OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
9 #include "base/macros.h" | 9 #include "base/macros.h" |
10 #include "base/strings/string_split.h" | 10 #include "base/strings/string_split.h" |
(...skipping 135 matching lines...) | |
146 secure_explanations[0].description); | 146 secure_explanations[0].description); |
147 int cert_id = browser->tab_strip_model() | 147 int cert_id = browser->tab_strip_model() |
148 ->GetActiveWebContents() | 148 ->GetActiveWebContents() |
149 ->GetController() | 149 ->GetController() |
150 .GetActiveEntry() | 150 .GetActiveEntry() |
151 ->GetSSL() | 151 ->GetSSL() |
152 .cert_id; | 152 .cert_id; |
153 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); | 153 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); |
154 } | 154 } |
155 | 155 |
156 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 156 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
157 secure_explanations.back().summary); | 157 secure_explanations.back().summary); |
158 EXPECT_EQ( | 158 |
159 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION), | 159 const std::string secureDescription = |
160 secure_explanations.back().description); | 160 "The connection to this site is encrypted and authenticated using a " |
lgarron
2016/06/14 00:59:42
estark@, do you know if it's okay to hardcode thes
estark
2016/06/15 04:46:08
Why hardcode the string instead of instantiating i
lgarron
2016/08/05 23:22:58
Thanks for the tip. I've switched to instantiating
| |
161 "strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a " | |
162 "strong cipher (AES_128_GCM)."; | |
163 EXPECT_EQ(secureDescription, secure_explanations.back().description); | |
161 } | 164 } |
162 | 165 |
163 void CheckSecurityInfoForSecure( | 166 void CheckSecurityInfoForSecure( |
164 content::WebContents* contents, | 167 content::WebContents* contents, |
165 SecurityStateModel::SecurityLevel expect_security_level, | 168 SecurityStateModel::SecurityLevel expect_security_level, |
166 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, | 169 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, |
167 SecurityStateModel::MixedContentStatus expect_mixed_content_status, | 170 SecurityStateModel::MixedContentStatus expect_mixed_content_status, |
168 bool expect_cert_error) { | 171 bool expect_cert_error) { |
169 ASSERT_TRUE(contents); | 172 ASSERT_TRUE(contents); |
170 | 173 |
(...skipping 682 matching lines...) | |
853 CheckSecureExplanations(observer.latest_explanations().secure_explanations, | 856 CheckSecureExplanations(observer.latest_explanations().secure_explanations, |
854 VALID_CERTIFICATE, browser()); | 857 VALID_CERTIFICATE, browser()); |
855 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); | 858 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); |
856 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); | 859 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); |
857 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); | 860 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); |
858 } | 861 } |
859 | 862 |
860 // After AddNonsecureUrlHandler() is called, requests to this hostname | 863 // After AddNonsecureUrlHandler() is called, requests to this hostname |
861 // will use obsolete TLS settings. | 864 // will use obsolete TLS settings. |
862 const char kMockNonsecureHostname[] = "example-nonsecure.test"; | 865 const char kMockNonsecureHostname[] = "example-nonsecure.test"; |
866 const int obsoleteTLSVersion = net::SSL_CONNECTION_VERSION_TLS1_1; | |
estark
2016/06/15 04:46:08
should be named kObsoleteTLSVersion, I think (and
lgarron
2016/08/05 23:22:58
Done.
| |
867 // ECDHE_RSA + AES_128_CBC with HMAC-SHA1 | |
868 const uint16_t obsoleteTLSJobCipherSuite = 0xc013; | |
estark
2016/06/15 04:46:08
Why the "Job" in the name?
lgarron
2016/08/05 23:22:58
Because it's the cipher suite used by the [URLRequ
| |
863 | 869 |
864 // A URLRequestMockHTTPJob that mocks a TLS connection with an obsolete | 870 // A URLRequestMockHTTPJob that mocks a TLS connection with the obsolete |
865 // protocol version. | 871 // TLS settings specified in obsoleteTLSVersion and |
872 // obsoleteTLSJobCipherSuite. | |
866 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { | 873 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { |
867 public: | 874 public: |
868 URLRequestObsoleteTLSJob(net::URLRequest* request, | 875 URLRequestObsoleteTLSJob(net::URLRequest* request, |
869 net::NetworkDelegate* network_delegate, | 876 net::NetworkDelegate* network_delegate, |
870 const base::FilePath& file_path, | 877 const base::FilePath& file_path, |
871 scoped_refptr<net::X509Certificate> cert, | 878 scoped_refptr<net::X509Certificate> cert, |
872 scoped_refptr<base::TaskRunner> task_runner) | 879 scoped_refptr<base::TaskRunner> task_runner) |
873 : net::URLRequestMockHTTPJob(request, | 880 : net::URLRequestMockHTTPJob(request, |
874 network_delegate, | 881 network_delegate, |
875 file_path, | 882 file_path, |
876 task_runner), | 883 task_runner), |
877 cert_(std::move(cert)) {} | 884 cert_(std::move(cert)) {} |
878 | 885 |
879 void GetResponseInfo(net::HttpResponseInfo* info) override { | 886 void GetResponseInfo(net::HttpResponseInfo* info) override { |
880 net::URLRequestMockHTTPJob::GetResponseInfo(info); | 887 net::URLRequestMockHTTPJob::GetResponseInfo(info); |
881 net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_1, | 888 net::SSLConnectionStatusSetVersion(obsoleteTLSVersion, |
882 &info->ssl_info.connection_status); | 889 &info->ssl_info.connection_status); |
883 const uint16_t kTlsEcdheRsaWithAes128CbcSha = 0xc013; | 890 net::SSLConnectionStatusSetCipherSuite(obsoleteTLSJobCipherSuite, |
884 net::SSLConnectionStatusSetCipherSuite(kTlsEcdheRsaWithAes128CbcSha, | |
885 &info->ssl_info.connection_status); | 891 &info->ssl_info.connection_status); |
886 info->ssl_info.cert = cert_; | 892 info->ssl_info.cert = cert_; |
887 } | 893 } |
888 | 894 |
889 protected: | 895 protected: |
890 ~URLRequestObsoleteTLSJob() override {} | 896 ~URLRequestObsoleteTLSJob() override {} |
891 | 897 |
892 private: | 898 private: |
893 const scoped_refptr<net::X509Certificate> cert_; | 899 const scoped_refptr<net::X509Certificate> cert_; |
894 | 900 |
(...skipping 87 matching lines...) | |
982 // The security style of the page doesn't get downgraded for obsolete | 988 // The security style of the page doesn't get downgraded for obsolete |
983 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. | 989 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. |
984 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, | 990 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, |
985 observer.latest_security_style()); | 991 observer.latest_security_style()); |
986 | 992 |
987 // The messages explaining the security style do, however, get | 993 // The messages explaining the security style do, however, get |
988 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when | 994 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when |
989 // the TLS settings are obsolete. | 995 // the TLS settings are obsolete. |
990 for (const auto& explanation : | 996 for (const auto& explanation : |
991 observer.latest_explanations().secure_explanations) { | 997 observer.latest_explanations().secure_explanations) { |
992 EXPECT_NE(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 998 EXPECT_NE(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
993 explanation.summary); | 999 explanation.summary); |
994 } | 1000 } |
1001 | |
1002 // Sanity check that the test values match what we expect. | |
1003 ASSERT_EQ(net::SSL_CONNECTION_VERSION_TLS1_1, obsoleteTLSVersion); | |
estark
2016/06/15 04:46:08
These should both be EXPECT_EQ, unless I'm missing
lgarron
2016/08/05 23:22:58
Hmm, I had the impression that EXPECT was for stuf
| |
1004 ASSERT_EQ(0xc013, obsoleteTLSJobCipherSuite); | |
estark
2016/06/15 04:46:08
Huh. This strikes me as a little weird (asserting
lgarron
2016/08/05 23:22:58
Okay, okay. :-)
| |
1005 | |
1006 EXPECT_EQ(observer.latest_explanations().info_explanations[0].description, | |
1007 "The connection to this site uses an obsolete protocol (TLS 1.1), " | |
estark
2016/06/15 04:46:08
ditto about instantiating the parameterized string
| |
1008 "a strong key exchange (ECDHE_RSA), and an obsolete cipher " | |
1009 "(AES_128_CBC with HMAC-SHA1)."); | |
995 } | 1010 } |
996 | 1011 |
997 } // namespace | 1012 } // namespace |
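Review bot: `info_explanations[0]` at new line 1006 is read without first checking that the vector is non-empty, so if the obsolete-TLS explanation is ever not produced the test indexes out of bounds instead of failing with a readable message; a preceding `ASSERT_FALSE(observer.latest_explanations().info_explanations.empty());` would make that case a clean failure. The comment at new lines 993-995 still names `SECURE_PROTOCOL_AND_CIPHERSUITE` although the loop below it now compares against `IDS_STRONG_SSL_SUMMARY`; it could read `// downgraded: the strong-SSL summary (IDS_STRONG_SSL_SUMMARY) should not show up when`. The `EXPECT_EQ` at new line 1006 also passes the observed value first and the expected literal second, the reverse of the order used at new lines 156-157 in this file. The enclosing test body starts in the skipped lines above this hunk, so an existing size check there cannot be ruled out.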