| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| (...skipping 4903 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4914 request.Start(); | 4914 request.Start(); |
| 4915 base::RunLoop().Run(); | 4915 base::RunLoop().Run(); |
| 4916 | 4916 |
| 4917 TransportSecurityState* security_state = | 4917 TransportSecurityState* security_state = |
| 4918 default_context_.transport_security_state(); | 4918 default_context_.transport_security_state(); |
| 4919 bool sni_available = true; | 4919 bool sni_available = true; |
| 4920 TransportSecurityState::DomainState domain_state; | 4920 TransportSecurityState::DomainState domain_state; |
| 4921 EXPECT_TRUE(security_state->GetDomainState( | 4921 EXPECT_TRUE(security_state->GetDomainState( |
| 4922 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); | 4922 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); |
| 4923 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | 4923 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, |
| 4924 domain_state.upgrade_mode); | 4924 domain_state.dynamic_sts.upgrade_mode); |
| 4925 EXPECT_TRUE(domain_state.sts_include_subdomains); | 4925 EXPECT_TRUE(domain_state.dynamic_sts.include_subdomains); |
| 4926 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 4926 EXPECT_FALSE(domain_state.dynamic_pkp.include_subdomains); |
| 4927 #if defined(OS_ANDROID) | 4927 #if defined(OS_ANDROID) |
| 4928 // Android's CertVerifyProc does not (yet) handle pins. | 4928 // Android's CertVerifyProc does not (yet) handle pins. |
| 4929 #else | 4929 #else |
| 4930 EXPECT_FALSE(domain_state.HasPublicKeyPins()); | 4930 EXPECT_FALSE(domain_state.HasPublicKeyPins()); |
| 4931 #endif | 4931 #endif |
| 4932 } | 4932 } |
| 4933 | 4933 |
| 4934 // Android's CertVerifyProc does not (yet) handle pins. Therefore, it will | 4934 // Android's CertVerifyProc does not (yet) handle pins. Therefore, it will |
| 4935 // reject HPKP headers, and a test setting only HPKP headers will fail (no | 4935 // reject HPKP headers, and a test setting only HPKP headers will fail (no |
| 4936 // DomainState present because header rejected). | 4936 // DomainState present because header rejected). |
| (...skipping 21 matching lines...) Expand all Loading... |
| 4958 request.Start(); | 4958 request.Start(); |
| 4959 base::RunLoop().Run(); | 4959 base::RunLoop().Run(); |
| 4960 | 4960 |
| 4961 TransportSecurityState* security_state = | 4961 TransportSecurityState* security_state = |
| 4962 default_context_.transport_security_state(); | 4962 default_context_.transport_security_state(); |
| 4963 bool sni_available = true; | 4963 bool sni_available = true; |
| 4964 TransportSecurityState::DomainState domain_state; | 4964 TransportSecurityState::DomainState domain_state; |
| 4965 EXPECT_TRUE(security_state->GetDomainState( | 4965 EXPECT_TRUE(security_state->GetDomainState( |
| 4966 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); | 4966 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); |
| 4967 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT, | 4967 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT, |
| 4968 domain_state.upgrade_mode); | 4968 domain_state.dynamic_sts.upgrade_mode); |
| 4969 EXPECT_FALSE(domain_state.sts_include_subdomains); | 4969 EXPECT_FALSE(domain_state.dynamic_sts.include_subdomains); |
| 4970 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 4970 EXPECT_FALSE(domain_state.dynamic_pkp.include_subdomains); |
