data));
davidben7c168932015-10-19 19:37:16[diff] [blame]2364 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2365 EXPECT_THAT(rv, IsOk());
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2366
danakj655b66c2016-04-16 00:51:38[diff] [blame]2367 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2368 std::move(transport), host_port_pair(), SSLConfig()));
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2369
davidben7c168932015-10-19 19:37:16[diff] [blame]2370 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2371 EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
[email protected]39afe642010-04-29 14:55:18[diff] [blame]2372}
[email protected]47f7d742010-11-11 04:12:53[diff] [blame]2373
[email protected]7deea3d2011-01-09 06:03:41[diff] [blame]2374TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]2375 SSLServerConfig server_config;
2376 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]2377 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]2378 ASSERT_TRUE(
2379 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]47f7d742010-11-11 04:12:53[diff] [blame]2380
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]2381 SSLContextConfig ssl_context_config;
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]2382 ssl_context_config.disabled_cipher_suites.push_back(kModernTLS12Cipher);
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]2383 ssl_config_service_->UpdateSSLConfigAndNotify(ssl_context_config);
[email protected]47f7d742010-11-11 04:12:53[diff] [blame]2384
davidben7c168932015-10-19 19:37:16[diff] [blame]2385 int rv;
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]2386 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2387 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
[email protected]47f7d742010-11-11 04:12:53[diff] [blame]2388}
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2389
David Benjamin0a594692022-10-20 19:32:24[diff] [blame]2390// Test that TLS 1.0 and 1.1 are no longer supported.
2391TEST_F(SSLClientSocketTest, LegacyTLSVersions) {
2392 const struct {
2393 uint16_t server_version;
2394 absl::optional<uint16_t> client_version_min;
2395 bool feature = true;
2396 bool expect_error;
2397 } kTests[] = {
2398 // By default, TLS 1.0 and 1.1 should be disabled and will not be
2399 // negotiated.
2400 {.server_version = SSL_PROTOCOL_VERSION_TLS1, .expect_error = true},
2401 {.server_version = SSL_PROTOCOL_VERSION_TLS1_1, .expect_error = true},
2402 {.server_version = SSL_PROTOCOL_VERSION_TLS1,
2403 .feature = false,
2404 .expect_error = true},
2405 {.server_version = SSL_PROTOCOL_VERSION_TLS1_1,
2406 .feature = false,
2407 .expect_error = true},
Chris Thompsond708d342021-11-22 21:42:27[diff] [blame]2408
David Benjamin0a594692022-10-20 19:32:24[diff] [blame]2409 // Even if enabled at the client, TLS 1.0 and 1.1 should be disabled.
2410 {.server_version = SSL_PROTOCOL_VERSION_TLS1,
2411 .client_version_min = SSL_PROTOCOL_VERSION_TLS1,
2412 .expect_error = true},
2413 {.server_version = SSL_PROTOCOL_VERSION_TLS1_1,
2414 .client_version_min = SSL_PROTOCOL_VERSION_TLS1,
2415 .expect_error = true},
2416
2417 // If `kSSLMinVersionAtLeastTLS12` is disabled, the `version_min` setting
2418 // should take effect.
2419 {.server_version = SSL_PROTOCOL_VERSION_TLS1,
2420 .client_version_min = SSL_PROTOCOL_VERSION_TLS1,
2421 .feature = false,
2422 .expect_error = false},
2423 {.server_version = SSL_PROTOCOL_VERSION_TLS1_1,
2424 .client_version_min = SSL_PROTOCOL_VERSION_TLS1,
2425 .feature = false,
2426 .expect_error = false},
2427 };
2428 for (const auto& test : kTests) {
2429 base::test::ScopedFeatureList feature_list;
2430 if (!test.feature) {
2431 // TODO(https://crbug.com/1376584): When this feature is removed, this
2432 // test can be simplified.
2433 feature_list.InitAndDisableFeature(features::kSSLMinVersionAtLeastTLS12);
2434 }
2435
2436 SSLServerConfig config;
2437 config.version_max = test.server_version;
2438 config.version_min = test.server_version;
2439 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
2440 int rv;
2441
2442 if (test.client_version_min) {
2443 SSLContextConfig client_context_config;
2444 client_context_config.version_min = *test.client_version_min;
2445 ssl_config_service_->UpdateSSLConfigAndNotify(client_context_config);
2446 }
2447
2448 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
2449 if (test.expect_error) {
2450 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
2451 } else {
2452 EXPECT_THAT(rv, IsOk());
2453 }
2454 }
Chris Thompsond708d342021-11-22 21:42:27[diff] [blame]2455}
2456
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2457// When creating an SSLClientSocket, it is allowed to pass in a
2458// ClientSocketHandle that is not obtained from a client socket pool.
2459// Here we verify that such a simple ClientSocketHandle, not associated with any
2460// client socket pool, can be destroyed safely.
2461TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2462 ASSERT_TRUE(
2463 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2464
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2465 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2466 auto transport = std::make_unique<TCPClientSocket>(addr(), nullptr, nullptr,
2467 nullptr, NetLogSource());
davidben7c168932015-10-19 19:37:16[diff] [blame]2468 int rv = callback.GetResult(transport->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2469 EXPECT_THAT(rv, IsOk());
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2470
danakj655b66c2016-04-16 00:51:38[diff] [blame]2471 std::unique_ptr<SSLClientSocket> sock(socket_factory_->CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2472 context_.get(), std::move(transport), host_port_pair(), SSLConfig()));
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2473
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2474 EXPECT_FALSE(sock->IsConnected());
davidben7c168932015-10-19 19:37:16[diff] [blame]2475 rv = callback.GetResult(sock->Connect(callback.callback()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2476 EXPECT_THAT(rv, IsOk());
[email protected]b442da32011-08-16 19:32:28[diff] [blame]2477}
[email protected]c3456bb2011-12-12 22:22:19[diff] [blame]2478
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2479// Verifies that SSLClientSocket::ExportKeyingMaterial return a success
2480// code and different keying label results in different keying material.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2481TEST_P(SSLClientSocketVersionTest, ExportKeyingMaterial) {
2482 ASSERT_TRUE(
2483 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2484
davidben7c168932015-10-19 19:37:16[diff] [blame]2485 int rv;
2486 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2487 EXPECT_THAT(rv, IsOk());
davidben7c168932015-10-19 19:37:16[diff] [blame]2488 EXPECT_TRUE(sock_->IsConnected());
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2489
2490 const int kKeyingMaterialSize = 32;
thestig9d3bb0c2015-01-24 00:49:51[diff] [blame]2491 const char kKeyingLabel1[] = "client-socket-test-1";
davidben866c3d4a72015-04-06 21:56:43[diff] [blame]2492 const char kKeyingContext1[] = "";
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2493 unsigned char client_out1[kKeyingMaterialSize];
2494 memset(client_out1, 0, sizeof(client_out1));
davidben7c168932015-10-19 19:37:16[diff] [blame]2495 rv = sock_->ExportKeyingMaterial(kKeyingLabel1, false, kKeyingContext1,
2496 client_out1, sizeof(client_out1));
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2497 EXPECT_EQ(rv, OK);
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2498
thestig9d3bb0c2015-01-24 00:49:51[diff] [blame]2499 const char kKeyingLabel2[] = "client-socket-test-2";
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2500 unsigned char client_out2[kKeyingMaterialSize];
2501 memset(client_out2, 0, sizeof(client_out2));
davidben7c168932015-10-19 19:37:16[diff] [blame]2502 rv = sock_->ExportKeyingMaterial(kKeyingLabel2, false, kKeyingContext1,
2503 client_out2, sizeof(client_out2));
davidben866c3d4a72015-04-06 21:56:43[diff] [blame]2504 EXPECT_EQ(rv, OK);
2505 EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2506
2507 const char kKeyingContext2[] = "context";
davidben7c168932015-10-19 19:37:16[diff] [blame]2508 rv = sock_->ExportKeyingMaterial(kKeyingLabel1, true, kKeyingContext2,
2509 client_out2, sizeof(client_out2));
davidben866c3d4a72015-04-06 21:56:43[diff] [blame]2510 EXPECT_EQ(rv, OK);
2511 EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2512
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2513 // Prior to TLS 1.3, using an empty context should give different key material
2514 // from not using a context at all. In TLS 1.3, the distinction is deprecated
2515 // and they are the same.
davidben866c3d4a72015-04-06 21:56:43[diff] [blame]2516 memset(client_out2, 0, sizeof(client_out2));
davidben7c168932015-10-19 19:37:16[diff] [blame]2517 rv = sock_->ExportKeyingMaterial(kKeyingLabel1, true, kKeyingContext1,
2518 client_out2, sizeof(client_out2));
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2519 EXPECT_EQ(rv, OK);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2520 if (version() >= SSL_PROTOCOL_VERSION_TLS1_3) {
2521 EXPECT_EQ(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2522 } else {
2523 EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
2524 }
[email protected]dffa687e2012-03-08 23:20:42[diff] [blame]2525}
2526
bnc90c00692014-12-12 16:26:07[diff] [blame]2527TEST(SSLClientSocket, SerializeNextProtos) {
2528 NextProtoVector next_protos;
2529 next_protos.push_back(kProtoHTTP11);
bnca9b9e222016-07-11 20:10:40[diff] [blame]2530 next_protos.push_back(kProtoHTTP2);
bnc90c00692014-12-12 16:26:07[diff] [blame]2531 static std::vector<uint8_t> serialized =
bncf76254d622015-09-29 00:03:44[diff] [blame]2532 SSLClientSocket::SerializeNextProtos(next_protos);
bnca9b9e222016-07-11 20:10:40[diff] [blame]2533 ASSERT_EQ(12u, serialized.size());
bnc90c00692014-12-12 16:26:07[diff] [blame]2534 EXPECT_EQ(8, serialized[0]); // length("http/1.1")
2535 EXPECT_EQ('h', serialized[1]);
2536 EXPECT_EQ('t', serialized[2]);
2537 EXPECT_EQ('t', serialized[3]);
2538 EXPECT_EQ('p', serialized[4]);
2539 EXPECT_EQ('/', serialized[5]);
2540 EXPECT_EQ('1', serialized[6]);
2541 EXPECT_EQ('.', serialized[7]);
2542 EXPECT_EQ('1', serialized[8]);
bnca9b9e222016-07-11 20:10:40[diff] [blame]2543 EXPECT_EQ(2, serialized[9]); // length("h2")
2544 EXPECT_EQ('h', serialized[10]);
2545 EXPECT_EQ('2', serialized[11]);
bnc90c00692014-12-12 16:26:07[diff] [blame]2546}
2547
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2548// Test that the server certificates are properly retrieved from the underlying
2549// SSL stack.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2550TEST_P(SSLClientSocketVersionTest, VerifyServerChainProperlyOrdered) {
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2551 // The connection does not have to be successful.
2552 cert_verifier_->set_default_result(ERR_CERT_INVALID);
2553
2554 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
2555 // This makes the server present redundant-server-chain.pem, which contains
2556 // intermediate certificates.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2557 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
2558 GetServerConfig()));
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2559
davidben7c168932015-10-19 19:37:16[diff] [blame]2560 int rv;
2561 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2562 EXPECT_THAT(rv, IsError(ERR_CERT_INVALID));
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]2563 EXPECT_FALSE(sock_->IsConnected());
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2564
David Benjamin778627292021-11-17 19:29:20[diff] [blame]2565 // When given option CERT_CHAIN_WRONG_ROOT, EmbeddedTestServer will present
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2566 // certs from redundant-server-chain.pem.
2567 CertificateList server_certs =
2568 CreateCertificateListFromFile(GetTestCertsDirectory(),
2569 "redundant-server-chain.pem",
2570 X509Certificate::FORMAT_AUTO);
2571
2572 // Get the server certificate as received client side.
estark03d644f2015-06-13 00:11:32[diff] [blame]2573 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]2574 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
estark03d644f2015-06-13 00:11:32[diff] [blame]2575 scoped_refptr<X509Certificate> server_certificate = ssl_info.unverified_cert;
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2576
2577 // Get the intermediates as received client side.
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2578 const auto& server_intermediates = server_certificate->intermediate_buffers();
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2579
2580 // Check that the unverified server certificate chain is properly retrieved
2581 // from the underlying ssl stack.
2582 ASSERT_EQ(4U, server_certs.size());
2583
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2584 EXPECT_TRUE(x509_util::CryptoBufferEqual(server_certificate->cert_buffer(),
2585 server_certs[0]->cert_buffer()));
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2586
2587 ASSERT_EQ(3U, server_intermediates.size());
2588
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2589 EXPECT_TRUE(x509_util::CryptoBufferEqual(server_intermediates[0].get(),
2590 server_certs[1]->cert_buffer()));
2591 EXPECT_TRUE(x509_util::CryptoBufferEqual(server_intermediates[1].get(),
2592 server_certs[2]->cert_buffer()));
2593 EXPECT_TRUE(x509_util::CryptoBufferEqual(server_intermediates[2].get(),
2594 server_certs[3]->cert_buffer()));
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2595
davidben7c168932015-10-19 19:37:16[diff] [blame]2596 sock_->Disconnect();
2597 EXPECT_FALSE(sock_->IsConnected());
[email protected]7f38da8a2014-03-17 16:44:26[diff] [blame]2598}
2599
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2600// This tests that SSLInfo contains a properly re-constructed certificate
2601// chain. That, in turn, verifies that GetSSLInfo is giving us the chain as
2602// verified, not the chain as served by the server. (They may be different.)
2603//
2604// CERT_CHAIN_WRONG_ROOT is redundant-server-chain.pem. It contains A
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2605// (end-entity) -> B -> C, and C is signed by D. redundant-validated-chain.pem
2606// contains a chain of A -> B -> C2, where C2 is the same public key as C, but
2607// a self-signed root. Such a situation can occur when a new root (C2) is
2608// cross-certified by an old root (D) and has two different versions of its
2609// floating around. Servers may supply C2 as an intermediate, but the
2610// SSLClientSocket should return the chain that was verified, from
2611// verify_result, instead.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2612TEST_P(SSLClientSocketVersionTest, VerifyReturnChainProperlyOrdered) {
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2613 // By default, cause the CertVerifier to treat all certificates as
2614 // expired.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2615 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2616
estark03d644f2015-06-13 00:11:32[diff] [blame]2617 CertificateList unverified_certs = CreateCertificateListFromFile(
2618 GetTestCertsDirectory(), "redundant-server-chain.pem",
2619 X509Certificate::FORMAT_AUTO);
2620 ASSERT_EQ(4u, unverified_certs.size());
2621
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2622 // We will expect SSLInfo to ultimately contain this chain.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2623 CertificateList certs =
2624 CreateCertificateListFromFile(GetTestCertsDirectory(),
2625 "redundant-validated-chain.pem",
2626 X509Certificate::FORMAT_AUTO);
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2627 ASSERT_EQ(3U, certs.size());
2628
Matt Mueller294998d2018-04-17 03:04:53[diff] [blame]2629 ASSERT_TRUE(certs[0]->EqualsExcludingChain(unverified_certs[0].get()));
rsleevi74e99742016-09-13 20:35:25[diff] [blame]2630
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2631 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> temp_intermediates;
David Benjamin4db85cf2018-07-10 16:10:04[diff] [blame]2632 temp_intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
2633 temp_intermediates.push_back(bssl::UpRef(certs[2]->cert_buffer()));
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2634
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2635 CertVerifyResult verify_result;
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2636 verify_result.verified_cert = X509Certificate::CreateFromBuffer(
David Benjamin4db85cf2018-07-10 16:10:04[diff] [blame]2637 bssl::UpRef(certs[0]->cert_buffer()), std::move(temp_intermediates));
mattmfe4511a2017-03-22 01:38:49[diff] [blame]2638 ASSERT_TRUE(verify_result.verified_cert);
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2639
2640 // Add a rule that maps the server cert (A) to the chain of A->B->C2
2641 // rather than A->B->C.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2642 cert_verifier_->AddResultForCert(certs[0].get(), verify_result, OK);
[email protected]47a12862012-04-10 01:00:49[diff] [blame]2643
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2644 // Load and install the root for the validated chain.
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2645 scoped_refptr<X509Certificate> root_cert = ImportCertFromFile(
2646 GetTestCertsDirectory(), "redundant-validated-chain-root.pem");
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]2647 ASSERT_NE(static_cast<X509Certificate*>(nullptr), root_cert.get());
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2648 ScopedTestRoot scoped_root(root_cert.get());
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2649
2650 // Set up a test server with CERT_CHAIN_WRONG_ROOT.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2651 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
2652 GetServerConfig()));
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2653
davidben7c168932015-10-19 19:37:16[diff] [blame]2654 int rv;
2655 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2656 EXPECT_THAT(rv, IsOk());
davidben7c168932015-10-19 19:37:16[diff] [blame]2657 EXPECT_TRUE(sock_->IsConnected());
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2658
Matt Reichhoff36a1fd62021-10-12 22:52:20[diff] [blame]2659 auto entries = log_observer_.GetEntries();
mikecirone8b85c432016-09-08 19:11:00[diff] [blame]2660 EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2661
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2662 SSLInfo ssl_info;
rsleevi74e99742016-09-13 20:35:25[diff] [blame]2663 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2664
2665 // Verify that SSLInfo contains the corrected re-constructed chain A -> B
2666 // -> C2.
rsleevi74e99742016-09-13 20:35:25[diff] [blame]2667 ASSERT_TRUE(ssl_info.cert);
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2668 const auto& intermediates = ssl_info.cert->intermediate_buffers();
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2669 ASSERT_EQ(2U, intermediates.size());
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2670 EXPECT_TRUE(x509_util::CryptoBufferEqual(ssl_info.cert->cert_buffer(),
2671 certs[0]->cert_buffer()));
2672 EXPECT_TRUE(x509_util::CryptoBufferEqual(intermediates[0].get(),
2673 certs[1]->cert_buffer()));
2674 EXPECT_TRUE(x509_util::CryptoBufferEqual(intermediates[1].get(),
2675 certs[2]->cert_buffer()));
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2676
estark03d644f2015-06-13 00:11:32[diff] [blame]2677 // Verify that SSLInfo also contains the chain as received from the server.
rsleevi74e99742016-09-13 20:35:25[diff] [blame]2678 ASSERT_TRUE(ssl_info.unverified_cert);
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2679 const auto& served_intermediates =
2680 ssl_info.unverified_cert->intermediate_buffers();
estark03d644f2015-06-13 00:11:32[diff] [blame]2681 ASSERT_EQ(3U, served_intermediates.size());
Matt Muellera4193272017-12-07 00:23:34[diff] [blame]2682 EXPECT_TRUE(x509_util::CryptoBufferEqual(ssl_info.cert->cert_buffer(),
2683 unverified_certs[0]->cert_buffer()));
2684 EXPECT_TRUE(x509_util::CryptoBufferEqual(served_intermediates[0].get(),
2685 unverified_certs[1]->cert_buffer()));
2686 EXPECT_TRUE(x509_util::CryptoBufferEqual(served_intermediates[1].get(),
2687 unverified_certs[2]->cert_buffer()));
2688 EXPECT_TRUE(x509_util::CryptoBufferEqual(served_intermediates[2].get(),
2689 unverified_certs[3]->cert_buffer()));
estark03d644f2015-06-13 00:11:32[diff] [blame]2690
davidben7c168932015-10-19 19:37:16[diff] [blame]2691 sock_->Disconnect();
2692 EXPECT_FALSE(sock_->IsConnected());
[email protected]e54d0af2012-03-03 01:07:15[diff] [blame]2693}
2694
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]2695// Client certificates are disabled on iOS.
