| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/ssl/ssl_cipher_suite_names.h" | 5 #include "net/ssl/ssl_cipher_suite_names.h" |
| 6 | 6 |
| 7 #include "base/macros.h" | 7 #include "base/macros.h" |
| 8 #include "net/ssl/ssl_connection_status_flags.h" | |
| 8 #include "testing/gtest/include/gtest/gtest.h" | 9 #include "testing/gtest/include/gtest/gtest.h" |
| 9 | 10 |
| 11 namespace { | |
| 12 | |
| 13 int MakeConnectionStatus(int version, uint16_t cipher_suite) { | |
|
davidben
2016/04/19 17:47:01
Nit: Move this after line 25 and remove the net::
lgarron
2016/04/25 23:56:54
Done.
| |
| 14 int connection_status = 0; | |
| 15 | |
| 16 net::SSLConnectionStatusSetVersion(version, &connection_status); | |
| 17 net::SSLConnectionStatusSetCipherSuite(cipher_suite, &connection_status); | |
| 18 | |
| 19 return connection_status; | |
| 20 } | |
| 21 } | |
| 22 | |
| 10 namespace net { | 23 namespace net { |
| 11 | 24 |
| 12 namespace { | 25 namespace { |
| 13 | 26 |
| 14 TEST(CipherSuiteNamesTest, Basic) { | 27 TEST(CipherSuiteNamesTest, Basic) { |
| 15 const char *key_exchange, *cipher, *mac; | 28 const char *key_exchange, *cipher, *mac; |
| 16 bool is_aead; | 29 bool is_aead; |
| 17 | 30 |
| 18 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); | 31 SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead, 0xc001); |
| 19 EXPECT_STREQ("ECDH_ECDSA", key_exchange); | 32 EXPECT_STREQ("ECDH_ECDSA", key_exchange); |
| 62 "0x004", | 75 "0x004", |
| 63 "0xBEEFY", | 76 "0xBEEFY", |
| 64 }; | 77 }; |
| 65 | 78 |
| 66 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { | 79 for (size_t i = 0; i < arraysize(cipher_strings); ++i) { |
| 67 uint16_t cipher_suite = 0; | 80 uint16_t cipher_suite = 0; |
| 68 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); | 81 EXPECT_FALSE(ParseSSLCipherString(cipher_strings[i], &cipher_suite)); |
| 69 } | 82 } |
| 70 } | 83 } |
| 71 | 84 |
| 72 TEST(CipherSuiteNamesTest, SecureCipherSuites) { | 85 TEST(CipherSuiteNamesTest, ObsoleteCipherSuites) { |
| 73 // Picked some random cipher suites. | 86 // Picked some random cipher suites. |
| 74 EXPECT_FALSE(IsSecureTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 87 EXPECT_TRUE(IsObsoleteTLSCipherSuite(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
| 75 EXPECT_FALSE( | 88 EXPECT_TRUE( |
| 76 IsSecureTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 89 IsObsoleteTLSCipherSuite(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
| 77 EXPECT_FALSE(IsSecureTLSCipherSuite( | 90 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
| 78 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 91 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
| 79 EXPECT_FALSE( | 92 EXPECT_TRUE( |
| 80 IsSecureTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | 93 IsObsoleteTLSCipherSuite(0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); |
| 81 EXPECT_FALSE(IsSecureTLSCipherSuite( | 94 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
| 82 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); | 95 0xc083 /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */)); |
| 83 EXPECT_FALSE( | 96 EXPECT_TRUE( |
| 84 IsSecureTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 97 IsObsoleteTLSCipherSuite(0x9e /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */)); |
| 85 EXPECT_FALSE( | 98 EXPECT_TRUE(IsObsoleteTLSCipherSuite( |
| 86 IsSecureTLSCipherSuite(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); | 99 0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */)); |
| 87 EXPECT_FALSE( | 100 EXPECT_TRUE( |
| 88 IsSecureTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); | 101 IsObsoleteTLSCipherSuite(0x9c /* TLS_RSA_WITH_AES_128_GCM_SHA256 */)); |
| 89 | 102 |
| 90 // Non-existent cipher suite. | 103 // Non-existent cipher suite. |
| 91 EXPECT_FALSE(IsSecureTLSCipherSuite(0xffff)) << "Doesn't exist!"; | 104 EXPECT_TRUE(IsObsoleteTLSCipherSuite(0xffff)) << "Doesn't exist!"; |
| 92 | 105 |
| 93 // Secure ones. | 106 // Secure ones. |
| 94 EXPECT_TRUE(IsSecureTLSCipherSuite( | 107 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
| 95 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); | 108 0xc02f /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */)); |
| 96 EXPECT_TRUE(IsSecureTLSCipherSuite( | 109 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
| 97 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 110 0xcc13 /* ECDHE_RSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
| 98 EXPECT_TRUE(IsSecureTLSCipherSuite( | 111 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
| 99 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 112 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
| 100 EXPECT_TRUE(IsSecureTLSCipherSuite( | 113 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
| 101 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 114 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 102 EXPECT_TRUE(IsSecureTLSCipherSuite( | 115 EXPECT_FALSE(IsObsoleteTLSCipherSuite( |
| 103 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 116 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 104 } | 117 } |
| 105 | 118 |
| 119 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocol) { | |
| 120 // Modern cipher suite. Note that this can't actually appear with obsolete | |
| 121 // cipher suites in a real connection, but we're just trying to test that | |
| 122 // ObsoleteSSLStatus() can identify an obsolete protocol individually. | |
| 123 uint16_t cipher_suite = 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
|
davidben
2016/04/19 17:47:01
Nit: static const uint16_t kModernCipherSuite = ..
lgarron
2016/04/25 23:56:54
Done. I'll also rename the vars below with that co
| |
| 124 | |
| 125 // Obsolete | |
| 126 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
| 127 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL2, | |
| 128 cipher_suite))); | |
| 129 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
| 130 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_SSL3, | |
| 131 cipher_suite))); | |
| 132 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
| 133 ObsoleteSSLStatus(MakeConnectionStatus(SSL_CONNECTION_VERSION_TLS1, | |
| 134 cipher_suite))); | |
| 135 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
| 136 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 137 SSL_CONNECTION_VERSION_TLS1_1, cipher_suite))); | |
| 138 | |
| 139 // Modern | |
| 140 EXPECT_EQ(OBSOLETE_SSL_NONE, | |
| 141 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 142 SSL_CONNECTION_VERSION_TLS1_2, cipher_suite))); | |
| 143 EXPECT_EQ(OBSOLETE_SSL_NONE, ObsoleteSSLStatus(MakeConnectionStatus( | |
| 144 SSL_CONNECTION_VERSION_QUIC, cipher_suite))); | |
| 145 } | |
| 146 | |
| 147 TEST(CipherSuiteNamesTest, ObsoleteSSLStatusProtocolAndCipherSuite) { | |
| 148 int version_obsolete = SSL_CONNECTION_VERSION_TLS1; | |
| 149 int version_modern = SSL_CONNECTION_VERSION_TLS1_2; | |
| 150 | |
| 151 uint16_t cipher_suite_obsolete_ke_obsolete_cipher = | |
| 152 0xc5; /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */ | |
|
davidben
2016/04/19 17:47:01
Nit: Let's do RSA with AES_128_CBC which is a much
lgarron
2016/04/25 23:56:54
Done.
| |
| 153 uint16_t cipher_suite_obsolete_ke_modern_cipher = | |
| 154 0x9e; /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
| 155 uint16_t cipher_suite_modern_ke_obsolete_cipher = | |
| 156 0xc014; /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */ | |
| 157 uint16_t cipher_suite_modern_ke_modern_cipher = | |
| 158 0xc02f; /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */ | |
| 159 | |
| 160 // Bogus | |
| 161 EXPECT_EQ( | |
| 162 OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | | |
| 163 OBSOLETE_SSL_MASK_CIPHER, | |
| 164 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 165 SSL_CONNECTION_VERSION_UNKNOWN, 0x0 /* TLS_NULL_WITH_NULL_NULL */))); | |
| 166 | |
| 167 // Cartesian combos | |
|
estark
2016/04/18 11:46:45
optional nit: you might be able to use TEST_P with
lgarron
2016/04/25 23:56:54
INSTANTIATE_TEST_CASE_P looks nice, but it seems t
| |
| 168 // As above, some of these combinations can't happen in practice. | |
| 169 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE | | |
| 170 OBSOLETE_SSL_MASK_CIPHER, | |
| 171 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 172 version_obsolete, cipher_suite_obsolete_ke_obsolete_cipher))); | |
| 173 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_KEY_EXCHANGE, | |
| 174 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 175 version_obsolete, cipher_suite_obsolete_ke_modern_cipher))); | |
| 176 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL | OBSOLETE_SSL_MASK_CIPHER, | |
| 177 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 178 version_obsolete, cipher_suite_modern_ke_obsolete_cipher))); | |
| 179 EXPECT_EQ(OBSOLETE_SSL_MASK_PROTOCOL, | |
| 180 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 181 version_obsolete, cipher_suite_modern_ke_modern_cipher))); | |
| 182 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE | OBSOLETE_SSL_MASK_CIPHER, | |
| 183 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 184 version_modern, cipher_suite_obsolete_ke_obsolete_cipher))); | |
| 185 EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE, | |
| 186 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 187 version_modern, cipher_suite_obsolete_ke_modern_cipher))); | |
| 188 EXPECT_EQ(OBSOLETE_SSL_MASK_CIPHER, | |
| 189 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 190 version_modern, cipher_suite_modern_ke_obsolete_cipher))); | |
| 191 EXPECT_EQ(OBSOLETE_SSL_NONE, | |
| 192 ObsoleteSSLStatus(MakeConnectionStatus( | |
| 193 version_modern, cipher_suite_modern_ke_modern_cipher))); | |
| 194 } | |
| 195 | |
| 106 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { | 196 TEST(CipherSuiteNamesTest, HTTP2CipherSuites) { |
| 107 // Picked some random cipher suites. | 197 // Picked some random cipher suites. |
| 108 EXPECT_FALSE( | 198 EXPECT_FALSE( |
| 109 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); | 199 IsTLSCipherSuiteAllowedByHTTP2(0x0 /* TLS_NULL_WITH_NULL_NULL */)); |
| 110 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 200 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 111 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); | 201 0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */)); |
| 112 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 202 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 113 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); | 203 0xc5 /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */)); |
| 114 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( | 204 EXPECT_FALSE(IsTLSCipherSuiteAllowedByHTTP2( |
| 115 0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); | 205 0xc00f /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */)); |
| 134 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); | 224 0xcc14 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305 (non-standard) */)); |
| 135 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 225 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
| 136 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 226 0xcca8 /* ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 137 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( | 227 EXPECT_TRUE(IsTLSCipherSuiteAllowedByHTTP2( |
| 138 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); | 228 0xcca9 /* ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */)); |
| 139 } | 229 } |
| 140 | 230 |
| 141 } // anonymous namespace | 231 } // anonymous namespace |
| 142 | 232 |
| 143 } // namespace net | 233 } // namespace net |
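Review bot: ObsoleteSSLStatusProtocolAndCipherSuite never feeds an unrecognized cipher suite through ObsoleteSSLStatus() under a modern protocol version, so the fail-closed behaviour that ObsoleteCipherSuites pins for IsObsoleteTLSCipherSuite(0xffff) is not pinned at the status-mask level; the only unknown-input case there is the "Bogus" one, which pairs SSL_CONNECTION_VERSION_UNKNOWN with TLS_NULL_WITH_NULL_NULL, a suite that is presumably present in the lookup table. A regression that mapped a suite missing from the table to OBSOLETE_SSL_NONE would therefore pass this file while reporting such a connection as non-obsolete. Assuming ObsoleteSSLStatus() derives its key-exchange and cipher bits from the same lookup as IsObsoleteTLSCipherSuite(), add next to the Bogus case `// Unknown cipher suite under a modern protocol must still fail closed.` followed by `EXPECT_EQ(OBSOLETE_SSL_MASK_KEY_EXCHANGE | OBSOLETE_SSL_MASK_CIPHER, ObsoleteSSLStatus(MakeConnectionStatus(version_modern, 0xffff)));`; if the function's actual contract for unknown suites differs, adjust the expected mask to match it, but it should never be OBSOLETE_SSL_NONE.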