net/http/http_network_transaction_ssl_unittest.cc - Issue 14125003: Do not roll back to SSL 3.0 for Google properties.

Side by Side Diff: net/http/http_network_transaction_ssl_unittest.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: disable Created 7 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include <string>

	6

	7 #include "base/memory/ref_counted.h"

	8 #include "base/memory/scoped_ptr.h"

	9 #include "net/base/net_util.h"

	10 #include "net/base/request_priority.h"

	11 #include "net/http/http_network_session.h"

	12 #include "net/http/http_network_transaction.h"

	13 #include "net/http/http_request_info.h"

	14 #include "net/socket/socket_test_util.h"

	15 #include "net/spdy/spdy_test_util_spdy3.h"

	16 #include "testing/gtest/include/gtest/gtest.h"

	17

	18 namespace net {

	19

	20 namespace {

	21

	22 class HttpNetworkTransactionSSLTest : public testing::Test {

	23 public:

	24 HttpRequestInfo* GetRequestInfo(std::string url) {

	25 HttpRequestInfo* request_info = new HttpRequestInfo;

	26 request_info->url = GURL(url);

	27 request_info->method = "GET";

	28 return request_info;

	29 }

	30 };

	31

	32 TEST_F(HttpNetworkTransactionSSLTest, Google_SSLVersionMinPreloadedEnabled) {

	33 net::test_spdy3::SpdySessionDependencies session_deps;
	thaidn_google 2013/04/16 00:39:12 Please let me know if you think I shouldn't reuse Please let me know if you think I shouldn't reuse this class. Ryan Sleevi 2013/04/16 19:55:26 You shouldn't re-use this class :) You could use Show quoted text On 2013/04/16 00:39:12, thaidn_google wrote: > Please let me know if you think I shouldn't reuse this class. You shouldn't re-use this class :) You could use something similar to http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_network_layer_u... for these bits, AIUI. thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > On 2013/04/16 00:39:12, thaidn_google wrote: > > Please let me know if you think I shouldn't reuse this class. > > You shouldn't re-use this class :) > > You could use something similar to > http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_network_layer_u... > for these bits, AIUI. Done.
	34

	35 // \|ssl_data1\| contains the data for the first SSL handshake that will
	Ryan Sleevi 2013/04/16 19:55:26 comment nit: you intermix comments of "first SSL h comment nit: you intermix comments of "first SSL handshake" (when talking about TLS) and "first handshake" (when talking about SSL3) I would suggest consistently saying "first handshake", and then making sure the comment explains which version you expect to be negotiated. Further, it seems like the # of handshakes is coupled to the TLS versions you're using (eg: TLS 1.1 -> TLS 1.0 -> SSL3), which will then create issues if/when we change the default to include TLS 1.2 (since now you have an ADDITIONAL set of fallbacks) Seems like this test harness should explicitly configure its supported TLS version to 1.0, so that there is only ever one fallback - to SSL3.
	36 // return \|net::ERR_SSL_PROTOCOL_ERROR\| to trigger the fallback logic in

	37 // \|HttpNetworkTransaction::HandleSSLHandshakeError\|.

	38 SSLSocketDataProvider ssl_data1(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	39 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data1);

	40 net::StaticSocketDataProvider data1(NULL, 0, NULL, 0);

	41 session_deps.socket_factory->AddSocketDataProvider(&data1);

	42

	43 // \|ssl_data2\| contains the data for the second SSL handshake. When a

	44 // connection to a server fails during an SSL handshake,

	45 // HttpNetworkTransaction will attempt to fallback to TLSv1 if the previous

	46 // connection was attempted with TLSv1.1. This is transparent to the caller

	47 // of the HttpNetworkTransaction.

	48 SSLSocketDataProvider ssl_data2(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	49 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data2);

	50 net::StaticSocketDataProvider data2(NULL, 0, NULL, 0);

	51 session_deps.socket_factory->AddSocketDataProvider(&data2);

	52

	53 // Note: usually there should be a third handshake when

	54 // \|HttpNetworkTransaction\| attempts to fallback to SSLv3 if the previous

	55 // connection was attempted with TLSv1. There are only two handshakes here

	56 // because SSLv3 fallback on Google's properties is disabled in this test.

	57

	58 scoped_refptr<HttpNetworkSession> session(

	59 net::test_spdy3::SpdySessionDependencies::SpdyCreateSession(

	60 &session_deps));

	61 scoped_ptr<HttpNetworkTransaction> trans(

	62 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));

	63 TestCompletionCallback callback;

	64

	65 // This will consume \|ssl_data1\| and \|ssl_data2\|.

	66 int rv = trans->Start(GetRequestInfo("https://www.google.com/"),

	67 callback.callback(), BoundNetLog());

	68 EXPECT_EQ(ERR_IO_PENDING, rv);

	69 // Complete the SSL handshake.