2696#if !BUILDFLAG(IS_IOS)
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2697INSTANTIATE_TEST_SUITE_P(TLSVersion,
2698 SSLClientSocketCertRequestInfoTest,
Bence Békycc859862021-02-08 17:26:40[diff] [blame]2699 ValuesIn(GetTLSVersions()));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2700
2701TEST_P(SSLClientSocketCertRequestInfoTest,
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]2702 DontRequestClientCertsIfServerCertInvalid) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2703 SSLServerConfig config = GetServerConfig();
2704 config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
2705 ASSERT_TRUE(
2706 StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED, config));
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]2707
2708 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
2709 int rv;
2710 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
2711 EXPECT_THAT(rv, IsError(ERR_CERT_DATE_INVALID));
2712}
2713
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2714TEST_P(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
2715 SSLServerConfig config = GetServerConfig();
2716 config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
2717 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
2718 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
[email protected]90499482013-06-01 00:39:50[diff] [blame]2719 ASSERT_TRUE(request_info.get());
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2720 EXPECT_EQ(0u, request_info->cert_authorities.size());
2721}
2722
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2723TEST_P(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2724 const unsigned char kThawteDN[] = {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2725 0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2726 0x02, 0x5a, 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a,
2727 0x13, 0x1c, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6f, 0x6e,
2728 0x73, 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79,
2729 0x29, 0x20, 0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
2730 0x55, 0x04, 0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20,
2731 0x53, 0x47, 0x43, 0x20, 0x43, 0x41};
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2732
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2733 const unsigned char kDiginotarDN[] = {
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2734 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
2735 0x02, 0x4e, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
2736 0x13, 0x09, 0x44, 0x69, 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x31,
2737 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x44, 0x69,
2738 0x67, 0x69, 0x4e, 0x6f, 0x74, 0x61, 0x72, 0x20, 0x52, 0x6f, 0x6f, 0x74,
2739 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x09, 0x2a, 0x86, 0x48,
2740 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x11, 0x69, 0x6e, 0x66, 0x6f,
2741 0x40, 0x64, 0x69, 0x67, 0x69, 0x6e, 0x6f, 0x74, 0x61, 0x72, 0x2e, 0x6e,
2742 0x6c};
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2743
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2744 SSLServerConfig config = GetServerConfig();
2745 config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
Tsuyoshi Horoebc507882022-06-30 11:16:45[diff] [blame]2746 config.cert_authorities.emplace_back(std::begin(kThawteDN),
2747 std::end(kThawteDN));
2748 config.cert_authorities.emplace_back(std::begin(kDiginotarDN),
2749 std::end(kDiginotarDN));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2750 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
2751 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
[email protected]90499482013-06-01 00:39:50[diff] [blame]2752 ASSERT_TRUE(request_info.get());
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2753 EXPECT_EQ(config.cert_authorities, request_info->cert_authorities);
[email protected]515adc22013-01-09 16:01:23[diff] [blame]2754}
[email protected]789aca52013-08-14 06:40:10[diff] [blame]2755
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2756TEST_P(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
David Benjamin8d959c22021-11-17 05:07:53[diff] [blame]2757 SSLServerConfig config = GetServerConfig();
2758 config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
2759 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2760 scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
[email protected]c0787702014-05-20 21:51:44[diff] [blame]2761 ASSERT_TRUE(request_info.get());
David Benjamin8d959c22021-11-17 05:07:53[diff] [blame]2762 if (version() >= SSL_PROTOCOL_VERSION_TLS1_3) {
2763 // TLS 1.3 does not use cert_key_types, only signature algorithms. This
2764 // should be migrated to a more modern mechanism. See
2765 // https://crbug.com/1270530.
2766 EXPECT_EQ(0u, request_info->cert_key_types.size());
2767 } else {
2768 // BoringSSL always sends rsa_sign and ecdsa_sign.
2769 ASSERT_EQ(2u, request_info->cert_key_types.size());
2770 EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]);
2771 EXPECT_EQ(CLIENT_CERT_ECDSA_SIGN, request_info->cert_key_types[1]);
2772 }
[email protected]c0787702014-05-20 21:51:44[diff] [blame]2773}
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]2774#endif // !IS_IOS
[email protected]c0787702014-05-20 21:51:44[diff] [blame]2775
Ryan Sleevid1a894e2018-04-03 20:24:07[diff] [blame]2776// Tests that the Certificate Transparency (RFC 6962) TLS extension is
2777// supported.
David Benjamin8e657bc2021-09-20 19:07:44[diff] [blame]2778TEST_P(SSLClientSocketVersionTest, ConnectSignedCertTimestampsTLSExtension) {
svaldez9a751f7d2016-11-30 18:03:36[diff] [blame]2779 // Encoding of SCT List containing 'test'.
rsleevi22cae1672016-12-28 01:53:36[diff] [blame]2780 base::StringPiece sct_ext("\x00\x06\x00\x04test", 8);
[email protected]4e72ee502013-11-28 13:43:26[diff] [blame]2781
David Benjamin8e657bc2021-09-20 19:07:44[diff] [blame]2782 SSLServerConfig server_config = GetServerConfig();
2783 server_config.signed_cert_timestamp_list =
2784 std::vector<uint8_t>(sct_ext.begin(), sct_ext.end());
2785 ASSERT_TRUE(
2786 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]4e72ee502013-11-28 13:43:26[diff] [blame]2787
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]2788 auto ct_verifier = std::make_unique<MockCTVerifier>();
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]2789
rsleevi22cae1672016-12-28 01:53:36[diff] [blame]2790 // Check that the SCT list is extracted from the TLS extension as expected,
2791 // while also simulating that it was an unparsable response.
2792 SignedCertificateTimestampAndStatusList sct_list;
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]2793 EXPECT_CALL(*ct_verifier, Verify(_, _, _, sct_ext, _, _))
Rob Percivalbc658a22017-12-13 08:24:42[diff] [blame]2794 .WillOnce(testing::SetArgPointee<4>(sct_list));
davidbeneb5f8ef32014-09-04 14:14:32[diff] [blame]2795
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]2796 auto cert_and_ct_verifier = std::make_unique<CertAndCTVerifier>(
2797 std::move(cert_verifier_), std::move(ct_verifier));
2798
2799 context_ = std::make_unique<SSLClientContext>(
2800 ssl_config_service_.get(), cert_and_ct_verifier.get(),
2801 transport_security_state_.get(), ct_policy_enforcer_.get(),
2802 ssl_client_session_cache_.get(), nullptr);
2803
davidben7c168932015-10-19 19:37:16[diff] [blame]2804 int rv;
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]2805 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2806 EXPECT_THAT(rv, IsOk());
[email protected]4e72ee502013-11-28 13:43:26[diff] [blame]2807
davidben7c168932015-10-19 19:37:16[diff] [blame]2808 EXPECT_TRUE(sock_->signed_cert_timestamps_received_);
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]2809
2810 sock_ = nullptr;
2811 context_ = nullptr;
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2812}
2813
estark6f9b3d82016-01-12 21:37:05[diff] [blame]2814// Test that when a CT verifier and a CTPolicyEnforcer are defined, and
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2815// the EV certificate used conforms to the CT/EV policy, its EV status
2816// is maintained.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2817TEST_P(SSLClientSocketVersionTest, EVCertStatusMaintainedForCompliantCert) {
2818 ASSERT_TRUE(
2819 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2820
2821 SSLConfig ssl_config;
2822 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
2823
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2824 // Emulate compliance of the certificate to the policy.
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]2825 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
estark0fc8d0782016-02-25 20:41:20[diff] [blame]2826 .WillRepeatedly(
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]2827 Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2828
2829 int rv;
2830 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2831 EXPECT_THAT(rv, IsOk());
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2832
2833 SSLInfo result;
2834 ASSERT_TRUE(sock_->GetSSLInfo(&result));
2835
2836 EXPECT_TRUE(result.cert_status & CERT_STATUS_IS_EV);
2837}
2838
estark6f9b3d82016-01-12 21:37:05[diff] [blame]2839// Test that when a CT verifier and a CTPolicyEnforcer are defined, but
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2840// the EV certificate used does not conform to the CT/EV policy, its EV status
2841// is removed.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2842TEST_P(SSLClientSocketVersionTest, EVCertStatusRemovedForNonCompliantCert) {
2843 ASSERT_TRUE(
2844 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2845
2846 SSLConfig ssl_config;
2847 AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
2848
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2849 // Emulate non-compliance of the certificate to the policy.
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]2850 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(_, _, _))
estark0fc8d0782016-02-25 20:41:20[diff] [blame]2851 .WillRepeatedly(
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]2852 Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2853
2854 int rv;
2855 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2856 EXPECT_THAT(rv, IsOk());
eranm0d92230e2015-12-16 20:59:04[diff] [blame]2857
2858 SSLInfo result;
2859 ASSERT_TRUE(sock_->GetSSLInfo(&result));
2860
2861 EXPECT_FALSE(result.cert_status & CERT_STATUS_IS_EV);
2862 EXPECT_TRUE(result.cert_status & CERT_STATUS_CT_COMPLIANCE_FAILED);
2863}
2864
Ryan Sleevid1a894e2018-04-03 20:24:07[diff] [blame]2865// Tests that OCSP stapling is requested, as per Certificate Transparency (RFC
2866// 6962).
Matt Muellerf566f0e52020-05-06 00:52:25[diff] [blame]2867TEST_P(SSLClientSocketVersionTest, ConnectSignedCertTimestampsEnablesOCSP) {
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2868 // The test server currently only knows how to generate OCSP responses
2869 // for a freshly minted certificate.
Matt Muellerf566f0e52020-05-06 00:52:25[diff] [blame]2870 EmbeddedTestServer::ServerCertificateConfig cert_config;
2871 cert_config.stapled_ocsp_config = EmbeddedTestServer::OCSPConfig(
2872 {{OCSPRevocationStatus::GOOD,
2873 EmbeddedTestServer::OCSPConfig::SingleResponse::Date::kValid}});
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2874
Matt Muellerf566f0e52020-05-06 00:52:25[diff] [blame]2875 ASSERT_TRUE(StartEmbeddedTestServer(cert_config, GetServerConfig()));
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2876
2877 SSLConfig ssl_config;
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2878
davidben7c168932015-10-19 19:37:16[diff] [blame]2879 int rv;
2880 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2881 EXPECT_THAT(rv, IsOk());
[email protected]c9feb5f2013-12-17 00:25:51[diff] [blame]2882
davidben7c168932015-10-19 19:37:16[diff] [blame]2883 EXPECT_TRUE(sock_->stapled_ocsp_response_received_);
[email protected]4e72ee502013-11-28 13:43:26[diff] [blame]2884}
2885
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2886// Tests that IsConnectedAndIdle and WasEverUsed behave as expected.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2887TEST_P(SSLClientSocketVersionTest, ReuseStates) {
2888 ASSERT_TRUE(
2889 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2890
davidben7c168932015-10-19 19:37:16[diff] [blame]2891 int rv;
2892 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2893
2894 // The socket was just connected. It should be idle because it is speaking
2895 // HTTP. Although the transport has been used for the handshake, WasEverUsed()
2896 // returns false.
davidben7c168932015-10-19 19:37:16[diff] [blame]2897 EXPECT_TRUE(sock_->IsConnected());
2898 EXPECT_TRUE(sock_->IsConnectedAndIdle());
2899 EXPECT_FALSE(sock_->WasEverUsed());
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2900
2901 const char kRequestText[] = "GET / HTTP/1.0\r\n\r\n";
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2902 const size_t kRequestLen = std::size(kRequestText) - 1;
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2903 scoped_refptr<IOBuffer> request_buffer =
2904 base::MakeRefCounted<IOBuffer>(kRequestLen);
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2905 memcpy(request_buffer->data(), kRequestText, kRequestLen);
2906
davidben7c168932015-10-19 19:37:16[diff] [blame]2907 TestCompletionCallback callback;
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2908 rv = callback.GetResult(sock_->Write(request_buffer.get(), kRequestLen,
2909 callback.callback(),
2910 TRAFFIC_ANNOTATION_FOR_TESTS));
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2911 EXPECT_EQ(static_cast<int>(kRequestLen), rv);
2912
2913 // The socket has now been used.
davidben7c168932015-10-19 19:37:16[diff] [blame]2914 EXPECT_TRUE(sock_->WasEverUsed());
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2915
2916 // TODO(davidben): Read one byte to ensure the test server has responded and
2917 // then assert IsConnectedAndIdle is false. This currently doesn't work
svaldeze83af292016-04-26 14:33:37[diff] [blame]2918 // because SSLClientSocketImpl doesn't check the implementation's internal
2919 // buffer. Call SSL_pending.
[email protected]0dc88b32014-03-26 20:12:28[diff] [blame]2920}
2921
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2922// Tests that |is_fatal_cert_error| does not get set for a certificate error,
2923// on a non-HSTS host.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2924TEST_P(SSLClientSocketVersionTest, IsFatalErrorNotSetOnNonFatalError) {
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2925 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2926 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
2927 GetServerConfig()));
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2928 int rv;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2929 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2930 SSLInfo ssl_info;
2931 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
2932 EXPECT_FALSE(ssl_info.is_fatal_cert_error);
2933}
2934
2935// Tests that |is_fatal_cert_error| gets set for a certificate error on an
2936// HSTS host.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2937TEST_P(SSLClientSocketVersionTest, IsFatalErrorSetOnFatalError) {
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2938 cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2939 ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
2940 GetServerConfig()));
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2941 int rv;
Peter Kastinge5a38ed2021-10-02 03:06:35[diff] [blame]2942 const base::Time expiry = base::Time::Now() + base::Seconds(1000);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2943 transport_security_state_->AddHSTS(host_port_pair().host(), expiry, true);
2944 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
Carlos IL81133382017-12-06 17:18:45[diff] [blame]2945 SSLInfo ssl_info;
2946 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
2947 EXPECT_TRUE(ssl_info.is_fatal_cert_error);
2948}
2949
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2950// Tests that IsConnectedAndIdle treats a socket as idle even if a Write hasn't
2951// been flushed completely out of SSLClientSocket's internal buffers. This is a
2952// regression test for https://crbug.com/466147.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2953TEST_P(SSLClientSocketVersionTest, ReusableAfterWrite) {
2954 ASSERT_TRUE(
2955 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2956
2957 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]2958 auto real_transport = std::make_unique<TCPClientSocket>(
2959 addr(), nullptr, nullptr, nullptr, NetLogSource());
2960 auto transport =
2961 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2962 FakeBlockingStreamSocket* raw_transport = transport.get();
robpercival214763f2016-07-01 23:27:01[diff] [blame]2963 ASSERT_THAT(callback.GetResult(transport->Connect(callback.callback())),
2964 IsOk());
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2965
danakj655b66c2016-04-16 00:51:38[diff] [blame]2966 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2967 std::move(transport), host_port_pair(), SSLConfig()));
robpercival214763f2016-07-01 23:27:01[diff] [blame]2968 ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())), IsOk());
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2969
2970 // Block any application data from reaching the network.
2971 raw_transport->BlockWrite();
2972
2973 // Write a partial HTTP request.
2974 const char kRequestText[] = "GET / HTTP/1.0";
Daniel Cheng5feb16f2022-02-28 06:52:07[diff] [blame]2975 const size_t kRequestLen = std::size(kRequestText) - 1;
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]2976 scoped_refptr<IOBuffer> request_buffer =
2977 base::MakeRefCounted<IOBuffer>(kRequestLen);
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2978 memcpy(request_buffer->data(), kRequestText, kRequestLen);
2979
svaldeze83af292016-04-26 14:33:37[diff] [blame]2980 // Although transport writes are blocked, SSLClientSocketImpl completes the
2981 // outer Write operation.
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2982 EXPECT_EQ(static_cast<int>(kRequestLen),
2983 callback.GetResult(sock->Write(request_buffer.get(), kRequestLen,
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]2984 callback.callback(),
2985 TRAFFIC_ANNOTATION_FOR_TESTS)));
davidbenfc9a6b82015-04-15 23:47:32[diff] [blame]2986
2987 // The Write operation is complete, so the socket should be treated as
2988 // reusable, in case the server returns an HTTP response before completely
2989 // consuming the request body. In this case, we assume the server will
2990 // properly drain the request body before trying to read the next request.
2991 EXPECT_TRUE(sock->IsConnectedAndIdle());
2992}
2993
davidbendafe4e52015-04-08 22:53:52[diff] [blame]2994// Tests that basic session resumption works.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]2995TEST_P(SSLClientSocketVersionTest, SessionResumption) {
2996 ASSERT_TRUE(
2997 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]2998
2999 // First, perform a full handshake.
3000 SSLConfig ssl_config;
davidben7c168932015-10-19 19:37:16[diff] [blame]3001 int rv;
3002 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3003 ASSERT_THAT(rv, IsOk());
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3004 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]3005 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3006 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3007
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3008 // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
3009 // use the socket to ensure the session ticket has been picked up.
3010 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
3011
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3012 // The next connection should resume.
davidben7c168932015-10-19 19:37:16[diff] [blame]3013 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3014 ASSERT_THAT(rv, IsOk());
davidben7c168932015-10-19 19:37:16[diff] [blame]3015 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3016 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
davidben7c168932015-10-19 19:37:16[diff] [blame]3017 sock_.reset();
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3018
3019 // Using a different HostPortPair uses a different session cache key.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]3020 auto transport = std::make_unique<TCPClientSocket>(
3021 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
davidben7c168932015-10-19 19:37:16[diff] [blame]3022 TestCompletionCallback callback;
robpercival214763f2016-07-01 23:27:01[diff] [blame]3023 ASSERT_THAT(callback.GetResult(transport->Connect(callback.callback())),
3024 IsOk());
danakj655b66c2016-04-16 00:51:38[diff] [blame]3025 std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
dchengc7eeda422015-12-26 03:56:48[diff] [blame]3026 std::move(transport), HostPortPair("example.com", 443), ssl_config);
robpercival214763f2016-07-01 23:27:01[diff] [blame]3027 ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())), IsOk());
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3028 ASSERT_TRUE(sock->GetSSLInfo(&ssl_info));
3029 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
davidben7c168932015-10-19 19:37:16[diff] [blame]3030 sock.reset();
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3031
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]3032 ssl_client_session_cache_->Flush();
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3033
3034 // After clearing the session cache, the next handshake doesn't resume.
davidben7c168932015-10-19 19:37:16[diff] [blame]3035 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3036 ASSERT_THAT(rv, IsOk());
davidben7c168932015-10-19 19:37:16[diff] [blame]3037 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3038 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3039}
3040
Adam Langley26cf55a2019-07-01 21:14:57[diff] [blame]3041namespace {
3042
3043// FakePeerAddressSocket wraps a |StreamSocket|, forwarding all calls except
3044// that it provides a given answer for |GetPeerAddress|.
3045class FakePeerAddressSocket : public WrappedStreamSocket {
3046 public:
3047 FakePeerAddressSocket(std::unique_ptr<StreamSocket> socket,
3048 const IPEndPoint& address)
3049 : WrappedStreamSocket(std::move(socket)), address_(address) {}
Tsuyoshi Horo07c3f0e2022-06-16 07:30:47[diff] [blame]3050 ~FakePeerAddressSocket() override = default;
Adam Langley26cf55a2019-07-01 21:14:57[diff] [blame]3051
3052 int GetPeerAddress(IPEndPoint* address) const override {
3053 *address = address_;
3054 return OK;
3055 }
3056
3057 private:
3058 const IPEndPoint address_;
3059};
3060
3061} // namespace
3062
3063TEST_F(SSLClientSocketTest, SessionResumption_RSA) {
3064 for (bool use_rsa : {false, true}) {
3065 SCOPED_TRACE(use_rsa);
3066
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3067 SSLServerConfig server_config;
3068 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3069 server_config.cipher_suite_for_testing =
3070 use_rsa ? kRSACipher : kModernTLS12Cipher;
3071 ASSERT_TRUE(
3072 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
Adam Langley26cf55a2019-07-01 21:14:57[diff] [blame]3073 SSLConfig ssl_config;
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]3074 ssl_client_session_cache_->Flush();
Adam Langley26cf55a2019-07-01 21:14:57[diff] [blame]3075
3076 for (int i = 0; i < 3; i++) {
3077 SCOPED_TRACE(i);
3078
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]3079 auto transport = std::make_unique<TCPClientSocket>(
3080 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
Adam Langley26cf55a2019-07-01 21:14:57[diff] [blame]3081 TestCompletionCallback callback;
3082 ASSERT_THAT(callback.GetResult(transport->Connect(callback.callback())),
3083 IsOk());
3084 // The third handshake sees a different destination IP address.