| 4971 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 4971 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 4972 EXPECT_NE(domain_state.upgrade_expiry, | 4972 EXPECT_NE(domain_state.dynamic_sts.expiry, domain_state.dynamic_pkp.expiry); |
| 4973 domain_state.dynamic_spki_hashes_expiry); | |
| 4974 } | 4973 } |
| 4975 | 4974 |
| 4976 TEST_F(URLRequestTestHTTP, ProcessSTSOnce) { | 4975 TEST_F(URLRequestTestHTTP, ProcessSTSOnce) { |
| 4977 SpawnedTestServer::SSLOptions ssl_options; | 4976 SpawnedTestServer::SSLOptions ssl_options; |
| 4978 SpawnedTestServer https_test_server( | 4977 SpawnedTestServer https_test_server( |
| 4979 SpawnedTestServer::TYPE_HTTPS, | 4978 SpawnedTestServer::TYPE_HTTPS, |
| 4980 ssl_options, | 4979 ssl_options, |
| 4981 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); | 4980 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); |
| 4982 ASSERT_TRUE(https_test_server.Start()); | 4981 ASSERT_TRUE(https_test_server.Start()); |
| 4983 | 4982 |
| 4984 TestDelegate d; | 4983 TestDelegate d; |
| 4985 URLRequest request( | 4984 URLRequest request( |
| 4986 https_test_server.GetURL("files/hsts-multiple-headers.html"), | 4985 https_test_server.GetURL("files/hsts-multiple-headers.html"), |
| 4987 DEFAULT_PRIORITY, | 4986 DEFAULT_PRIORITY, |
| 4988 &d, | 4987 &d, |
| 4989 &default_context_); | 4988 &default_context_); |
| 4990 request.Start(); | 4989 request.Start(); |
| 4991 base::RunLoop().Run(); | 4990 base::RunLoop().Run(); |
| 4992 | 4991 |
| 4993 // We should have set parameters from the first header, not the second. | 4992 // We should have set parameters from the first header, not the second. |
| 4994 TransportSecurityState* security_state = | 4993 TransportSecurityState* security_state = |
| 4995 default_context_.transport_security_state(); | 4994 default_context_.transport_security_state(); |
| 4996 bool sni_available = true; | 4995 bool sni_available = true; |
| 4997 TransportSecurityState::DomainState domain_state; | 4996 TransportSecurityState::DomainState domain_state; |
| 4998 EXPECT_TRUE(security_state->GetDomainState( | 4997 EXPECT_TRUE(security_state->GetDomainState( |
| 4999 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); | 4998 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); |
| 5000 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | 4999 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, |
| 5001 domain_state.upgrade_mode); | 5000 domain_state.dynamic_sts.upgrade_mode); |
| 5002 EXPECT_FALSE(domain_state.sts_include_subdomains); | 5001 EXPECT_FALSE(domain_state.dynamic_sts.include_subdomains); |
| 5003 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 5002 EXPECT_FALSE(domain_state.dynamic_pkp.include_subdomains); |
| 5004 } | 5003 } |
| 5005 | 5004 |
| 5006 TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP) { | 5005 TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP) { |
| 5007 SpawnedTestServer::SSLOptions ssl_options; | 5006 SpawnedTestServer::SSLOptions ssl_options; |
| 5008 SpawnedTestServer https_test_server( | 5007 SpawnedTestServer https_test_server( |
| 5009 SpawnedTestServer::TYPE_HTTPS, | 5008 SpawnedTestServer::TYPE_HTTPS, |
| 5010 ssl_options, | 5009 ssl_options, |
| 5011 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); | 5010 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); |
| 5012 ASSERT_TRUE(https_test_server.Start()); | 5011 ASSERT_TRUE(https_test_server.Start()); |
| 5013 | 5012 |
| 5014 TestDelegate d; | 5013 TestDelegate d; |
| 5015 URLRequest request( | 5014 URLRequest request( |