	70 rv = callback.WaitForResult();
	Ryan Sleevi 2013/04/16 19:55:26 We're trying to phase out this pattern in existing We're trying to phase out this pattern in existing code. You can either do: int rv = callback.GetResult(trans->Start(...)) or int rv = trans->Start(); rv = callback.GetResult(rv); The former is preferable. The point of this is that the assertion that rv == ERR_IO_PENDING isn't strictly a requirement of the code under test. For example, you could just as well change line 38/48 to be SYNCHRONOUS completions and the test (should) still function correctly. thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > We're trying to phase out this pattern in existing code. > > You can either do: > > int rv = callback.GetResult(trans->Start(...)) or > > int rv = trans->Start(); > rv = callback.GetResult(rv); > > The former is preferable. > > The point of this is that the assertion that rv == ERR_IO_PENDING isn't strictly > a requirement of the code under test. For example, you could just as well change > line 38/48 to be SYNCHRONOUS completions and the test (should) still function > correctly. Done.
	71 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv);
	Ryan Sleevi 2013/04/16 19:55:26 You're in net (line 18), so you don't need the net You're in net (line 18), so you don't need the net:: prefix anywhere in this file. thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > You're in net (line 18), so you don't need the net:: prefix anywhere in this > file. Done.
	72

	73 // \|version_max\| never fallbacks to SSLv3 for Google's properties.

	74 EXPECT_EQ(SSL_PROTOCOL_VERSION_TLS1,

	75 trans->server_ssl_config_for_testing().version_max);

	76 }

	77

	78 TEST_F(HttpNetworkTransactionSSLTest, Google_SSLVersionMinPreloadedDisabled) {

	79 net::test_spdy3::SpdySessionDependencies session_deps;

	80

	81 // \|ssl_data1\| contains the data for the first SSL handshake that will

	82 // return \|net::ERR_SSL_PROTOCOL_ERROR\| to trigger the fallback logic in

	83 // \|HttpNetworkTransaction::HandleSSLHandshakeError\|.

	84 SSLSocketDataProvider ssl_data1(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	85 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data1);

	86 net::StaticSocketDataProvider data1(NULL, 0, NULL, 0);

	87 session_deps.socket_factory->AddSocketDataProvider(&data1);

	88

	89 // \|ssl_data2\| contains the data for the second SSL handshake. When a

	90 // connection to a server fails during an SSL handshake,

	91 // HttpNetworkTransaction will attempt to fallback to TLSv1 if the previous

	92 // connection was attempted with TLSv1.1. This is transparent to the caller

	93 // of the HttpNetworkTransaction.

	94 SSLSocketDataProvider ssl_data2(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	95 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data2);

	96 net::StaticSocketDataProvider data2(NULL, 0, NULL, 0);

	97 session_deps.socket_factory->AddSocketDataProvider(&data2);

	98

	99 // ssl_data3 contains the data for the third SSL handshake. When a

	100 // connection to a server fails during an SSL handshake,

	101 // \|HttpNetworkTransaction\| will attempt to fallback to SSLv3 if the previous

	102 // connection was attempted with TLSv1. This is transparent to the caller

	103 // of the \|HttpNetworkTransaction\|.

	104 SSLSocketDataProvider ssl_data3(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	105 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data3);

	106 net::StaticSocketDataProvider data3(NULL, 0, NULL, 0);

	107 session_deps.socket_factory->AddSocketDataProvider(&data3);

	108

	109 // Note: if ssl_data3 is omitted (like in

	110 // \|Google_SSLVersionMinPreloadedEnabled\|) then this test will crash, because

	111 // Chrome will attempt to handshake 3 times, but there are just 2 handshake

	112 // data.

	113

	114 scoped_refptr<HttpNetworkSession> session(

	115 net::test_spdy3::SpdySessionDependencies::SpdyCreateSession(

	116 &session_deps));

	117 scoped_ptr<HttpNetworkTransaction> trans(

	118 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));

	119 TestCompletionCallback callback;

	120

	121 SSLConfig& ssl_config = trans->server_ssl_config_for_testing();

	122 ssl_config.ssl_version_min_preloaded_disabled = true;

	123

	124 // This will consume \|ssl_data1\|, \|ssl_data2\| and \|ssl_data3\|.

	125 int rv = trans->Start(GetRequestInfo("https://www.google.com/"),

	126 callback.callback(), BoundNetLog());

	127 EXPECT_EQ(ERR_IO_PENDING, rv);

	128 // Complete the SSL handshake.

	129 rv = callback.WaitForResult();

	130 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv);

	131

	132 // \|version_max\| fallbacks to SSLv3 for Google's properties when

	133 // \|ssl_version_min_preloaded_disabled\| is true.

