OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
6 | 6 |
7 #include "base/macros.h" | 7 #include "base/macros.h" |
8 #include "net/ssl/ssl_connection_status_flags.h" | |
8 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
9 | 10 |
11 namespace { | |
12 | |
13 int MakeConnectionStatus(int version, uint16_t cipher_suite) { | |
davidben
2016/04/19 17:47:01
Nit: Move this after line 25 and remove the net::
lgarron
2016/04/25 23:56:54
Done.
| |
14 int connection_status = 0; | |
15 | |
16 net::SSLConnectionStatusSetVersion(version, &connection_status); | |
17 net::SSLConnectionStatusSetCipherSuite(cipher_suite, &connection_status); | |
18 | |
19 return connection_status; | |
20 } | |
21 } | |
22 | |
10 namespace net { | 23 namespace net { |
11 | 24 |
12 namespace { | 25 namespace { |
13 | 26 |
14 TEST(CipherSuiteNamesTest, Basic) { | 27 TEST(CipherSuiteNamesTest, Basic) { |
15 const char *key_exchange, *cipher, *mac; | 28 const char *key_exchange, *cipher, *mac; |
16 bool is_aead; | 29 bool is_aead; |
17 | 30 |
18 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); | 31 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); |
19 EXPECT_STREQ("ECDH_ECDSA", key_exchange); | 32 EXPECT_STREQ("ECDH_ECDSA", key_exchange); |
(...skipping 42 matching lines...) | |
62 "0x004", | 75 "0x004", |
63 "0xBEEFY", | 76 "0xBEEFY", |
64 }; | 77 }; |
65 | 78 |
66 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { | 79 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { |
67 uint16_t cipher_suite = 0; | 80 uint16_t cipher_suite = 0; |
68 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); | 81 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); |
69 } | 82 } |
70 } | 83 } |
71 | 84 |
72 TEST(CipherSuiteNamesTest, SecureCipherSuites) { | 85 TEST(CipherSuiteNamesTest, ObsoleteCipherSuites) { |
73 // Picked some random cipher suites. | 86 // Picked some random cipher suites. |
74 EXPECT_FALSE(IsSecureTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 87 EXPECT_TRUE(IsObsoleteTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
75 EXPECT_FALSE( | 88 EXPECT_TRUE( |
76 IsSecureTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 89 IsObsoleteTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
77 EXPECT_FALSE(IsSecureTLSCipherSuite( | 90 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
78 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 91 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
79 EXPECT_FALSE( | 92 EXPECT_TRUE( |
80 IsSecureTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | 93 IsObsoleteTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); |
81 EXPECT_FALSE(IsSecureTLSCipherSuite( | 94 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
82 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); | 95 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); |
83 EXPECT_FALSE( | 96 EXPECT_TRUE( |
84 IsSecureTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 97 IsObsoleteTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); |
85 EXPECT_FALSE( | 98 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
86 IsSecureTLSCipherSuite(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); | 99 0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); |
87 EXPECT_FALSE( | 100 EXPECT_TRUE( |
88 IsSecureTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); | 101 IsObsoleteTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); |
89 | 102 |
90 // Non-existent cipher suite. | 103 // Non-existent cipher suite. |
91 EXPECT_FALSE(IsSecureTLSCipherSuite(0xffff)) << "Doesn't exist!"; | 104 EXPECT_TRUE(IsObsoleteTLSCipherSuite(0xffff)) << "Doesn't exist!"; |
92 | 105 |
93 // Secure ones. | 106 // Secure ones. |
94 EXPECT_TRUE(IsSecureTLSCipherSuite( | 107 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
95 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 108 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); |
96 EXPECT_TRUE(IsSecureTLSCipherSuite( | 109 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
97 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 110 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
98 EXPECT_TRUE(IsSecureTLSCipherSuite( | 111 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
99 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 112 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
100 EXPECT_TRUE(IsSecureTLSCipherSuite( | 113 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
101 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 114 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
102 EXPECT_TRUE(IsSecureTLSCipherSuite( | 115 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
103 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 116 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
104 } | 117 } |
105 | 118 |
119 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocol) { | |
120 // Modern cipher suite. Note that this can't actually appear with obsolete | |
121 // cipher suites in a real connection, but we're just trying to test that | |
122 // ObsoleteSSLStatus() can identify an obsolete protocol individually. | |
123 uint16_t cipher_suite = 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
davidben
2016/04/19 17:47:01
Nit: static const uint16_t kModernCipherSuite = ..
lgarron
2016/04/25 23:56:54
Done. I'll also rename the vars below with that co
| |
124 | |
125 // Obsolete | |
126 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
127 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL2, | |
128 cipher_suite))); | |
129 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
130 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL3, | |
131 cipher_suite))); | |
132 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
133 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_TLS1, | |
134 cipher_suite))); | |
135 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
136 ObsoleteSSLStatus(MakeConnectionStatus( | |
137 SSL_CONNECTION_VERSION_TLS1_1, cipher_suite))); | |
138 | |
139 // Modern | |
140 EXPECT_EQ(OBSOLETE_SSL_NONE, | |
141 ObsoleteSSLStatus(MakeConnectionStatus( | |
142 SSL_CONNECTION_VERSION_TLS1_2, cipher_suite))); | |
143 EXPECT_EQ(OBSOLETE_SSL_NONE, ObsoleteSSLStatus(MakeConnectionStatus( | |
144 SSL_CONNECTION_VERSION_QUIC, cipher_suite))); | |
145 } | |
146 | |
147 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocolAndCipherSuite) { | |
148 int version_obsolete = SSL_CONNECTION_VERSION_TLS1; | |
149 int version_modern = SSL_CONNECTION_VERSION_TLS1_2; | |
150 | |
151 uint16_t cipher_suite_obsolete_ke_obsolete_cipher = | |
152 0xc5; /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */ | |
davidben
2016/04/19 17:47:01
Nit: Let's do RSA with AES_128_CBC which is a much
lgarron
2016/04/25 23:56:54
Done.
| |
153 uint16_t cipher_suite_obsolete_ke_modern_cipher = | |
154 0x9e; /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
155 uint16_t cipher_suite_modern_ke_obsolete_cipher = | |
156 0xc014; /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ | |
157 uint16_t cipher_suite_modern_ke_modern_cipher = | |
158 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
159 | |
160 // Bogus | |
161 EXPECT_EQ( | |
162 OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | | |
163 OBSOLETE_SSL_MASK_CIPHER, | |
164 ObsoleteSSLStatus(MakeConnectionStatus( | |
165 SSL_CONNECTION_VERSION_UNKNOWN, 0x0 /* TLS_NULL_WITH_NULL_NULL */))); | |
166 | |
167 // Cartesian combos | |
estark
2016/04/18 11:46:45
optional nit: you might be able to use TEST_P with
lgarron
2016/04/25 23:56:54
INSTANTIATE_TEST_CASE_P looks nice, but it seems t
| |
168 // As above, some of these combinations can't happen in practice. | |
169 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | | |
170 OBSOLETE_SSL_MASK_CIPHER, | |
171 ObsoleteSSLStatus(MakeConnectionStatus( | |
172 version_obsolete, cipher_suite_obsolete_ke_obsolete_cipher))); | |
173 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE, | |
174 ObsoleteSSLStatus(MakeConnectionStatus( | |
175 version_obsolete, cipher_suite_obsolete_ke_modern_cipher))); | |
176 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_CIPHER, | |
177 ObsoleteSSLStatus(MakeConnectionStatus( | |
178 version_obsolete, cipher_suite_modern_ke_obsolete_cipher))); | |
179 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
180 ObsoleteSSLStatus(MakeConnectionStatus( | |
181 version_obsolete, cipher_suite_modern_ke_modern_cipher))); | |
182 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE | OBSOLETE_SSL_MASK_CIPHER, | |
183 ObsoleteSSLStatus(MakeConnectionStatus( | |
184 version_modern, cipher_suite_obsolete_ke_obsolete_cipher))); | |
185 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE, | |
186 ObsoleteSSLStatus(MakeConnectionStatus( | |
187 version_modern, cipher_suite_obsolete_ke_modern_cipher))); | |
188 EXPECT_EQ(OBSOLETE_SSL_MASK_CIPHER, | |
189 ObsoleteSSLStatus(MakeConnectionStatus( | |
190 version_modern, cipher_suite_modern_ke_obsolete_cipher))); | |
191 EXPECT_EQ(OBSOLETE_SSL_NONE, | |
192 ObsoleteSSLStatus(MakeConnectionStatus( | |
193 version_modern, cipher_suite_modern_ke_modern_cipher))); | |
194 } | |
195 | |
106 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { | 196 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { |
107 // Picked some random cipher suites. | 197 // Picked some random cipher suites. |
108 EXPECT_FALSE( | 198 EXPECT_FALSE( |
109 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 199 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
110 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 200 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
111 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 201 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
112 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 202 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
113 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 203 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
114 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 204 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
115 0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | 205 0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); |
(...skipping 18 matching lines...) | |
134 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 224 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
135 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 225 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
136 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 226 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
137 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 227 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
138 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 228 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
139 } | 229 } |
140 | 230 |
141 } // anonymous namespace | 231 } // anonymous namespace |
142 | 232 |
143 } // namespace net | 233 } // namespace net |
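Review bot: In ObsoleteSSLStatusProtocolAndCipherSuite, the only case that passes SSL_CONNECTION_VERSION_UNKNOWN (the "Bogus" block) pairs it with 0x0 /* TLS_NULL_WITH_NULL_NULL */, so all three mask bits are expected together and the test cannot show that an unrecognised version on its own is reported as obsolete. ObsoleteSSLStatusProtocol could pin that fail-closed behaviour with one more line beside the SSL2/SSL3 cases, e.g. `EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_UNKNOWN, cipher_suite)));`. The expected value there is an assumption about ObsoleteSSLStatus(), whose body is not on this page. Likewise 0xffff is exercised only through IsObsoleteTLSCipherSuite(); a case combining version_modern with 0xffff would confirm that an unknown suite is also flagged when it arrives packed in a connection status. Separately, the `// Secure ones.` comment in ObsoleteCipherSuites no longer matches the renamed predicate; `// Modern (non-obsolete) ones.` would read more clearly.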