| 5016 https_test_server.GetURL("files/hsts-and-hpkp-headers.html"), | 5015 https_test_server.GetURL("files/hsts-and-hpkp-headers.html"), |
| 5017 DEFAULT_PRIORITY, | 5016 DEFAULT_PRIORITY, |
| 5018 &d, | 5017 &d, |
| 5019 &default_context_); | 5018 &default_context_); |
| 5020 request.Start(); | 5019 request.Start(); |
| 5021 base::RunLoop().Run(); | 5020 base::RunLoop().Run(); |
| 5022 | 5021 |
| 5023 // We should have set parameters from the first header, not the second. | 5022 // We should have set parameters from the first header, not the second. |
| 5024 TransportSecurityState* security_state = | 5023 TransportSecurityState* security_state = |
| 5025 default_context_.transport_security_state(); | 5024 default_context_.transport_security_state(); |
| 5026 bool sni_available = true; | 5025 bool sni_available = true; |
| 5027 TransportSecurityState::DomainState domain_state; | 5026 TransportSecurityState::DomainState domain_state; |
| 5028 EXPECT_TRUE(security_state->GetDomainState( | 5027 EXPECT_TRUE(security_state->GetDomainState( |
| 5029 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); | 5028 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); |
| 5030 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | 5029 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, |
| 5031 domain_state.upgrade_mode); | 5030 domain_state.dynamic_sts.upgrade_mode); |
| 5032 #if defined(OS_ANDROID) | 5031 #if defined(OS_ANDROID) |
| 5033 // Android's CertVerifyProc does not (yet) handle pins. | 5032 // Android's CertVerifyProc does not (yet) handle pins. |
| 5034 #else | 5033 #else |
| 5035 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 5034 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 5036 #endif | 5035 #endif |
| 5037 EXPECT_NE(domain_state.upgrade_expiry, | 5036 EXPECT_NE(domain_state.dynamic_sts.expiry, domain_state.dynamic_pkp.expiry); |
| 5038 domain_state.dynamic_spki_hashes_expiry); | |
| 5039 | 5037 |
| 5040 // Even though there is an HSTS header asserting includeSubdomains, it is | 5038 // Even though there is an HSTS header asserting includeSubdomains, it is |
| 5041 // the *second* such header, and we MUST process only the first. | 5039 // the *second* such header, and we MUST process only the first. |
| 5042 EXPECT_FALSE(domain_state.sts_include_subdomains); | 5040 EXPECT_FALSE(domain_state.dynamic_sts.include_subdomains); |
| 5043 // includeSubdomains does not occur in the test HPKP header. | 5041 // includeSubdomains does not occur in the test HPKP header. |
| 5044 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 5042 EXPECT_FALSE(domain_state.dynamic_pkp.include_subdomains); |
| 5045 } | 5043 } |
| 5046 | 5044 |
| 5047 // Tests that when multiple HPKP headers are present, asserting different | 5045 // Tests that when multiple HPKP headers are present, asserting different |
| 5048 // policies, that only the first such policy is processed. | 5046 // policies, that only the first such policy is processed. |
| 5049 TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP2) { | 5047 TEST_F(URLRequestTestHTTP, ProcessSTSAndPKP2) { |
| 5050 SpawnedTestServer::SSLOptions ssl_options; | 5048 SpawnedTestServer::SSLOptions ssl_options; |
| 5051 SpawnedTestServer https_test_server( | 5049 SpawnedTestServer https_test_server( |
| 5052 SpawnedTestServer::TYPE_HTTPS, | 5050 SpawnedTestServer::TYPE_HTTPS, |
| 5053 ssl_options, | 5051 ssl_options, |