3085 IPEndPoint fake_peer_address(IPAddress(1, 1, 1, i == 2 ? 2 : 1), 443);
3086 auto socket = std::make_unique<FakePeerAddressSocket>(
3087 std::move(transport), fake_peer_address);
3088 std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
3089 std::move(socket), HostPortPair("example.com", 443), ssl_config);
3090 ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())),
3091 IsOk());
3092 SSLInfo ssl_info;
3093 ASSERT_TRUE(sock->GetSSLInfo(&ssl_info));
3094 sock.reset();
3095
3096 switch (i) {
3097 case 0:
3098 // Initial handshake should be a full handshake.
3099 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3100 break;
3101 case 1:
3102 // Second handshake should resume.
3103 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
3104 break;
3105 case 2:
3106 // Third handshake gets a different IP address and, if the
3107 // session used RSA key exchange, it should not resume.
3108 EXPECT_EQ(
3109 use_rsa ? SSLInfo::HANDSHAKE_FULL : SSLInfo::HANDSHAKE_RESUME,
3110 ssl_info.handshake_type);
3111 break;
3112 default:
3113 NOTREACHED();
3114 }
3115 }
3116 }
3117}
3118
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3119// Tests that ALPN works with session resumption.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3120TEST_F(SSLClientSocketTest, SessionResumptionAlpn) {
3121 SSLServerConfig server_config;
3122 server_config.alpn_protos = {NextProto::kProtoHTTP2, NextProto::kProtoHTTP11};
3123 ASSERT_TRUE(
3124 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3125
3126 // First, perform a full handshake.
3127 SSLConfig ssl_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3128 ssl_config.alpn_protos.push_back(kProtoHTTP2);
3129 int rv;
3130 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3131 ASSERT_THAT(rv, IsOk());
3132 SSLInfo ssl_info;
3133 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3134 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3135 EXPECT_EQ(kProtoHTTP2, sock_->GetNegotiatedProtocol());
3136
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]3137 // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
3138 // use the socket to ensure the session ticket has been picked up.
3139 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
3140
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3141 // The next connection should resume; ALPN should be renegotiated.
3142 ssl_config.alpn_protos.clear();
3143 ssl_config.alpn_protos.push_back(kProtoHTTP11);
3144 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3145 ASSERT_THAT(rv, IsOk());
3146 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3147 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
3148 EXPECT_EQ(kProtoHTTP11, sock_->GetNegotiatedProtocol());
3149}
3150
Brianna Goldsteind22b0642022-10-11 16:30:50[diff] [blame]3151// Tests that the session cache is not sharded by NetworkAnonymizationKey if the
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3152// feature is disabled.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3153TEST_P(SSLClientSocketVersionTest,
3154 SessionResumptionNetworkIsolationKeyDisabled) {
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3155 base::test::ScopedFeatureList feature_list;
3156 feature_list.InitAndDisableFeature(
3157 features::kPartitionSSLSessionsByNetworkIsolationKey);
3158
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3159 ASSERT_TRUE(
3160 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3161
3162 // First, perform a full handshake.
3163 SSLConfig ssl_config;
3164 int rv;
3165 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3166 ASSERT_THAT(rv, IsOk());
3167 SSLInfo ssl_info;
3168 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3169 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3170
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3171 // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
3172 // use the socket to ensure the session ticket has been picked up. Do this for
3173 // every connection to avoid problems with TLS 1.3 single-use tickets.
3174 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
3175
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3176 // The next connection should resume.
3177 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3178 ASSERT_THAT(rv, IsOk());
3179 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3180 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3181 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3182 sock_.reset();
3183
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3184 // Using a different NetworkAnonymizationKey shares session cache key because
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3185 // sharding is disabled.
Matt Menke4807a9a2020-11-21 00:14:41[diff] [blame]3186 const SchemefulSite kSiteA(GURL("https://a.test"));
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3187 ssl_config.network_anonymization_key =
3188 NetworkAnonymizationKey(kSiteA, kSiteA, /*is_cross_site=*/false);
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3189 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3190 ASSERT_THAT(rv, IsOk());
3191 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3192 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3193 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3194 sock_.reset();
3195
Matt Menke4807a9a2020-11-21 00:14:41[diff] [blame]3196 const SchemefulSite kSiteB(GURL("https://a.test"));
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3197 ssl_config.network_anonymization_key =
3198 NetworkAnonymizationKey(kSiteB, kSiteB, /*is_cross_site=*/false);
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3199 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3200 ASSERT_THAT(rv, IsOk());
3201 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3202 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3203 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3204 sock_.reset();
3205}
3206
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3207// Tests that the session cache is sharded by NetworkAnonymizationKey if the
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3208// feature is enabled.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3209TEST_P(SSLClientSocketVersionTest,
3210 SessionResumptionNetworkIsolationKeyEnabled) {
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3211 base::test::ScopedFeatureList feature_list;
3212 feature_list.InitAndEnableFeature(
3213 features::kPartitionSSLSessionsByNetworkIsolationKey);
3214
Matt Menke4807a9a2020-11-21 00:14:41[diff] [blame]3215 const SchemefulSite kSiteA(GURL("https://a.test"));
3216 const SchemefulSite kSiteB(GURL("https://b.test"));
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3217 const NetworkAnonymizationKey kNetworkAnonymizationKeyA(
3218 kSiteA, kSiteA, /*is_cross_site=*/false);
3219 const NetworkAnonymizationKey kNetworkAnonymizationKeyB(
3220 kSiteB, kSiteB, /*is_cross_site=*/false);
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3221
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3222 ASSERT_TRUE(
3223 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3224
3225 // First, perform a full handshake.
3226 SSLConfig ssl_config;
3227 int rv;
3228 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3229 ASSERT_THAT(rv, IsOk());
3230 SSLInfo ssl_info;
3231 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3232 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3233
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3234 // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
3235 // use the socket to ensure the session ticket has been picked up. Do this for
3236 // every connection to avoid problems with TLS 1.3 single-use tickets.
3237 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
3238
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3239 // The next connection should resume.
3240 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3241 ASSERT_THAT(rv, IsOk());
3242 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3243 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3244 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3245 sock_.reset();
3246
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3247 // Using a different NetworkAnonymizationKey uses a different session cache
3248 // key.
3249 ssl_config.network_anonymization_key = kNetworkAnonymizationKeyA;
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3250 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3251 ASSERT_THAT(rv, IsOk());
3252 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3253 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3254 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3255 sock_.reset();
3256
3257 // We, however, can resume under that newly-established session.
3258 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3259 ASSERT_THAT(rv, IsOk());
3260 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3261 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3262 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3263 sock_.reset();
3264
3265 // Repeat with another non-null key.
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3266 ssl_config.network_anonymization_key = kNetworkAnonymizationKeyB;
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3267 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3268 ASSERT_THAT(rv, IsOk());
3269 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3270 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3271 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3272 sock_.reset();
3273
3274 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3275 ASSERT_THAT(rv, IsOk());
3276 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3277 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3278 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3279 sock_.reset();
3280
3281 // b.test does not evict a.test's session.
Brianna Goldstein92b34452022-09-28 13:45:37[diff] [blame]3282 ssl_config.network_anonymization_key = kNetworkAnonymizationKeyA;
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3283 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3284 ASSERT_THAT(rv, IsOk());
3285 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3286 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3287 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin6f2da652019-06-26 23:36:35[diff] [blame]3288 sock_.reset();
3289}
3290
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3291// Tests that connections with certificate errors do not add entries to the
3292// session cache.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3293TEST_P(SSLClientSocketVersionTest, CertificateErrorNoResume) {
3294 ASSERT_TRUE(
3295 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3296
3297 cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
3298
3299 SSLConfig ssl_config;
davidben7c168932015-10-19 19:37:16[diff] [blame]3300 int rv;
3301 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3302 ASSERT_THAT(rv, IsError(ERR_CERT_COMMON_NAME_INVALID));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3303
3304 cert_verifier_->set_default_result(OK);
3305
3306 // The next connection should perform a full handshake.
davidben7c168932015-10-19 19:37:16[diff] [blame]3307 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3308 ASSERT_THAT(rv, IsOk());
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3309 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]3310 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3311 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3312}
3313
sergeyu01442492015-06-16 20:43:04[diff] [blame]3314TEST_F(SSLClientSocketTest, RequireECDHE) {
3315 // Run test server without ECDHE.
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3316 SSLServerConfig server_config;
3317 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3318 server_config.cipher_suite_for_testing = kRSACipher;
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3319 ASSERT_TRUE(
3320 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
sergeyu01442492015-06-16 20:43:04[diff] [blame]3321
3322 SSLConfig config;
3323 config.require_ecdhe = true;
davidben7c168932015-10-19 19:37:16[diff] [blame]3324 int rv;
3325 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3326 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
sergeyu01442492015-06-16 20:43:04[diff] [blame]3327}
3328
David Benjamin07a07d652020-02-26 22:26:59[diff] [blame]3329TEST_F(SSLClientSocketTest, 3DES) {
3330 SSLServerConfig server_config;
3331 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3332 server_config.cipher_suite_for_testing = k3DESCipher;
David Benjamin07a07d652020-02-26 22:26:59[diff] [blame]3333 ASSERT_TRUE(
3334 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
3335
David Benjamindc1219b2021-10-15 16:28:26[diff] [blame]3336 // 3DES is always disabled.
David Benjamin07a07d652020-02-26 22:26:59[diff] [blame]3337 int rv;
3338 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
David Benjamin56be7ed2021-10-08 03:09:05[diff] [blame]3339 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
David Benjamin07a07d652020-02-26 22:26:59[diff] [blame]3340}
3341
3342TEST_F(SSLClientSocketTest, SHA1) {
3343 SSLServerConfig server_config;
3344 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3345 // Disable RSA key exchange, to ensure the server does not pick a non-signing
3346 // cipher.
3347 server_config.require_ecdhe = true;
3348 server_config.signature_algorithm_for_testing = SSL_SIGN_RSA_PKCS1_SHA1;
3349 ASSERT_TRUE(
3350 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
3351
3352 int rv;
3353 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3354 EXPECT_THAT(rv, IsOk());
3355
3356 SSLConfig config;
3357 config.disable_legacy_crypto = true;
3358 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
3359 EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
3360}
3361
bncce6ea242016-09-15 20:22:32[diff] [blame]3362TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) {
3363 // False Start requires ALPN, ECDHE, and an AEAD.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3364 SSLServerConfig server_config;
3365 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3366 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
3367 server_config.alpn_protos = {NextProto::kProtoHTTP11};
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3368 SSLConfig client_config;
3369 client_config.alpn_protos.push_back(kProtoHTTP11);
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3370 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_config, client_config, true));
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3371}
3372
bncce6ea242016-09-15 20:22:32[diff] [blame]3373// Test that False Start is disabled without ALPN.
3374TEST_F(SSLClientSocketFalseStartTest, NoAlpn) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3375 SSLServerConfig server_config;
3376 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3377 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
[email protected]173ef472014-04-16 23:58:20[diff] [blame]3378 SSLConfig client_config;
bnc1f295372015-10-21 23:24:22[diff] [blame]3379 client_config.alpn_protos.clear();
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3380 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_config, client_config, false));
[email protected]173ef472014-04-16 23:58:20[diff] [blame]3381}
3382
davidben1f77e1a2015-04-03 18:35:35[diff] [blame]3383// Test that False Start is disabled with plain RSA ciphers.
3384TEST_F(SSLClientSocketFalseStartTest, RSA) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3385 SSLServerConfig server_config;
3386 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3387 server_config.cipher_suite_for_testing = kRSACipher;
3388 server_config.alpn_protos = {NextProto::kProtoHTTP11};
[email protected]173ef472014-04-16 23:58:20[diff] [blame]3389 SSLConfig client_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3390 client_config.alpn_protos.push_back(kProtoHTTP11);
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3391 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_config, client_config, false));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3392}
3393
davidben818d93b2015-02-19 22:27:32[diff] [blame]3394// Test that False Start is disabled without an AEAD.
3395TEST_F(SSLClientSocketFalseStartTest, NoAEAD) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3396 SSLServerConfig server_config;
3397 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3398 server_config.cipher_suite_for_testing = kCBCCipher;
3399 server_config.alpn_protos = {NextProto::kProtoHTTP11};
davidben818d93b2015-02-19 22:27:32[diff] [blame]3400 SSLConfig client_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3401 client_config.alpn_protos.push_back(kProtoHTTP11);
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3402 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_config, client_config, false));
davidben818d93b2015-02-19 22:27:32[diff] [blame]3403}
3404
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3405// Test that sessions are resumable after receiving the server Finished message.
3406TEST_F(SSLClientSocketFalseStartTest, SessionResumption) {
3407 // Start a server.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3408 SSLServerConfig server_config;
3409 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3410 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
3411 server_config.alpn_protos = {NextProto::kProtoHTTP11};
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3412 SSLConfig client_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3413 client_config.alpn_protos.push_back(kProtoHTTP11);
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3414
3415 // Let a full handshake complete with False Start.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3416 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_config, client_config, true));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3417
3418 // Make a second connection.
davidben7c168932015-10-19 19:37:16[diff] [blame]3419 int rv;
3420 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3421 EXPECT_THAT(rv, IsOk());
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3422
3423 // It should resume the session.
3424 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]3425 EXPECT_TRUE(sock_->GetSSLInfo(&ssl_info));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3426 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
3427}
3428
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]3429// Test that the client completes the handshake in the background and installs
3430// new sessions, even if the socket isn't used. This also avoids a theoretical
3431// deadlock if NewSessionTicket is sufficiently large that neither it nor the
3432// client's HTTP/1.1 POST fit in transport windows.
3433TEST_F(SSLClientSocketFalseStartTest, CompleteHandshakeWithoutRequest) {
3434 // Start a server.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3435 SSLServerConfig server_config;
3436 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3437 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
3438 server_config.alpn_protos = {NextProto::kProtoHTTP11};
3439 ASSERT_TRUE(
3440 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]3441
3442 SSLConfig client_config;
3443 client_config.alpn_protos.push_back(kProtoHTTP11);
3444
3445 // Start a handshake up to the server Finished message.
3446 TestCompletionCallback callback;
3447 FakeBlockingStreamSocket* raw_transport = nullptr;
3448 std::unique_ptr<SSLClientSocket> sock;
3449 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
3450 client_config, &callback, &raw_transport, &sock));
3451
3452 // Wait for the server Finished to arrive, release it, and allow
David Benjamin778627292021-11-17 19:29:20[diff] [blame]3453 // SSLClientSocket to process it. This should install a session. It make take
3454 // a few iterations to complete if the server writes in small chunks
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]3455 while (ssl_client_session_cache_->size() == 0) {
3456 raw_transport->WaitForReadResult();
3457 raw_transport->UnblockReadResult();
3458 base::RunLoop().RunUntilIdle();
3459 raw_transport->BlockReadResult();
3460 }
3461
3462 // Drop the old socket. This is needed because the Python test server can't
3463 // service two sockets in parallel.
3464 sock.reset();
3465
3466 // Make a second connection.
3467 int rv;
3468 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
3469 EXPECT_THAT(rv, IsOk());
3470
3471 // It should resume the session.
3472 SSLInfo ssl_info;
3473 EXPECT_TRUE(sock_->GetSSLInfo(&ssl_info));
3474 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
3475}
3476
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3477// Test that False Started sessions are not resumable before receiving the
3478// server Finished message.
3479TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinished) {
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3480 // Start a server.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3481 SSLServerConfig server_config;
3482 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3483 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
3484 server_config.alpn_protos = {NextProto::kProtoHTTP11};
3485 ASSERT_TRUE(
3486 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3487
3488 SSLConfig client_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3489 client_config.alpn_protos.push_back(kProtoHTTP11);
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3490
3491 // Start a handshake up to the server Finished message.
3492 TestCompletionCallback callback;
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]3493 FakeBlockingStreamSocket* raw_transport1 = nullptr;
danakj655b66c2016-04-16 00:51:38[diff] [blame]3494 std::unique_ptr<SSLClientSocket> sock1;
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3495 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
3496 client_config, &callback, &raw_transport1, &sock1));
3497 // Although raw_transport1 has the server Finished blocked, the handshake
3498 // still completes.
robpercival214763f2016-07-01 23:27:01[diff] [blame]3499 EXPECT_THAT(callback.WaitForResult(), IsOk());
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3500
davidben65287612015-03-09 23:10:08[diff] [blame]3501 // Continue to block the client (|sock1|) from processing the Finished
3502 // message, but allow it to arrive on the socket. This ensures that, from the
3503 // server's point of view, it has completed the handshake and added the
3504 // session to its session cache.
3505 //
3506 // The actual read on |sock1| will not complete until the Finished message is
3507 // processed; however, pump the underlying transport so that it is read from
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3508 // the socket. NOTE: This may flakily pass if the server's final flight
3509 // doesn't come in one Read.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]3510 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
davidben65287612015-03-09 23:10:08[diff] [blame]3511 int rv = sock1->Read(buf.get(), 4096, callback.callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]3512 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
davidben65287612015-03-09 23:10:08[diff] [blame]3513 raw_transport1->WaitForReadResult();
3514
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3515 // Drop the old socket. This is needed because the Python test server can't
3516 // service two sockets in parallel.
3517 sock1.reset();
3518
3519 // Start a second connection.
davidben7c168932015-10-19 19:37:16[diff] [blame]3520 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3521 EXPECT_THAT(rv, IsOk());
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3522
3523 // No session resumption because the first connection never received a server
3524 // Finished message.
3525 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]3526 EXPECT_TRUE(sock_->GetSSLInfo(&ssl_info));
[email protected]cdec3d6b2014-06-14 08:39:02[diff] [blame]3527 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
[email protected]173ef472014-04-16 23:58:20[diff] [blame]3528}
3529
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3530// Test that False Started sessions are not resumable if the server Finished
3531// message was bad.
3532TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBadFinished) {
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3533 // Start a server.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3534 SSLServerConfig server_config;
3535 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3536 server_config.cipher_suite_for_testing = kModernTLS12Cipher;
3537 server_config.alpn_protos = {NextProto::kProtoHTTP11};
3538 ASSERT_TRUE(
3539 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3540
3541 SSLConfig client_config;
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3542 client_config.alpn_protos.push_back(kProtoHTTP11);
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3543
3544 // Start a handshake up to the server Finished message.
3545 TestCompletionCallback callback;
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]3546 FakeBlockingStreamSocket* raw_transport1 = nullptr;
danakj655b66c2016-04-16 00:51:38[diff] [blame]3547 std::unique_ptr<SSLClientSocket> sock1;
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3548 ASSERT_NO_FATAL_FAILURE(CreateAndConnectUntilServerFinishedReceived(
3549 client_config, &callback, &raw_transport1, &sock1));
3550 // Although raw_transport1 has the server Finished blocked, the handshake
3551 // still completes.
robpercival214763f2016-07-01 23:27:01[diff] [blame]3552 EXPECT_THAT(callback.WaitForResult(), IsOk());
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3553
3554 // Continue to block the client (|sock1|) from processing the Finished
3555 // message, but allow it to arrive on the socket. This ensures that, from the
3556 // server's point of view, it has completed the handshake and added the
3557 // session to its session cache.
