diff options
| author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-10 22:13:50 +0000 |
|---|---|---|
| committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-11-10 22:13:50 +0000 |
| commit | 29b31647b5a1cb744c31d9fa53615ce495661849 (patch) | |
| tree | a1cf824ab5edfd1ae31f4ad7ea91895cefe36195 | |
| parent | 2d6e778368680b39f71e000ee03ce3430b96507a (diff) | |
| download | chromium_src-29b31647b5a1cb744c31d9fa53615ce495661849.zip chromium_src-29b31647b5a1cb744c31d9fa53615ce495661849.tar.gz chromium_src-29b31647b5a1cb744c31d9fa53615ce495661849.tar.bz2 | |
net: add Snap Start tests
These tests are Linux only for now. Adding Mac support should be pretty
easy. However, Windows will be tough to do without making the tests
flakey. Given the huge amounts of pain caused by testserver.py and
ephemeral ports I'd rather get the tests working well on a couple of
platforms (since the Snap Start code is all platform-generic anyway),
then add more flakiness.
BUG=none
TEST=snap_start_unittests
http://codereview.chromium.org/4524003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@65714 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | DEPS | 3 | ||||
| -rw-r--r-- | net/net.gyp | 30 | ||||
| -rw-r--r-- | net/socket/ssl_client_socket_snapstart_unittest.cc | 320 | ||||
| -rw-r--r-- | net/test/openssl_helper.cc | 240 |
4 files changed, 593 insertions, 0 deletions
@@ -271,6 +271,9 @@ deps_os = { "src/third_party/lss": (Var("googlecode_url") % "linux-syscall-support") + "/trunk/lss@3", + + "src/third_party/openssl": + "/trunk/deps/third_party/openssl@65203", }, } diff --git a/net/net.gyp b/net/net.gyp index 083aac4b..2d2aa50 100644 --- a/net/net.gyp +++ b/net/net.gyp @@ -1381,6 +1381,36 @@ # }, # ] # }], + ['OS=="linux"', { + 'targets': [ + { + 'target_name': 'snap_start_unittests', + 'type': 'executable', + 'dependencies': [ + 'net', + 'net_test_support', + 'openssl_helper', + '../build/linux/system.gyp:nss', + '../testing/gmock.gyp:gmock', + '../testing/gtest.gyp:gtest', + ], + 'sources': [ + 'base/run_all_unittests.cc', + 'socket/ssl_client_socket_snapstart_unittest.cc', + ] + }, + { + 'target_name': 'openssl_helper', + 'type': 'executable', + 'dependencies': [ + '../third_party/openssl/openssl.gyp:openssl', + ], + 'sources': [ + 'test/openssl_helper.cc', + ], + }, + ], + }], ['OS=="win"', { 'targets': [ { diff --git a/net/socket/ssl_client_socket_snapstart_unittest.cc b/net/socket/ssl_client_socket_snapstart_unittest.cc new file mode 100644 index 0000000..25c2b1f --- /dev/null +++ b/net/socket/ssl_client_socket_snapstart_unittest.cc @@ -0,0 +1,320 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include <arpa/inet.h> +#include <netinet/tcp.h> +#include <stdarg.h> +#include <sys/socket.h> +#include <sys/types.h> + +#include <sslt.h> + +#include <vector> +#include <string> + +#include "base/eintr_wrapper.h" +#include "base/base64.h" +#include "base/file_path.h" +#include "base/file_util.h" +#include "base/path_service.h" +#include "base/process_util.h" +#include "base/string_util.h" +#include "base/values.h" +#include "net/base/io_buffer.h" +#include "net/base/net_errors.h" +#include "net/base/net_log.h" +#include "net/base/net_log_unittest.h" +#include "net/base/ssl_config_service.h" +#include "net/base/test_completion_callback.h" +#include "net/socket/client_socket_factory.h" +#include "net/socket/ssl_client_socket.h" +#include "net/socket/ssl_client_socket_nss.h" +#include "net/socket/ssl_host_info.h" +#include "net/socket/tcp_client_socket.h" +#include "testing/gtest/include/gtest/gtest.h" +#include "testing/platform_test.h" + +namespace net { + +// TestSSLHostInfo is an SSLHostInfo which stores a single state in memory and +// pretends that certificate verification always succeeds. +class TestSSLHostInfo : public SSLHostInfo { + public: + TestSSLHostInfo() + : SSLHostInfo("example.com", kDefaultSSLConfig) { + if (!saved_.empty()) + Parse(saved_); + cert_verification_complete_ = true; + cert_verification_error_ = OK; + } + + virtual void Start() { + } + + virtual int WaitForDataReady(CompletionCallback*) { return OK; } + + virtual void Persist() { + saved_ = Serialize(); + } + + static void Reset() { + saved_.clear(); + } + + private: + static SSLConfig kDefaultSSLConfig; + static std::string saved_; +}; + +std::string TestSSLHostInfo::saved_; + +SSLConfig TestSSLHostInfo::kDefaultSSLConfig; + +class SSLClientSocketSnapStartTest : public PlatformTest { + public: + SSLClientSocketSnapStartTest() + : child_(base::kNullProcessHandle), + socket_factory_(ClientSocketFactory::GetDefaultFactory()), + log_(CapturingNetLog::kUnbounded) { + TestSSLHostInfo::Reset(); + ssl_config_.snap_start_enabled = true; + } + + virtual void TearDown() { + if (child_ != base::kNullProcessHandle) { + int exit_code; + EXPECT_TRUE(base::WaitForExitCode(child_, &exit_code)); + EXPECT_EQ(0, exit_code); + } + } + + protected: + void StartSnapStartServer(const char* arg, ...) { + FilePath dir_exe; + PathService::Get(base::DIR_EXE, &dir_exe); + FilePath helper_binary = dir_exe.Append("openssl_helper"); + + std::vector<std::string> args; + args.push_back(helper_binary.value()); + + va_list ap; + va_start(ap, arg); + while (arg) { + args.push_back(arg); + arg = va_arg(ap, const char*); + } + va_end(ap); + + const int listener = socket(AF_INET, SOCK_STREAM, 0); + ASSERT_GE(listener, 0); + struct sockaddr_in sin; + memset(&sin, 0, sizeof(sin)); + sin.sin_family = PF_INET; + ASSERT_EQ(0, bind(listener, (struct sockaddr*) &sin, sizeof(sin))); + socklen_t socklen = sizeof(remote_); + ASSERT_EQ(0, getsockname(listener, (struct sockaddr*) &remote_, &socklen)); + ASSERT_EQ(sizeof(remote_), socklen); + ASSERT_EQ(0, listen(listener, 1)); + + base::file_handle_mapping_vector mapping; + // The listening socket is installed as the child's fd 3. + mapping.push_back(std::make_pair(listener, 3)); + base::LaunchApp(args, mapping, false /* don't wait */, &child_); + HANDLE_EINTR(close(listener)); + } + + // LoadDefaultCert returns the DER encoded default certificate. + std::string LoadDefaultCert() { + FilePath path; + PathService::Get(base::DIR_SOURCE_ROOT, &path); + path = path.Append("net"); + path = path.Append("data"); + path = path.Append("ssl"); + path = path.Append("certificates"); + path = path.Append("ok_cert.pem"); + + std::string pem; + bool r = file_util::ReadFileToString(path, &pem); + CHECK(r) << "failed to read " << path.value(); + + static const char kStartMarker[] = "-----BEGIN CERTIFICATE-----\n"; + static const char kEndMarker[] = "-----END CERTIFICATE-----\n"; + + std::string::size_type i = pem.find(kStartMarker); + std::string::size_type j = pem.find(kEndMarker); + CHECK(i != std::string::npos); + CHECK(j != std::string::npos); + CHECK_GT(j, i); + i += sizeof(kStartMarker) - 1; + + std::string b64data = pem.substr(i, j - i); + ReplaceSubstringsAfterOffset(&b64data, 0 /* start offset */, "\n", ""); + + std::string der; + base::Base64Decode(b64data, &der); + return der; + } + + void SetupSSLConfig() { + if (ssl_config_.allowed_bad_certs.size()) + return; + const std::string der = LoadDefaultCert(); + SSLConfig::CertAndStatus cert_and_status; + cert_and_status.cert = + X509Certificate::CreateFromBytes(der.data(), der.size()); + cert_and_status.cert_status = ERR_CERT_AUTHORITY_INVALID; + + ssl_config_.allowed_bad_certs.push_back(cert_and_status); + } + + // PerformConnection makes an SSL connection