| OLD | NEW |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
| 6 | 6 |
| 7 #include "base/macros.h" | 7 #include "base/macros.h" |
| 8 #include "net/ssl/ssl_connection_status_flags.h" |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 10 |
| 10 namespace net { | 11 namespace net { |
| 11 | 12 |
| 12 namespace { | 13 namespace { |
| 13 | 14 |
| 15 int MakeConnectionStatus(int version, uint16_t cipher_suite) { |
| 16 int connection_status = 0; |
| 17 |
| 18 SSLConnectionStatusSetVersion(version, &connection_status); |
| 19 SSLConnectionStatusSetCipherSuite(cipher_suite, &connection_status); |
| 20 |
| 21 return connection_status; |
| 22 } |
| 23 |
| 14 TEST(CipherSuiteNamesTest, Basic) { | 24 TEST(CipherSuiteNamesTest, Basic) { |
| 15 const char *key_exchange, *cipher, *mac; | 25 const char *key_exchange, *cipher, *mac; |
| 16 bool is_aead; | 26 bool is_aead; |
| 17 | 27 |
| 18 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); | 28 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); |
| 19 EXPECT_STREQ("ECDH_ECDSA", key_exchange); | 29 EXPECT_STREQ("ECDH_ECDSA", key_exchange); |
| 20 EXPECT_STREQ("NULL", cipher); | 30 EXPECT_STREQ("NULL", cipher); |
| 21 EXPECT_STREQ("HMAC-SHA1", mac); | 31 EXPECT_STREQ("HMAC-SHA1", mac); |
| 22 EXPECT_FALSE(is_aead); | 32 EXPECT_FALSE(is_aead); |
| 23 | 33 |
| 62 "0x004", | 72 "0x004", |
| 63 "0xBEEFY", | 73 "0xBEEFY", |
| 64 }; | 74 }; |
| 65 | 75 |
| 66 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { | 76 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { |
| 67 uint16_t cipher_suite = 0; | 77 uint16_t cipher_suite = 0; |
| 68 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); | 78 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); |
| 69 } | 79 } |
| 70 } | 80 } |
| 71 | 81 |
| 72 TEST(CipherSuiteNamesTest, SecureCipherSuites) { | 82 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocol) { |
| 73 // Picked some random cipher suites. | 83 // Modern cipher suite. Note that this can't actually appear with obsolete |
| 74 EXPECT_FALSE(IsSecureTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 84 // cipher suites in a real connection, but we're just trying to test that |
| 75 EXPECT_FALSE( | 85 // ObsoleteSSLStatus() can identify an obsolete protocol individually. |
| 76 IsSecureTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 86 uint16_t kModernCipherSuite = |
| 77 EXPECT_FALSE(IsSecureTLSCipherSuite( | 87 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 78 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | |
| 79 EXPECT_FALSE( | |
| 80 IsSecureTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | |
| 81 EXPECT_FALSE(IsSecureTLSCipherSuite( | |
| 82 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); | |
| 83 EXPECT_FALSE( | |
| 84 IsSecureTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); | |
| 85 EXPECT_FALSE( | |
| 86 IsSecureTLSCipherSuite(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); | |
| 87 EXPECT_FALSE( | |
| 88 IsSecureTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); | |
| 89 | 88 |
| 90 // Non-existent cipher suite. | 89 // Obsolete |
| 91 EXPECT_FALSE(IsSecureTLSCipherSuite(0xffff)) << "Doesn't exist!"; | 90 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 91 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL2, |
| 92 kModernCipherSuite))); |
| 93 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 94 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL3, |
| 95 kModernCipherSuite))); |
| 96 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 97 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_TLS1, |
| 98 kModernCipherSuite))); |
| 99 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 100 ObsoleteSSLStatus(MakeConnectionStatus( |
| 101 SSL_CONNECTION_VERSION_TLS1_1, kModernCipherSuite))); |
| 92 | 102 |
| 93 // Secure ones. | 103 // Modern |
| 94 EXPECT_TRUE(IsSecureTLSCipherSuite( | 104 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 95 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 105 ObsoleteSSLStatus(MakeConnectionStatus( |
| 96 EXPECT_TRUE(IsSecureTLSCipherSuite( | 106 SSL_CONNECTION_VERSION_TLS1_2, kModernCipherSuite))); |
| 97 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 107 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 98 EXPECT_TRUE(IsSecureTLSCipherSuite( | 108 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_QUIC, |
| 99 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 109 kModernCipherSuite))); |
| 100 EXPECT_TRUE(IsSecureTLSCipherSuite( | 110 } |
| 101 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 111 |
| 102 EXPECT_TRUE(IsSecureTLSCipherSuite( | 112 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocolAndCipherSuite) { |
| 103 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 113 int kObsoleteVersion = SSL_CONNECTION_VERSION_TLS1; |
| 114 int kModernVersion = SSL_CONNECTION_VERSION_TLS1_2; |
| 115 |
| 116 uint16_t kObsoleteCipherObsoleteKeyExchange = |
| 117 0x67; /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */ |
| 118 uint16_t kObsoleteCipherModernKeyExchange = |
| 119 0x9e; /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 120 uint16_t kModernCipherObsoleteKeyExchange = |
| 121 0xc014; /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ |
| 122 uint16_t kModernCipherModernKeyExchange = |
| 123 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 124 |
| 125 // Bogus |
| 126 EXPECT_EQ( |
| 127 OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | |
| 128 OBSOLETE_SSL_MASK_CIPHER, |
| 129 ObsoleteSSLStatus(MakeConnectionStatus( |
| 130 SSL_CONNECTION_VERSION_UNKNOWN, 0x0 /* TLS_NULL_WITH_NULL_NULL */))); |
| 131 |
| 132 // Cartesian combos |
| 133 // As above, some of these combinations can't happen in practice. |
| 134 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | |
| 135 OBSOLETE_SSL_MASK_CIPHER, |
| 136 ObsoleteSSLStatus(MakeConnectionStatus( |
| 137 kObsoleteVersion, kObsoleteCipherObsoleteKeyExchange))); |
| 138 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE, |
| 139 ObsoleteSSLStatus(MakeConnectionStatus( |
| 140 kObsoleteVersion, kObsoleteCipherModernKeyExchange))); |
| 141 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_CIPHER, |
| 142 ObsoleteSSLStatus(MakeConnectionStatus( |
| 143 kObsoleteVersion, kModernCipherObsoleteKeyExchange))); |
| 144 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 145 ObsoleteSSLStatus(MakeConnectionStatus( |
| 146 kObsoleteVersion, kModernCipherModernKeyExchange))); |
| 147 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE | OBSOLETE_SSL_MASK_CIPHER, |
| 148 ObsoleteSSLStatus(MakeConnectionStatus( |
| 149 kModernVersion, kObsoleteCipherObsoleteKeyExchange))); |
| 150 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE, |
| 151 ObsoleteSSLStatus(MakeConnectionStatus( |
| 152 kModernVersion, kObsoleteCipherModernKeyExchange))); |
| 153 EXPECT_EQ(OBSOLETE_SSL_MASK_CIPHER, |
| 154 ObsoleteSSLStatus(MakeConnectionStatus( |
| 155 kModernVersion, kModernCipherObsoleteKeyExchange))); |
| 156 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 157 ObsoleteSSLStatus(MakeConnectionStatus( |
| 158 kModernVersion, kModernCipherModernKeyExchange))); |
| 104 } | 159 } |
| 105 | 160 |
| 106 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { | 161 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { |
| 107 // Picked some random cipher suites. | 162 // Picked some random cipher suites. |
| 108 EXPECT_FALSE( | 163 EXPECT_FALSE( |
| 109 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 164 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
| 110 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 165 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 111 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 166 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
| 112 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 167 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 113 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 168 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
| 134 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 189 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
| 135 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 190 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
| 136 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 191 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 137 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 192 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
| 138 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 193 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 139 } | 194 } |
| 140 | 195 |
| 141 } // anonymous namespace | 196 } // anonymous namespace |
| 142 | 197 |
| 143 } // namespace net | 198 } // namespace net |
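Review bot: In ObsoleteSSLStatusProtocolAndCipherSuite the two mixed constants are named the wrong way round: `kObsoleteCipherModernKeyExchange` is 0x9e (DHE_RSA with AES_128_GCM) and is expected to produce `OBSOLETE_SSL_MASK_KEY_EXCHANGE`, while `kModernCipherObsoleteKeyExchange` is 0xc014 (ECDHE_RSA with AES_256_CBC) and is expected to produce `OBSOLETE_SSL_MASK_CIPHER`. The expectations agree with the suites themselves, so the assertions look right, but the names tell a reader the opposite of what is being checked; swapping the two names fixes it without touching any expectation. These locals and `kModernCipherSuite` also use the `k` constant prefix without being constant, so declare them as e.g. `const uint16_t kModernCipherSuite = 0xc02f;`. The removed SecureCipherSuites test exercised static RSA (0x9c), anonymous DH (0xc5), the ChaCha20-Poly1305 suites and the non-existent 0xffff, and none of those are passed to ObsoleteSSLStatus() in the new tests. Keeping one case for each, with the expected mask taken from the implementation, would catch a regression in how weak or unknown suites are classified.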
| OLD | NEW |