3558 //
3559 // The actual read on |sock1| will not complete until the Finished message is
3560 // processed; however, pump the underlying transport so that it is read from
3561 // the socket.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]3562 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3563 int rv = sock1->Read(buf.get(), 4096, callback.callback());
robpercival214763f2016-07-01 23:27:01[diff] [blame]3564 EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3565 raw_transport1->WaitForReadResult();
3566
3567 // The server's second leg, or part of it, is now received but not yet sent to
3568 // |sock1|. Before doing so, break the server's second leg.
3569 int bytes_read = raw_transport1->pending_read_result();
3570 ASSERT_LT(0, bytes_read);
3571 raw_transport1->pending_read_buf()->data()[bytes_read - 1]++;
3572
3573 // Unblock the Finished message. |sock1->Read| should now fail.
3574 raw_transport1->UnblockReadResult();
robpercival214763f2016-07-01 23:27:01[diff] [blame]3575 EXPECT_THAT(callback.GetResult(rv), IsError(ERR_SSL_PROTOCOL_ERROR));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3576
3577 // Drop the old socket. This is needed because the Python test server can't
3578 // service two sockets in parallel.
3579 sock1.reset();
3580
3581 // Start a second connection.
davidben7c168932015-10-19 19:37:16[diff] [blame]3582 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3583 EXPECT_THAT(rv, IsOk());
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3584
3585 // No session resumption because the first connection never received a server
3586 // Finished message.
3587 SSLInfo ssl_info;
davidben7c168932015-10-19 19:37:16[diff] [blame]3588 EXPECT_TRUE(sock_->GetSSLInfo(&ssl_info));
davidbendafe4e52015-04-08 22:53:52[diff] [blame]3589 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
3590}
3591
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3592// Server preference should win in ALPN.
3593TEST_F(SSLClientSocketTest, Alpn) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3594 SSLServerConfig server_config;
3595 server_config.alpn_protos = {NextProto::kProtoHTTP2, NextProto::kProtoHTTP11};
3596 ASSERT_TRUE(
3597 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
bncc7d53892015-10-02 12:11:24[diff] [blame]3598
3599 SSLConfig client_config;
bnc2d6bd0f2015-10-28 01:52:05[diff] [blame]3600 client_config.alpn_protos.push_back(kProtoHTTP11);
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3601 client_config.alpn_protos.push_back(kProtoHTTP2);
3602
3603 int rv;
3604 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
3605 EXPECT_THAT(rv, IsOk());
3606
3607 EXPECT_EQ(kProtoHTTP2, sock_->GetNegotiatedProtocol());
3608}
3609
3610// If the server supports ALPN but the client does not, then ALPN is not used.
3611TEST_F(SSLClientSocketTest, AlpnClientDisabled) {
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3612 SSLServerConfig server_config;
3613 server_config.alpn_protos = {NextProto::kProtoHTTP2};
3614 ASSERT_TRUE(
3615 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
bncb784c2f5e2016-08-05 19:09:21[diff] [blame]3616
3617 SSLConfig client_config;
bncc7d53892015-10-02 12:11:24[diff] [blame]3618
3619 int rv;
3620 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
robpercival214763f2016-07-01 23:27:01[diff] [blame]3621 EXPECT_THAT(rv, IsOk());
bncc7d53892015-10-02 12:11:24[diff] [blame]3622
bnc3cf2a592016-08-11 14:48:36[diff] [blame]3623 EXPECT_EQ(kProtoUnknown, sock_->GetNegotiatedProtocol());
bncc7d53892015-10-02 12:11:24[diff] [blame]3624}
3625
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]3626// Client certificates are disabled on iOS.
3627#if !BUILDFLAG(IS_IOS)
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3628// Connect to a server requesting client authentication, do not send
3629// any client certificates. It should refuse the connection.
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3630TEST_P(SSLClientSocketVersionTest, NoCert) {
3631 SSLServerConfig server_config = GetServerConfig();
3632 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
3633 ASSERT_TRUE(
3634 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3635
3636 int rv;
3637 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3638
robpercival214763f2016-07-01 23:27:01[diff] [blame]3639 EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3640 EXPECT_FALSE(sock_->IsConnected());
3641}
3642
3643// Connect to a server requesting client authentication, and send it
3644// an empty certificate.
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3645TEST_P(SSLClientSocketVersionTest, SendEmptyCert) {
3646 SSLServerConfig server_config = GetServerConfig();
3647 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
3648 ASSERT_TRUE(
3649 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3650
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3651 context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3652
3653 int rv;
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3654 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3655
robpercival214763f2016-07-01 23:27:01[diff] [blame]3656 EXPECT_THAT(rv, IsOk());
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3657 EXPECT_TRUE(sock_->IsConnected());
3658
3659 SSLInfo ssl_info;
3660 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3661 EXPECT_FALSE(ssl_info.client_cert_sent);
3662}
3663
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3664// Connect to a server requesting client authentication and send a certificate.
3665TEST_P(SSLClientSocketVersionTest, SendGoodCert) {
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3666 base::FilePath certs_dir = GetTestCertsDirectory();
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3667 scoped_refptr<X509Certificate> client_cert =
3668 ImportCertFromFile(certs_dir, "client_1.pem");
3669 ASSERT_TRUE(client_cert);
3670
3671 // Configure the server to only accept |client_cert|.
3672 MockClientCertVerifier verifier;
3673 verifier.set_default_result(ERR_CERT_INVALID);
3674 verifier.AddResultForCert(client_cert.get(), OK);
3675
3676 SSLServerConfig server_config = GetServerConfig();
3677 server_config.client_cert_type = SSLServerConfig::REQUIRE_CLIENT_CERT;
3678 server_config.client_cert_verifier = &verifier;
3679 ASSERT_TRUE(
3680 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
3681
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3682 context_->SetClientCertificate(
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3683 host_port_pair(), client_cert,
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3684 key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3685
3686 int rv;
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3687 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3688
robpercival214763f2016-07-01 23:27:01[diff] [blame]3689 EXPECT_THAT(rv, IsOk());
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3690 EXPECT_TRUE(sock_->IsConnected());
3691
3692 SSLInfo ssl_info;
3693 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3694 EXPECT_TRUE(ssl_info.client_cert_sent);
3695
3696 sock_->Disconnect();
3697 EXPECT_FALSE(sock_->IsConnected());
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3698
3699 // Shut down the test server before |verifier| goes out of scope.
3700 ASSERT_TRUE(embedded_test_server()->ShutdownAndWaitUntilComplete());
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3701}
svaldez0e6a4c62016-01-29 21:17:11[diff] [blame]3702
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3703// When client certificate preferences change, the session cache should be
3704// cleared so the client certificate preferences are applied.
3705TEST_F(SSLClientSocketTest, ClearSessionCacheOnClientCertChange) {
3706 SSLServerConfig server_config;
3707 // TLS 1.3 reports client certificate errors after the handshake, so test at
3708 // TLS 1.2 for simplicity.
3709 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3710 server_config.client_cert_type = SSLServerConfig::REQUIRE_CLIENT_CERT;
3711 ASSERT_TRUE(
3712 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
3713
3714 // Connecting without a client certificate will fail with
3715 // ERR_SSL_CLIENT_AUTH_CERT_NEEDED.
3716 int rv;
3717 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3718 EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
3719
3720 // Configure a client certificate.
3721 base::FilePath certs_dir = GetTestCertsDirectory();
3722 context_->SetClientCertificate(
3723 host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
3724 key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
3725
3726 // Now the connection succeeds.
3727 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3728 EXPECT_THAT(rv, IsOk());
3729 EXPECT_TRUE(sock_->IsConnected());
3730
3731 SSLInfo ssl_info;
3732 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3733 EXPECT_TRUE(ssl_info.client_cert_sent);
3734 EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
3735
3736 // Make a second connection. This should resume the session from the previous
3737 // connection.
3738 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3739 EXPECT_THAT(rv, IsOk());
3740 EXPECT_TRUE(sock_->IsConnected());
3741
3742 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3743 EXPECT_TRUE(ssl_info.client_cert_sent);
3744 EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_RESUME);
3745
3746 // Clear the client certificate preference.
3747 context_->ClearClientCertificate(host_port_pair());
3748
3749 // Connections return to failing, rather than resume the previous session.
3750 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3751 EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
3752
3753 // Establish a new session with the correct client certificate.
3754 context_->SetClientCertificate(
3755 host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
3756 key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
3757 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3758 EXPECT_THAT(rv, IsOk());
3759 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3760 EXPECT_TRUE(ssl_info.client_cert_sent);
3761 EXPECT_EQ(ssl_info.handshake_type, SSLInfo::HANDSHAKE_FULL);
3762
3763 // Switch to continuing without a client certificate.
3764 context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
3765
3766 // This also clears the session cache and the new preference is applied.
3767 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
3768 EXPECT_THAT(rv, IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
3769}
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]3770#endif // !IS_IOS
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]3771
dadriandf302c42016-06-10 18:48:59[diff] [blame]3772HashValueVector MakeHashValueVector(uint8_t value) {
3773 HashValueVector out;
3774 HashValue hash(HASH_VALUE_SHA256);
3775 memset(hash.data(), value, hash.size());
3776 out.push_back(hash);
3777 return out;
3778}
3779
3780// Test that |ssl_info.pkp_bypassed| is set when a local trust anchor causes
3781// pinning to be bypassed.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3782TEST_P(SSLClientSocketVersionTest, PKPBypassedSet) {
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]3783 base::test::ScopedFeatureList scoped_feature_list_;
3784 scoped_feature_list_.InitAndEnableFeature(
3785 net::features::kStaticKeyPinningEnforcement);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3786 ASSERT_TRUE(
3787 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
dadriandf302c42016-06-10 18:48:59[diff] [blame]3788 scoped_refptr<X509Certificate> server_cert =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3789 embedded_test_server()->GetCertificate();
dadriandf302c42016-06-10 18:48:59[diff] [blame]3790
3791 // The certificate needs to be trusted, but chain to a local root with
3792 // different public key hashes than specified in the pin.
3793 CertVerifyResult verify_result;
3794 verify_result.is_issued_by_known_root = false;
3795 verify_result.verified_cert = server_cert;
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]3796 verify_result.public_key_hashes =
3797 MakeHashValueVector(kBadHashValueVectorInput);
dadriandf302c42016-06-10 18:48:59[diff] [blame]3798 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
3799
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]3800 transport_security_state_->EnableStaticPinsForTesting();
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]3801 transport_security_state_->SetPinningListAlwaysTimelyForTesting(true);
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]3802 ScopedTransportSecurityStateSource scoped_security_state_source;
dadriandf302c42016-06-10 18:48:59[diff] [blame]3803
3804 SSLConfig ssl_config;
3805 int rv;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3806 HostPortPair new_host_port_pair("example.test", host_port_pair().port());
3807 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
3808 new_host_port_pair, &rv));
dadriandf302c42016-06-10 18:48:59[diff] [blame]3809 SSLInfo ssl_info;
3810 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3811
robpercival214763f2016-07-01 23:27:01[diff] [blame]3812 EXPECT_THAT(rv, IsOk());
dadriandf302c42016-06-10 18:48:59[diff] [blame]3813 EXPECT_TRUE(sock_->IsConnected());
3814
3815 EXPECT_TRUE(ssl_info.pkp_bypassed);
dadrian8f8946652016-06-21 23:48:31[diff] [blame]3816 EXPECT_FALSE(ssl_info.cert_status & CERT_STATUS_PINNED_KEY_MISSING);
dadriandf302c42016-06-10 18:48:59[diff] [blame]3817}
3818
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3819TEST_P(SSLClientSocketVersionTest, PKPEnforced) {
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]3820 base::test::ScopedFeatureList scoped_feature_list_;
3821 scoped_feature_list_.InitAndEnableFeature(
3822 net::features::kStaticKeyPinningEnforcement);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3823 ASSERT_TRUE(
3824 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
dadriandf302c42016-06-10 18:48:59[diff] [blame]3825 scoped_refptr<X509Certificate> server_cert =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3826 embedded_test_server()->GetCertificate();
dadriandf302c42016-06-10 18:48:59[diff] [blame]3827
3828 // Certificate is trusted, but chains to a public root that doesn't match the
3829 // pin hashes.
3830 CertVerifyResult verify_result;
3831 verify_result.is_issued_by_known_root = true;
3832 verify_result.verified_cert = server_cert;
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]3833 verify_result.public_key_hashes =
3834 MakeHashValueVector(kBadHashValueVectorInput);
dadriandf302c42016-06-10 18:48:59[diff] [blame]3835 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
3836
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]3837 transport_security_state_->EnableStaticPinsForTesting();
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]3838 transport_security_state_->SetPinningListAlwaysTimelyForTesting(true);
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]3839 ScopedTransportSecurityStateSource scoped_security_state_source;
dadriandf302c42016-06-10 18:48:59[diff] [blame]3840
3841 SSLConfig ssl_config;
3842 int rv;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3843 HostPortPair new_host_port_pair("example.test", host_port_pair().port());
3844 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
3845 new_host_port_pair, &rv));
dadriandf302c42016-06-10 18:48:59[diff] [blame]3846 SSLInfo ssl_info;
3847 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3848
robpercival214763f2016-07-01 23:27:01[diff] [blame]3849 EXPECT_THAT(rv, IsError(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN));
rsleevi9545d342016-06-21 03:17:37[diff] [blame]3850 EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PINNED_KEY_MISSING);
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]3851 EXPECT_FALSE(sock_->IsConnected());
dadriandf302c42016-06-10 18:48:59[diff] [blame]3852
3853 EXPECT_FALSE(ssl_info.pkp_bypassed);
3854}
3855
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3856namespace {
3857// TLS_RSA_WITH_AES_128_GCM_SHA256's key exchange involves encrypting to the
3858// server long-term key.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3859const uint16_t kEncryptingCipher = kRSACipher;
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3860// TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256's key exchange involves a signature by
3861// the server long-term key.
David Benjaminbc3a4da72021-03-31 16:42:38[diff] [blame]3862const uint16_t kSigningCipher = kModernTLS12Cipher;
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3863} // namespace
3864
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3865struct KeyUsageTest {
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3866 EmbeddedTestServer::ServerCertificate server_cert;
3867 uint16_t cipher_suite;
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3868 bool known_root;
3869 bool success;
3870};
3871
3872class SSLClientSocketKeyUsageTest
3873 : public SSLClientSocketTest,
3874 public ::testing::WithParamInterface<struct KeyUsageTest> {};
3875
3876const struct KeyUsageTest kKeyUsageTests[] = {
3877 // Known Root: Success iff keyUsage allows the key exchange method
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3878 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_ENCIPHERMENT, kSigningCipher, true,
3879 false},
3880 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_DIGITAL_SIGNATURE, kSigningCipher,
3881 true, true},
3882 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_ENCIPHERMENT, kEncryptingCipher,
3883 true, true},
3884 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_DIGITAL_SIGNATURE,
3885 kEncryptingCipher, true, false},
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3886 // Unknown Root: Always succeeds
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3887 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_ENCIPHERMENT, kSigningCipher, false,
3888 true},
3889 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_DIGITAL_SIGNATURE, kSigningCipher,
3890 false, true},
3891 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_ENCIPHERMENT, kEncryptingCipher,
3892 false, true},
3893 {EmbeddedTestServer::CERT_KEY_USAGE_RSA_DIGITAL_SIGNATURE,
3894 kEncryptingCipher, false, true},
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3895};
3896
3897TEST_P(SSLClientSocketKeyUsageTest, RSAKeyUsageEnforcedForKnownRoot) {
3898 const KeyUsageTest test = GetParam();
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3899 SSLServerConfig server_config;
3900 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
3901 server_config.cipher_suite_for_testing = test.cipher_suite;
3902 ASSERT_TRUE(StartEmbeddedTestServer(test.server_cert, server_config));
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3903 scoped_refptr<X509Certificate> server_cert =
David Benjaminb073f4cc2020-07-09 17:49:04[diff] [blame]3904 embedded_test_server()->GetCertificate();
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3905
3906 // Certificate is trusted.
3907 CertVerifyResult verify_result;
3908 verify_result.is_issued_by_known_root = test.known_root;
3909 verify_result.verified_cert = server_cert;
3910 verify_result.public_key_hashes =
3911 MakeHashValueVector(kGoodHashValueVectorInput);
3912 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
3913
3914 SSLConfig ssl_config;
3915 int rv;
3916 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3917 SSLInfo ssl_info;
3918 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3919
3920 if (test.success) {
3921 EXPECT_THAT(rv, IsOk());
3922 EXPECT_TRUE(sock_->IsConnected());
3923 } else {
3924 EXPECT_THAT(rv, IsError(ERR_SSL_KEY_USAGE_INCOMPATIBLE));
3925 EXPECT_FALSE(sock_->IsConnected());
3926 }
3927}
3928
3929INSTANTIATE_TEST_SUITE_P(RSAKeyUsageInstantiation,
3930 SSLClientSocketKeyUsageTest,
Bence Békycc859862021-02-08 17:26:40[diff] [blame]3931 ValuesIn(kKeyUsageTests));
Jesse Selover4ae157d2019-04-10 21:06:37[diff] [blame]3932
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3933// Test that when CT is required (in this case, by the delegate), the
3934// absence of CT information is a socket error.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3935TEST_P(SSLClientSocketVersionTest, CTIsRequired) {
3936 ASSERT_TRUE(
3937 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3938 scoped_refptr<X509Certificate> server_cert =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3939 embedded_test_server()->GetCertificate();
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3940
3941 // Certificate is trusted and chains to a public root.
3942 CertVerifyResult verify_result;
3943 verify_result.is_issued_by_known_root = true;
3944 verify_result.verified_cert = server_cert;
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]3945 verify_result.public_key_hashes =
3946 MakeHashValueVector(kGoodHashValueVectorInput);
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3947 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
3948
3949 // Set up CT
3950 MockRequireCTDelegate require_ct_delegate;
3951 transport_security_state_->SetRequireCTDelegate(&require_ct_delegate);
Ryan Sleevi3dabe0b2018-04-05 03:59:01[diff] [blame]3952 EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3953 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
3954 CTRequirementLevel::NOT_REQUIRED));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3955 EXPECT_CALL(require_ct_delegate,
3956 IsCTRequiredForHost(host_port_pair().host(), _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3957 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
3958 CTRequirementLevel::REQUIRED));
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]3959 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3960 .WillRepeatedly(
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]3961 Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3962
3963 SSLConfig ssl_config;
3964 int rv;
3965 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
3966 SSLInfo ssl_info;
3967 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
3968
robpercival214763f2016-07-01 23:27:01[diff] [blame]3969 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3970 EXPECT_TRUE(ssl_info.cert_status &
3971 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]3972 EXPECT_FALSE(sock_->IsConnected());
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]3973}
3974
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]3975// Test that when CT is required, setting ignore_certificate_errors
3976// ignores errors in CT.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3977TEST_P(SSLClientSocketVersionTest, IgnoreCertificateErrorsBypassesRequiredCT) {
3978 ASSERT_TRUE(
3979 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]3980 scoped_refptr<X509Certificate> server_cert =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3981 embedded_test_server()->GetCertificate();
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]3982
3983 // Certificate is trusted and chains to a public root.
