| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include "net/base/address_list.h" | 7 #include "net/base/address_list.h" |
| 8 #include "net/base/host_resolver.h" | 8 #include "net/base/host_resolver.h" |
| 9 #include "net/base/io_buffer.h" | 9 #include "net/base/io_buffer.h" |
| 10 #include "net/base/net_log.h" | 10 #include "net/base/net_log.h" |
| (...skipping 496 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 507 EXPECT_EQ(net::OK, rv); | 507 EXPECT_EQ(net::OK, rv); |
| 508 | 508 |
| 509 scoped_ptr<net::SSLClientSocket> sock( | 509 scoped_ptr<net::SSLClientSocket> sock( |
| 510 socket_factory_->CreateSSLClientSocket( | 510 socket_factory_->CreateSSLClientSocket( |
| 511 transport, test_server.host_port_pair().host(), kDefaultSSLConfig, | 511 transport, test_server.host_port_pair().host(), kDefaultSSLConfig, |
| 512 NULL)); | 512 NULL)); |
| 513 | 513 |
| 514 rv = sock->Connect(&callback); | 514 rv = sock->Connect(&callback); |
| 515 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); | 515 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv); |
| 516 } | 516 } |
| 517 |
| 518 #if defined(USE_OPENSSL) |
| 519 // TODO(rsleevi): Not implemented for Schannel or OpenSSL. Schannel is |
| 520 // controlled by the SSL client socket factory, rather than a define, so it |
| 521 // cannot be conditionally disabled here. As Schannel is only used when |
| 522 // performing client authentication, it will not be tested here. |
| 523 #define MAYBE_CipherSuiteDisables DISABLED_CipherSuiteDisables |
| 524 #else |
| 525 #define MAYBE_CipherSuiteDisables CipherSuiteDisables |
| 526 #endif |
| 527 TEST_F(SSLClientSocketTest, MAYBE_CipherSuiteDisables) { |
| 528 // Rather than exhaustively disabling every RC4 ciphersuite defined at |
| 529 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml, |
| 530 // only disabling those cipher suites that the test server actually |
| 531 // implements. |
| 532 const uint16 kCiphersToDisable[] = { |
| 533 0x0005, // TLS_RSA_WITH_RC4_128_SHA |
| 534 }; |
| 535 |
| 536 net::TestServer::HTTPSOptions https_options; |
| 537 // Enable only RC4 on the test server. |
| 538 https_options.bulk_ciphers = |
| 539 net::TestServer::HTTPSOptions::BULK_CIPHER_RC4; |
| 540 net::TestServer test_server(https_options, FilePath()); |
| 541 ASSERT_TRUE(test_server.Start()); |
| 542 |
| 543 net::AddressList addr; |
| 544 ASSERT_TRUE(test_server.GetAddressList(&addr)); |
| 545 |
| 546 TestCompletionCallback callback; |
| 547 net::CapturingNetLog log(net::CapturingNetLog::kUnbounded); |
| 548 net::ClientSocket* transport = new net::TCPClientSocket( |
| 549 addr, &log, net::NetLog::Source()); |
| 550 int rv = transport->Connect(&callback); |
| 551 if (rv == net::ERR_IO_PENDING) |
| 552 rv = callback.WaitForResult(); |
| 553 EXPECT_EQ(net::OK, rv); |
| 554 |
| 555 net::SSLConfig ssl_config; |
| 556 for (size_t i = 0; i < arraysize(kCiphersToDisable); ++i) |
| 557 ssl_config.disabled_cipher_suites.push_back(kCiphersToDisable[i]); |
| 558 |
| 559 scoped_ptr<net::SSLClientSocket> sock( |
| 560 socket_factory_->CreateSSLClientSocket( |
| 561 transport, test_server.host_port_pair().host(), |
| 562 ssl_config, NULL)); |
| 563 |
| 564 EXPECT_FALSE(sock->IsConnected()); |
| 565 |
| 566 rv = sock->Connect(&callback); |
| 567 EXPECT_TRUE(net::LogContainsBeginEvent( |
| 568 log.entries(), 5, net::NetLog::TYPE_SSL_CONNECT)); |
| 569 |
| 570 // NSS has special handling that maps a handshake_failure alert received |
| 571 // immediately after a client_hello to be a mismatched cipher suite error, |
| 572 // leading to ERR_SSL_VERSION_OR_CIPHER_MISMATCH. When using OpenSSL or |
| 573 // Secure Transport (OS X), the handshake_failure is bubbled up without any |
| 574 // interpretation, leading to ERR_SSL_PROTOCOL_ERROR. Either way, a failure |
| 575 // indicates that no cipher suite was negotiated with the test server. |
| 576 if (rv == net::ERR_IO_PENDING) |
| 577 rv = callback.WaitForResult(); |
| 578 EXPECT_TRUE(rv == net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH || |
| 579 rv == net::ERR_SSL_PROTOCOL_ERROR); |
| 580 // The exact ordering differs between SSLClientSocketNSS (which issues an |
| 581 // extra read) and SSLClientSocketMac (which does not). Just make sure the |
| 582 // error appears somewhere in the log. |
| 583 net::ExpectLogContainsSomewhere(log.entries(), 0, |
| 584 net::NetLog::TYPE_SSL_HANDSHAKE_ERROR, |
| 585 net::NetLog::PHASE_NONE); |
| 586 |
| 587 // We cannot test sock->IsConnected(), as the NSS implementation disconnects |
| 588 // the socket when it encounters an error, whereas other implementations |
| 589 // leave it connected. |
| 590 EXPECT_TRUE(LogContainsSSLConnectEndEvent(log.entries(), -1)); |
| 591 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3845005:
Add support for restricting the cipher suites that SSLClientSocket(Mac,NSS) use (Closed)
