1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
64 } | 64 } |
65 | 65 |
66 protected: | 66 protected: |
67 bool GetStaticDomainState(TransportSecurityState* state, | 67 bool GetStaticDomainState(TransportSecurityState* state, |
68 const std::string& host, | 68 const std::string& host, |
69 TransportSecurityState::DomainState* result) { | 69 TransportSecurityState::DomainState* result) { |
70 return state->GetStaticDomainState(host, result); | 70 return state->GetStaticDomainState(host, result); |
71 } | 71 } |
72 }; | 72 }; |
73 | 73 |
| 74 TEST_F(TransportSecurityStateTest, DomainNameOddities) { |
| 75 TransportSecurityState state; |
| 76 const base::Time current_time(base::Time::Now()); |
| 77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 78 |
| 79 // DNS suffix search tests. Some DNS resolvers allow a terminal "." to |
| 80 // indicate not perform DNS suffix searching. Ensure that regardless |
| 81 // of how this is treated at the resolver layer, or at the URL/origin |
| 82 // layer (that is, whether they are treated as equivalent or distinct), |
| 83 // ensure that for policy matching, something lacking a terminal "." |
| 84 // is equivalent to something with a terminal "." |
| 85 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
| 86 |
| 87 state.AddHSTS("example.com", expiry, true /* include_subdomains */); |
| 88 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| 89 // Trailing '.' should be equivalent; it's just a resolver hint |
| 90 EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com.")); |
| 91 // Leading '.' should be invalid |
| 92 EXPECT_FALSE(state.ShouldUpgradeToSSL(".example.com")); |
| 93 // Subdomains should work regardless |
| 94 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com")); |
| 95 EXPECT_TRUE(state.ShouldUpgradeToSSL("sub.example.com.")); |
| 96 // But invalid subdomains should be rejected |
| 97 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com")); |
| 98 EXPECT_FALSE(state.ShouldUpgradeToSSL("sub..example.com.")); |
| 99 |
| 100 // Now try the inverse form |
| 101 TransportSecurityState state2; |
| 102 state2.AddHSTS("example.net.", expiry, true /* include_subdomains */); |
| 103 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net.")); |
| 104 EXPECT_TRUE(state2.ShouldUpgradeToSSL("example.net")); |
| 105 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net.")); |
| 106 EXPECT_TRUE(state2.ShouldUpgradeToSSL("sub.example.net")); |
| 107 |
| 108 // Finally, test weird things |
| 109 TransportSecurityState state3; |
| 110 state3.AddHSTS("", expiry, true /* include_subdomains */); |
| 111 EXPECT_FALSE(state3.ShouldUpgradeToSSL("")); |
| 112 EXPECT_FALSE(state3.ShouldUpgradeToSSL(".")); |
| 113 EXPECT_FALSE(state3.ShouldUpgradeToSSL("...")); |
| 114 // Make sure it didn't somehow apply HSTS to the world |
| 115 EXPECT_FALSE(state3.ShouldUpgradeToSSL("example.org")); |
| 116 |
| 117 TransportSecurityState state4; |
| 118 state4.AddHSTS(".", expiry, true /* include_subdomains */); |
| 119 EXPECT_FALSE(state4.ShouldUpgradeToSSL("")); |
| 120 EXPECT_FALSE(state4.ShouldUpgradeToSSL(".")); |
| 121 EXPECT_FALSE(state4.ShouldUpgradeToSSL("...")); |
| 122 EXPECT_FALSE(state4.ShouldUpgradeToSSL("example.org")); |
| 123 |
| 124 // Now do the same for preloaded entries |
| 125 TransportSecurityState state5; |
| 126 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com")); |
| 127 EXPECT_TRUE(state5.ShouldUpgradeToSSL("accounts.google.com.")); |
| 128 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com")); |
| 129 EXPECT_FALSE(state5.ShouldUpgradeToSSL("accounts..google.com.")); |
| 130 } |
| 131 |
74 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 132 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
75 TransportSecurityState state; | 133 TransportSecurityState state; |
76 const base::Time current_time(base::Time::Now()); | 134 const base::Time current_time(base::Time::Now()); |
77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 135 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
78 | 136 |
79 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); | 137 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
80 bool include_subdomains = false; | 138 bool include_subdomains = false; |
81 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 139 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
82 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); | 140 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
83 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("yahoo.com")); | 141 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("yahoo.com")); |
116 } | 174 } |
117 state.GetStaticDomainState(hostname, &domain_state); | 175 state.GetStaticDomainState(hostname, &domain_state); |
118 } | 176 } |
119 } | 177 } |
120 | 178 |
121 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 179 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
122 TransportSecurityState state; | 180 TransportSecurityState state; |
123 const base::Time current_time(base::Time::Now()); | 181 const base::Time current_time(base::Time::Now()); |
124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 182 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
125 | 183 |
| 184 // Check dynamic entries |
126 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM")); | 185 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM")); |
127 bool include_subdomains = false; | 186 bool include_subdomains = false; |
128 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 187 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
129 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM")); | 188 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM")); |
| 189 |
| 190 // Check static entries |
| 191 EXPECT_TRUE(state.ShouldUpgradeToSSL("AccounTs.GooGle.com")); |
| 192 EXPECT_TRUE(state.ShouldUpgradeToSSL("mail.google.COM")); |
130 } | 193 } |
131 | 194 |
132 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 195 TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
133 TransportSecurityState state; | 196 TransportSecurityState state; |
134 const base::Time current_time(base::Time::Now()); | 197 const base::Time current_time(base::Time::Now()); |
135 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 198 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
136 | 199 |
137 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); | 200 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
138 bool include_subdomains = true; | 201 bool include_subdomains = true; |
139 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 202 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
966 // These hosts used to only be HSTS when SNI was available. | 1029 // These hosts used to only be HSTS when SNI was available. |
967 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1030 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
968 "gmail.com")); | 1031 "gmail.com")); |
969 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1032 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
970 "googlegroups.com")); | 1033 "googlegroups.com")); |
971 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 1034 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
972 "www.googlegroups.com")); | 1035 "www.googlegroups.com")); |
973 } | 1036 } |
974 | 1037 |
975 } // namespace net | 1038 } // namespace net |
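Review bot: The trailing-dot equivalence in DomainNameOddities is only exercised with include_subdomains set to true (new-file lines 87 and 102), so an implementation that matched `example.com.` by walking the subdomain chain instead of by exact host would still pass; an exact-only case such as `state.AddHSTS("exact.example.com", expiry, false); EXPECT_TRUE(state.ShouldUpgradeToSSL("exact.example.com."));` would pin that the name is normalised before matching. The same hunk leaves the leading-dot rejection untested for the entry added with a trailing dot in state2, e.g. `EXPECT_FALSE(state2.ShouldUpgradeToSSL(".example.net"));`. The preloaded checks at new-file lines 126–129 (and 191–192 in MatchesCase2) silently depend on accounts.google.com staying in the static list, which deserves a note like `// Relies on accounts.google.com being in the preloaded HSTS list.`. The comment at lines 79–84 reads awkwardly ("indicate not perform", "Ensure ... ensure"); `// indicate that no DNS suffix searching should be performed. Regardless of how the resolver or URL layer treats it, for policy matching a name without a terminal "." must be equivalent to the same name with one.` states the intent more plainly.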