3984 CertVerifyResult verify_result;
3985 verify_result.is_issued_by_known_root = true;
3986 verify_result.verified_cert = server_cert;
3987 verify_result.public_key_hashes =
3988 MakeHashValueVector(kGoodHashValueVectorInput);
3989 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
3990
3991 // Set up CT
3992 MockRequireCTDelegate require_ct_delegate;
3993 transport_security_state_->SetRequireCTDelegate(&require_ct_delegate);
3994 EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
3995 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
3996 CTRequirementLevel::NOT_REQUIRED));
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]3997 EXPECT_CALL(require_ct_delegate,
3998 IsCTRequiredForHost(host_port_pair().host(), _, _))
Jesse Selover94c9a942019-01-16 01:18:04[diff] [blame]3999 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
4000 CTRequirementLevel::REQUIRED));
4001 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
4002 .WillRepeatedly(
4003 Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
4004
4005 SSLConfig ssl_config;
4006 ssl_config.ignore_certificate_errors = true;
4007 int rv;
4008 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
4009 SSLInfo ssl_info;
4010 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
4011
4012 EXPECT_THAT(rv, IsOk());
4013 EXPECT_TRUE(ssl_info.cert_status &
4014 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
4015 EXPECT_TRUE(sock_->IsConnected());
4016}
4017
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]4018// When both PKP and CT are required for a host, and both fail, the more
4019// serious error is that the pin validation failed.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4020TEST_P(SSLClientSocketVersionTest, PKPMoreImportantThanCT) {
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]4021 base::test::ScopedFeatureList scoped_feature_list_;
4022 scoped_feature_list_.InitAndEnableFeature(
4023 net::features::kStaticKeyPinningEnforcement);
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4024 ASSERT_TRUE(
4025 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4026 scoped_refptr<X509Certificate> server_cert =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4027 embedded_test_server()->GetCertificate();
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4028
4029 // Certificate is trusted, but chains to a public root that doesn't match the
4030 // pin hashes.
4031 CertVerifyResult verify_result;
4032 verify_result.is_issued_by_known_root = true;
4033 verify_result.verified_cert = server_cert;
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]4034 verify_result.public_key_hashes =
4035 MakeHashValueVector(kBadHashValueVectorInput);
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4036 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
4037
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]4038 transport_security_state_->EnableStaticPinsForTesting();
Carlos ILf12eac92022-05-12 02:19:53[diff] [blame]4039 transport_security_state_->SetPinningListAlwaysTimelyForTesting(true);
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]4040 ScopedTransportSecurityStateSource scoped_security_state_source;
4041
Emily Starkfcd1ed2e2022-12-07 18:37:46[diff] [blame]4042 const char kCTHost[] = "hsts-hpkp-preloaded.test";
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4043
4044 // Set up CT.
4045 MockRequireCTDelegate require_ct_delegate;
4046 transport_security_state_->SetRequireCTDelegate(&require_ct_delegate);
Ryan Sleevi3dabe0b2018-04-05 03:59:01[diff] [blame]4047 EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4048 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
4049 CTRequirementLevel::NOT_REQUIRED));
Matt Mueller230996f12018-10-22 19:39:44[diff] [blame]4050 EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(kCTHost, _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4051 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
4052 CTRequirementLevel::REQUIRED));
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]4053 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4054 .WillRepeatedly(
Emily Stark627238f2017-11-29 03:29:54[diff] [blame]4055 Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4056
4057 SSLConfig ssl_config;
4058 int rv;
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4059 HostPortPair ct_host_port_pair(kCTHost, host_port_pair().port());
4060 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
4061 ct_host_port_pair, &rv));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4062 SSLInfo ssl_info;
4063 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
4064
robpercival214763f2016-07-01 23:27:01[diff] [blame]4065 EXPECT_THAT(rv, IsError(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN));
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4066 EXPECT_TRUE(ssl_info.cert_status & CERT_STATUS_PINNED_KEY_MISSING);
4067 EXPECT_TRUE(ssl_info.cert_status &
4068 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED);
Jesse Seloverdaf87902018-12-03 20:44:30[diff] [blame]4069 EXPECT_FALSE(sock_->IsConnected());
rsleevi4a6ca8c2016-06-24 03:05:22[diff] [blame]4070}
4071
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]4072// Tests that the SCTAuditingDelegate is called to enqueue SCT reports.
4073TEST_P(SSLClientSocketVersionTest, SCTAuditingReportCollected) {
4074 ASSERT_TRUE(
4075 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
4076 scoped_refptr<X509Certificate> server_cert =
4077 embedded_test_server()->GetCertificate();
4078
4079 // Certificate is trusted and chains to a public root.
4080 CertVerifyResult verify_result;
4081 verify_result.is_issued_by_known_root = true;
4082 verify_result.verified_cert = server_cert;
4083 verify_result.public_key_hashes =
4084 MakeHashValueVector(kGoodHashValueVectorInput);
4085 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
4086
4087 // Set up CT and auditing delegate.
4088 MockRequireCTDelegate require_ct_delegate;
4089 transport_security_state_->SetRequireCTDelegate(&require_ct_delegate);
4090 EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
4091 .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
4092 CTRequirementLevel::REQUIRED));
4093 EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
4094 .WillRepeatedly(
4095 Return(ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS));
4096
4097 MockSCTAuditingDelegate sct_auditing_delegate;
4098 context_ = std::make_unique<SSLClientContext>(
4099 ssl_config_service_.get(), cert_verifier_.get(),
Chris Thompsonb20d5892020-11-25 02:54:02[diff] [blame]4100 transport_security_state_.get(), ct_policy_enforcer_.get(),
4101 ssl_client_session_cache_.get(), &sct_auditing_delegate);
Chris Thompsonf31b2492020-07-21 05:47:42[diff] [blame]4102
4103 EXPECT_CALL(sct_auditing_delegate, IsSCTAuditingEnabled())
4104 .WillRepeatedly(Return(true));
4105 EXPECT_CALL(sct_auditing_delegate,
4106 MaybeEnqueueReport(host_port_pair(), server_cert.get(), _))
4107 .Times(1);
4108
4109 SSLConfig ssl_config;
4110 int rv;
4111 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
4112 EXPECT_THAT(rv, 0);
4113 EXPECT_TRUE(sock_->IsConnected());
4114}
4115
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4116// Test that handshake_failure alerts at the ServerHello are mapped to
4117// ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
4118TEST_F(SSLClientSocketTest, HandshakeFailureServerHello) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4119 ASSERT_TRUE(
4120 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4121
4122 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4123 auto real_transport = std::make_unique<TCPClientSocket>(
4124 addr(), nullptr, nullptr, nullptr, NetLogSource());
4125 auto transport =
4126 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4127 FakeBlockingStreamSocket* raw_transport = transport.get();
4128 int rv = callback.GetResult(transport->Connect(callback.callback()));
4129 ASSERT_THAT(rv, IsOk());
4130
4131 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4132 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4133
4134 // Connect. Stop before the client processes ServerHello.
4135 raw_transport->BlockReadResult();
4136 rv = sock->Connect(callback.callback());
4137 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4138 raw_transport->WaitForReadResult();
4139
4140 // Replace it with an alert.
4141 raw_transport->ReplaceReadResult(
4142 FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
4143 raw_transport->UnblockReadResult();
4144
4145 rv = callback.GetResult(rv);
4146 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
4147}
4148
4149// Test that handshake_failure alerts after the ServerHello but without a
4150// CertificateRequest are mapped to ERR_SSL_PROTOCOL_ERROR.
4151TEST_F(SSLClientSocketTest, HandshakeFailureNoClientCerts) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4152 SSLServerConfig server_config;
4153 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4154 ASSERT_TRUE(
4155 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4156
4157 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4158 auto real_transport = std::make_unique<TCPClientSocket>(
4159 addr(), nullptr, nullptr, nullptr, NetLogSource());
4160 auto transport =
4161 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4162 FakeBlockingStreamSocket* raw_transport = transport.get();
4163 int rv = callback.GetResult(transport->Connect(callback.callback()));
4164 ASSERT_THAT(rv, IsOk());
4165
4166 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4167 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4168
4169 // Connect. Stop before the client processes ServerHello.
4170 raw_transport->BlockReadResult();
4171 rv = sock->Connect(callback.callback());
4172 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4173 raw_transport->WaitForReadResult();
4174
4175 // Release the ServerHello and wait for the client to write its second flight.
4176 raw_transport->BlockWrite();
4177 raw_transport->UnblockReadResult();
4178 raw_transport->WaitForWrite();
4179
4180 // Wait for the server's final flight.
4181 raw_transport->BlockReadResult();
4182 raw_transport->UnblockWrite();
4183 raw_transport->WaitForReadResult();
4184
4185 // Replace it with an alert.
4186 raw_transport->ReplaceReadResult(
4187 FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
4188 raw_transport->UnblockReadResult();
4189
4190 rv = callback.GetResult(rv);
4191 EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
4192}
4193
4194// Test that handshake_failure alerts after the ServerHello map to
4195// ERR_BAD_SSL_CLIENT_AUTH_CERT if a client certificate was requested but not
4196// supplied. TLS does not have an alert for this case, so handshake_failure is
4197// common. See https://crbug.com/646567.
4198TEST_F(SSLClientSocketTest, LateHandshakeFailureMissingClientCerts) {
4199 // Request a client certificate.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4200 SSLServerConfig server_config;
4201 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4202 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
4203 ASSERT_TRUE(
4204 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4205
4206 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4207 auto real_transport = std::make_unique<TCPClientSocket>(
4208 addr(), nullptr, nullptr, nullptr, NetLogSource());
4209 auto transport =
4210 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4211 FakeBlockingStreamSocket* raw_transport = transport.get();
4212 int rv = callback.GetResult(transport->Connect(callback.callback()));
4213 ASSERT_THAT(rv, IsOk());
4214
4215 // Send no client certificate.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4216 context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4217 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4218 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4219
4220 // Connect. Stop before the client processes ServerHello.
4221 raw_transport->BlockReadResult();
4222 rv = sock->Connect(callback.callback());
4223 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4224 raw_transport->WaitForReadResult();
4225
4226 // Release the ServerHello and wait for the client to write its second flight.
4227 raw_transport->BlockWrite();
4228 raw_transport->UnblockReadResult();
4229 raw_transport->WaitForWrite();
4230
4231 // Wait for the server's final flight.
4232 raw_transport->BlockReadResult();
4233 raw_transport->UnblockWrite();
4234 raw_transport->WaitForReadResult();
4235
4236 // Replace it with an alert.
4237 raw_transport->ReplaceReadResult(
4238 FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
4239 raw_transport->UnblockReadResult();
4240
4241 rv = callback.GetResult(rv);
4242 EXPECT_THAT(rv, IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
4243}
4244
4245// Test that handshake_failure alerts after the ServerHello map to
4246// ERR_SSL_PROTOCOL_ERROR if received after sending a client certificate. It is
4247// assumed servers will send a more appropriate alert in this case.
4248TEST_F(SSLClientSocketTest, LateHandshakeFailureSendClientCerts) {
4249 // Request a client certificate.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4250 SSLServerConfig server_config;
4251 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4252 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
4253 ASSERT_TRUE(
4254 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4255
4256 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4257 auto real_transport = std::make_unique<TCPClientSocket>(
4258 addr(), nullptr, nullptr, nullptr, NetLogSource());
4259 auto transport =
4260 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4261 FakeBlockingStreamSocket* raw_transport = transport.get();
4262 int rv = callback.GetResult(transport->Connect(callback.callback()));
4263 ASSERT_THAT(rv, IsOk());
4264
4265 // Send a client certificate.
4266 base::FilePath certs_dir = GetTestCertsDirectory();
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]4267 context_->SetClientCertificate(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4268 host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]4269 key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4270 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4271 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4272
4273 // Connect. Stop before the client processes ServerHello.
4274 raw_transport->BlockReadResult();
4275 rv = sock->Connect(callback.callback());
4276 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4277 raw_transport->WaitForReadResult();
4278
4279 // Release the ServerHello and wait for the client to write its second flight.
4280 raw_transport->BlockWrite();
4281 raw_transport->UnblockReadResult();
4282 raw_transport->WaitForWrite();
4283
4284 // Wait for the server's final flight.
4285 raw_transport->BlockReadResult();
4286 raw_transport->UnblockWrite();
4287 raw_transport->WaitForReadResult();
4288
4289 // Replace it with an alert.
4290 raw_transport->ReplaceReadResult(
4291 FormatTLS12Alert(40 /* AlertDescription.handshake_failure */));
4292 raw_transport->UnblockReadResult();
4293
4294 rv = callback.GetResult(rv);
4295 EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
4296}
4297
4298// Test that access_denied alerts are mapped to ERR_SSL_PROTOCOL_ERROR if
4299// received on a connection not requesting client certificates. This is an
4300// incorrect use of the alert but is common. See https://crbug.com/630883.
4301TEST_F(SSLClientSocketTest, AccessDeniedNoClientCerts) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4302 // Request a client certificate.
4303 SSLServerConfig server_config;
4304 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4305 ASSERT_TRUE(
4306 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4307
4308 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4309 auto real_transport = std::make_unique<TCPClientSocket>(
4310 addr(), nullptr, nullptr, nullptr, NetLogSource());
4311 auto transport =
4312 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4313 FakeBlockingStreamSocket* raw_transport = transport.get();
4314 int rv = callback.GetResult(transport->Connect(callback.callback()));
4315 ASSERT_THAT(rv, IsOk());
4316
4317 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4318 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4319
4320 // Connect. Stop before the client processes ServerHello.
4321 raw_transport->BlockReadResult();
4322 rv = sock->Connect(callback.callback());
4323 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4324 raw_transport->WaitForReadResult();
4325
4326 // Release the ServerHello and wait for the client to write its second flight.
4327 raw_transport->BlockWrite();
4328 raw_transport->UnblockReadResult();
4329 raw_transport->WaitForWrite();
4330
4331 // Wait for the server's final flight.
4332 raw_transport->BlockReadResult();
4333 raw_transport->UnblockWrite();
4334 raw_transport->WaitForReadResult();
4335
4336 // Replace it with an alert.
4337 raw_transport->ReplaceReadResult(
4338 FormatTLS12Alert(49 /* AlertDescription.access_denied */));
4339 raw_transport->UnblockReadResult();
4340
4341 rv = callback.GetResult(rv);
4342 EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
4343}
4344
4345// Test that access_denied alerts are mapped to ERR_BAD_SSL_CLIENT_AUTH_CERT if
4346// received on a connection requesting client certificates.
4347TEST_F(SSLClientSocketTest, AccessDeniedClientCerts) {
4348 // Request a client certificate.
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4349 SSLServerConfig server_config;
4350 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4351 server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
4352 ASSERT_TRUE(
4353 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4354
4355 TestCompletionCallback callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4356 auto real_transport = std::make_unique<TCPClientSocket>(
4357 addr(), nullptr, nullptr, nullptr, NetLogSource());
4358 auto transport =
4359 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4360 FakeBlockingStreamSocket* raw_transport = transport.get();
4361 int rv = callback.GetResult(transport->Connect(callback.callback()));
4362 ASSERT_THAT(rv, IsOk());
4363
4364 // Send a client certificate.
4365 base::FilePath certs_dir = GetTestCertsDirectory();
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]4366 context_->SetClientCertificate(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4367 host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
David Benjaminbac8dff2019-08-07 01:30:41[diff] [blame]4368 key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4369 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4370 std::move(transport), host_port_pair(), SSLConfig()));
davidbenfe132d92016-09-27 18:07:21[diff] [blame]4371
4372 // Connect. Stop before the client processes ServerHello.
4373 raw_transport->BlockReadResult();
4374 rv = sock->Connect(callback.callback());
4375 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
4376 raw_transport->WaitForReadResult();
4377
4378 // Release the ServerHello and wait for the client to write its second flight.
4379 raw_transport->BlockWrite();
4380 raw_transport->UnblockReadResult();
4381 raw_transport->WaitForWrite();
4382
4383 // Wait for the server's final flight.
4384 raw_transport->BlockReadResult();
4385 raw_transport->UnblockWrite();
4386 raw_transport->WaitForReadResult();
4387
4388 // Replace it with an alert.
4389 raw_transport->ReplaceReadResult(
4390 FormatTLS12Alert(49 /* AlertDescription.access_denied */));
4391 raw_transport->UnblockReadResult();
4392
4393 rv = callback.GetResult(rv);
4394 EXPECT_THAT(rv, IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
4395}
4396
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4397// Test the client can send application data before the ServerHello comes in.
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4398TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTEarlyDataBeforeServerHello) {
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4399 ASSERT_TRUE(StartServer());
4400 ASSERT_TRUE(RunInitialConnection());
4401
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4402 // Make a 0-RTT Connection. Connect() and Write() complete even though the
4403 // ServerHello is blocked.
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4404 FakeBlockingStreamSocket* socket = MakeClient(true);
4405 socket->BlockReadResult();
4406 ASSERT_THAT(Connect(), IsOk());
4407 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4408 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4409
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4410 // Release the ServerHello. Now reads complete.
4411 socket->UnblockReadResult();
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4412 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4413 int size = ReadAndWait(buf.get(), 4096);
4414 EXPECT_GT(size, 0);
4415 EXPECT_EQ('1', buf->data()[size - 1]);
4416
4417 SSLInfo ssl_info;
4418 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4419 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4420}
4421
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4422// Test that the client sends 1-RTT data if the ServerHello happens to come in
4423// before Write() is called. See https://crbug.com/950706.
4424TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTEarlyDataAfterServerHello) {
4425 ASSERT_TRUE(StartServer());
4426 ASSERT_TRUE(RunInitialConnection());
4427
4428 // Make a 0-RTT Connection. Connect() completes even though the ServerHello is
4429 // blocked.
4430 FakeBlockingStreamSocket* socket = MakeClient(true);
4431 socket->BlockReadResult();
4432 ASSERT_THAT(Connect(), IsOk());
4433
4434 // Wait for the ServerHello to come in and for SSLClientSocket to process it.
4435 socket->WaitForReadResult();
4436 socket->UnblockReadResult();
4437 base::RunLoop().RunUntilIdle();
4438
4439 // Now write to the socket.
4440 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4441 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4442
4443 // Although the socket was created in early data state and the client never
4444 // explicitly called ReaD() or ConfirmHandshake(), SSLClientSocketImpl
4445 // internally consumed the ServerHello and switch keys. The server then
4446 // responds with '0'.
4447 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
4448 int size = ReadAndWait(buf.get(), 4096);
4449 EXPECT_GT(size, 0);
4450 EXPECT_EQ('0', buf->data()[size - 1]);
4451
4452 SSLInfo ssl_info;
4453 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4454 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4455}
4456
4457// Check that 0RTT is confirmed after a Write and Read.
4458TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTConfirmedAfterRead) {
4459 ASSERT_TRUE(StartServer());
4460 ASSERT_TRUE(RunInitialConnection());
4461
4462 // Make a 0-RTT Connection. Connect() and Write() complete even though the
4463 // ServerHello is blocked.
4464 FakeBlockingStreamSocket* socket = MakeClient(true);
4465 socket->BlockReadResult();
4466 ASSERT_THAT(Connect(), IsOk());
4467 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4468 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4469
4470 socket->UnblockReadResult();
4471 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
4472 int size = ReadAndWait(buf.get(), 4096);
4473 EXPECT_GT(size, 0);
4474 EXPECT_EQ('1', buf->data()[size - 1]);
4475
4476 // After the handshake is confirmed, ConfirmHandshake should return
4477 // synchronously.
4478 TestCompletionCallback callback;
4479 ASSERT_THAT(ssl_socket()->ConfirmHandshake(callback.callback()), IsOk());
4480
4481 SSLInfo ssl_info;
4482 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4483 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4484}
4485
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4486// Test that writes wait for the ServerHello once it has reached the early data
4487// limit.
4488TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTEarlyDataLimit) {
4489 ASSERT_TRUE(StartServer());
4490 ASSERT_TRUE(RunInitialConnection());
4491
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4492 // Make a 0-RTT Connection. Connect() completes even though the ServerHello is
4493 // blocked.
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4494 FakeBlockingStreamSocket* socket = MakeClient(true);
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4495 socket->BlockReadResult();
David Benjamine1d42732018-11-09 19:31:34[diff] [blame]4496 ASSERT_THAT(Connect(), IsOk());
4497
4498 // EmbeddedTestServer uses BoringSSL's hard-coded early data limit, which is
4499 // below 16k.