| 5054 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); | 5052 base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest"))); |
| 5055 ASSERT_TRUE(https_test_server.Start()); | 5053 ASSERT_TRUE(https_test_server.Start()); |
| 5056 | 5054 |
| 5057 TestDelegate d; | 5055 TestDelegate d; |
| 5058 URLRequest request( | 5056 URLRequest request( |
| 5059 https_test_server.GetURL("files/hsts-and-hpkp-headers2.html"), | 5057 https_test_server.GetURL("files/hsts-and-hpkp-headers2.html"), |
| 5060 DEFAULT_PRIORITY, | 5058 DEFAULT_PRIORITY, |
| 5061 &d, | 5059 &d, |
| 5062 &default_context_); | 5060 &default_context_); |
| 5063 request.Start(); | 5061 request.Start(); |
| 5064 base::RunLoop().Run(); | 5062 base::RunLoop().Run(); |
| 5065 | 5063 |
| 5066 TransportSecurityState* security_state = | 5064 TransportSecurityState* security_state = |
| 5067 default_context_.transport_security_state(); | 5065 default_context_.transport_security_state(); |
| 5068 bool sni_available = true; | 5066 bool sni_available = true; |
| 5069 TransportSecurityState::DomainState domain_state; | 5067 TransportSecurityState::DomainState domain_state; |
| 5070 EXPECT_TRUE(security_state->GetDomainState( | 5068 EXPECT_TRUE(security_state->GetDomainState( |
| 5071 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); | 5069 SpawnedTestServer::kLocalhost, sni_available, &domain_state)); |
| 5072 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | 5070 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, |
| 5073 domain_state.upgrade_mode); | 5071 domain_state.dynamic_sts.upgrade_mode); |
| 5074 #if defined(OS_ANDROID) | 5072 #if defined(OS_ANDROID) |
| 5075 // Android's CertVerifyProc does not (yet) handle pins. | 5073 // Android's CertVerifyProc does not (yet) handle pins. |
| 5076 #else | 5074 #else |
| 5077 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 5075 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 5078 #endif | 5076 #endif |
| 5079 EXPECT_NE(domain_state.upgrade_expiry, | 5077 EXPECT_NE(domain_state.dynamic_sts.expiry, domain_state.dynamic_pkp.expiry); |
| 5080 domain_state.dynamic_spki_hashes_expiry); | |
| 5081 | 5078 |
| 5082 EXPECT_TRUE(domain_state.sts_include_subdomains); | 5079 EXPECT_TRUE(domain_state.dynamic_sts.include_subdomains); |
| 5083 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 5080 EXPECT_FALSE(domain_state.dynamic_pkp.include_subdomains); |
| 5084 } | 5081 } |
| 5085 | 5082 |
| 5086 TEST_F(URLRequestTestHTTP, ContentTypeNormalizationTest) { | 5083 TEST_F(URLRequestTestHTTP, ContentTypeNormalizationTest) { |
| 5087 ASSERT_TRUE(test_server_.Start()); | 5084 ASSERT_TRUE(test_server_.Start()); |
| 5088 | 5085 |
| 5089 TestDelegate d; | 5086 TestDelegate d; |
| 5090 URLRequest req(test_server_.GetURL("files/content-type-normalization.html"), | 5087 URLRequest req(test_server_.GetURL("files/content-type-normalization.html"), |
| 5091 DEFAULT_PRIORITY, | 5088 DEFAULT_PRIORITY, |
| 5092 &d, | 5089 &d, |
| 5093 &default_context_); | 5090 &default_context_); |
| (...skipping 1199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6293 | 6290 |
| 6294 EXPECT_EQ(1, d.response_started_count()); | 6291 EXPECT_EQ(1, d.response_started_count()); |
| 6295 EXPECT_FALSE(d.received_data_before_response()); | 6292 EXPECT_FALSE(d.received_data_before_response()); |
| 6296 EXPECT_TRUE(d.have_certificate_errors()); | 6293 EXPECT_TRUE(d.have_certificate_errors()); |
| 6297 EXPECT_TRUE(d.certificate_errors_are_fatal()); | 6294 EXPECT_TRUE(d.certificate_errors_are_fatal()); |
| 6298 | 6295 |
