author | haavardm@opera.com <haavardm@opera.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-15 16:30:33 +0000 |
committer | haavardm@opera.com <haavardm@opera.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-15 16:30:33 +0000 |
commit | df3db7a2076b32f64fe1e1e757c7005ced9a15b7 (patch) | |
tree | c7073da48314124331fee7060a2f5ce06894f9b7 | |
parent | 84b24c832afdad47399b29a2b8e3ad4ca61dc1ea (diff) | |
Move channel id tests up from OpenSSL and update channelid version.
NSS (and soon OpenSSL) runs the new ChannelID version 30032. This patch
moves the simple ChannelID tests from OpenSSL unittests to the general
ssl_client_socket_unittest.cc and updates the channelid version in
TLS Lite.
TLS Lite is not updated with ChannelId resumption support since
ChannelID signature checking is not yet implemented in TLS Lite.
ChannelID Signature checks, along with ChannelId resumption support
and ChannelID resumption tests should be implemented in further work.
This CL will also roll third_party/openssl:
OpenSSL: rolls DEPS 267648->269063
Takes in following change:
r269063 | haavardm@opera.com | 2014-05-08 17:48:32 +0200 (to., 08 mai 2014) | 8 lines
New tls channel id version for OpenSSL
New tls channel id version extracted from patch 0015-channelid.patch attached to http://crbug.com/366961.
BUG=366961
Review URL: https://codereview.chromium.org/263213005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@270683 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | DEPS | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl_unittest.cc | 85 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_unittest.cc | 145 | ||||
-rw-r--r-- | third_party/tlslite/patches/channel_id.patch | 2 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/constants.py | 2 |
5 files changed, 148 insertions, 88 deletions
@@ -70,7 +70,7 @@ vars = {
 # Three lines of non-changing comments so that
 # the commit queue can handle CLs rolling openssl
 # and whatever else without interference from each other.
- "openssl_revision": "267674",
+ "openssl_revision": "269063",
 # Three lines of non-changing comments so that
 # the commit queue can handle CLs rolling ANGLE
 # and whatever else without interference from each other.
diff --git a/net/socket/ssl_client_socket_openssl_unittest.cc b/net/socket/ssl_client_socket_openssl_unittest.cc
index 91c9a93..00cf9f3 100644
--- a/net/socket/ssl_client_socket_openssl_unittest.cc
+++ b/net/socket/ssl_client_socket_openssl_unittest.cc
@@ -35,9 +35,7 @@
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/socket_test_util.h"
 #include "net/socket/tcp_client_socket.h"
-#include "net/ssl/default_server_bound_cert_store.h"
 #include "net/ssl/openssl_client_key_store.h"
-#include "net/ssl/server_bound_cert_service.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/test/cert_test_util.h"
@@ -64,35 +62,6 @@ typedef crypto::ScopedOpenSSL<BIGNUM, BN_free> ScopedBIGNUM;
 const SSLConfig kDefaultSSLConfig;
-// A ServerBoundCertStore that always returns an error when asked for a
-// certificate.
-class FailingServerBoundCertStore : public ServerBoundCertStore {
- virtual int GetServerBoundCert(const std::string& server_identifier,
- base::Time* expiration_time,
- std::string* private_key_result,
- std::string* cert_result,
- const GetCertCallback& callback) OVERRIDE {
- return ERR_UNEXPECTED;
- }
- virtual void SetServerBoundCert(const std::string& server_identifier,
- base::Time creation_time,
- base::Time expiration_time,
- const std::string& private_key,
- const std::string& cert) OVERRIDE {}
- virtual void DeleteServerBoundCert(const std::string& server_identifier,
- const base::Closure& completion_callback)
- OVERRIDE {}
- virtual void DeleteAllCreatedBetween(base::Time delete_begin,
- base::Time delete_end,
- const base::Closure& completion_callback)
- OVERRIDE {}
- virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
- virtual void GetAllServerBoundCerts(const GetCertListCallback& callback)
- OVERRIDE {}
- virtual int GetCertCount() OVERRIDE { return 0; }
- virtual void SetForceKeepSessionState() OVERRIDE {}
-};
-
 // Loads a PEM-encoded private key file into a scoped EVP_PKEY object.
 // |filepath| is the private key file path.
 // |*pkey| is reset to the new EVP_PKEY on success, untouched otherwise.
@@ -141,20 +110,6 @@ class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
 }
 protected:
- void EnabledChannelID() {
- cert_service_.reset(
- new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
- base::MessageLoopProxy::current()));
- context_.server_bound_cert_service = cert_service_.get();
- }
-
- void EnabledFailingChannelID() {
- cert_service_.reset(
- new ServerBoundCertService(new FailingServerBoundCertStore(),
- base::MessageLoopProxy::current()));
- context_.server_bound_cert_service = cert_service_.get();
- }
-
 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
 scoped_ptr<StreamSocket> transport_socket,
 const HostPortPair& host_and_port,
@@ -236,7 +191,6 @@ class SSLClientSocketOpenSSLClientAuthTest : public PlatformTest {
 return ssl_info.client_cert_sent;
 }
- scoped_ptr<ServerBoundCertService> cert_service_;
 ClientSocketFactory* socket_factory_;
 scoped_ptr<MockCertVerifier> cert_verifier_;
 scoped_ptr<TransportSecurityState> transport_security_state_;
@@ -323,45 +277,6 @@ TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendGoodCert) {
 sock_->Disconnect();
 EXPECT_FALSE(sock_->IsConnected());
 }
-
-// Connect to a server using channel id. It should allow the connection.
-TEST_F(SSLClientSocketOpenSSLClientAuthTest, SendChannelID) {
- SpawnedTestServer::SSLOptions ssl_options;
-
- ASSERT_TRUE(ConnectToTestServer(ssl_options));
-
- EnabledChannelID();
- SSLConfig ssl_config = kDefaultSSLConfig;
- ssl_config.channel_id_enabled = true;
-
- int rv;
- ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
-
- EXPECT_EQ(OK, rv);
- EXPECT_TRUE(sock_->IsConnected());
- EXPECT_TRUE(sock_->WasChannelIDSent());
-
- sock_->Disconnect();
- EXPECT_FALSE(sock_->IsConnected());
-}
-
-// Connect to a server using channel id but without sending a key. It should
-// fail.
-TEST_F(SSLClientSocketOpenSSLClientAuthTest, FailingChannelID) {
- SpawnedTestServer::SSLOptions ssl_options;
-
- ASSERT_TRUE(ConnectToTestServer(ssl_options));
-
- EnabledFailingChannelID();
- SSLConfig ssl_config = kDefaultSSLConfig;
- ssl_config.channel_id_enabled = true;
-
- int rv;
- ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
-
- EXPECT_EQ(ERR_UNEXPECTED, rv);
- EXPECT_FALSE(sock_->IsConnected());
-}
 #endif // defined(USE_OPENSSL_CERTS)
 } // namespace
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 05844cd..8d8e2fd 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -22,6 +22,7 @@
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/socket_test_util.h"
 #include "net/socket/tcp_client_socket.h"
+#include "net/ssl/default_server_bound_cert_store.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_config_service.h"
 #include "net/test/cert_test_util.h"
@@ -557,6 +558,35 @@ class DeleteSocketCallback : public TestCompletionCallbackBase {
 DISALLOW_COPY_AND_ASSIGN(DeleteSocketCallback);
 };
+// A ServerBoundCertStore that always returns an error when asked for a
+// certificate.
+class FailingServerBoundCertStore : public ServerBoundCertStore {
+ virtual int GetServerBoundCert(const std::string& server_identifier,
+ base::Time* expiration_time,
+ std::string* private_key_result,
+ std::string* cert_result,
+ const GetCertCallback& callback) OVERRIDE {
+ return ERR_UNEXPECTED;
+ }
+ virtual void SetServerBoundCert(const std::string& server_identifier,
+ base::Time creation_time,
+ base::Time expiration_time,
+ const std::string& private_key,
+ const std::string& cert) OVERRIDE {}
+ virtual void DeleteServerBoundCert(const std::string& server_identifier,
+ const base::Closure& completion_callback)
+ OVERRIDE {}
+ virtual void DeleteAllCreatedBetween(base::Time delete_begin,
+ base::Time delete_end,
+ const base::Closure& completion_callback)
+ OVERRIDE {}
+ virtual void DeleteAll(const base::Closure& completion_callback) OVERRIDE {}
+ virtual void GetAllServerBoundCerts(const GetCertListCallback& callback)
+ OVERRIDE {}
+ virtual int GetCertCount() OVERRIDE { return 0; }
+ virtual void SetForceKeepSessionState() OVERRIDE {}
+};
+
 class SSLClientSocketTest : public PlatformTest {
 public:
 SSLClientSocketTest()
@@ -569,6 +599,30 @@ class SSLClientSocketTest : public PlatformTest {
 }
 protected:
+ // Sets up a TCP connection to a HTTPS server. To actually do the SSL
+ // handshake, follow up with call to CreateAndConnectSSLClientSocket() below.
+ bool ConnectToTestServer(SpawnedTestServer::SSLOptions& ssl_options) {
+ test_server_.reset(new SpawnedTestServer(
+ SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()));
+ if (!test_server_->Start()) {
+ LOG(ERROR) << "Could not start SpawnedTestServer";
+ return false;
+ }
+
+ if (!test_server_->GetAddressList(&addr_)) {
+ LOG(ERROR) << "Could not get SpawnedTestServer address list";
+ return false;
+ }
+
+ transport_.reset(new TCPClientSocket(addr_, &log_, NetLog::Source()));
+ int rv = callback_.GetResult(transport_->Connect(callback_.callback()));
+ if (rv != OK) {
+ LOG(ERROR) << "Could not connect to SpawnedTestServer";
+ return false;
+ }
+ return true;
+ }
+
 scoped_ptr<SSLClientSocket> CreateSSLClientSocket(
 scoped_ptr<StreamSocket> transport_socket,
 const HostPortPair& host_and_port,
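Review bot: `ConnectToTestServer` takes `SpawnedTestServer::SSLOptions& ssl_options` as a non-const reference although the body only forwards it to the SpawnedTestServer constructor, which blocks temporaries at call sites and suggests to a reader that the options are modified. Prefer `bool ConnectToTestServer(const SpawnedTestServer::SSLOptions& ssl_options)` if the constructor accepts a const reference (its declaration is outside this hunk). Also note that a failed `Start()` or `GetAddressList()` leaves `test_server_` populated, so only the documented "follow up after a successful call" contract keeps a later `CreateAndConnectSSLClientSocket()` from using a server that never started; a sentence in the header comment saying `test_server_`/`transport_` are left in an unspecified state on failure would make that explicit. Minor: the comment should read `an HTTPS server`.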
@@ -579,10 +633,39 @@ class SSLClientSocketTest : public PlatformTest {
 connection.Pass(), host_and_port, ssl_config, context_);
 }
+ // Create an SSLClientSocket object and use it to connect to a test
+ // server, then wait for connection results. This must be called after
+ // a successful ConnectToTestServer() call.
+ // |ssl_config| the SSL configuration to use.
+ // |result| will retrieve the ::Connect() result value.
+ // Returns true on success, false otherwise. Success means that the socket
+ // could be created and its Connect() was called, not that the connection
+ // itself was a success.
+ bool CreateAndConnectSSLClientSocket(SSLConfig& ssl_config, int* result) {
+ sock_ = CreateSSLClientSocket(
+ transport_.Pass(), test_server_->host_port_pair(), ssl_config);
+
+ if (sock_->IsConnected()) {
+ LOG(ERROR) << "SSL Socket prematurely connected";
+ return false;
+ }
+
+ *result = callback_.GetResult(sock_->Connect(callback_.callback()));
+ return true;
+ }
+
 ClientSocketFactory* socket_factory_;
 scoped_ptr<MockCertVerifier> cert_verifier_;
 scoped_ptr<TransportSecurityState> transport_security_state_;
 SSLClientSocketContext context_;
+ scoped_ptr<SSLClientSocket> sock_;
+ CapturingNetLog log_;
+
+ private:
+ scoped_ptr<StreamSocket> transport_;
+ scoped_ptr<SpawnedTestServer> test_server_;
+ TestCompletionCallback callback_;
+ AddressList addr_;
 };
 // Verifies the correctness of GetSSLCertRequestInfo.
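Review bot: `CreateAndConnectSSLClientSocket` moves `transport_` out with `transport_.Pass()` and dereferences `test_server_` without checking either is set, so a second call, or a call that was not preceded by a successful `ConnectToTestServer()`, hands a null StreamSocket to `CreateSSLClientSocket` (or dereferences a null `test_server_`) instead of returning the documented `false`. Guard the precondition before the move: `if (!transport_ || !test_server_) { LOG(ERROR) << "ConnectToTestServer() must succeed first"; return false; }`. `SSLConfig& ssl_config` is only read here and could be `const SSLConfig&`, assuming `CreateSSLClientSocket`'s third parameter (cut off at the top of this hunk) is const as well.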
@@ -713,6 +796,25 @@ class SSLClientSocketFalseStartTest : public SSLClientSocketTest {
 }
 };
+class SSLClientSocketChannelIDTest : public SSLClientSocketTest {
+ protected:
+ void EnableChannelID() {
+ cert_service_.reset(
+ new ServerBoundCertService(new DefaultServerBoundCertStore(NULL),
+ base::MessageLoopProxy::current()));
+ context_.server_bound_cert_service = cert_service_.get();
+ }
+
+ void EnableFailingChannelID() {
+ cert_service_.reset(new ServerBoundCertService(
+ new FailingServerBoundCertStore(), base::MessageLoopProxy::current()));
+ context_.server_bound_cert_service = cert_service_.get();
+ }
+
+ private:
+ scoped_ptr<ServerBoundCertService> cert_service_;
+};
+
 //-----------------------------------------------------------------------------
 // LogContainsSSLConnectEndEvent returns true if the given index in the given
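Review bot: `cert_service_` lives in the derived fixture while `sock_` and `context_` live in `SSLClientSocketTest`, so at fixture teardown the ServerBoundCertService is destroyed before the socket that received a raw pointer to it via `context_.server_bound_cert_service`. If the socket's destructor or its Disconnect() path still touches the service (for example to cancel an outstanding channel ID lookup), that is a use-after-free inside the test; `FailingChannelID` below never calls `Disconnect()`, so `sock_` is still alive when `cert_service_` goes away. Override `TearDown()` in this fixture to run `sock_.reset(); context_.server_bound_cert_service = NULL;` before the base teardown, or move `cert_service_` into the base fixture so destruction order matches pointer lifetime.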
@@ -2363,4 +2465,47 @@ TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) {
 TestFalseStart(server_options, client_config, false);
 }
+// Connect to a server using channel id. It should allow the connection.
+TEST_F(SSLClientSocketChannelIDTest, SendChannelID) {
+ SpawnedTestServer::SSLOptions ssl_options;
+
+ ASSERT_TRUE(ConnectToTestServer(ssl_options));
+
+ EnableChannelID();
+ SSLConfig ssl_config = kDefaultSSLConfig;
+ ssl_config.channel_id_enabled = true;
+
+ int rv;
+ ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+
+ EXPECT_EQ(OK, rv);
+ EXPECT_TRUE(sock_->IsConnected());
+ EXPECT_TRUE(sock_->WasChannelIDSent());
+
+ sock_->Disconnect();
+ EXPECT_FALSE(sock_->IsConnected());
+}
+
+// Connect to a server using channel id but without sending a key. It should
+// fail.
+TEST_F(SSLClientSocketChannelIDTest, FailingChannelID) {
+ SpawnedTestServer::SSLOptions ssl_options;
+
+ ASSERT_TRUE(ConnectToTestServer(ssl_options));
+
+ EnableFailingChannelID();
+ SSLConfig ssl_config = kDefaultSSLConfig;
+ ssl_config.channel_id_enabled = true;
+
+ int rv;
+ ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+
+ // TODO(haavardm@opera.com): Due to differences in threading, Linux returns
+ // ERR_UNEXPECTED while Mac and Windows return ERR_PROTOCOL_ERROR. Accept all
+ // error codes for now.
+ // http://crbug.com/373670
+ EXPECT_NE(OK, rv);
+ EXPECT_FALSE(sock_->IsConnected());
+}
+
 } // namespace net
diff --git a/third_party/tlslite/patches/channel_id.patch b/third_party/tlslite/patches/channel_id.patch
index 34d4e9d..0fe1692 100644
--- a/third_party/tlslite/patches/channel_id.patch
+++ b/third_party/tlslite/patches/channel_id.patch
@@ -14,7 +14,7 @@ index d52e596..79ad145 100755
 cert_type = 9 # RFC 6091
 tack = 0xF300
 supports_npn = 13172
-+ channel_id = 30031
++ channel_id = 30032
 class NameType:
 host_name = 0
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index feca423..30d1f9f 100644
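Review bot: `SendChannelID` proves only that the client believes it sent a ChannelID (`sock_->WasChannelIDSent()`); per the CL description the TLS Lite test server does not verify the ChannelID signature yet, so a wrong signature or a version mismatch in the extension would still pass as long as the server does not abort the handshake. That limitation belongs next to the assertion: `// Client-side check only: the TLS Lite server does not yet verify the ChannelID signature, so this shows the extension was sent, not that it was accepted.` In `FailingChannelID`, `EXPECT_NE(OK, rv)` accepts any failure, including one unrelated to channel ID (e.g. the test server failing to start); once crbug.com/373670 is resolved, pin the expected error code and add `EXPECT_FALSE(sock_->WasChannelIDSent());` so a regression where the store error is swallowed and the handshake continues without a ChannelID is caught. The tlslite patch hunk that follows is a version-number bump and needs no review.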
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -52,7 +52,7 @@ class ExtensionType: # RFC 6066 / 4366
 signed_cert_timestamps = 18 # RFC 6962
 tack = 0xF300
 supports_npn = 13172
- channel_id = 30031
+ channel_id = 30032
 class NameType:
 host_name = 0 |