OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <memory> | 5 #include <memory> |
6 #include <utility> | 6 #include <utility> |
7 | 7 |
8 #include "base/memory/ptr_util.h" | 8 #include "base/memory/ptr_util.h" |
9 #include "base/run_loop.h" | 9 #include "base/run_loop.h" |
10 #include "build/build_config.h" | 10 #include "build/build_config.h" |
(...skipping 3305 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
3316 public: | 3316 public: |
3317 TestSSLConfigService(bool ev_enabled, | 3317 TestSSLConfigService(bool ev_enabled, |
3318 bool online_rev_checking, | 3318 bool online_rev_checking, |
3319 bool rev_checking_required_local_anchors, | 3319 bool rev_checking_required_local_anchors, |
3320 bool token_binding_enabled) | 3320 bool token_binding_enabled) |
3321 : ev_enabled_(ev_enabled), | 3321 : ev_enabled_(ev_enabled), |
3322 online_rev_checking_(online_rev_checking), | 3322 online_rev_checking_(online_rev_checking), |
3323 rev_checking_required_local_anchors_( | 3323 rev_checking_required_local_anchors_( |
3324 rev_checking_required_local_anchors), | 3324 rev_checking_required_local_anchors), |
3325 token_binding_enabled_(token_binding_enabled), | 3325 token_binding_enabled_(token_binding_enabled), |
3326 min_version_(kDefaultSSLVersionMin), | 3326 min_version_(kDefaultSSLVersionMin) {} |
3327 fallback_min_version_(kDefaultSSLVersionFallbackMin) {} | |
3328 | 3327 |
3329 void set_min_version(uint16_t version) { min_version_ = version; } | 3328 void set_min_version(uint16_t version) { min_version_ = version; } |
3330 | 3329 |
3331 void set_fallback_min_version(uint16_t version) { | |
3332 fallback_min_version_ = version; | |
3333 } | |
3334 | |
3335 // SSLConfigService: | 3330 // SSLConfigService: |
3336 void GetSSLConfig(SSLConfig* config) override { | 3331 void GetSSLConfig(SSLConfig* config) override { |
3337 *config = SSLConfig(); | 3332 *config = SSLConfig(); |
3338 config->rev_checking_enabled = online_rev_checking_; | 3333 config->rev_checking_enabled = online_rev_checking_; |
3339 config->verify_ev_cert = ev_enabled_; | 3334 config->verify_ev_cert = ev_enabled_; |
3340 config->rev_checking_required_local_anchors = | 3335 config->rev_checking_required_local_anchors = |
3341 rev_checking_required_local_anchors_; | 3336 rev_checking_required_local_anchors_; |
3342 if (fallback_min_version_) { | |
3343 config->version_fallback_min = fallback_min_version_; | |
3344 } | |
3345 if (min_version_) { | 3337 if (min_version_) { |
3346 config->version_min = min_version_; | 3338 config->version_min = min_version_; |
3347 } | 3339 } |
3348 if (token_binding_enabled_) { | 3340 if (token_binding_enabled_) { |
3349 config->token_binding_params.push_back(TB_PARAM_ECDSAP256); | 3341 config->token_binding_params.push_back(TB_PARAM_ECDSAP256); |
3350 } | 3342 } |
3351 } | 3343 } |
3352 | 3344 |
3353 protected: | 3345 protected: |
3354 ~TestSSLConfigService() override {} | 3346 ~TestSSLConfigService() override {} |
3355 | 3347 |
3356 private: | 3348 private: |
3357 const bool ev_enabled_; | 3349 const bool ev_enabled_; |
3358 const bool online_rev_checking_; | 3350 const bool online_rev_checking_; |
3359 const bool rev_checking_required_local_anchors_; | 3351 const bool rev_checking_required_local_anchors_; |
3360 const bool token_binding_enabled_; | 3352 const bool token_binding_enabled_; |
3361 uint16_t min_version_; | 3353 uint16_t min_version_; |
3362 uint16_t fallback_min_version_; | |
3363 }; | 3354 }; |
3364 | 3355 |
3365 // TODO(svaldez): Update tests to use EmbeddedTestServer. | 3356 // TODO(svaldez): Update tests to use EmbeddedTestServer. |
3366 #if !defined(OS_IOS) | 3357 #if !defined(OS_IOS) |