to the openssl_helper binary and + // does a ping-pong test to check the the SSL socket is working correctly. + void PerformConnection() { + client_ = socket(AF_INET, SOCK_STREAM, 0); + ASSERT_LE(0, client_); + ASSERT_EQ( + 0, connect(client_, (struct sockaddr*) &remote_, sizeof(remote_))); + int on = 1; + setsockopt(client_, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); + + SetupSSLConfig(); + log_.Clear(); + + std::vector<uint8> localhost; + localhost.push_back(127); + localhost.push_back(0); + localhost.push_back(0); + localhost.push_back(1); + AddressList addr_list(localhost, 443, false); + TCPClientSocket* transport = new TCPClientSocket( + addr_list, &log_, NetLog::Source()); + + transport->AdoptSocket(client_); + scoped_ptr<SSLClientSocket> sock( + socket_factory_->CreateSSLClientSocket(transport, + "example.com", ssl_config_, new TestSSLHostInfo())); + + TestCompletionCallback callback; + int rv = sock->Connect(&callback); + if (rv != OK) { + ASSERT_EQ(ERR_IO_PENDING, rv); + EXPECT_FALSE(sock->IsConnected()); + rv = callback.WaitForResult(); + EXPECT_EQ(OK, rv); + } + EXPECT_TRUE(sock->IsConnected()); + + static const char request_text[] = "hello!"; + scoped_refptr<IOBuffer> request_buffer = + new IOBuffer(arraysize(request_text) - 1); + memcpy(request_buffer->data(), request_text, arraysize(request_text) - 1); + rv = sock->Write(request_buffer, arraysize(request_text), &callback); + if (rv < 0) { + ASSERT_EQ(ERR_IO_PENDING, rv); + rv = callback.WaitForResult(); + } + EXPECT_EQ(7, rv); + + scoped_refptr<IOBuffer> reply_buffer = new IOBuffer(8); + rv = sock->Read(reply_buffer, 8, &callback); + if (rv < 0) { + ASSERT_EQ(ERR_IO_PENDING, rv); + rv = callback.WaitForResult(); + } + EXPECT_EQ(8, rv); + EXPECT_TRUE(memcmp(reply_buffer->data(), "goodbye!", 8) == 0); + + sock->Disconnect(); + } + + // SnapStartEventType extracts the type of Snap Start from the NetLog. See + // the SSL_SNAP_START_* defines in sslt.h + int SnapStartEventType() { + const std::vector<CapturingNetLog::Entry>& entries = log_.entries(); + for (std::vector<CapturingNetLog::Entry>::const_iterator + i = entries.begin(); i != entries.end(); i++) { + if (i->type == NetLog::TYPE_SSL_SNAP_START) { + scoped_ptr<Value> value(i->extra_parameters->ToValue()); + CHECK(value->GetType() == Value::TYPE_DICTIONARY); + DictionaryValue* dict = reinterpret_cast<DictionaryValue*>(value.get()); + int ret; + CHECK(dict->GetInteger("type", &ret)); + return ret; + } + } + return -1; + } + + // DidMerge returns true if the NetLog suggests the the SSL connection merged + // it's certificate validation with the optimistic validation from the + // SSLHostInfo. + bool DidMerge() { + const std::vector<CapturingNetLog::Entry>& entries = log_.entries(); + for (std::vector<CapturingNetLog::Entry>::const_iterator + i = entries.begin(); i != entries.end(); i++) { + if (i->type == NetLog::TYPE_SSL_VERIFICATION_MERGED) + return true; + } + return false; + } + + base::ProcessHandle child_; + ClientSocketFactory* const socket_factory_; + struct sockaddr_in remote_; + int client_; + SSLConfig ssl_config_; + CapturingNetLog log_; +}; + +TEST_F(SSLClientSocketSnapStartTest, Basic) { + // Not a Snap Start