| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include "net/base/address_list.h" | 7 #include "net/base/address_list.h" |
| 8 #include "net/base/host_resolver.h" | 8 #include "net/base/host_resolver.h" |
| 9 #include "net/base/io_buffer.h" | 9 #include "net/base/io_buffer.h" |
| 10 #include "net/base/net_log.h" | 10 #include "net/base/net_log.h" |
| (...skipping 542 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 553 EXPECT_EQ(net::OK, rv); | 553 EXPECT_EQ(net::OK, rv); |
| 554 | 554 |
| 555 scoped_ptr<net::SSLClientSocket> sock( | 555 scoped_ptr<net::SSLClientSocket> sock( |
| 556 socket_factory_->CreateSSLClientSocket( | 556 socket_factory_->CreateSSLClientSocket( |
| 557 transport, test_server.host_port_pair().host(), kDefaultSSLConfig, | 557 transport, test_server.host_port_pair().host(), kDefaultSSLConfig, |
| 558 NULL /* ssl_host_info */)); | 558 NULL /* ssl_host_info */)); |
| 559 | 559 |
| 560 rv = sock->Connect(&callback); | 560 rv = sock->Connect(&callback); |
| 561 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); | 561 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); |
| 562 } | 562 } |
| 563 |
| 564 #if defined(USE_OPENSSL) |
| 565 // TODO(rsleevi): Not implemented for Schannel or OpenSSL. Schannel is |
| 566 // controlled by the SSL client socket factory, rather than a define, so it |
| 567 // cannot be conditionally disabled here. As Schannel is only used when |
| 568 // performing client authentication, it will not be tested here. |
| 569 #define MAYBE_CipherSuiteDisables DISABLED_CipherSuiteDisables |
| 570 #else |
| 571 #define MAYBE_CipherSuiteDisables CipherSuiteDisables |
| 572 #endif |
| 573 TEST_F(SSLClientSocketTest, MAYBE_CipherSuiteDisables) { |
| 574 // Rather than exhaustively disabling every RC4 ciphersuite defined at |
| 575 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml, |
| 576 // only disabling those cipher suites that the test server actually |
| 577 // implements. |
| 578 const uint16 kCiphersToDisable[] = { |
| 579 0x0005, // TLS_RSA_WITH_RC4_128_SHA |
| 580 }; |
| 581 |
| 582 net::TestServer::HTTPSOptions https_options; |
| 583 // Enable only RC4 on the test server. |
| 584 https_options.bulk_ciphers = |
| 585 net::TestServer::HTTPSOptions::BULK_CIPHER_RC4; |
| 586 net::TestServer test_server(https_options, FilePath()); |
| 587 ASSERT_TRUE(test_server.Start()); |
| 588 |
| 589 net::AddressList addr; |
| 590 ASSERT_TRUE(test_server.GetAddressList(&addr)); |
| 591 |
| 592 TestCompletionCallback callback; |
| 593 net::CapturingNetLog log(net::CapturingNetLog::kUnbounded); |
| 594 net::ClientSocket* transport = new net::TCPClientSocket( |
| 595 addr, &log, net::NetLog::Source()); |
| 596 int rv = transport->Connect(&callback); |
| 597 if (rv == net::ERR_IO_PENDING) |
| 598 rv = callback.WaitForResult(); |
| 599 EXPECT_EQ(net::OK, rv); |
| 600 |
| 601 net::SSLConfig ssl_config; |
| 602 for (size_t i = 0; i < arraysize(kCiphersToDisable); ++i) |
| 603 ssl_config.disabled_cipher_suites.push_back(kCiphersToDisable[i]); |
| 604 |
| 605 scoped_ptr<net::SSLClientSocket> sock( |
| 606 socket_factory_->CreateSSLClientSocket( |
| 607 transport, test_server.host_port_pair().host(), |
| 608 ssl_config, NULL)); |
| 609 |
| 610 EXPECT_FALSE(sock->IsConnected()); |
| 611 |
| 612 rv = sock->Connect(&callback); |
| 613 EXPECT_TRUE(net::LogContainsBeginEvent( |
| 614 log.entries(), 5, net::NetLog::TYPE_SSL_CONNECT)); |
| 615 |
| 616 // NSS has special handling that maps a handshake_failure alert received |
| 617 // immediately after a client_hello to be a mismatched cipher suite error, |
| 618 // leading to ERR_SSL_VERSION_OR_CIPHER_MISMATCH. When using OpenSSL or |
| 619 // Secure Transport (OS X), the handshake_failure is bubbled up without any |
| 620 // interpretation, leading to ERR_SSL_PROTOCOL_ERROR. Either way, a failure |
| 621 // indicates that no cipher suite was negotiated with the test server. |
| 622 if (rv == net::ERR_IO_PENDING) { |
| 623 EXPECT_FALSE(sock->IsConnected()); |
| 624 EXPECT_FALSE(net::LogContainsEndEvent( |
| 625 log.entries(), -1, net::NetLog::TYPE_SSL_CONNECT)); |
| 626 |
| 627 rv = callback.WaitForResult(); |
| 628 } |
| 629 EXPECT_TRUE(rv == net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH || |
| 630 rv == net::ERR_SSL_PROTOCOL_ERROR); |
| 631 // The exact ordering differs between SSLClientSocketNSS (which issues an |
| 632 // extra read) and SSLClientSocketMac (which does not). Just make sure the |
| 633 // error appears somewhere in the log. |
| 634 net::ExpectLogContainsSomewhere(log.entries(), 0, |
| 635 net::NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 636 net::NetLog::PHASE_NONE); |
| 637 |
| 638 // We cannot test sock->IsConnected(), as the NSS implementation disconnects |
| 639 // the socket when it encounters an error, whereas other implementations |
| 640 // leave it connected. |
| 641 EXPECT_TRUE(LogContainsSSLConnectEndEvent(log.entries(), -1)); |
| 642 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3845005:
Add support for restricting the cipher suites that SSLClientSocket(Mac,NSS) use (Closed)
