| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include "base/callback_helpers.h" | 7 #include "base/callback_helpers.h" |
| 8 #include "base/memory/ref_counted.h" | 8 #include "base/memory/ref_counted.h" |
| 9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
| 10 #include "base/time/time.h" | 10 #include "base/time/time.h" |
| 2196 if (rv == ERR_IO_PENDING) | 2196 if (rv == ERR_IO_PENDING) |
| 2197 rv = callback.WaitForResult(); | 2197 rv = callback.WaitForResult(); |
| 2198 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv); | 2198 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv); |
| 2199 } | 2199 } |
| 2200 | 2200 |
| 2201 TEST_F(SSLClientSocketTest, CipherSuiteDisables) { | 2201 TEST_F(SSLClientSocketTest, CipherSuiteDisables) { |
| 2202 // Rather than exhaustively disabling every RC4 ciphersuite defined at | 2202 // Rather than exhaustively disabling every RC4 ciphersuite defined at |
| 2203 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml, | 2203 // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml, |
| 2204 // only disabling those cipher suites that the test server actually | 2204 // only disabling those cipher suites that the test server actually |
| 2205 // implements. | 2205 // implements. |
| 2206 const uint16 kCiphersToDisable[] = {0x0005, // TLS_RSA_WITH_RC4_128_SHA | 2206 const uint16 kCiphersToDisable[] = { |
| 2207 0x0005, // TLS_RSA_WITH_RC4_128_SHA | |
| 2208 0xc011, // TLS_ECDHE_RSA_WITH_RC4_128_SHA | |
| 2207 }; | 2209 }; |
| 2208 | 2210 |
| 2209 SpawnedTestServer::SSLOptions ssl_options; | 2211 SpawnedTestServer::SSLOptions ssl_options; |
| 2210 // Enable only RC4 on the test server. | 2212 // Enable only RC4 on the test server. |
| 2211 ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4; | 2213 ssl_options.bulk_ciphers = SpawnedTestServer::SSLOptions::BULK_CIPHER_RC4; |
| 2212 SpawnedTestServer test_server( | 2214 SpawnedTestServer test_server( |
| 2213 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()); | 2215 SpawnedTestServer::TYPE_HTTPS, ssl_options, base::FilePath()); |
| 2214 ASSERT_TRUE(test_server.Start()); | 2216 ASSERT_TRUE(test_server.Start()); |
| 2215 | 2217 |
| 2216 AddressList addr; | 2218 AddressList addr; |
| 2874 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1, | 2876 EXPECT_EQ(SSL_CONNECTION_VERSION_TLS1, |
| 2875 SSLConnectionStatusToVersion(ssl_info.connection_status)); | 2877 SSLConnectionStatusToVersion(ssl_info.connection_status)); |
| 2876 } | 2878 } |
| 2877 | 2879 |
| 2878 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { | 2880 TEST_F(SSLClientSocketFalseStartTest, FalseStartEnabled) { |
| 2879 if (!SupportsAESGCM()) { | 2881 if (!SupportsAESGCM()) { |
| 2880 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | 2882 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; |
| 2881 return; | 2883 return; |
| 2882 } | 2884 } |
| 2883 | 2885 |
| 2884 // False Start requires NPN/ALPN, perfect forward secrecy, and an AEAD. | 2886 // False Start requires NPN/ALPN, ECDHE, and an AEAD. |
| 2885 SpawnedTestServer::SSLOptions server_options; | 2887 SpawnedTestServer::SSLOptions server_options; |
| 2886 server_options.key_exchanges = | 2888 server_options.key_exchanges = |
| 2887 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2889 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
| 2888 server_options.bulk_ciphers = | 2890 server_options.bulk_ciphers = |
| 2889 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2891 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
| 2890 server_options.enable_npn = true; | 2892 server_options.enable_npn = true; |
| 2891 SSLConfig client_config; | 2893 SSLConfig client_config; |
| 2892 client_config.next_protos.push_back(kProtoHTTP11); | 2894 client_config.next_protos.push_back(kProtoHTTP11); |
| 2893 ASSERT_NO_FATAL_FAILURE( | 2895 ASSERT_NO_FATAL_FAILURE( |
| 2894 TestFalseStart(server_options, client_config, true)); | 2896 TestFalseStart(server_options, client_config, true)); |
| 2895 } | 2897 } |
| 2896 | 2898 |
| 2897 // Test that False Start is disabled without NPN. | 2899 // Test that False Start is disabled without NPN. |
| 2898 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { | 2900 TEST_F(SSLClientSocketFalseStartTest, NoNPN) { |
| 2899 if (!SupportsAESGCM()) { | 2901 if (!SupportsAESGCM()) { |
| 2900 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | 2902 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; |
| 2901 return; | 2903 return; |
| 2902 } | 2904 } |
| 2903 | 2905 |
| 2904 SpawnedTestServer::SSLOptions server_options; | 2906 SpawnedTestServer::SSLOptions server_options; |
| 2905 server_options.key_exchanges = | 2907 server_options.key_exchanges = |
| 2906 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2908 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
| 2907 server_options.bulk_ciphers = | 2909 server_options.bulk_ciphers = |
| 2908 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2910 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
| 2909 SSLConfig client_config; | 2911 SSLConfig client_config; |
| 2910 client_config.next_protos.clear(); | 2912 client_config.next_protos.clear(); |
| 2911 ASSERT_NO_FATAL_FAILURE( | 2913 ASSERT_NO_FATAL_FAILURE( |
| 2912 TestFalseStart(server_options, client_config, false)); | 2914 TestFalseStart(server_options, client_config, false)); |
| 2913 } | 2915 } |
| 2914 | 2916 |
| 2915 // Test that False Start is disabled without perfect forward secrecy. | 2917 // Test that False Start is disabled without perfect forward secrecy. |
| 2916 TEST_F(SSLClientSocketFalseStartTest, NoForwardSecrecy) { | 2918 TEST_F(SSLClientSocketFalseStartTest, RSA) { |
| 2917 if (!SupportsAESGCM()) { | 2919 if (!SupportsAESGCM()) { |
| 2918 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | 2920 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; |
| 2919 return; | 2921 return; |
| 2920 } | 2922 } |
| 2921 | 2923 |
| 2922 SpawnedTestServer::SSLOptions server_options; | 2924 SpawnedTestServer::SSLOptions server_options; |
| 2923 server_options.key_exchanges = | 2925 server_options.key_exchanges = |
| 2924 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; | 2926 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_RSA; |
| 2925 server_options.bulk_ciphers = | 2927 server_options.bulk_ciphers = |
| 2926 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2928 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
| 2927 server_options.enable_npn = true; | 2929 server_options.enable_npn = true; |
| 2928 SSLConfig client_config; | 2930 SSLConfig client_config; |
| 2929 client_config.next_protos.push_back(kProtoHTTP11); | 2931 client_config.next_protos.push_back(kProtoHTTP11); |
| 2930 ASSERT_NO_FATAL_FAILURE( | 2932 ASSERT_NO_FATAL_FAILURE( |
| 2931 TestFalseStart(server_options, client_config, false)); | 2933 TestFalseStart(server_options, client_config, false)); |
| 2932 } | 2934 } |
| 2933 | 2935 |
| 2936 // Test that False Start is disabled without perfect forward secrecy. | |
Ryan Sleevi
2015/04/02 00:42:58
Is this comment correct? DHE is PFS
davidben
2015/04/02 16:48:31
Done.
| 2937 TEST_F(SSLClientSocketFalseStartTest, DHE_RSA) { | |
| 2938 if (!SupportsAESGCM()) { | |
| 2939 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | |
| 2940 return; | |
| 2941 } | |
| 2942 | |
| 2943 SpawnedTestServer::SSLOptions server_options; | |
| 2944 server_options.key_exchanges = | |
| 2945 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | |
| 2946 server_options.bulk_ciphers = | |
| 2947 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | |
| 2948 server_options.enable_npn = true; | |
| 2949 SSLConfig client_config; | |
| 2950 client_config.next_protos.push_back(kProtoHTTP11); | |
| 2951 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); | |
| 2952 } | |
| 2953 | |
| 2934 // Test that False Start is disabled without an AEAD. | 2954 // Test that False Start is disabled without an AEAD. |
| 2935 TEST_F(SSLClientSocketFalseStartTest, NoAEAD) { | 2955 TEST_F(SSLClientSocketFalseStartTest, NoAEAD) { |
| 2936 SpawnedTestServer::SSLOptions server_options; | 2956 SpawnedTestServer::SSLOptions server_options; |
| 2937 server_options.key_exchanges = | 2957 server_options.key_exchanges = |
| 2938 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2958 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
| 2939 server_options.bulk_ciphers = | 2959 server_options.bulk_ciphers = |
| 2940 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128; | 2960 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128; |
| 2941 server_options.enable_npn = true; | 2961 server_options.enable_npn = true; |
| 2942 SSLConfig client_config; | 2962 SSLConfig client_config; |
| 2943 client_config.next_protos.push_back(kProtoHTTP11); | 2963 client_config.next_protos.push_back(kProtoHTTP11); |
| 2944 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); | 2964 ASSERT_NO_FATAL_FAILURE(TestFalseStart(server_options, client_config, false)); |
| 2945 } | 2965 } |
| 2946 | 2966 |
| 2947 // Test that sessions are resumable after receiving the server Finished message. | 2967 // Test that sessions are resumable after receiving the server Finished message. |
| 2948 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { | 2968 TEST_F(SSLClientSocketFalseStartTest, SessionResumption) { |
| 2949 if (!SupportsAESGCM()) { | 2969 if (!SupportsAESGCM()) { |
| 2950 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | 2970 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; |
| 2951 return; | 2971 return; |
| 2952 } | 2972 } |
| 2953 | 2973 |
| 2954 // Start a server. | 2974 // Start a server. |
| 2955 SpawnedTestServer::SSLOptions server_options; | 2975 SpawnedTestServer::SSLOptions server_options; |
| 2956 server_options.key_exchanges = | 2976 server_options.key_exchanges = |
| 2957 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 2977 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
| 2958 server_options.bulk_ciphers = | 2978 server_options.bulk_ciphers = |
| 2959 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 2979 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
| 2960 server_options.enable_npn = true; | 2980 server_options.enable_npn = true; |
| 2961 SSLConfig client_config; | 2981 SSLConfig client_config; |
| 2962 client_config.next_protos.push_back(kProtoHTTP11); | 2982 client_config.next_protos.push_back(kProtoHTTP11); |
| 2963 | 2983 |
| 2964 // Let a full handshake complete with False Start. | 2984 // Let a full handshake complete with False Start. |
| 2965 ASSERT_NO_FATAL_FAILURE( | 2985 ASSERT_NO_FATAL_FAILURE( |
| 2966 TestFalseStart(server_options, client_config, true)); | 2986 TestFalseStart(server_options, client_config, true)); |
| 2967 | 2987 |
| 2985 // message. | 3005 // message. |
| 2986 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) { | 3006 TEST_F(SSLClientSocketFalseStartTest, NoSessionResumptionBeforeFinish) { |
| 2987 if (!SupportsAESGCM()) { | 3007 if (!SupportsAESGCM()) { |
| 2988 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; | 3008 LOG(WARNING) << "Skipping test because AES-GCM is not supported."; |
| 2989 return; | 3009 return; |
| 2990 } | 3010 } |
| 2991 | 3011 |
| 2992 // Start a server. | 3012 // Start a server. |
| 2993 SpawnedTestServer::SSLOptions server_options; | 3013 SpawnedTestServer::SSLOptions server_options; |
| 2994 server_options.key_exchanges = | 3014 server_options.key_exchanges = |
| 2995 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_DHE_RSA; | 3015 SpawnedTestServer::SSLOptions::KEY_EXCHANGE_ECDHE_RSA; |
| 2996 server_options.bulk_ciphers = | 3016 server_options.bulk_ciphers = |
| 2997 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; | 3017 SpawnedTestServer::SSLOptions::BULK_CIPHER_AES128GCM; |
| 2998 server_options.enable_npn = true; | 3018 server_options.enable_npn = true; |
| 2999 ASSERT_TRUE(StartTestServer(server_options)); | 3019 ASSERT_TRUE(StartTestServer(server_options)); |
| 3000 | 3020 |
| 3001 SSLConfig client_config; | 3021 SSLConfig client_config; |
| 3002 client_config.next_protos.push_back(kProtoHTTP11); | 3022 client_config.next_protos.push_back(kProtoHTTP11); |
| 3003 | 3023 |
| 3004 // Start a handshake up to the server Finished message. | 3024 // Start a handshake up to the server Finished message. |
| 3005 TestCompletionCallback callback; | 3025 TestCompletionCallback callback; |
| 3099 ssl_config.channel_id_enabled = true; | 3119 ssl_config.channel_id_enabled = true; |
| 3100 | 3120 |
| 3101 int rv; | 3121 int rv; |
| 3102 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 3122 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3103 | 3123 |
| 3104 EXPECT_EQ(ERR_UNEXPECTED, rv); | 3124 EXPECT_EQ(ERR_UNEXPECTED, rv); |
| 3105 EXPECT_FALSE(sock_->IsConnected()); | 3125 EXPECT_FALSE(sock_->IsConnected()); |
| 3106 } | 3126 } |
| 3107 | 3127 |
| 3108 } // namespace net | 3128 } // namespace net |
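Review bot: The header comment on the renamed RSA test (new line 2917) still says the case is "without perfect forward secrecy", while the requirement list in FalseStartEnabled (new line 2886) was rewritten in the same hunk to name ECDHE, and the added DHE_RSA test expects false as well; the negative cases are now distinguished by key-exchange type rather than by forward secrecy, so the two comments should use the same term. Suggest `// Test that False Start is disabled with a non-ECDHE key exchange (RSA).` so a reader comparing the RSA and DHE_RSA tests sees why both pass `false` to TestFalseStart. The other negative cases (NoNPN, NoAEAD) each name the single requirement they drop, so the RSA comment is the only one left out of step with the list at 2886. TestFalseStart and the fixture's SupportsAESGCM() are defined outside the shown lines, so whether the guard could move into the fixture's SetUp instead of being repeated in each new test cannot be judged from this hunk.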