// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/socket/ssl_session_cache_openssl.h"
#include <openssl/ssl.h>
#include "base/lazy_instance.h"
#include "base/logging.h"
#include "base/strings/stringprintf.h"
#include "crypto/openssl_util.h"
#include "crypto/scoped_openssl_types.h"
#include "testing/gtest/include/gtest/gtest.h"
// Internal (non-public) OpenSSL function that creates a new session for an
// existing SSL object. This shall force a call to the 'generate_session_id'
// callback from the SSL's session context.
// |s| is the target SSL connection handle.
// |session| is non-0 to ask for the creation of a new session. If 0,
// this will set an empty session with no ID instead.
// NOTE(review): this prototype is written by hand instead of coming from an
// OpenSSL header, so the compiler cannot check it against the library. It
// has to be re-verified whenever the linked OpenSSL changes.
extern "C" int ssl_get_new_session(SSL* s, int session);

// Internal (non-public) OpenSSL function which is used internally to add
// a new session to the cache. It is normally triggered by a successful
// connection. However, this unit test does not use the network at all.
// NOTE(review): hand-written prototype; a signature mismatch with the linked
// library would not be diagnosed at build time.
extern "C" void ssl_update_cache(SSL* s, int mode);
namespace net {
namespace {
// Scoped owners for the OpenSSL handles used by these tests. Each wrapper is
// parameterized with the matching release function (SSL_free for SSL,
// SSL_CTX_free for SSL_CTX), so test code does not call them directly.
typedef crypto::ScopedOpenSSL<SSL, SSL_free>::Type ScopedSSL;
typedef crypto::ScopedOpenSSL<SSL_CTX, SSL_CTX_free>::Type ScopedSSL_CTX;
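// Helper class used to associate arbitrary std::string keys with SSL objects.
// Each key lives in a heap-allocated std::string stored in an SSL ex_data
// slot. The slot is registered with KeyDup/KeyFree so that the string is
// copied when the SSL object is duplicated and deleted when it is destroyed.
class SSLKeyHelper {
 public:
  // Return the string associated with a given SSL handle |ssl|, or the
  // empty string if none exists.
  static std::string Get(const SSL* ssl) {
    return GetInstance()->GetValue(ssl);
  }

  // Associate a string with a given SSL handle |ssl|. Calling this again on
  // the same handle replaces the previous string.
  static void Set(SSL* ssl, const std::string& value) {
    GetInstance()->SetValue(ssl, value);
  }

  // Return the shared helper instance, created on first use. It is declared
  // Leaky, i.e. it is intentionally never destroyed.
  static SSLKeyHelper* GetInstance() {
    static base::LazyInstance<SSLKeyHelper>::Leaky s_instance =
        LAZY_INSTANCE_INITIALIZER;
    return s_instance.Pointer();
  }

  // Reserve the ex_data index used to store the key and register the
  // duplicate/free callbacks for it. Aborts if no index can be allocated.
  SSLKeyHelper() {
    ex_index_ = SSL_get_ex_new_index(0, NULL, NULL, KeyDup, KeyFree);
    CHECK_NE(-1, ex_index_);
  }

  // Return a copy of the string stored on |ssl|, or an empty string when the
  // slot has never been set.
  std::string GetValue(const SSL* ssl) {
    const std::string* value =
        static_cast<const std::string*>(SSL_get_ex_data(ssl, ex_index_));
    return value ? *value : std::string();
  }

  // Store a heap copy of |value| on |ssl|. Aborts if the slot cannot be
  // written.
  void SetValue(SSL* ssl, const std::string& value) {
    // Remember what the slot held before overwriting it: KeyFree only sees
    // the pointer that is in the slot when the SSL object is destroyed, so a
    // replaced string would otherwise never be deleted.
    std::string* previous =
        static_cast<std::string*>(SSL_get_ex_data(ssl, ex_index_));
    int ret = SSL_set_ex_data(ssl, ex_index_, new std::string(value));
    CHECK_EQ(1, ret);
    delete previous;
  }

  // Called when an SSL object is copied through SSL_dup(). This needs to copy
  // the value as well, otherwise both SSL objects would hand the same pointer
  // to KeyFree and it would be deleted twice.
  static int KeyDup(CRYPTO_EX_DATA* to,
                    const CRYPTO_EX_DATA* from,
                    void** from_fd,
                    int idx,
                    long argl,
                    void* argp) {
    // |from_fd| is really the address of a temporary pointer. On input, it
    // points to the value from the original SSL object. The function must
    // update it to the address of a copy.
    std::string** ptr = reinterpret_cast<std::string**>(from_fd);
    const std::string* old_string = *ptr;
    // The source object may never have had a key attached, in which case the
    // slot is NULL. Leave it NULL for the copy instead of dereferencing it.
    if (old_string)
      *ptr = new std::string(*old_string);
    // NOTE(review): confirm the return value is still ignored if the linked
    // OpenSSL version changes.
    return 0;  // Ignored by the implementation.
  }

  // Called to destroy the value associated with an SSL object. |ptr| is the
  // std::string stored in the slot, or NULL if the slot was never set.
  static void KeyFree(void* parent,
                      void* ptr,
                      CRYPTO_EX_DATA* ad,
                      int index,
                      long argl,
                      void* argp) {
    delete static_cast<std::string*>(ptr);
  }

  // ex_data index reserved for the key string.
  int ex_index_;
};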
} // namespace
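// Test fixture that owns one SSL_CTX and the session cache attached to it.
// Sessions are created and inserted through OpenSSL internals, so no network
// connection is needed.
class SSLSessionCacheOpenSSLTest : public testing::Test {
 public:
  SSLSessionCacheOpenSSLTest() {
    crypto::EnsureOpenSSLInit();
    ctx_.reset(SSL_CTX_new(SSLv23_client_method()));
    // Stop here if the context could not be created: the cache is bound to
    // |ctx_| and AddToCache() dereferences it.
    CHECK(ctx_.get());
    cache_.Reset(ctx_.get(), kDefaultConfig);
  }

  // Reset cache configuration.
  void ResetConfig(const SSLSessionCacheOpenSSL::Config& config) {
    cache_.Reset(ctx_.get(), config);
  }

  // Helper function to create a new SSL connection object associated with
  // a given unique |cache_key|. This does _not_ add the session to the cache.
  // Returns NULL if the SSL object cannot be allocated.
  // Caller must free the object with SSL_free().
  SSL* NewSSL(const std::string& cache_key) {
    SSL* ssl = SSL_new(ctx_.get());
    if (!ssl)
      return NULL;
    SSLKeyHelper::Set(ssl, cache_key);  // associate cache key.
    ResetSessionID(ssl);                // create new unique session ID.
    return ssl;
  }

  // Reset the session ID of a given SSL object. This creates a new session
  // with a new unique random ID. Does not add it to the cache.
  static void ResetSessionID(SSL* ssl) {
    // The tests read |ssl->session| right after this call, so a failure to
    // create the session must not go unnoticed.
    int ret = ssl_get_new_session(ssl, 1);
    CHECK_EQ(1, ret);
  }

  // Add a given SSL object and its session to the cache.
  void AddToCache(SSL* ssl) {
    ssl_update_cache(ssl, ctx_.get()->session_cache_mode);
  }

  static const SSLSessionCacheOpenSSL::Config kDefaultConfig;

 protected:
  ScopedSSL_CTX ctx_;
  // |cache_| must be destroyed before |ctx_| and thus appears after it.
  SSLSessionCacheOpenSSL cache_;
};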
// static
// Configuration installed by the fixture constructor. Individual tests copy
// it, change one field and apply the result through ResetConfig().
const SSLSessionCacheOpenSSL::Config
    SSLSessionCacheOpenSSLTest::kDefaultConfig = {
        &SSLKeyHelper::Get,  // key_func: returns the key stored on an SSL
        1024,                // max_entries
        256,                 // expiration_check_count
        60 * 60,             // timeout_seconds (one hour)
};
// A cache that was just configured by the fixture holds no entries.
TEST_F(SSLSessionCacheOpenSSLTest, EmptyCacheCreation) {
  const size_t initial_size = cache_.size();
  EXPECT_EQ(0U, initial_size);
}
// One session can be added, and the cache entry outlives the connection that
// produced it.
TEST_F(SSLSessionCacheOpenSSLTest, CacheOneSession) {
  ScopedSSL connection(NewSSL("hello"));
  // Creating the connection alone does not touch the cache.
  EXPECT_EQ(0U, cache_.size());

  SSL* const handle = connection.get();
  AddToCache(handle);
  EXPECT_EQ(1U, cache_.size());

  // Freeing the connection leaves the cached entry in place.
  connection.reset(NULL);
  EXPECT_EQ(1U, cache_.size());
}
// Sessions with distinct keys each get their own cache entry.
TEST_F(SSLSessionCacheOpenSSLTest, CacheMultipleSessions) {
  const size_t kNumItems = 100;

  // Keys are the decimal strings "1" .. "100"; after the i-th insertion the
  // cache must hold exactly i entries.
  for (size_t added = 1; added <= kNumItems; ++added) {
    const std::string key =
        base::StringPrintf("%d", static_cast<int>(added));
    ScopedSSL connection(NewSSL(key));
    AddToCache(connection.get());
    EXPECT_EQ(added, cache_.size());
  }
}
// Flush() drops every cached session.
TEST_F(SSLSessionCacheOpenSSLTest, Flush) {
  const size_t kNumItems = 100;

  // Fill the cache with kNumItems sessions keyed "1" .. "100".
  size_t inserted = 0;
  while (inserted < kNumItems) {
    ++inserted;
    const std::string key =
        base::StringPrintf("%d", static_cast<int>(inserted));
    ScopedSSL connection(NewSSL(key));
    AddToCache(connection.get());
  }
  EXPECT_EQ(kNumItems, cache_.size());

  cache_.Flush();
  EXPECT_EQ(0U, cache_.size());
}
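// A session that was cached and marked good is handed to the next connection
// that uses the same key. Reference counts are checked at each step to show
// who holds the session.
TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSession) {
  const std::string key("hello");
  ScopedSSL ssl(NewSSL(key));
  // NewSSL() returns NULL on allocation failure; stop instead of passing a
  // NULL handle to the cache.
  ASSERT_TRUE(ssl.get());

  // First call should fail because the session is not in the cache.
  EXPECT_FALSE(cache_.SetSSLSession(ssl.get()));
  SSL_SESSION* session = ssl.get()->session;
  // ASSERT, not EXPECT: the following lines dereference |session|.
  ASSERT_TRUE(session);
  EXPECT_EQ(1, session->references);

  AddToCache(ssl.get());
  EXPECT_EQ(2, session->references);

  // Mark the session as good, so that it is re-used for the second connection.
  cache_.MarkSSLSessionAsGood(ssl.get());

  // Only the cache's reference remains, which is what keeps |session| valid
  // for the checks below.
  ssl.reset(NULL);
  EXPECT_EQ(1, session->references);

  // Second call should find the session ID and associate it with |ssl2|.
  ScopedSSL ssl2(NewSSL(key));
  ASSERT_TRUE(ssl2.get());
  EXPECT_TRUE(cache_.SetSSLSession(ssl2.get()));
  EXPECT_EQ(session, ssl2.get()->session);
  EXPECT_EQ(2, session->references);
}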
// A cached, good session can be looked up with an explicitly supplied key.
TEST_F(SSLSessionCacheOpenSSLTest, SetSSLSessionWithKey) {
  const std::string key("hello");

  // Cache a session under |key|, mark it good, then drop the connection.
  ScopedSSL first(NewSSL(key));
  SSL* const first_handle = first.get();
  AddToCache(first_handle);
  cache_.MarkSSLSessionAsGood(first_handle);
  first.reset(NULL);

  // A second connection resolves the session through the explicit key.
  ScopedSSL second(NewSSL(key));
  const bool reused = cache_.SetSSLSessionWithKey(second.get(), key);
  EXPECT_TRUE(reused);
}
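TEST_F(SSLSessionCacheOpenSSLTest, CheckSessionReplacement) {
  // Check that if two SSL connections have the same key, only one
  // corresponding session can be stored in the cache.
  const std::string common_key("common-key");
  ScopedSSL ssl1(NewSSL(common_key));
  ScopedSSL ssl2(NewSSL(common_key));
  // The reference-count checks below dereference both handles and their
  // sessions, so stop here if any of them is missing.
  ASSERT_TRUE(ssl1.get());
  ASSERT_TRUE(ssl2.get());
  ASSERT_TRUE(ssl1.get()->session);
  ASSERT_TRUE(ssl2.get()->session);

  AddToCache(ssl1.get());
  EXPECT_EQ(1U, cache_.size());
  EXPECT_EQ(2, ssl1.get()->session->references);

  // This ends up calling OnSessionAdded which will discover that there is
  // already one session ID associated with the key, and will replace it.
  AddToCache(ssl2.get());
  EXPECT_EQ(1U, cache_.size());
  // The cache released the first session and now holds the second one.
  EXPECT_EQ(1, ssl1.get()->session->references);
  EXPECT_EQ(2, ssl2.get()->session->references);
}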
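// Check that when two connections have the same key, a new session is created
// if the existing session has not yet been marked "good". Further, after the
// first session completes, if the second session has replaced it in the cache,
// new sessions should continue to fail until the currently cached session
// succeeds.
TEST_F(SSLSessionCacheOpenSSLTest, CheckSessionReplacementWhenNotGood) {
  const std::string key("hello");
  ScopedSSL ssl(NewSSL(key));
  ASSERT_TRUE(ssl.get());

  // First call should fail because the session is not in the cache.
  EXPECT_FALSE(cache_.SetSSLSession(ssl.get()));
  SSL_SESSION* session = ssl.get()->session;
  ASSERT_TRUE(session);
  EXPECT_EQ(1, session->references);

  AddToCache(ssl.get());
  EXPECT_EQ(2, session->references);

  // Second call should find the session ID, but because it is not yet good,
  // fail to associate it with |ssl2|.
  ScopedSSL ssl2(NewSSL(key));
  ASSERT_TRUE(ssl2.get());
  EXPECT_FALSE(cache_.SetSSLSession(ssl2.get()));
  SSL_SESSION* session2 = ssl2.get()->session;
  ASSERT_TRUE(session2);
  EXPECT_EQ(1, session2->references);
  EXPECT_NE(session, session2);

  // Add the second connection to the cache. It should replace the first
  // session, and the cache should hold on to the second session.
  AddToCache(ssl2.get());
  EXPECT_EQ(1, session->references);
  EXPECT_EQ(2, session2->references);

  // Mark the first session as good, simulating it completing.
  cache_.MarkSSLSessionAsGood(ssl.get());

  // Third call should find the session ID, but because the second session (the
  // current cache entry) is not yet good, fail to associate it with |ssl3|.
  ScopedSSL ssl3(NewSSL(key));
  ASSERT_TRUE(ssl3.get());
  EXPECT_FALSE(cache_.SetSSLSession(ssl3.get()));
  SSL_SESSION* session3 = ssl3.get()->session;
  // ASSERT, not EXPECT: a NULL session would satisfy both EXPECT_NE checks
  // and then be dereferenced by the reference-count check.
  ASSERT_TRUE(session3);
  EXPECT_NE(session, session3);
  EXPECT_NE(session2, session3);
  EXPECT_EQ(1, session3->references);
}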
// The cache never grows beyond max_entries: once full, each insertion keeps
// the size at the limit.
TEST_F(SSLSessionCacheOpenSSLTest, CheckEviction) {
  const size_t kMaxItems = 20;

  SSLSessionCacheOpenSSL::Config small_config = kDefaultConfig;
  small_config.max_entries = kMaxItems;
  ResetConfig(small_config);

  // Fill the cache up to its limit with keys "1" .. "20"; the size follows
  // the number of insertions.
  for (size_t count = 1; count <= kMaxItems; ++count) {
    const std::string key =
        base::StringPrintf("%d", static_cast<int>(count));
    ScopedSSL connection(NewSSL(key));
    AddToCache(connection.get());
    EXPECT_EQ(count, cache_.size());
  }

  // Insert kMaxItems further sessions (keys "21" .. "40"): the size stays at
  // the limit, so older entries are being evicted.
  for (size_t extra = 1; extra <= kMaxItems; ++extra) {
    const std::string key =
        base::StringPrintf("%d", static_cast<int>(kMaxItems + extra));
    ScopedSSL connection(NewSSL(key));
    AddToCache(connection.get());
    EXPECT_EQ(kMaxItems, cache_.size());
  }
}
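// Check that session expiration works properly: expired sessions are only
// removed on every |expiration_check_count|-th SetSSLSession() call, and a
// session that has not timed out survives the sweep.
TEST_F(SSLSessionCacheOpenSSLTest, CheckExpiration) {
  const size_t kMaxCheckCount = 10;
  const size_t kNumEntries = 20;
  SSLSessionCacheOpenSSL::Config config = kDefaultConfig;
  config.expiration_check_count = kMaxCheckCount;
  config.timeout_seconds = 1000;
  ResetConfig(config);

  // Add |kNumEntries - 1| session entries with crafted time values.
  for (size_t n = 0; n < kNumEntries - 1U; ++n) {
    std::string key = base::StringPrintf("%d", static_cast<int>(n));
    ScopedSSL ssl(NewSSL(key));
    // The session is written to directly below, so it has to exist.
    ASSERT_TRUE(ssl.get());
    ASSERT_TRUE(ssl.get()->session);
    // Cheat a little: Force the session |time| value, this guarantees that they
    // are expired, given that ::time() will always return a value that is
    // past the first 100 seconds after the Unix epoch.
    ssl.get()->session->time = static_cast<long>(n);
    AddToCache(ssl.get());
  }
  EXPECT_EQ(kNumEntries - 1U, cache_.size());

  // Add another session which will get the current time, and thus not be
  // expirable until 1000 seconds have passed.
  ScopedSSL good_ssl(NewSSL("good-key"));
  AddToCache(good_ssl.get());
  good_ssl.reset(NULL);
  EXPECT_EQ(kNumEntries, cache_.size());

  // Call SetSSLSession() |kMaxCheckCount - 1| times, this shall not expire
  // any session.
  for (size_t n = 0; n < kMaxCheckCount - 1U; ++n) {
    ScopedSSL ssl(NewSSL("unknown-key"));
    cache_.SetSSLSession(ssl.get());
    EXPECT_EQ(kNumEntries, cache_.size());
  }

  // Call SetSSLSession another time, this shall expire all sessions except
  // the last one.
  ScopedSSL bad_ssl(NewSSL("unknown-key"));
  cache_.SetSSLSession(bad_ssl.get());
  bad_ssl.reset(NULL);
  EXPECT_EQ(1U, cache_.size());
}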
} // namespace net