4500 constexpr size_t kRequestSize = 16 * 1024;
4501 std::string request = "GET /zerortt HTTP/1.0\r\n";
4502 while (request.size() < kRequestSize) {
4503 request += "The-Answer-To-Life-The-Universe-And-Everything: 42\r\n";
4504 }
4505 request += "\r\n";
4506
4507 // Writing the large input should not succeed. It is blocked on the
4508 // ServerHello.
4509 TestCompletionCallback write_callback;
4510 auto write_buf = base::MakeRefCounted<StringIOBuffer>(request);
4511 int write_rv = ssl_socket()->Write(write_buf.get(), request.size(),
4512 write_callback.callback(),
4513 TRAFFIC_ANNOTATION_FOR_TESTS);
4514 ASSERT_THAT(write_rv, IsError(ERR_IO_PENDING));
4515
4516 // The Write should have issued a read for the ServerHello, so
4517 // WaitForReadResult has something to wait for.
4518 socket->WaitForReadResult();
4519 EXPECT_TRUE(socket->pending_read_result());
4520
4521 // Queue a read. It should be blocked on the ServerHello.
4522 TestCompletionCallback read_callback;
4523 auto read_buf = base::MakeRefCounted<IOBuffer>(4096);
4524 int read_rv =
4525 ssl_socket()->Read(read_buf.get(), 4096, read_callback.callback());
4526 ASSERT_THAT(read_rv, IsError(ERR_IO_PENDING));
4527
4528 // Also queue a ConfirmHandshake. It should also be blocked on ServerHello.
4529 TestCompletionCallback confirm_callback;
4530 int confirm_rv = ssl_socket()->ConfirmHandshake(confirm_callback.callback());
4531 ASSERT_THAT(confirm_rv, IsError(ERR_IO_PENDING));
4532
4533 // Double-check the write was not accidentally blocked on the network.
4534 base::RunLoop().RunUntilIdle();
4535 EXPECT_FALSE(write_callback.have_result());
4536
4537 // At this point, the maximum possible number of events are all blocked on the
4538 // same thing. Release the ServerHello. All three should complete.
4539 socket->UnblockReadResult();
4540 EXPECT_EQ(static_cast<int>(request.size()),
4541 write_callback.GetResult(write_rv));
4542 EXPECT_THAT(confirm_callback.GetResult(confirm_rv), IsOk());
4543 int size = read_callback.GetResult(read_rv);
4544 ASSERT_GT(size, 0);
4545 EXPECT_EQ('1', read_buf->data()[size - 1]);
4546
4547 SSLInfo ssl_info;
4548 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4549 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4550}
4551
David Benjamine992af92021-03-11 20:27:46[diff] [blame]4552// When a client socket reaches the 0-RTT early data limit, both Write() and
4553// ConfirmHandshake() become blocked on a transport read. Test that
4554// CancelReadIfReady() does not interrupt those.
4555TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTEarlyDataLimitCancelReadIfReady) {
4556 ASSERT_TRUE(StartServer());
4557 ASSERT_TRUE(RunInitialConnection());
4558
4559 // Make a 0-RTT Connection. Connect() completes even though the ServerHello is
4560 // blocked.
4561 FakeBlockingStreamSocket* socket = MakeClient(true);
4562 socket->BlockReadResult();
4563 ASSERT_THAT(Connect(), IsOk());
4564
4565 // EmbeddedTestServer uses BoringSSL's hard-coded early data limit, which is
4566 // below 16k.
4567 constexpr size_t kRequestSize = 16 * 1024;
4568 std::string request = "GET /zerortt HTTP/1.0\r\n";
4569 while (request.size() < kRequestSize) {
4570 request += "The-Answer-To-Life-The-Universe-And-Everything: 42\r\n";
4571 }
4572 request += "\r\n";
4573
4574 // Writing the large input should not succeed. It is blocked on the
4575 // ServerHello.
4576 TestCompletionCallback write_callback;
4577 auto write_buf = base::MakeRefCounted<StringIOBuffer>(request);
4578 int write_rv = ssl_socket()->Write(write_buf.get(), request.size(),
4579 write_callback.callback(),
4580 TRAFFIC_ANNOTATION_FOR_TESTS);
4581 ASSERT_THAT(write_rv, IsError(ERR_IO_PENDING));
4582
4583 // The Write should have issued a read for the ServerHello, so
4584 // WaitForReadResult has something to wait for.
4585 socket->WaitForReadResult();
4586 EXPECT_TRUE(socket->pending_read_result());
4587
4588 // Attempt a ReadIfReady(). It should be blocked on the ServerHello.
4589 TestCompletionCallback read_callback;
4590 auto read_buf = base::MakeRefCounted<IOBuffer>(4096);
4591 int read_rv =
4592 ssl_socket()->ReadIfReady(read_buf.get(), 4096, read_callback.callback());
4593 ASSERT_THAT(read_rv, IsError(ERR_IO_PENDING));
4594
4595 // Also queue a ConfirmHandshake. It should also be blocked on ServerHello.
4596 TestCompletionCallback confirm_callback;
4597 int confirm_rv = ssl_socket()->ConfirmHandshake(confirm_callback.callback());
4598 ASSERT_THAT(confirm_rv, IsError(ERR_IO_PENDING));
4599
4600 // Cancel the ReadIfReady() and release the ServerHello. The remaining
4601 // operations should complete.
4602 ASSERT_THAT(ssl_socket()->CancelReadIfReady(), IsOk());
4603 socket->UnblockReadResult();
4604 EXPECT_EQ(static_cast<int>(request.size()),
4605 write_callback.GetResult(write_rv));
4606 EXPECT_THAT(confirm_callback.GetResult(confirm_rv), IsOk());
4607
4608 // ReadIfReady() should not complete.
4609 base::RunLoop().RunUntilIdle();
4610 EXPECT_FALSE(read_callback.have_result());
4611
4612 SSLInfo ssl_info;
4613 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4614 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4615
4616 // After a canceled read, future reads are still possible.
4617 TestCompletionCallback read_callback2;
4618 read_rv = read_callback2.GetResult(
4619 ssl_socket()->Read(read_buf.get(), 4096, read_callback2.callback()));
4620 ASSERT_GT(read_rv, 0);
4621}
4622
David Benjamin3b819c4f2020-05-14 18:20:05[diff] [blame]4623TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTReject) {
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4624 ASSERT_TRUE(StartServer());
4625 ASSERT_TRUE(RunInitialConnection());
4626
4627 SSLServerConfig server_config;
4628 server_config.early_data_enabled = false;
4629 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4630 SetServerConfig(server_config);
4631
4632 // 0-RTT Connection
4633 FakeBlockingStreamSocket* socket = MakeClient(true);
4634 socket->BlockReadResult();
4635 ASSERT_THAT(Connect(), IsOk());
4636 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4637 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4638 socket->UnblockReadResult();
4639
4640 // Expect early data to be rejected.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4641 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4642 int rv = ReadAndWait(buf.get(), 4096);
4643 EXPECT_EQ(ERR_EARLY_DATA_REJECTED, rv);
4644 rv = WriteAndWait(kRequest);
4645 EXPECT_EQ(ERR_EARLY_DATA_REJECTED, rv);
David Benjamin3b819c4f2020-05-14 18:20:05[diff] [blame]4646
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]4647 // Run the event loop so the rejection has reached the TLS session cache.
4648 base::RunLoop().RunUntilIdle();
4649
4650 // Now that the session cache has been updated, retrying the connection
4651 // should succeed.
David Benjamin3b819c4f2020-05-14 18:20:05[diff] [blame]4652 socket = MakeClient(true);
4653 ASSERT_THAT(Connect(), IsOk());
4654 ASSERT_THAT(MakeHTTPRequest(ssl_socket()), IsOk());
4655 SSLInfo ssl_info;
4656 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4657 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
4658}
4659
4660TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTWrongVersion) {
4661 ASSERT_TRUE(StartServer());
4662 ASSERT_TRUE(RunInitialConnection());
4663
4664 SSLServerConfig server_config;
4665 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
4666 SetServerConfig(server_config);
4667
4668 // 0-RTT Connection
4669 FakeBlockingStreamSocket* socket = MakeClient(true);
4670 socket->BlockReadResult();
4671 ASSERT_THAT(Connect(), IsOk());
4672 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4673 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4674 socket->UnblockReadResult();
4675
4676 // Expect early data to be rejected because the TLS version was incorrect.
4677 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
4678 int rv = ReadAndWait(buf.get(), 4096);
4679 EXPECT_EQ(ERR_WRONG_VERSION_ON_EARLY_DATA, rv);
4680 rv = WriteAndWait(kRequest);
David Benjamin29aa4012021-06-18 02:15:03[diff] [blame]4681 EXPECT_EQ(ERR_WRONG_VERSION_ON_EARLY_DATA, rv);
David Benjamin3b819c4f2020-05-14 18:20:05[diff] [blame]4682
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]4683 // Run the event loop so the rejection has reached the TLS session cache.
4684 base::RunLoop().RunUntilIdle();
4685
4686 // Now that the session cache has been updated, retrying the connection
4687 // should succeed.
David Benjamin3b819c4f2020-05-14 18:20:05[diff] [blame]4688 socket = MakeClient(true);
4689 ASSERT_THAT(Connect(), IsOk());
4690 ASSERT_THAT(MakeHTTPRequest(ssl_socket()), IsOk());
4691 SSLInfo ssl_info;
4692 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4693 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4694}
4695
4696// Test that the ConfirmHandshake successfully completes the handshake and that
4697// it blocks until the server's leg has been received.
4698TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTConfirmHandshake) {
4699 ASSERT_TRUE(StartServer());
4700 ASSERT_TRUE(RunInitialConnection());
4701
4702 // 0-RTT Connection
4703 FakeBlockingStreamSocket* socket = MakeClient(true);
4704 socket->BlockReadResult();
4705 ASSERT_THAT(Connect(), IsOk());
4706
4707 // The ServerHello is blocked, so ConfirmHandshake should not complete.
4708 TestCompletionCallback callback;
4709 ASSERT_EQ(ERR_IO_PENDING,
4710 ssl_socket()->ConfirmHandshake(callback.callback()));
4711 base::RunLoop().RunUntilIdle();
4712 EXPECT_FALSE(callback.have_result());
4713
4714 // Release the ServerHello. ConfirmHandshake now completes.
4715 socket->UnblockReadResult();
4716 ASSERT_THAT(callback.GetResult(ERR_IO_PENDING), IsOk());
4717
4718 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4719 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4720
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4721 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4722 int size = ReadAndWait(buf.get(), 4096);
4723 EXPECT_GT(size, 0);
4724 EXPECT_EQ('0', buf->data()[size - 1]);
4725
4726 SSLInfo ssl_info;
4727 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4728 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4729}
4730
4731// Test that an early read does not break during zero RTT.
4732TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTReadBeforeWrite) {
4733 ASSERT_TRUE(StartServer());
4734 ASSERT_TRUE(RunInitialConnection());
4735
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4736 // Make a 0-RTT Connection. Connect() completes even though the ServerHello is
4737 // blocked.
4738 FakeBlockingStreamSocket* socket = MakeClient(true);
4739 socket->BlockReadResult();
4740 ASSERT_THAT(Connect(), IsOk());
4741
4742 // Read() does not make progress.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4743 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4744 TestCompletionCallback read_callback;
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4745 ASSERT_EQ(ERR_IO_PENDING,
4746 ssl_socket()->Read(buf.get(), 4096, read_callback.callback()));
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4747
4748 // Write() completes, even though reads are blocked.
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4749 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4750 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4751
David Benjamin43527bf2019-10-04 17:59:40[diff] [blame]4752 // Release the ServerHello, etc. The Read() now completes.
4753 socket->UnblockReadResult();
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4754 int size = read_callback.GetResult(ERR_IO_PENDING);
4755 EXPECT_GT(size, 0);
4756 EXPECT_EQ('1', buf->data()[size - 1]);
4757
4758 SSLInfo ssl_info;
4759 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4760 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4761}
4762
4763TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTDoubleConfirmHandshake) {
4764 ASSERT_TRUE(StartServer());
4765 ASSERT_TRUE(RunInitialConnection());
4766
4767 // 0-RTT Connection
4768 MakeClient(true);
4769 ASSERT_THAT(Connect(), IsOk());
4770 TestCompletionCallback callback;
4771 ASSERT_THAT(
4772 callback.GetResult(ssl_socket()->ConfirmHandshake(callback.callback())),
4773 IsOk());
4774 // After the handshake is confirmed, ConfirmHandshake should return
4775 // synchronously.
4776 ASSERT_THAT(ssl_socket()->ConfirmHandshake(callback.callback()), IsOk());
4777 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4778 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4779
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4780 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4781 int size = ReadAndWait(buf.get(), 4096);
4782 EXPECT_GT(size, 0);
4783 EXPECT_EQ('0', buf->data()[size - 1]);
4784
4785 SSLInfo ssl_info;
4786 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4787 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4788}
4789
4790TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTParallelReadConfirm) {
4791 ASSERT_TRUE(StartServer());
4792 ASSERT_TRUE(RunInitialConnection());
4793
4794 // 0-RTT Connection
4795 FakeBlockingStreamSocket* socket = MakeClient(true);
4796 socket->BlockReadResult();
4797 ASSERT_THAT(Connect(), IsOk());
4798
4799 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
4800 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
4801
4802 // The ServerHello is blocked, so ConfirmHandshake should not complete.
4803 TestCompletionCallback callback;
4804 ASSERT_EQ(ERR_IO_PENDING,
4805 ssl_socket()->ConfirmHandshake(callback.callback()));
4806 base::RunLoop().RunUntilIdle();
4807 EXPECT_FALSE(callback.have_result());
4808
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4809 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
Steven Valdez6af02df2018-07-15 21:52:33[diff] [blame]4810 TestCompletionCallback read_callback;
4811 ASSERT_EQ(ERR_IO_PENDING,
4812 ssl_socket()->Read(buf.get(), 4096, read_callback.callback()));
4813 base::RunLoop().RunUntilIdle();
4814 EXPECT_FALSE(read_callback.have_result());
4815
4816 // Release the ServerHello. ConfirmHandshake now completes.
4817 socket->UnblockReadResult();
4818 ASSERT_THAT(callback.WaitForResult(), IsOk());
4819
4820 int result = read_callback.WaitForResult();
4821 EXPECT_GT(result, 0);
4822 EXPECT_EQ('1', buf->data()[result - 1]);
4823
4824 SSLInfo ssl_info;
4825 ASSERT_TRUE(GetSSLInfo(&ssl_info));
4826 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
4827}
4828
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4829TEST_P(SSLClientSocketReadTest, IdleAfterRead) {
4830 // Set up a TCP server.
Raul Tambre94493c652019-03-11 17:18:35[diff] [blame]4831 TCPServerSocket server_listener(nullptr, NetLogSource());
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4832 ASSERT_THAT(
4833 server_listener.Listen(IPEndPoint(IPAddress::IPv4Localhost(), 0), 1),
4834 IsOk());
4835 IPEndPoint server_address;
4836 ASSERT_THAT(server_listener.GetLocalAddress(&server_address), IsOk());
4837
4838 // Connect a TCP client and server socket.
4839 TestCompletionCallback server_callback;
4840 std::unique_ptr<StreamSocket> server_transport;
4841 int server_rv =
4842 server_listener.Accept(&server_transport, server_callback.callback());
4843
4844 TestCompletionCallback client_callback;
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]4845 auto client_transport = std::make_unique<TCPClientSocket>(
4846 AddressList(server_address), nullptr, nullptr, nullptr, NetLogSource());
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4847 int client_rv = client_transport->Connect(client_callback.callback());
4848
4849 EXPECT_THAT(server_callback.GetResult(server_rv), IsOk());
4850 EXPECT_THAT(client_callback.GetResult(client_rv), IsOk());
4851
4852 // Set up an SSL server.
4853 base::FilePath certs_dir = GetTestCertsDirectory();
4854 scoped_refptr<net::X509Certificate> cert =
4855 ImportCertFromFile(certs_dir, "ok_cert.pem");
4856 ASSERT_TRUE(cert);
4857 bssl::UniquePtr<EVP_PKEY> pkey =
Jesse Selover1d82faf2019-03-20 19:44:35[diff] [blame]4858 key_util::LoadEVP_PKEYFromPEM(certs_dir.AppendASCII("ok_cert.pem"));
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4859 ASSERT_TRUE(pkey);
4860 std::unique_ptr<crypto::RSAPrivateKey> key =
4861 crypto::RSAPrivateKey::CreateFromKey(pkey.get());
4862 ASSERT_TRUE(key);
4863 std::unique_ptr<SSLServerContext> server_context =
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4864 CreateSSLServerContext(cert.get(), *key.get(), GetServerConfig());
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4865
4866 // Complete the SSL handshake on both sides.
4867 std::unique_ptr<SSLClientSocket> client(CreateSSLClientSocket(
4868 std::move(client_transport), HostPortPair::FromIPEndPoint(server_address),
4869 SSLConfig()));
4870 std::unique_ptr<SSLServerSocket> server(
4871 server_context->CreateSSLServerSocket(std::move(server_transport)));
4872
4873 server_rv = server->Handshake(server_callback.callback());
4874 client_rv = client->Connect(client_callback.callback());
4875
4876 EXPECT_THAT(server_callback.GetResult(server_rv), IsOk());
4877 EXPECT_THAT(client_callback.GetResult(client_rv), IsOk());
4878
4879 // Write a single record on the server.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4880 scoped_refptr<IOBuffer> write_buf = base::MakeRefCounted<StringIOBuffer>("a");
Ramin Halavati0a08cc82018-02-06 07:46:38[diff] [blame]4881 server_rv = server->Write(write_buf.get(), 1, server_callback.callback(),
4882 TRAFFIC_ANNOTATION_FOR_TESTS);
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4883
4884 // Read that record on the server, but with a much larger buffer than
4885 // necessary.
Victor Costan9c7302b2018-08-27 16:39:44[diff] [blame]4886 scoped_refptr<IOBuffer> read_buf = base::MakeRefCounted<IOBuffer>(1024);
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4887 client_rv =
4888 Read(client.get(), read_buf.get(), 1024, client_callback.callback());
4889
4890 EXPECT_EQ(1, server_callback.GetResult(server_rv));
4891 EXPECT_EQ(1, WaitForReadCompletion(client.get(), read_buf.get(), 1024,
4892 &client_callback, client_rv));
4893
4894 // At this point the client socket should be idle.
4895 EXPECT_TRUE(client->IsConnectedAndIdle());
davidben8ea6b172017-03-07 23:53:50[diff] [blame]4896}
4897
David Benjamin9dc103f2019-05-15 00:11:43[diff] [blame]4898// Test that certificate errors are properly reported when the underlying
4899// transport is itself a TLS connection, such as when tunneling over an HTTPS
4900// proxy. See https://crbug.com/959305.
4901TEST_F(SSLClientSocketTest, SSLOverSSLBadCertificate) {
4902 // Load a pair of certificates.
4903 base::FilePath certs_dir = GetTestCertsDirectory();
4904 scoped_refptr<net::X509Certificate> ok_cert =
4905 ImportCertFromFile(certs_dir, "ok_cert.pem");
4906 ASSERT_TRUE(ok_cert);
4907 bssl::UniquePtr<EVP_PKEY> ok_pkey =
4908 key_util::LoadEVP_PKEYFromPEM(certs_dir.AppendASCII("ok_cert.pem"));
4909 ASSERT_TRUE(ok_pkey);
4910
4911 scoped_refptr<net::X509Certificate> expired_cert =
4912 ImportCertFromFile(certs_dir, "expired_cert.pem");
4913 ASSERT_TRUE(expired_cert);
4914 bssl::UniquePtr<EVP_PKEY> expired_pkey =
4915 key_util::LoadEVP_PKEYFromPEM(certs_dir.AppendASCII("expired_cert.pem"));
4916 ASSERT_TRUE(expired_pkey);
4917
4918 CertVerifyResult expired_result;
4919 expired_result.verified_cert = expired_cert;
4920 expired_result.cert_status = CERT_STATUS_DATE_INVALID;
4921 cert_verifier_->AddResultForCert(expired_cert, expired_result,
4922 ERR_CERT_DATE_INVALID);
4923
4924 // Set up a TCP server.