connection. + StartSnapStartServer(NULL); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_NONE, SnapStartEventType()); + EXPECT_FALSE(DidMerge()); +} + +TEST_F(SSLClientSocketSnapStartTest, SnapStart) { + StartSnapStartServer("snap-start", NULL); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_NONE, SnapStartEventType()); + EXPECT_FALSE(DidMerge()); + SSLClientSocketNSS::ClearSessionCache(); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_FULL, SnapStartEventType()); + EXPECT_TRUE(DidMerge()); +} + +TEST_F(SSLClientSocketSnapStartTest, SnapStartResume) { + StartSnapStartServer("snap-start", NULL); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_NONE, SnapStartEventType()); + EXPECT_FALSE(DidMerge()); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_RESUME, SnapStartEventType()); + EXPECT_TRUE(DidMerge()); +} + +TEST_F(SSLClientSocketSnapStartTest, SnapStartRecovery) { + StartSnapStartServer("snap-start-recovery", NULL); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_NONE, SnapStartEventType()); + EXPECT_FALSE(DidMerge()); + SSLClientSocketNSS::ClearSessionCache(); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_RECOVERY, SnapStartEventType()); + EXPECT_TRUE(DidMerge()); +} + +TEST_F(SSLClientSocketSnapStartTest, SnapStartResumeRecovery) { + StartSnapStartServer("snap-start-recovery", NULL); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_NONE, SnapStartEventType()); + EXPECT_FALSE(DidMerge()); + PerformConnection(); + EXPECT_EQ(SSL_SNAP_START_RESUME_RECOVERY, SnapStartEventType()); + EXPECT_TRUE(DidMerge()); +} + +} // namespace net diff --git a/net/test/openssl_helper.cc b/net/test/openssl_helper.cc new file mode 100644 index 0000000..b3eb20f --- /dev/null +++ b/net/test/openssl_helper.cc @@ -0,0 +1,240 @@ +// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// This helper binary is only used for testing Chrome's SSL stack. + +#include <sys/types.h> +#include <sys/socket.h> + +#include <openssl/bio.h> +#include <openssl/ssl.h> +#include <openssl/err.h> + +static const char kDefaultPEMFile[] = "net/data/ssl/certificates/ok_cert.pem"; + +// Server Name Indication callback from OpenSSL +static int sni_cb(SSL *s, int *ad, void *arg) { + const char* servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (servername && strcmp(servername, "test.example.com") == 0) + *reinterpret_cast<bool*>(arg) = true; + + return SSL_TLSEXT_ERR_OK; +} + +// Client certificate verification callback from OpenSSL +static int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) { + return 1; +} + +// Next Protocol Negotiation callback from OpenSSL +static int next_proto_cb(SSL *ssl, const unsigned char **out, + unsigned int *outlen, void *arg) { + static char kProtos[] = "\003foo\003bar"; + *out = (const unsigned char*) kProtos; + *outlen = sizeof(kProtos) - 1; + return SSL_TLSEXT_ERR_OK; +} + +int +main(int argc, char **argv) { + SSL_library_init(); + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + SSL_load_error_strings(); + + bool sni = false, sni_good = false, snap_start = false; + bool snap_start_recovery = false, sslv3 = false, session_tickets = false; + bool fail_resume = false, client_cert = false, npn = false; + + const char* key_file = kDefaultPEMFile; + const char* cert_file = kDefaultPEMFile; + + for (int i = 1; i < argc; i++) { + if (strcmp(argv[i], "sni") == 0) { + // Require SNI + sni = true; + } else if (strcmp(argv[i], "snap-start") == 0) { + // Support Snap Start + snap_start = true; + } else if (strcmp(argv[i], "snap-start-recovery") == 0) { + // Support Snap Start, but always trigger a recovery + snap_start = true; + snap_start_recovery = true; + } else if (strcmp(argv[i], "sslv3") == 0) { + // Use SSLv3 + sslv3 = true; + } else if (strcmp(argv[i], "session-tickets") == 0) { + // Enable Session Tickets + session_tickets = true; + } else if (strcmp(argv[i], "fail-resume") == 0) { + // Always fail to resume sessions + fail_resume = true; + } else if (strcmp(argv[i], "client-cert") == 0) { + // Request a client certificate + client_cert = true; + } else if (strcmp(argv[i], "npn") == 0) { + // Advertise NPN + npn = true; + } else if (strcmp(argv[i], "--key-file") == 0) { + // Use alternative