| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" | 5 #include "chrome/browser/ssl/chrome_security_state_model_client.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
| 9 #include "base/macros.h" | 9 #include "base/macros.h" |
| 10 #include "base/strings/string_split.h" | 10 #include "base/strings/string_split.h" |
| 151 secure_explanations[0].description); | 151 secure_explanations[0].description); |
| 152 int cert_id = browser->tab_strip_model() | 152 int cert_id = browser->tab_strip_model() |
| 153 ->GetActiveWebContents() | 153 ->GetActiveWebContents() |
| 154 ->GetController() | 154 ->GetController() |
| 155 .GetActiveEntry() | 155 .GetActiveEntry() |
| 156 ->GetSSL() | 156 ->GetSSL() |
| 157 .cert_id; | 157 .cert_id; |
| 158 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); | 158 EXPECT_EQ(cert_id, secure_explanations[0].cert_id); |
| 159 } | 159 } |
| 160 | 160 |
| 161 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 161 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
| 162 secure_explanations.back().summary); | 162 secure_explanations.back().summary); |
| 163 EXPECT_EQ( | 163 |
| 164 l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE_DESCRIPTION), | 164 content::WebContents* web_contents = |
| 165 secure_explanations.back().description); | 165 browser->tab_strip_model()->GetActiveWebContents(); |
| 166 const SecurityStateModel::SecurityInfo& security_info = |
| 167 ChromeSecurityStateModelClient::FromWebContents(web_contents) |
| 168 ->GetSecurityInfo(); |
| 169 |
| 170 const char *protocol, *key_exchange, *cipher, *mac; |
| 171 int ssl_version = |
| 172 net::SSLConnectionStatusToVersion(security_info.connection_status); |
| 173 net::SSLVersionToString(&protocol, ssl_version); |
| 174 bool is_aead; |
| 175 uint16_t cipher_suite = |
| 176 net::SSLConnectionStatusToCipherSuite(security_info.connection_status); |
| 177 net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, |
| 178 cipher_suite); |
| 179 EXPECT_TRUE(is_aead); |
| 180 EXPECT_EQ(NULL, mac); // The default secure cipher does not have a MAC. |
| 181 |
| 182 std::vector<base::string16> description_replacements; |
| 183 description_replacements.push_back(base::ASCIIToUTF16(protocol)); |
| 184 description_replacements.push_back(base::ASCIIToUTF16(key_exchange)); |
| 185 description_replacements.push_back(base::ASCIIToUTF16(cipher)); |
| 186 base::string16 secure_description = l10n_util::GetStringFUTF16( |
| 187 IDS_STRONG_SSL_DESCRIPTION, description_replacements, nullptr); |
| 188 |
| 189 EXPECT_EQ(secure_description, |
| 190 base::ASCIIToUTF16(secure_explanations.back().description)); |
| 166 } | 191 } |
| 167 | 192 |
| 168 void CheckSecurityInfoForSecure( | 193 void CheckSecurityInfoForSecure( |
| 169 content::WebContents* contents, | 194 content::WebContents* contents, |
| 170 SecurityStateModel::SecurityLevel expect_security_level, | 195 SecurityStateModel::SecurityLevel expect_security_level, |
| 171 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, | 196 SecurityStateModel::SHA1DeprecationStatus expect_sha1_status, |
| 172 SecurityStateModel::ContentStatus expect_mixed_content_status, | 197 SecurityStateModel::ContentStatus expect_mixed_content_status, |
| 173 bool pkp_bypassed, | 198 bool pkp_bypassed, |
| 174 bool expect_cert_error) { | 199 bool expect_cert_error) { |
| 175 ASSERT_TRUE(contents); | 200 ASSERT_TRUE(contents); |
| 1074 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); | 1099 EXPECT_TRUE(observer.latest_explanations().scheme_is_cryptographic); |
| 1075 EXPECT_FALSE(observer.latest_explanations().pkp_bypassed); | 1100 EXPECT_FALSE(observer.latest_explanations().pkp_bypassed); |
| 1076 EXPECT_TRUE(observer.latest_explanations().info_explanations.empty()); | 1101 EXPECT_TRUE(observer.latest_explanations().info_explanations.empty()); |
| 1077 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); | 1102 EXPECT_FALSE(observer.latest_explanations().displayed_insecure_content); |
| 1078 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); | 1103 EXPECT_FALSE(observer.latest_explanations().ran_insecure_content); |
| 1079 } | 1104 } |
| 1080 | 1105 |
| 1081 // After AddNonsecureUrlHandler() is called, requests to this hostname | 1106 // After AddNonsecureUrlHandler() is called, requests to this hostname |
| 1082 // will use obsolete TLS settings. | 1107 // will use obsolete TLS settings. |
| 1083 const char kMockNonsecureHostname[] = "example-nonsecure.test"; | 1108 const char kMockNonsecureHostname[] = "example-nonsecure.test"; |
| 1109 const int kObsoleteTLSVersion = net::SSL_CONNECTION_VERSION_TLS1_1; |
| 1110 // ECDHE_RSA + AES_128_CBC with HMAC-SHA1 |
| 1111 const uint16_t kObsoleteCipherSuite = 0xc013; |
| 1084 | 1112 |
| 1085 // A URLRequestMockHTTPJob that mocks a TLS connection with an obsolete | 1113 // A URLRequestMockHTTPJob that mocks a TLS connection with the obsolete |
| 1086 // protocol version. | 1114 // TLS settings specified in kObsoleteTLSVersion and |
| 1115 // kObsoleteCipherSuite. |
| 1087 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { | 1116 class URLRequestObsoleteTLSJob : public net::URLRequestMockHTTPJob { |
| 1088 public: | 1117 public: |
| 1089 URLRequestObsoleteTLSJob(net::URLRequest* request, | 1118 URLRequestObsoleteTLSJob(net::URLRequest* request, |
| 1090 net::NetworkDelegate* network_delegate, | 1119 net::NetworkDelegate* network_delegate, |
| 1091 const base::FilePath& file_path, | 1120 const base::FilePath& file_path, |
| 1092 scoped_refptr<net::X509Certificate> cert, | 1121 scoped_refptr<net::X509Certificate> cert, |
| 1093 scoped_refptr<base::TaskRunner> task_runner) | 1122 scoped_refptr<base::TaskRunner> task_runner) |
| 1094 : net::URLRequestMockHTTPJob(request, | 1123 : net::URLRequestMockHTTPJob(request, |
| 1095 network_delegate, | 1124 network_delegate, |
| 1096 file_path, | 1125 file_path, |
| 1097 task_runner), | 1126 task_runner), |
| 1098 cert_(std::move(cert)) {} | 1127 cert_(std::move(cert)) {} |
| 1099 | 1128 |
| 1100 void GetResponseInfo(net::HttpResponseInfo* info) override { | 1129 void GetResponseInfo(net::HttpResponseInfo* info) override { |
| 1101 net::URLRequestMockHTTPJob::GetResponseInfo(info); | 1130 net::URLRequestMockHTTPJob::GetResponseInfo(info); |
| 1102 net::SSLConnectionStatusSetVersion(net::SSL_CONNECTION_VERSION_TLS1_1, | 1131 net::SSLConnectionStatusSetVersion(kObsoleteTLSVersion, |
| 1103 &info->ssl_info.connection_status); | 1132 &info->ssl_info.connection_status); |
| 1104 const uint16_t kTlsEcdheRsaWithAes128CbcSha = 0xc013; | 1133 net::SSLConnectionStatusSetCipherSuite(kObsoleteCipherSuite, |
| 1105 net::SSLConnectionStatusSetCipherSuite(kTlsEcdheRsaWithAes128CbcSha, | |
| 1106 &info->ssl_info.connection_status); | 1134 &info->ssl_info.connection_status); |
| 1107 info->ssl_info.cert = cert_; | 1135 info->ssl_info.cert = cert_; |
| 1108 } | 1136 } |
| 1109 | 1137 |
| 1110 protected: | 1138 protected: |
| 1111 ~URLRequestObsoleteTLSJob() override {} | 1139 ~URLRequestObsoleteTLSJob() override {} |
| 1112 | 1140 |
| 1113 private: | 1141 private: |
| 1114 const scoped_refptr<net::X509Certificate> cert_; | 1142 const scoped_refptr<net::X509Certificate> cert_; |
| 1115 | 1143 |
| 1203 // The security style of the page doesn't get downgraded for obsolete | 1231 // The security style of the page doesn't get downgraded for obsolete |
| 1204 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. | 1232 // TLS settings, so it should remain at SECURITY_STYLE_AUTHENTICATED. |
| 1205 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, | 1233 EXPECT_EQ(content::SECURITY_STYLE_AUTHENTICATED, |
| 1206 observer.latest_security_style()); | 1234 observer.latest_security_style()); |
| 1207 | 1235 |
| 1208 // The messages explaining the security style do, however, get | 1236 // The messages explaining the security style do, however, get |
| 1209 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when | 1237 // downgraded: SECURE_PROTOCOL_AND_CIPHERSUITE should not show up when |
| 1210 // the TLS settings are obsolete. | 1238 // the TLS settings are obsolete. |
| 1211 for (const auto& explanation : | 1239 for (const auto& explanation : |
| 1212 observer.latest_explanations().secure_explanations) { | 1240 observer.latest_explanations().secure_explanations) { |
| 1213 EXPECT_NE(l10n_util::GetStringUTF8(IDS_SECURE_PROTOCOL_AND_CIPHERSUITE), | 1241 EXPECT_NE(l10n_util::GetStringUTF8(IDS_STRONG_SSL_SUMMARY), |
| 1214 explanation.summary); | 1242 explanation.summary); |
| 1215 } | 1243 } |
| 1244 |
| 1245 // Populate description string replacement with values corresponding |
| 1246 // to test constants. |
| 1247 std::vector<base::string16> description_replacements; |
| 1248 description_replacements.push_back( |
| 1249 l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_PROTOCOL)); |
| 1250 description_replacements.push_back(base::ASCIIToUTF16("TLS 1.1")); |
| 1251 description_replacements.push_back( |
| 1252 l10n_util::GetStringUTF16(IDS_SSL_A_STRONG_KEY_EXCHANGE)); |
| 1253 description_replacements.push_back(base::ASCIIToUTF16("ECDHE_RSA")); |
| 1254 description_replacements.push_back( |
| 1255 l10n_util::GetStringUTF16(IDS_SSL_AN_OBSOLETE_CIPHER)); |
| 1256 description_replacements.push_back( |
| 1257 base::ASCIIToUTF16("AES_128_CBC with HMAC-SHA1")); |
| 1258 base::string16 obsolete_description = l10n_util::GetStringFUTF16( |
| 1259 IDS_OBSOLETE_SSL_DESCRIPTION, description_replacements, nullptr); |
| 1260 |
| 1261 EXPECT_EQ( |
| 1262 obsolete_description, |
| 1263 base::ASCIIToUTF16( |
| 1264 observer.latest_explanations().info_explanations[0].description)); |
| 1216 } | 1265 } |
| 1217 | 1266 |
| 1218 // After AddSCTUrlHandler() is called, requests to this hostname | 1267 // After AddSCTUrlHandler() is called, requests to this hostname |
| 1219 // will be served with Signed Certificate Timestamps. | 1268 // will be served with Signed Certificate Timestamps. |
| 1220 const char kMockHostnameWithSCTs[] = "example-scts.test"; | 1269 const char kMockHostnameWithSCTs[] = "example-scts.test"; |
| 1221 | 1270 |
| 1222 // URLRequestJobWithSCTs mocks a connection that includes a set of dummy | 1271 // URLRequestJobWithSCTs mocks a connection that includes a set of dummy |
| 1223 // SCTs with these statuses. | 1272 // SCTs with these statuses. |
| 1224 const std::vector<net::ct::SCTVerifyStatus> kTestSCTStatuses{ | 1273 const std::vector<net::ct::SCTVerifyStatus> kTestSCTStatuses{ |
| 1225 net::ct::SCT_STATUS_OK, net::ct::SCT_STATUS_LOG_UNKNOWN, | 1274 net::ct::SCT_STATUS_OK, net::ct::SCT_STATUS_LOG_UNKNOWN, |
| 1346 ChromeSecurityStateModelClient* model_client = | 1395 ChromeSecurityStateModelClient* model_client = |
| 1347 ChromeSecurityStateModelClient::FromWebContents(web_contents); | 1396 ChromeSecurityStateModelClient::FromWebContents(web_contents); |
| 1348 ASSERT_TRUE(model_client); | 1397 ASSERT_TRUE(model_client); |
| 1349 const SecurityStateModel::SecurityInfo& security_info = | 1398 const SecurityStateModel::SecurityInfo& security_info = |
| 1350 model_client->GetSecurityInfo(); | 1399 model_client->GetSecurityInfo(); |
| 1351 EXPECT_EQ(SecurityStateModel::SECURE, security_info.security_level); | 1400 EXPECT_EQ(SecurityStateModel::SECURE, security_info.security_level); |
| 1352 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); | 1401 EXPECT_EQ(kTestSCTStatuses, security_info.sct_verify_statuses); |
| 1353 } | 1402 } |
| 1354 | 1403 |
| 1355 } // namespace | 1404 } // namespace |
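Review bot: `info_explanations[0]` at new line 1264 is indexed without first checking that the vector is non-empty, so a regression that stops emitting the obsolete-TLS explanation would fail with an out-of-bounds access instead of a readable assertion; add `ASSERT_FALSE(observer.latest_explanations().info_explanations.empty());` (or `ASSERT_EQ(1u, observer.latest_explanations().info_explanations.size());`) before that EXPECT_EQ. The replacement strings "TLS 1.1", "ECDHE_RSA" and "AES_128_CBC with HMAC-SHA1" at new lines 1250–1257 restate what kObsoleteTLSVersion and kObsoleteCipherSuite already encode, so if either constant is changed the test will silently check the wrong text; deriving them with net::SSLVersionToString and net::SSLCipherSuiteToStrings from those constants, as new lines 170–178 do for the secure case, would keep the two in step. In that secure-case block the out-parameters `protocol`, `key_exchange`, `cipher`, `mac` and `is_aead` are declared uninitialized (new lines 170 and 174) and are then read unconditionally, which presumably relies on the net helpers always setting them; initializing them (`const char* protocol = nullptr;` and so on) makes a missed assignment fail deterministically, and `EXPECT_FALSE(mac);` on new line 180 would avoid the `NULL` that the rest of the new code replaces with `nullptr`. Both enclosing test bodies begin outside the visible hunks.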