| 6299 // Get a fresh copy of the state, and check that it hasn't been updated. | 6296 // Get a fresh copy of the state, and check that it hasn't been updated. |
| 6300 TransportSecurityState::DomainState new_domain_state; | 6297 TransportSecurityState::DomainState new_domain_state; |
| 6301 EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true, | 6298 EXPECT_TRUE(transport_security_state.GetDomainState("www.google.com", true, |
| 6302 &new_domain_state)); | 6299 &new_domain_state)); |
| 6303 EXPECT_EQ(new_domain_state.upgrade_mode, domain_state.upgrade_mode); | 6300 EXPECT_EQ(new_domain_state.dynamic_sts.upgrade_mode, |
| 6304 EXPECT_EQ(new_domain_state.sts_include_subdomains, | 6301 domain_state.dynamic_sts.upgrade_mode); |
| 6305 domain_state.sts_include_subdomains); | 6302 EXPECT_EQ(new_domain_state.dynamic_sts.include_subdomains, |
| 6306 EXPECT_EQ(new_domain_state.pkp_include_subdomains, | 6303 domain_state.dynamic_sts.include_subdomains); |
| 6307 domain_state.pkp_include_subdomains); | 6304 EXPECT_EQ(new_domain_state.dynamic_pkp.include_subdomains, |
| 6308 EXPECT_TRUE(FingerprintsEqual(new_domain_state.static_spki_hashes, | 6305 domain_state.dynamic_pkp.include_subdomains); |
| 6309 domain_state.static_spki_hashes)); | 6306 EXPECT_TRUE(FingerprintsEqual(new_domain_state.static_pkp.spki_hashes, |
| 6310 EXPECT_TRUE(FingerprintsEqual(new_domain_state.dynamic_spki_hashes, | 6307 domain_state.static_pkp.spki_hashes)); |
| 6311 domain_state.dynamic_spki_hashes)); | 6308 EXPECT_TRUE(FingerprintsEqual(new_domain_state.dynamic_pkp.spki_hashes, |
| 6312 EXPECT_TRUE(FingerprintsEqual(new_domain_state.bad_static_spki_hashes, | 6309 domain_state.dynamic_pkp.spki_hashes)); |
| 6313 domain_state.bad_static_spki_hashes)); | 6310 EXPECT_TRUE(FingerprintsEqual(new_domain_state.static_pkp.bad_spki_hashes, |
| 6311 domain_state.static_pkp.bad_spki_hashes)); |
| 6314 } | 6312 } |
| 6315 | 6313 |
| 6316 // Make sure HSTS preserves a POST request's method and body. | 6314 // Make sure HSTS preserves a POST request's method and body. |
| 6317 TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { | 6315 TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { |
| 6318 static const char kData[] = "hello world"; | 6316 static const char kData[] = "hello world"; |
| 6319 | 6317 |
| 6320 SpawnedTestServer::SSLOptions ssl_options( | 6318 SpawnedTestServer::SSLOptions ssl_options( |
| 6321 SpawnedTestServer::SSLOptions::CERT_OK); | 6319 SpawnedTestServer::SSLOptions::CERT_OK); |
| 6322 SpawnedTestServer test_server( | 6320 SpawnedTestServer test_server( |
| 6323 SpawnedTestServer::TYPE_HTTPS, | 6321 SpawnedTestServer::TYPE_HTTPS, |
| (...skipping 1269 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7593 | 7591 |
| 7594 EXPECT_FALSE(r.is_pending()); | 7592 EXPECT_FALSE(r.is_pending()); |
| 7595 EXPECT_EQ(1, d->response_started_count()); | 7593 EXPECT_EQ(1, d->response_started_count()); |
| 7596 EXPECT_FALSE(d->received_data_before_response()); | 7594 EXPECT_FALSE(d->received_data_before_response()); |
| 7597 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 7595 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
| 7598 } | 7596 } |
| 7599 } | 7597 } |
| 7600 #endif // !defined(DISABLE_FTP_SUPPORT) | 7598 #endif // !defined(DISABLE_FTP_SUPPORT) |
| 7601 | 7599 |
| 7602 } // namespace net | 7600 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 103803012:
Make HSTS headers not clobber preloaded pins. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src