| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
| 6 | 6 |
| 7 #include "base/macros.h" | 7 #include "base/macros.h" |
| 8 #include "base/strings/stringprintf.h" | 8 #include "base/strings/stringprintf.h" |
| 9 #include "net/ssl/ssl_connection_status_flags.h" |
| 9 #include "testing/gtest/include/gtest/gtest.h" | 10 #include "testing/gtest/include/gtest/gtest.h" |
| 10 | 11 |
| 11 namespace net { | 12 namespace net { |
| 12 | 13 |
| 13 namespace { | 14 namespace { |
| 14 | 15 |
| 16 int kObsoleteVersion = SSL_CONNECTION_VERSION_TLS1; |
| 17 int kModernVersion = SSL_CONNECTION_VERSION_TLS1_2; |
| 18 |
| 19 uint16_t kModernCipherSuite = |
| 20 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 21 |
| 22 uint16_t kObsoleteCipherObsoleteKeyExchange = |
| 23 0x67; /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */ |
| 24 uint16_t kObsoleteCipherModernKeyExchange = |
| 25 0x9e; /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 26 uint16_t kModernCipherObsoleteKeyExchange = |
| 27 0xc014; /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ |
| 28 uint16_t kModernCipherModernKeyExchange = |
| 29 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ |
| 30 |
| 31 int MakeConnectionStatus(int version, uint16_t cipher_suite) { |
| 32 int connection_status = 0; |
| 33 |
| 34 SSLConnectionStatusSetVersion(version, &connection_status); |
| 35 SSLConnectionStatusSetCipherSuite(cipher_suite, &connection_status); |
| 36 |
| 37 return connection_status; |
| 38 } |
| 39 |
| 15 TEST(CipherSuiteNamesTest, Basic) { | 40 TEST(CipherSuiteNamesTest, Basic) { |
| 16 const char *key_exchange, *cipher, *mac; | 41 const char *key_exchange, *cipher, *mac; |
| 17 bool is_aead; | 42 bool is_aead; |
| 18 | 43 |
| 19 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); | 44 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); |
| 20 EXPECT_STREQ("ECDH_ECDSA", key_exchange); | 45 EXPECT_STREQ("ECDH_ECDSA", key_exchange); |
| 21 EXPECT_STREQ("NULL", cipher); | 46 EXPECT_STREQ("NULL", cipher); |
| 22 EXPECT_STREQ("HMAC-SHA1", mac); | 47 EXPECT_STREQ("HMAC-SHA1", mac); |
| 23 EXPECT_FALSE(is_aead); | 48 EXPECT_FALSE(is_aead); |
| 24 | 49 |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 63 "0x004", | 88 "0x004", |
| 64 "0xBEEFY", | 89 "0xBEEFY", |
| 65 }; | 90 }; |
| 66 | 91 |
| 67 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { | 92 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { |
| 68 uint16_t cipher_suite = 0; | 93 uint16_t cipher_suite = 0; |
| 69 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); | 94 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); |
| 70 } | 95 } |
| 71 } | 96 } |
| 72 | 97 |
| 73 TEST(CipherSuiteNamesTest, SecureCipherSuites) { | 98 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocol) { |
| 74 // Picked some random cipher suites. | 99 // Obsolete |
| 75 EXPECT_FALSE(IsSecureTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 100 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 76 EXPECT_FALSE( | 101 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL2, |
| 77 IsSecureTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 102 kModernCipherSuite))); |
| 78 EXPECT_FALSE(IsSecureTLSCipherSuite( | 103 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 79 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 104 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL3, |
| 80 EXPECT_FALSE( | 105 kModernCipherSuite))); |
| 81 IsSecureTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | 106 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 82 EXPECT_FALSE(IsSecureTLSCipherSuite( | 107 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_TLS1, |
| 83 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); | 108 kModernCipherSuite))); |
| 84 EXPECT_FALSE( | 109 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 85 IsSecureTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 110 ObsoleteSSLStatus(MakeConnectionStatus( |
| 86 EXPECT_FALSE( | 111 SSL_CONNECTION_VERSION_TLS1_1, kModernCipherSuite))); |
| 87 IsSecureTLSCipherSuite(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); | |
| 88 EXPECT_FALSE( | |
| 89 IsSecureTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); | |
| 90 | 112 |
| 91 // Non-existent cipher suite. | 113 // Modern |
| 92 EXPECT_FALSE(IsSecureTLSCipherSuite(0xffff)) << "Doesn't exist!"; | 114 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 115 ObsoleteSSLStatus(MakeConnectionStatus( |
| 116 SSL_CONNECTION_VERSION_TLS1_2, kModernCipherSuite))); |
| 117 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 118 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_QUIC, |
| 119 kModernCipherSuite))); |
| 120 } |
| 93 | 121 |
| 94 // Secure ones. | 122 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocolAndCipherSuite) { |
| 95 EXPECT_TRUE(IsSecureTLSCipherSuite( | 123 // Bogus |
| 96 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 124 EXPECT_EQ( |
| 97 EXPECT_TRUE(IsSecureTLSCipherSuite( | 125 OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | |
| 98 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 126 OBSOLETE_SSL_MASK_CIPHER, |
| 99 EXPECT_TRUE(IsSecureTLSCipherSuite( | 127 ObsoleteSSLStatus(MakeConnectionStatus( |
| 100 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 128 SSL_CONNECTION_VERSION_UNKNOWN, 0x0 /* TLS_NULL_WITH_NULL_NULL */))); |
| 101 EXPECT_TRUE(IsSecureTLSCipherSuite( | 129 |
| 102 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 130 // Cartesian combos |
| 103 EXPECT_TRUE(IsSecureTLSCipherSuite( | 131 // As above, some of these combinations can't happen in practice. |
| 104 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 132 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | |
| 133 OBSOLETE_SSL_MASK_CIPHER, |
| 134 ObsoleteSSLStatus(MakeConnectionStatus( |
| 135 kObsoleteVersion, kObsoleteCipherObsoleteKeyExchange))); |
| 136 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE, |
| 137 ObsoleteSSLStatus(MakeConnectionStatus( |
| 138 kObsoleteVersion, kObsoleteCipherModernKeyExchange))); |
| 139 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_CIPHER, |
| 140 ObsoleteSSLStatus(MakeConnectionStatus( |
| 141 kObsoleteVersion, kModernCipherObsoleteKeyExchange))); |
| 142 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, |
| 143 ObsoleteSSLStatus(MakeConnectionStatus( |
| 144 kObsoleteVersion, kModernCipherModernKeyExchange))); |
| 145 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE | OBSOLETE_SSL_MASK_CIPHER, |
| 146 ObsoleteSSLStatus(MakeConnectionStatus( |
| 147 kModernVersion, kObsoleteCipherObsoleteKeyExchange))); |
| 148 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE, |
| 149 ObsoleteSSLStatus(MakeConnectionStatus( |
| 150 kModernVersion, kObsoleteCipherModernKeyExchange))); |
| 151 EXPECT_EQ(OBSOLETE_SSL_MASK_CIPHER, |
| 152 ObsoleteSSLStatus(MakeConnectionStatus( |
| 153 kModernVersion, kModernCipherObsoleteKeyExchange))); |
| 154 EXPECT_EQ(OBSOLETE_SSL_NONE, |
| 155 ObsoleteSSLStatus(MakeConnectionStatus( |
| 156 kModernVersion, kModernCipherModernKeyExchange))); |
| 105 } | 157 } |
| 106 | 158 |
| 107 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { | 159 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { |
| 108 // Picked some random cipher suites. | 160 // Picked some random cipher suites. |
| 109 EXPECT_FALSE( | 161 EXPECT_FALSE( |
| 110 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 162 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
| 111 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 163 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 112 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 164 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
| 113 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 165 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 114 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 166 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
| (...skipping 30 matching lines...) Expand all Loading... |
| 145 0x16b8, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (non-standard) | 197 0x16b8, // TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (non-standard) |
| 146 0x16b9, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (non-standard) | 198 0x16b9, // TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 (non-standard) |
| 147 0x16ba, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (non-standard) | 199 0x16ba, // TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 (non-standard) |
| 148 }; | 200 }; |
| 149 const char *key_exchange, *cipher, *mac; | 201 const char *key_exchange, *cipher, *mac; |
| 150 bool is_aead; | 202 bool is_aead; |
| 151 | 203 |
| 152 for (const uint16_t cipher_suite_id : kCECPQ1CipherSuites) { | 204 for (const uint16_t cipher_suite_id : kCECPQ1CipherSuites) { |
| 153 SCOPED_TRACE(base::StringPrintf("cipher suite %x", cipher_suite_id)); | 205 SCOPED_TRACE(base::StringPrintf("cipher suite %x", cipher_suite_id)); |
| 154 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2(cipher_suite_id)); | 206 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2(cipher_suite_id)); |
| 155 EXPECT_TRUE(IsSecureTLSCipherSuite(cipher_suite_id)); | 207 |
| 208 int connection_status = |
| 209 MakeConnectionStatus(kModernVersion, cipher_suite_id); |
| 210 EXPECT_EQ(OBSOLETE_SSL_NONE, ObsoleteSSLStatus(connection_status)); |
| 156 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, | 211 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, |
| 157 cipher_suite_id); | 212 cipher_suite_id); |
| 158 EXPECT_TRUE(is_aead); | 213 EXPECT_TRUE(is_aead); |
| 159 EXPECT_EQ(nullptr, mac); | 214 EXPECT_EQ(nullptr, mac); |
| 160 } | 215 } |
| 161 | 216 |
| 162 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b7); | 217 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b7); |
| 163 EXPECT_STREQ("CECPQ1_RSA", key_exchange); | 218 EXPECT_STREQ("CECPQ1_RSA", key_exchange); |
| 164 EXPECT_STREQ("CHACHA20_POLY1305", cipher); | 219 EXPECT_STREQ("CHACHA20_POLY1305", cipher); |
| 165 | 220 |
| 166 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b8); | 221 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b8); |
| 167 EXPECT_STREQ("CECPQ1_ECDSA", key_exchange); | 222 EXPECT_STREQ("CECPQ1_ECDSA", key_exchange); |
| 168 EXPECT_STREQ("CHACHA20_POLY1305", cipher); | 223 EXPECT_STREQ("CHACHA20_POLY1305", cipher); |
| 169 | 224 |
| 170 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b9); | 225 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16b9); |
| 171 EXPECT_STREQ("CECPQ1_RSA", key_exchange); | 226 EXPECT_STREQ("CECPQ1_RSA", key_exchange); |
| 172 EXPECT_STREQ("AES_256_GCM", cipher); | 227 EXPECT_STREQ("AES_256_GCM", cipher); |
| 173 | 228 |
| 174 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16ba); | 229 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0x16ba); |
| 175 EXPECT_STREQ("CECPQ1_ECDSA", key_exchange); | 230 EXPECT_STREQ("CECPQ1_ECDSA", key_exchange); |
| 176 EXPECT_STREQ("AES_256_GCM", cipher); | 231 EXPECT_STREQ("AES_256_GCM", cipher); |
| 177 } | 232 } |
| 178 | 233 |
| 179 } // anonymous namespace | 234 } // anonymous namespace |
| 180 | 235 |
| 181 } // namespace net | 236 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1727133002:
Expose TLS settings in the Security panel overview, and call out individual obsolete settings. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master