4925 TCPServerSocket server_listener(nullptr, NetLogSource());
4926 ASSERT_THAT(
4927 server_listener.Listen(IPEndPoint(IPAddress::IPv4Localhost(), 0), 1),
4928 IsOk());
4929 IPEndPoint server_address;
4930 ASSERT_THAT(server_listener.GetLocalAddress(&server_address), IsOk());
4931
4932 // Connect a TCP client and server socket.
4933 TestCompletionCallback server_callback;
4934 std::unique_ptr<StreamSocket> server_transport;
4935 int server_rv =
4936 server_listener.Accept(&server_transport, server_callback.callback());
4937
4938 TestCompletionCallback client_callback;
4939 auto client_transport = std::make_unique<TCPClientSocket>(
Eric Roman2bc77162020-09-16 18:30:45[diff] [blame]4940 AddressList(server_address), nullptr, nullptr, nullptr, NetLogSource());
David Benjamin9dc103f2019-05-15 00:11:43[diff] [blame]4941 int client_rv = client_transport->Connect(client_callback.callback());
4942
4943 ASSERT_THAT(server_callback.GetResult(server_rv), IsOk());
4944 ASSERT_THAT(client_callback.GetResult(client_rv), IsOk());
4945
4946 // Set up a pair of SSL servers.
4947 std::unique_ptr<crypto::RSAPrivateKey> ok_key =
4948 crypto::RSAPrivateKey::CreateFromKey(ok_pkey.get());
4949 ASSERT_TRUE(ok_key);
4950 std::unique_ptr<SSLServerContext> ok_server_context =
4951 CreateSSLServerContext(ok_cert.get(), *ok_key.get(), SSLServerConfig());
4952
4953 std::unique_ptr<crypto::RSAPrivateKey> expired_key =
4954 crypto::RSAPrivateKey::CreateFromKey(expired_pkey.get());
4955 ASSERT_TRUE(expired_key);
4956 std::unique_ptr<SSLServerContext> expired_server_context =
4957 CreateSSLServerContext(expired_cert.get(), *expired_key.get(),
4958 SSLServerConfig());
4959
4960 // Complete the proxy SSL handshake with ok_cert.pem. This should succeed.
4961 std::unique_ptr<SSLClientSocket> client =
4962 CreateSSLClientSocket(std::move(client_transport),
4963 HostPortPair("proxy.test", 443), SSLConfig());
4964 std::unique_ptr<SSLServerSocket> server =
4965 ok_server_context->CreateSSLServerSocket(std::move(server_transport));
4966
4967 client_rv = client->Connect(client_callback.callback());
4968 server_rv = server->Handshake(server_callback.callback());
4969 ASSERT_THAT(client_callback.GetResult(client_rv), IsOk());
4970 ASSERT_THAT(server_callback.GetResult(server_rv), IsOk());
4971
4972 // Run the tunneled SSL handshake on with expired_cert.pem. This should fail.
4973 client = CreateSSLClientSocket(std::move(client),
4974 HostPortPair("server.test", 443), SSLConfig());
4975 server = expired_server_context->CreateSSLServerSocket(std::move(server));
4976
4977 client_rv = client->Connect(client_callback.callback());
4978 server_rv = server->Handshake(server_callback.callback());
4979
4980 // The client should observe the bad certificate error.
4981 EXPECT_THAT(client_callback.GetResult(client_rv),
4982 IsError(ERR_CERT_DATE_INVALID));
4983 SSLInfo ssl_info;
4984 ASSERT_TRUE(client->GetSSLInfo(&ssl_info));
4985 EXPECT_EQ(ssl_info.cert_status, expired_result.cert_status);
4986
4987 // TODO(https://crbug.com/912383): The server sees
4988 // ERR_BAD_SSL_CLIENT_AUTH_CERT because its peer (the client) alerts it with
4989 // bad_certificate. The alert-mapping code assumes it is running on a client,
4990 // so it translates bad_certificate to ERR_BAD_SSL_CLIENT_AUTH_CERT, which
4991 // shouldn't be the error for a bad server certificate.
4992 EXPECT_THAT(server_callback.GetResult(server_rv),
4993 IsError(ERR_BAD_SSL_CLIENT_AUTH_CERT));
4994}
4995
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]4996TEST_F(SSLClientSocketTest, Tag) {
David Benjaminbba56ef2019-10-29 18:51:55[diff] [blame]4997 ASSERT_TRUE(
4998 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]4999
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]5000 auto transport = std::make_unique<TCPClientSocket>(
5001 addr(), nullptr, nullptr, NetLog::Get(), NetLogSource());
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]5002
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]5003 auto tagging_sock =
5004 std::make_unique<MockTaggingStreamSocket>(std::move(transport));
Tsuyoshi Horoc39623a82022-07-11 01:27:58[diff] [blame]5005 auto* tagging_sock_ptr = tagging_sock.get();
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]5006
5007 // |sock| takes ownership of |tagging_sock|, but keep a
5008 // non-owning pointer to it.
Tsuyoshi Horof8861cb2022-07-05 23:50:20[diff] [blame]5009 std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
5010 std::move(tagging_sock), host_port_pair(), SSLConfig()));
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]5011
Tsuyoshi Horoc39623a82022-07-11 01:27:58[diff] [blame]5012 EXPECT_EQ(tagging_sock_ptr->tag(), SocketTag());
Xiaohan Wang2a6845b2022-01-08 04:40:57[diff] [blame]5013#if BUILDFLAG(IS_ANDROID)
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]5014 SocketTag tag(0x12345678, 0x87654321);
5015 sock->ApplySocketTag(tag);
Tsuyoshi Horoc39623a82022-07-11 01:27:58[diff] [blame]5016 EXPECT_EQ(tagging_sock_ptr->tag(), tag);
Xiaohan Wang83bdf142022-01-21 19:23:11[diff] [blame]5017#endif // BUILDFLAG(IS_ANDROID)
Paul Jensen0f49dec2017-12-12 23:39:58[diff] [blame]5018}
5019
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5020TEST_F(SSLClientSocketTest, ECH) {
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5021 base::test::ScopedFeatureList feature_list;
5022 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5023
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5024 SSLServerConfig server_config;
5025 SSLConfig client_config;
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5026 server_config.ech_keys = MakeTestEchKeys(
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5027 "public.example", /*max_name_len=*/64, &client_config.ech_config_list);
5028 ASSERT_TRUE(server_config.ech_keys);
5029
5030 ASSERT_TRUE(
5031 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5032
5033 // Connecting with the client should use ECH.
5034 int rv;
5035 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5036 EXPECT_THAT(rv, IsOk());
5037 SSLInfo ssl_info;
5038 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
5039 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
5040 EXPECT_TRUE(ssl_info.encrypted_client_hello);
5041
5042 // TLS 1.3 causes the ticket to arrive later. Use the socket to ensure we have
5043 // a ticket. This also populates the SSLInfo from the server.
5044 EXPECT_THAT(MakeHTTPRequest(sock_.get(), "/ssl-info"), IsOk());
5045 absl::optional<SSLInfo> server_ssl_info = LastSSLInfoFromServer();
5046 ASSERT_TRUE(server_ssl_info);
5047 EXPECT_TRUE(server_ssl_info->encrypted_client_hello);
5048
5049 // Reconnect. ECH should not interfere with resumption.
5050 sock_.reset();
5051 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5052 EXPECT_THAT(rv, IsOk());
5053 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
5054 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
5055 EXPECT_TRUE(ssl_info.encrypted_client_hello);
5056
5057 // Check SSLInfo from the server.
5058 EXPECT_THAT(MakeHTTPRequest(sock_.get(), "/ssl-info"), IsOk());
5059 server_ssl_info = LastSSLInfoFromServer();
5060 ASSERT_TRUE(server_ssl_info);
5061 EXPECT_TRUE(server_ssl_info->encrypted_client_hello);
5062
5063 // Connecting without ECH should not report ECH was used.
5064 client_config.ech_config_list.clear();
5065 sock_.reset();
5066 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5067 EXPECT_THAT(rv, IsOk());
5068 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
5069 EXPECT_FALSE(ssl_info.encrypted_client_hello);
5070
5071 // Check SSLInfo from the server.
5072 EXPECT_THAT(MakeHTTPRequest(sock_.get(), "/ssl-info"), IsOk());
5073 server_ssl_info = LastSSLInfoFromServer();
5074 ASSERT_TRUE(server_ssl_info);
5075 EXPECT_FALSE(server_ssl_info->encrypted_client_hello);
5076}
5077
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5078// Test that, on key mismatch, the public name can be used to authenticate
5079// replacement keys.
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5080TEST_F(SSLClientSocketTest, ECHWrongKeys) {
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5081 base::test::ScopedFeatureList feature_list;
5082 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5083
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5084 static const char kPublicName[] = "public.example";
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5085 std::vector<uint8_t> ech_config_list1, ech_config_list2;
5086 bssl::UniquePtr<SSL_ECH_KEYS> keys1 =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5087 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list1);
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5088 ASSERT_TRUE(keys1);
5089 bssl::UniquePtr<SSL_ECH_KEYS> keys2 =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5090 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list2);
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5091 ASSERT_TRUE(keys2);
5092
5093 // Configure the client and server with different keys.
5094 SSLServerConfig server_config;
5095 server_config.ech_keys = std::move(keys1);
5096 SSLConfig client_config;
5097 client_config.ech_config_list = std::move(ech_config_list2);
5098
5099 ASSERT_TRUE(
5100 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5101
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5102 // Verify the fallback handshake verifies the certificate against the public
5103 // name.
5104 cert_verifier_->set_default_result(ERR_CERT_INVALID);
5105 scoped_refptr<X509Certificate> server_cert =
5106 embedded_test_server()->GetCertificate();
5107 CertVerifyResult verify_result;
5108 verify_result.verified_cert = server_cert;
5109 cert_verifier_->AddResultForCertAndHost(server_cert, kPublicName,
5110 verify_result, OK);
5111
5112 // Connecting with the client should report ECH was not negotiated.
David Benjaminf3b8b512021-09-01 21:14:01[diff] [blame]5113 int rv;
5114 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5115 EXPECT_THAT(rv, IsError(ERR_ECH_NOT_NEGOTIATED));
5116
5117 // The server's keys are available as retry keys.
5118 EXPECT_EQ(ech_config_list1, sock_->GetECHRetryConfigs());
5119}
5120
5121// Test that, if the server does not support ECH, it can securely report this
5122// via the public name. This allows recovery if the server needed to
5123// rollback ECH support.
5124TEST_F(SSLClientSocketTest, ECHSecurelyDisabled) {
5125 base::test::ScopedFeatureList feature_list;
5126 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5127
5128 static const char kPublicName[] = "public.example";
5129 std::vector<uint8_t> ech_config_list;
5130 bssl::UniquePtr<SSL_ECH_KEYS> keys =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5131 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list);
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5132 ASSERT_TRUE(keys);
5133
5134 // The server does not have keys configured.
5135 ASSERT_TRUE(
5136 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
5137
5138 // However it can authenticate for kPublicName.
5139 cert_verifier_->set_default_result(ERR_CERT_INVALID);
5140 scoped_refptr<X509Certificate> server_cert =
5141 embedded_test_server()->GetCertificate();
5142 CertVerifyResult verify_result;
5143 verify_result.verified_cert = server_cert;
5144 cert_verifier_->AddResultForCertAndHost(server_cert, kPublicName,
5145 verify_result, OK);
5146
5147 // Connecting with the client should report ECH was not negotiated.
5148 SSLConfig client_config;
5149 client_config.ech_config_list = std::move(ech_config_list);
5150 int rv;
5151 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5152 EXPECT_THAT(rv, IsError(ERR_ECH_NOT_NEGOTIATED));
5153
5154 // The retry config is empty, meaning the server has securely reported that
5155 // ECH is disabled
5156 EXPECT_TRUE(sock_->GetECHRetryConfigs().empty());
5157}
5158
5159// The same as the above, but testing that it also works in TLS 1.2, which
5160// otherwise does not support ECH.
5161TEST_F(SSLClientSocketTest, ECHSecurelyDisabledTLS12) {
5162 base::test::ScopedFeatureList feature_list;
5163 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5164
5165 static const char kPublicName[] = "public.example";
5166 std::vector<uint8_t> ech_config_list;
5167 bssl::UniquePtr<SSL_ECH_KEYS> keys =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5168 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list);
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5169 ASSERT_TRUE(keys);
5170
5171 // The server does not have keys configured.
5172 SSLServerConfig server_config;
5173 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
5174 ASSERT_TRUE(
5175 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5176
5177 // However it can authenticate for kPublicName.
5178 cert_verifier_->set_default_result(ERR_CERT_INVALID);
5179 scoped_refptr<X509Certificate> server_cert =
5180 embedded_test_server()->GetCertificate();
5181 CertVerifyResult verify_result;
5182 verify_result.verified_cert = server_cert;
5183 cert_verifier_->AddResultForCertAndHost(server_cert, kPublicName,
5184 verify_result, OK);
5185
5186 // Connecting with the client should report ECH was not negotiated.
5187 SSLConfig client_config;
5188 client_config.ech_config_list = std::move(ech_config_list);
5189 int rv;
5190 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5191 EXPECT_THAT(rv, IsError(ERR_ECH_NOT_NEGOTIATED));
5192
5193 // The retry config is empty, meaning the server has securely reported that
5194 // ECH is disabled
5195 EXPECT_TRUE(sock_->GetECHRetryConfigs().empty());
5196}
5197
5198// Test that the ECH fallback handshake rejects bad certificates.
5199TEST_F(SSLClientSocketTest, ECHFallbackBadCert) {
5200 base::test::ScopedFeatureList feature_list;
5201 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5202
5203 static const char kPublicName[] = "public.example";
5204 std::vector<uint8_t> ech_config_list1, ech_config_list2;
5205 bssl::UniquePtr<SSL_ECH_KEYS> keys1 =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5206 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list1);
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5207 ASSERT_TRUE(keys1);
5208 bssl::UniquePtr<SSL_ECH_KEYS> keys2 =
David Benjamin6e089be2022-02-11 18:22:21[diff] [blame]5209 MakeTestEchKeys(kPublicName, /*max_name_len=*/64, &ech_config_list2);
David Benjamin2cd5f6092021-10-18 18:54:49[diff] [blame]5210 ASSERT_TRUE(keys2);
5211
5212 // Configure the client and server with different keys.
5213 SSLServerConfig server_config;
5214 server_config.ech_keys = std::move(keys1);
5215 SSLConfig client_config;
5216 client_config.ech_config_list = std::move(ech_config_list2);
5217
5218 ASSERT_TRUE(
5219 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5220
5221 // Configure the client to reject the certificate for the public name (or any
5222 // other name).
5223 cert_verifier_->set_default_result(ERR_CERT_INVALID);
5224
5225 // Connecting with the client will fail with a fatal error.
5226 int rv;
5227 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5228 EXPECT_THAT(rv, IsError(ERR_ECH_FALLBACK_CERTIFICATE_INVALID));
5229}
5230
David Benjamin6e79f752021-09-14 01:20:50[diff] [blame]5231TEST_F(SSLClientSocketTest, InvalidECHConfigList) {
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5232 base::test::ScopedFeatureList feature_list;
5233 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5234
David Benjamin6e79f752021-09-14 01:20:50[diff] [blame]5235 ASSERT_TRUE(
5236 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
5237
5238 // If the ECHConfigList cannot be parsed at all, report an error to the
5239 // caller.
5240 SSLConfig client_config;
5241 client_config.ech_config_list = {0x00};
5242 int rv;
5243 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5244 EXPECT_THAT(rv, IsError(ERR_INVALID_ECH_CONFIG_LIST));
5245}
5246
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5247// Test that, if no ECHConfigList is available, the client sends ECH GREASE.
5248TEST_F(SSLClientSocketTest, ECHGreaseEnabled) {
5249 base::test::ScopedFeatureList feature_list;
5250 feature_list.InitAndEnableFeature(features::kEncryptedClientHello);
5251
5252 // Configure the server to expect an ECH extension.
5253 bool ran_callback = false;
5254 SSLServerConfig server_config;
5255 server_config.client_hello_callback_for_testing =
5256 base::BindLambdaForTesting([&](const SSL_CLIENT_HELLO* client_hello) {
5257 const uint8_t* data;
5258 size_t len;
5259 EXPECT_TRUE(SSL_early_callback_ctx_extension_get(
5260 client_hello, TLSEXT_TYPE_encrypted_client_hello, &data, &len));
5261 ran_callback = true;
David Benjamind8d00b62021-11-16 18:27:01[diff] [blame]5262 return true;
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5263 });
5264 ASSERT_TRUE(
5265 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5266 int rv;
5267 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
5268 EXPECT_THAT(rv, IsOk());
5269 EXPECT_TRUE(ran_callback);
5270}
5271
5272// Test that, if the feature flag is disabled, the client does not send ECH
5273// GREASE.
5274TEST_F(SSLClientSocketTest, ECHGreaseDisabled) {
5275 base::test::ScopedFeatureList feature_list;
5276 feature_list.InitAndDisableFeature(features::kEncryptedClientHello);
5277
5278 // Configure the server not to expect an ECH extension.
5279 bool ran_callback = false;
5280 SSLServerConfig server_config;
5281 server_config.client_hello_callback_for_testing =
5282 base::BindLambdaForTesting([&](const SSL_CLIENT_HELLO* client_hello) {
5283 const uint8_t* data;
5284 size_t len;
5285 EXPECT_FALSE(SSL_early_callback_ctx_extension_get(
5286 client_hello, TLSEXT_TYPE_encrypted_client_hello, &data, &len));
5287 ran_callback = true;
David Benjamind8d00b62021-11-16 18:27:01[diff] [blame]5288 return true;
David Benjamin4c81d93e2021-10-12 17:32:36[diff] [blame]5289 });
5290 ASSERT_TRUE(
5291 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5292 int rv;
5293 ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
5294 EXPECT_THAT(rv, IsOk());
5295 EXPECT_TRUE(ran_callback);
5296}
5297
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5298struct SSLHandshakeDetailsParams {
5299 bool alpn;
5300 bool early_data;
5301 uint16_t version;
5302 SSLHandshakeDetails expected_initial;
5303 SSLHandshakeDetails expected_resume;
5304};
5305
5306const SSLHandshakeDetailsParams kSSLHandshakeDetailsParams[] = {
5307 // TLS 1.0 and 1.1 never do False Start.
5308 {false /* no ALPN */, false /* no early data */, SSL_PROTOCOL_VERSION_TLS1,
5309 SSLHandshakeDetails::kTLS12Full, SSLHandshakeDetails::kTLS12Resume},
5310 {false /* no ALPN */, false /* no early data */,
5311 SSL_PROTOCOL_VERSION_TLS1_1, SSLHandshakeDetails::kTLS12Full,
5312 SSLHandshakeDetails::kTLS12Resume},
5313
5314 // TLS 1.2 does False Start if ALPN is enabled.
5315 {false /* no ALPN */, false /* no early data */,
5316 SSL_PROTOCOL_VERSION_TLS1_2, SSLHandshakeDetails::kTLS12Full,
5317 SSLHandshakeDetails::kTLS12Resume},
5318 {true /* ALPN */, false /* no early data */, SSL_PROTOCOL_VERSION_TLS1_2,
5319 SSLHandshakeDetails::kTLS12FalseStart, SSLHandshakeDetails::kTLS12Resume},
5320
5321 // TLS 1.3 supports full handshakes, resumption, and 0-RTT.