	134 EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3,

	135 ssl_config.version_max);

	136 }

	137

	138 TEST_F(HttpNetworkTransactionSSLTest, PayPal_SSLVersionMinPreloadedDisabled) {

	139 net::test_spdy3::SpdySessionDependencies session_deps;

	140

	141 // \|ssl_data1\| contains the data for the first SSL handshake that will

	142 // return \|net::ERR_SSL_PROTOCOL_ERROR\| to trigger the fallback logic in

	143 // \|HttpNetworkTransaction::HandleSSLHandshakeError\|.

	144 SSLSocketDataProvider ssl_data1(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	145 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data1);

	146 net::StaticSocketDataProvider data1(NULL, 0, NULL, 0);

	147 session_deps.socket_factory->AddSocketDataProvider(&data1);

	148

	149 // \|ssl_data2\| contains the data for the second SSL handshake. When a

	150 // connection to a server fails during an SSL handshake,

	151 // HttpNetworkTransaction will attempt to fallback to TLSv1 if the previous

	152 // connection was attempted with TLSv1.1. This is transparent to the caller

	153 // of the HttpNetworkTransaction.

	154 SSLSocketDataProvider ssl_data2(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	155 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data2);

	156 net::StaticSocketDataProvider data2(NULL, 0, NULL, 0);

	157 session_deps.socket_factory->AddSocketDataProvider(&data2);

	158

	159 // ssl_data3 contains the data for the third SSL handshake. When a

	160 // connection to a server fails during an SSL handshake,

	161 // HttpNetworkTransaction will attempt to fallback to SSLv3 if the previous

	162 // connection was attempted with TLSv1. This is transparent to the caller

	163 // of the HttpNetworkTransaction. Because this test failure is due to

	164 // requiring a client certificate, this fallback handshake should also

	165 // fail.
	Ryan Sleevi 2013/04/16 19:55:26 This comment seems entirely incorrect (and thus cr This comment seems entirely incorrect (and thus creates issues for the comment on 171-173). Where is it ever set that the failure is due to client certs? You're just flagging a protocol error. thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > This comment seems entirely incorrect (and thus creates issues for the comment > on 171-173). > > Where is it ever set that the failure is due to client certs? You're just > flagging a protocol error. Done.
	166 SSLSocketDataProvider ssl_data3(ASYNC, net::ERR_SSL_PROTOCOL_ERROR);

	167 session_deps.socket_factory->AddSSLSocketDataProvider(&ssl_data3);

	168 net::StaticSocketDataProvider data3(NULL, 0, NULL, 0);

	169 session_deps.socket_factory->AddSocketDataProvider(&data3);

	170

	171 // Note: if ssl_data3 is omitted (like in

	172 // \|Google_SSLVersionMinPreloadedEnabled\|) then this test will crash, because

	173 // Chrome will attempt to handshake 3 times, but there are just 2 handshake
	Ryan Sleevi 2013/04/16 19:55:26 nit: s/Chrome/Chromium/ nit: s/Chrome/Chromium/ thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > nit: s/Chrome/Chromium/ Done.
	174 // data.

	175

	176 scoped_refptr<HttpNetworkSession> session(

	177 net::test_spdy3::SpdySessionDependencies::SpdyCreateSession(

	178 &session_deps));

	179 scoped_ptr<HttpNetworkTransaction> trans(

	180 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));
	Ryan Sleevi 2013/04/16 19:55:26 style: indentation style: indentation thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > style: indentation Done.
	181 TestCompletionCallback callback;

	182

	183 // This will consume \|ssl_data1\|, \|ssl_data2\| and \|ssl_data3\|.

	184 int rv = trans->Start(GetRequestInfo("https://www.paypal.com/"),

	185 callback.callback(), BoundNetLog());
	Ryan Sleevi 2013/04/16 19:55:26 style: indentation style: indentation thaidn_google 2013/04/17 00:46:17 Done. Show quoted text On 2013/04/16 19:55:26, Ryan Sleevi wrote: > style: indentation Done.
	186 EXPECT_EQ(ERR_IO_PENDING, rv);

	187 // Complete the SSL handshake.

	188 rv = callback.WaitForResult();

	189 EXPECT_EQ(net::ERR_SSL_PROTOCOL_ERROR, rv);

	190

	191 // \|version_max\| fallbacks to SSLv3.

	192 EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3,

	193 trans->server_ssl_config_for_testing().version_max);

	194 }

	195

	196 } // namespace

	197 } // namespace net

	198

OLD	NEW

« net/http/http_network_transaction.cc ('K') | « net/http/http_network_transaction.cc ('k') | net/net.gyp » ('j') | net/ssl/ssl_config_service.h » ('J')