key file + i++; + if (i == argc) { + fprintf(stderr, "Missing argument to --key-file\n"); + return 1; + } + key_file = argv[i]; + } else if (strcmp(argv[i], "--cert-file") == 0) { + // Use alternative certificate file + i++; + if (i == argc) { + fprintf(stderr, "Missing argument to --cert-file\n"); + return 1; + } + cert_file = argv[i]; + } else { + fprintf(stderr, "Unknown argument: %s\n", argv[i]); + return 1; + } + } + + SSL_CTX* ctx; + + if (sslv3) { + ctx = SSL_CTX_new(SSLv3_server_method()); + } else { + ctx = SSL_CTX_new(TLSv1_server_method()); + } + + if (sni) { + SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, &sni_good); + } + + BIO* key = BIO_new(BIO_s_file()); + if (BIO_read_filename(key, key_file) <= 0) { + fprintf(stderr, "Failed to read %s\n", key_file); + return 1; + } + + EVP_PKEY *pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, NULL); + if (!pkey) { + fprintf(stderr, "Failed to parse %s\n", key_file); + return 1; + } + BIO_free(key); + + + BIO* cert = BIO_new(BIO_s_file()); + if (BIO_read_filename(cert, cert_file) <= 0) { + fprintf(stderr, "Failed to read %s\n", cert_file); + return 1; + } + + X509 *pcert = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL); + if (!pcert) { + fprintf(stderr, "Failed to parse %s\n", cert_file); + return 1; + } + BIO_free(cert); + + if (SSL_CTX_use_certificate(ctx, pcert) <= 0) { + fprintf(stderr, "Failed to load %s\n", cert_file); + return 1; + } + + if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) { + fprintf(stderr, "Failed to load %s\n", key_file); + return 1; + } + + if (!SSL_CTX_check_private_key(ctx)) { + fprintf(stderr, "Public and private keys don't match\n"); + return 1; + } + + if (client_cert) + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb); + + if (session_tickets) + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH); + + if (snap_start) { + static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8}; + SSL_CTX_set_snap_start_orbit(ctx, orbit); + } + + if (npn) + SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, NULL); + + unsigned connection_limit = 1; + if (snap_start || session_tickets) + connection_limit = 2; + + for (unsigned connections = 0; connections < connection_limit; + connections++) { + const int fd = accept(3, NULL, NULL); + + SSL* server = SSL_new(ctx); + BIO* bio = BIO_new_socket(fd, 1 /* take ownership of fd */); + SSL_set_bio(server, bio, bio); + + if (fail_resume) { + SSL_set_session_id_context(server, (unsigned char*) &connections, + sizeof(connections)); + } + + int err; + for (;;) { + const int ret = SSL_accept(server); + if (ret == 1) + break; + + err = SSL_get_error(server, ret); + if (err == SSL_ERROR_WANT_READ) + continue; + if (err == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING && snap_start) { + SSL_set_suggested_server_random_validity( + server, !snap_start_recovery); + continue; + } + ERR_print_errors_fp(stderr); + fprintf(stderr, "SSL_accept failed: %d\n", err); + return 1; + } + + if (sni && !sni_good) { + fprintf(stderr, "SNI failed\n"); + return 1; + } + + if (npn) { + const unsigned char *data; + unsigned len; + SSL_get0_next_proto_negotiated(server, &data, &len); + if (len != 3 || memcmp(data, "bar", 3) != 0) { + fprintf(stderr, "Bad NPN: %d\n", len); + return 1; + } + } + + unsigned char buffer[6]; + + int ret = SSL_read(server, buffer, sizeof(buffer)); + if (ret == -1) { + err = SSL_get_error(server, ret); + ERR_print_errors_fp(stderr); + fprintf(stderr, "SSL_read failed: %d\n", err); + } + if (memcmp(buffer, "hello!", sizeof(buffer)) == 0) { + SSL_write(server, "goodbye!", 8); + } + + SSL_shutdown(server); + SSL_shutdown(server); + } + + SSL_CTX_free(ctx); + + return 0; +} |