5322 {false /* no ALPN */, false /* no early data */,
5323 SSL_PROTOCOL_VERSION_TLS1_3, SSLHandshakeDetails::kTLS13Full,
5324 SSLHandshakeDetails::kTLS13Resume},
5325 {false /* no ALPN */, true /* early data */, SSL_PROTOCOL_VERSION_TLS1_3,
5326 SSLHandshakeDetails::kTLS13Full, SSLHandshakeDetails::kTLS13Early},
5327};
5328
5329class SSLHandshakeDetailsTest
5330 : public SSLClientSocketTest,
5331 public ::testing::WithParamInterface<SSLHandshakeDetailsParams> {};
5332
Ilia Samsonov2dfd9212019-12-09 15:26:57[diff] [blame]5333INSTANTIATE_TEST_SUITE_P(All,
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5334 SSLHandshakeDetailsTest,
Bence Békycc859862021-02-08 17:26:40[diff] [blame]5335 ValuesIn(kSSLHandshakeDetailsParams));
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5336
5337TEST_P(SSLHandshakeDetailsTest, Metrics) {
David Benjamin0a594692022-10-20 19:32:24[diff] [blame]5338 // TLS 1.0 and 1.1 are unreachable by default.
5339 // TODO(https://crbug.com/1376584): When this feature is removed, just delete
5340 // the TLS 1.0 and 1.1 test cases.
5341 base::test::ScopedFeatureList feature_list;
5342 feature_list.InitAndDisableFeature(features::kSSLMinVersionAtLeastTLS12);
5343
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5344 // Enable all test features in the server.
5345 SSLServerConfig server_config;
David Benjamin24725be2019-07-24 20:57:18[diff] [blame]5346 server_config.version_min = SSL_PROTOCOL_VERSION_TLS1;
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5347 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
5348 server_config.early_data_enabled = true;
5349 server_config.alpn_protos = {kProtoHTTP11};
5350 ASSERT_TRUE(
5351 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5352
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5353 SSLContextConfig client_context_config;
5354 client_context_config.version_min = GetParam().version;
5355 client_context_config.version_max = GetParam().version;
5356 ssl_config_service_->UpdateSSLConfigAndNotify(client_context_config);
5357
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5358 SSLConfig client_config;
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5359 client_config.version_min_override = GetParam().version;
5360 client_config.version_max_override = GetParam().version;
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5361 client_config.early_data_enabled = GetParam().early_data;
5362 if (GetParam().alpn) {
5363 client_config.alpn_protos = {kProtoHTTP11};
5364 }
5365
5366 SSLVersion version;
5367 switch (GetParam().version) {
5368 case SSL_PROTOCOL_VERSION_TLS1:
5369 version = SSL_CONNECTION_VERSION_TLS1;
5370 break;
5371 case SSL_PROTOCOL_VERSION_TLS1_1:
5372 version = SSL_CONNECTION_VERSION_TLS1_1;
5373 break;
5374 case SSL_PROTOCOL_VERSION_TLS1_2:
5375 version = SSL_CONNECTION_VERSION_TLS1_2;
5376 break;
5377 case SSL_PROTOCOL_VERSION_TLS1_3:
5378 version = SSL_CONNECTION_VERSION_TLS1_3;
5379 break;
5380 default:
5381 FAIL() << GetParam().version;
5382 }
5383
5384 // Make the initial connection.
5385 {
5386 base::HistogramTester histograms;
5387 int rv;
5388 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5389 EXPECT_THAT(rv, IsOk());
5390
5391 // Sanity-check the socket matches the test parameters.
5392 SSLInfo info;
5393 ASSERT_TRUE(sock_->GetSSLInfo(&info));
5394 EXPECT_EQ(version, SSLConnectionStatusToVersion(info.connection_status));
5395 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, info.handshake_type);
5396 EXPECT_EQ(GetParam().alpn, sock_->WasAlpnNegotiated());
5397
5398 histograms.ExpectUniqueSample("Net.SSLHandshakeDetails",
5399 GetParam().expected_initial, 1);
5400
David Benjamin4e0215d2019-08-13 19:11:18[diff] [blame]5401 // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
5402 // use the socket to ensure the session ticket has been picked up.
5403 EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
David Benjamin0627236e2019-06-27 02:01:18[diff] [blame]5404 }
5405
5406 // Make a resumption connection.
5407 {
5408 base::HistogramTester histograms;
5409 int rv;
5410 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5411 EXPECT_THAT(rv, IsOk());
5412
5413 // Sanity-check the socket matches the test parameters.
5414 SSLInfo info;
5415 ASSERT_TRUE(sock_->GetSSLInfo(&info));
5416 EXPECT_EQ(version, SSLConnectionStatusToVersion(info.connection_status));
5417 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, info.handshake_type);
5418 EXPECT_EQ(GetParam().alpn, sock_->WasAlpnNegotiated());
5419
5420 histograms.ExpectUniqueSample("Net.SSLHandshakeDetails",
5421 GetParam().expected_resume, 1);
5422 }
5423}
5424
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5425TEST_F(SSLClientSocketZeroRTTTest, EarlyDataReasonNewSession) {
5426 const char kReasonHistogram[] = "Net.SSLHandshakeEarlyDataReason";
5427
5428 ASSERT_TRUE(StartServer());
5429 base::HistogramTester histograms;
5430 ASSERT_TRUE(RunInitialConnection());
5431 histograms.ExpectUniqueSample(kReasonHistogram,
5432 ssl_early_data_no_session_offered, 1);
5433}
5434
5435// Test 0-RTT logging when the server declines to resume a connection.
5436TEST_F(SSLClientSocketZeroRTTTest, EarlyDataReasonNoResume) {
5437 const char kReasonHistogram[] = "Net.SSLHandshakeEarlyDataReason";
5438
5439 ASSERT_TRUE(StartServer());
5440 ASSERT_TRUE(RunInitialConnection());
5441
5442 SSLServerConfig server_config;
5443 server_config.early_data_enabled = false;
5444 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
5445
5446 SetServerConfig(server_config);
5447
5448 base::HistogramTester histograms;
5449
5450 // 0-RTT Connection
5451 FakeBlockingStreamSocket* socket = MakeClient(true);
5452 socket->BlockReadResult();
5453 ASSERT_THAT(Connect(), IsOk());
5454 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
5455 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
5456 socket->UnblockReadResult();
5457
5458 // Expect early data to be rejected.
5459 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
5460 int rv = ReadAndWait(buf.get(), 4096);
5461 EXPECT_EQ(ERR_EARLY_DATA_REJECTED, rv);
5462
David Benjamin6d3c1bb2022-11-08 17:46:07[diff] [blame]5463 // The histogram may be record asynchronously.
5464 base::RunLoop().RunUntilIdle();
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5465 histograms.ExpectUniqueSample(kReasonHistogram,
5466 ssl_early_data_session_not_resumed, 1);
5467}
5468
5469// Test 0-RTT logging in the standard ConfirmHandshake-after-acceptance case.
Adam Rice86b3fb922022-05-02 13:27:48[diff] [blame]5470TEST_F(SSLClientSocketZeroRTTTest, EarlyDataReasonZeroRTT) {
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5471 const char kReasonHistogram[] = "Net.SSLHandshakeEarlyDataReason";
5472
5473 ASSERT_TRUE(StartServer());
5474 ASSERT_TRUE(RunInitialConnection());
5475
5476 // 0-RTT Connection
5477 base::HistogramTester histograms;
5478 MakeClient(true);
5479 ASSERT_THAT(Connect(), IsOk());
5480 TestCompletionCallback callback;
5481 ASSERT_THAT(
5482 callback.GetResult(ssl_socket()->ConfirmHandshake(callback.callback())),
5483 IsOk());
Adam Rice86b3fb922022-05-02 13:27:48[diff] [blame]5484
5485 base::RunLoop().RunUntilIdle();
5486
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5487 histograms.ExpectUniqueSample(kReasonHistogram, ssl_early_data_accepted, 1);
5488}
5489
5490// Check that we're correctly logging 0-rtt success when the handshake
5491// concludes during a Read.
David Benjamin74a961d2021-02-11 14:13:07[diff] [blame]5492TEST_F(SSLClientSocketZeroRTTTest, EarlyDataReasonReadServerHello) {
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5493 const char kReasonHistogram[] = "Net.SSLHandshakeEarlyDataReason";
5494 ASSERT_TRUE(StartServer());
5495 ASSERT_TRUE(RunInitialConnection());
5496
5497 // 0-RTT Connection
5498 base::HistogramTester histograms;
5499 MakeClient(true);
5500 ASSERT_THAT(Connect(), IsOk());
5501 constexpr base::StringPiece kRequest = "GET /zerortt HTTP/1.0\r\n\r\n";
5502 EXPECT_EQ(static_cast<int>(kRequest.size()), WriteAndWait(kRequest));
5503
5504 scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
5505 int size = ReadAndWait(buf.get(), 4096);
5506 EXPECT_GT(size, 0);
5507 EXPECT_EQ('1', buf->data()[size - 1]);
5508
David Benjamin74a961d2021-02-11 14:13:07[diff] [blame]5509 // 0-RTT metrics are logged on a PostTask, so if Read returns synchronously,
5510 // it is possible the metrics haven't been picked up yet.
5511 base::RunLoop().RunUntilIdle();
5512
David Van Cleve4134d5b2019-10-07 15:54:53[diff] [blame]5513 SSLInfo ssl_info;
5514 ASSERT_TRUE(GetSSLInfo(&ssl_info));
5515 EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
5516
5517 histograms.ExpectUniqueSample(kReasonHistogram, ssl_early_data_accepted, 1);
5518}
5519
Chris Thompsone3c3a3b02020-12-17 23:20:40[diff] [blame]5520TEST_F(SSLClientSocketTest, VersionMaxOverride) {
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5521 SSLServerConfig server_config;
Chris Thompsone3c3a3b02020-12-17 23:20:40[diff] [blame]5522 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5523 ASSERT_TRUE(
5524 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5525
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5526 // Connecting normally uses the global configuration.
5527 SSLConfig config;
5528 int rv;
5529 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
5530 EXPECT_THAT(rv, IsOk());
5531 SSLInfo info;
5532 ASSERT_TRUE(sock_->GetSSLInfo(&info));
Chris Thompsone3c3a3b02020-12-17 23:20:40[diff] [blame]5533 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1_3,
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5534 SSLConnectionStatusToVersion(info.connection_status));
5535
5536 // Individual sockets may override the maximum version.
5537 config.version_max_override = SSL_PROTOCOL_VERSION_TLS1_2;
5538 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
5539 EXPECT_THAT(rv, IsOk());
5540 ASSERT_TRUE(sock_->GetSSLInfo(&info));
5541 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1_2,
5542 SSLConnectionStatusToVersion(info.connection_status));
Chris Thompsone3c3a3b02020-12-17 23:20:40[diff] [blame]5543}
5544
5545TEST_F(SSLClientSocketTest, VersionMinOverride) {
5546 SSLServerConfig server_config;
5547 server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
5548 ASSERT_TRUE(
5549 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5550
5551 // Connecting normally uses the global configuration.
5552 SSLConfig config;
5553 int rv;
5554 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
5555 EXPECT_THAT(rv, IsOk());
5556 SSLInfo info;
5557 ASSERT_TRUE(sock_->GetSSLInfo(&info));
5558 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1_2,
5559 SSLConnectionStatusToVersion(info.connection_status));
David Benjamin151ec6b2019-08-02 19:38:52[diff] [blame]5560
5561 // Individual sockets may also override the minimum version.
5562 config.version_min_override = SSL_PROTOCOL_VERSION_TLS1_3;
5563 config.version_max_override = SSL_PROTOCOL_VERSION_TLS1_3;
5564 ASSERT_TRUE(CreateAndConnectSSLClientSocket(config, &rv));
5565 EXPECT_THAT(rv, IsError(ERR_SSL_VERSION_OR_CIPHER_MISMATCH));
5566}
5567
David Benjamine992af92021-03-11 20:27:46[diff] [blame]5568// Basic test of CancelReadIfReady works.
5569TEST_F(SSLClientSocketTest, CancelReadIfReady) {
5570 ASSERT_TRUE(
5571 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
5572
5573 // Connect with a FakeBlockingStreamSocket.
5574 auto real_transport = std::make_unique<TCPClientSocket>(
5575 addr(), nullptr, nullptr, nullptr, NetLogSource());
5576 auto transport =
5577 std::make_unique<FakeBlockingStreamSocket>(std::move(real_transport));
5578 FakeBlockingStreamSocket* raw_transport = transport.get();
5579 TestCompletionCallback callback;
5580 ASSERT_THAT(callback.GetResult(transport->Connect(callback.callback())),
5581 IsOk());
5582
5583 // Complete the handshake. Disable the post-handshake peek so that, after the
5584 // handshake, there are no pending reads on the transport.
5585 SSLConfig config;
5586 config.disable_post_handshake_peek_for_testing = true;
5587 auto sock =
5588 CreateSSLClientSocket(std::move(transport), host_port_pair(), config);
5589 ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())), IsOk());
5590
5591 // Block the socket and wait for some data to arrive from the server.
5592 raw_transport->BlockReadResult();
5593 auto write_buf =
5594 base::MakeRefCounted<StringIOBuffer>("GET / HTTP/1.0\r\n\r\n");
5595 ASSERT_EQ(callback.GetResult(sock->Write(write_buf.get(), write_buf->size(),
5596 callback.callback(),
5597 TRAFFIC_ANNOTATION_FOR_TESTS)),
5598 write_buf->size());
5599
5600 // ReadIfReady() should not read anything because the socket is blocked.
5601 bool callback_called = false;
5602 auto read_buf = base::MakeRefCounted<IOBuffer>(100);
5603 int rv = sock->ReadIfReady(
5604 read_buf.get(), 100,
5605 base::BindLambdaForTesting([&](int rv) { callback_called = true; }));
5606 ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
5607
5608 // Cancel ReadIfReady() and unblock the socket.
5609 ASSERT_THAT(sock->CancelReadIfReady(), IsOk());
5610 raw_transport->WaitForReadResult();
5611 raw_transport->UnblockReadResult();
5612 base::RunLoop().RunUntilIdle();
5613
5614 // Although data is now available, the callback should not have been called.
5615 EXPECT_FALSE(callback_called);
5616
5617 // Future reads on the socket should still work. The data should be
5618 // synchronously available.
5619 EXPECT_GT(
5620 callback.GetResult(sock->Read(read_buf.get(), 100, callback.callback())),
5621 0);
5622}
5623
David Benjamind6a9dc32021-10-12 21:50:45[diff] [blame]5624// Test that the server_name extension (SNI) is sent on DNS names, and not IP
5625// literals.
5626TEST_F(SSLClientSocketTest, ServerName) {
5627 absl::optional<std::string> got_server_name;
5628 bool ran_callback = false;
5629 auto reset_callback_state = [&] {
5630 got_server_name = absl::nullopt;
5631 ran_callback = false;
5632 };
5633
5634 // Start a server which records the server name.
5635 SSLServerConfig server_config;
5636 server_config.client_hello_callback_for_testing =
5637 base::BindLambdaForTesting([&](const SSL_CLIENT_HELLO* client_hello) {
5638 const char* server_name =
5639 SSL_get_servername(client_hello->ssl, TLSEXT_NAMETYPE_host_name);
5640 if (server_name) {
5641 got_server_name = server_name;
5642 } else {
5643 got_server_name = absl::nullopt;
5644 }
5645 ran_callback = true;
David Benjamind8d00b62021-11-16 18:27:01[diff] [blame]5646 return true;
David Benjamind6a9dc32021-10-12 21:50:45[diff] [blame]5647 });
5648 ASSERT_TRUE(
5649 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5650
5651 // The client should send the server_name extension for DNS names.
5652 uint16_t port = host_port_pair().port();
5653 int rv;
5654 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(
5655 SSLConfig(), HostPortPair("example.com", port), &rv));
5656 ASSERT_THAT(rv, IsOk());
5657 EXPECT_TRUE(ran_callback);
5658 EXPECT_EQ(got_server_name, "example.com");
5659
5660 // The client should not send the server_name extension for IPv4 and IPv6
5661 // literals. See https://crbug.com/500981.
5662 reset_callback_state();
5663 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(
5664 SSLConfig(), HostPortPair("1.2.3.4", port), &rv));
5665 ASSERT_THAT(rv, IsOk());
5666 EXPECT_TRUE(ran_callback);
5667 EXPECT_EQ(got_server_name, absl::nullopt);
5668
5669 reset_callback_state();
5670 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(
5671 SSLConfig(), HostPortPair("::1", port), &rv));
5672 ASSERT_THAT(rv, IsOk());
5673 EXPECT_TRUE(ran_callback);
5674 EXPECT_EQ(got_server_name, absl::nullopt);
5675
5676 reset_callback_state();
5677 ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(
5678 SSLConfig(), HostPortPair("2001:db8::42", port), &rv));
5679 ASSERT_THAT(rv, IsOk());
5680 EXPECT_TRUE(ran_callback);
5681 EXPECT_EQ(got_server_name, absl::nullopt);
5682}
5683
Bence Békycc859862021-02-08 17:26:40[diff] [blame]5684class SSLClientSocketAlpsTest
5685 : public SSLClientSocketTest,
5686 public ::testing::WithParamInterface<std::tuple<bool, bool>> {
5687 public:
5688 SSLClientSocketAlpsTest()
5689 : client_alps_enabled_(std::get<0>(GetParam())),
5690 server_alps_enabled_(std::get<1>(GetParam())) {}
5691 ~SSLClientSocketAlpsTest() override = default;
5692 const bool client_alps_enabled_;
5693 const bool server_alps_enabled_;
5694};
5695
5696INSTANTIATE_TEST_SUITE_P(All, SSLClientSocketAlpsTest, Combine(Bool(), Bool()));
5697
5698TEST_P(SSLClientSocketAlpsTest, Alps) {
5699 const std::string server_data = "server sends some test data";
5700 const std::string client_data = "client also sends some data";
5701
5702 SSLServerConfig server_config;
5703 server_config.alpn_protos = {kProtoHTTP2};
5704 if (server_alps_enabled_) {
5705 server_config.application_settings[kProtoHTTP2] =
5706 std::vector<uint8_t>(server_data.begin(), server_data.end());
5707 }
5708 ASSERT_TRUE(
5709 StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
5710
5711 SSLConfig client_config;
5712 client_config.alpn_protos = {kProtoHTTP2};
5713 if (client_alps_enabled_) {
5714 client_config.application_settings[kProtoHTTP2] =
5715 std::vector<uint8_t>(client_data.begin(), client_data.end());
5716 }
5717
5718 int rv;
5719 ASSERT_TRUE(CreateAndConnectSSLClientSocket(client_config, &rv));
5720 EXPECT_THAT(rv, IsOk());
5721
5722 SSLInfo info;
5723 ASSERT_TRUE(sock_->GetSSLInfo(&info));
5724 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1_3,
5725 SSLConnectionStatusToVersion(info.connection_status));
5726 EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, info.handshake_type);
5727
5728 EXPECT_EQ(true, sock_->WasAlpnNegotiated());
5729 EXPECT_EQ(kProtoHTTP2, sock_->GetNegotiatedProtocol());
5730
5731 // ALPS is negotiated only if ALPS is enabled both on client and server.
5732 const auto alps_data_received_by_client = sock_->GetPeerApplicationSettings();
5733
5734 if (client_alps_enabled_ && server_alps_enabled_) {
5735 ASSERT_TRUE(alps_data_received_by_client.has_value());
5736 EXPECT_EQ(server_data, alps_data_received_by_client.value());
5737 } else {
5738 EXPECT_FALSE(alps_data_received_by_client.has_value());
5739 }
5740}
5741
[email protected]789aca52013-08-14 06:40:10[diff] [blame]5742} // namespace net