3367 class TokenBindingURLRequestTest : public URLRequestTestHTTP { | 3358 class TokenBindingURLRequestTest : public URLRequestTestHTTP { |
3368 public: | 3359 public: |
3369 void SetUp() override { | 3360 void SetUp() override { |
3370 default_context_.set_ssl_config_service( | 3361 default_context_.set_ssl_config_service( |
3371 new TestSSLConfigService(false, false, false, true)); | 3362 new TestSSLConfigService(false, false, false, true)); |
3372 channel_id_service_.reset(new ChannelIDService( | 3363 channel_id_service_.reset(new ChannelIDService( |
(...skipping 5496 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8869 // insert xyz | 8860 // insert xyz |
8870 // | 8861 // |
8871 // With a newline at the end which makes the split think that there are | 8862 // With a newline at the end which makes the split think that there are |
8872 // three lines. | 8863 // three lines. |
8873 | 8864 |
8874 EXPECT_EQ(1, d.response_started_count()); | 8865 EXPECT_EQ(1, d.response_started_count()); |
8875 AssertTwoDistinctSessionsInserted(d.data_received()); | 8866 AssertTwoDistinctSessionsInserted(d.data_received()); |
8876 } | 8867 } |
8877 } | 8868 } |
8878 | 8869 |
8879 class FallbackTestURLRequestContext : public TestURLRequestContext { | |
8880 public: | |
8881 explicit FallbackTestURLRequestContext(bool delay_initialization) | |
8882 : TestURLRequestContext(delay_initialization) {} | |
8883 | |
8884 void set_fallback_min_version(uint16_t version) { | |
8885 TestSSLConfigService* ssl_config_service = new TestSSLConfigService( | |
8886 true /* check for EV */, false /* online revocation checking */, | |
8887 false /* require rev. checking for local | |
8888 anchors */, | |
8889 false /* token binding enabled */); | |
8890 ssl_config_service->set_fallback_min_version(version); | |
8891 set_ssl_config_service(ssl_config_service); | |
8892 } | |
8893 }; | |
8894 | |
8895 class HTTPSFallbackTest : public testing::Test { | 8870 class HTTPSFallbackTest : public testing::Test { |
8896 public: | 8871 public: |
8897 HTTPSFallbackTest() : context_(true) {} | 8872 HTTPSFallbackTest() : context_(true) {} |
8898 ~HTTPSFallbackTest() override {} | 8873 ~HTTPSFallbackTest() override {} |
8899 | 8874 |
8900 protected: | 8875 protected: |
8901 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { | 8876 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
8902 DCHECK(!request_); | 8877 DCHECK(!request_); |
8903 context_.Init(); | 8878 context_.Init(); |
8904 delegate_.set_allow_certificate_errors(true); | 8879 delegate_.set_allow_certificate_errors(true); |
8905 | 8880 |
8906 SpawnedTestServer test_server( | 8881 SpawnedTestServer test_server( |
8907 SpawnedTestServer::TYPE_HTTPS, | 8882 SpawnedTestServer::TYPE_HTTPS, |
8908 ssl_options, | 8883 ssl_options, |
8909 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 8884 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
8910 ASSERT_TRUE(test_server.Start()); | 8885 ASSERT_TRUE(test_server.Start()); |
8911 | 8886 |
8912 request_ = context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, | 8887 request_ = context_.CreateRequest(test_server.GetURL("/"), DEFAULT_PRIORITY, |
8913 &delegate_); | 8888 &delegate_); |
8914 request_->Start(); | 8889 request_->Start(); |
8915 | 8890 |
8916 base::RunLoop().Run(); | 8891 base::RunLoop().Run(); |
8917 } | 8892 } |
8918 | 8893 |
8919 void set_fallback_min_version(uint16_t version) { | |
8920 context_.set_fallback_min_version(version); | |
8921 } | |
8922 | |
8923 void ExpectConnection(int version) { | 8894 void ExpectConnection(int version) { |
8924 EXPECT_EQ(1, delegate_.response_started_count()); | 8895 EXPECT_EQ(1, delegate_.response_started_count()); |
8925 EXPECT_NE(0, delegate_.bytes_received()); | 8896 EXPECT_NE(0, delegate_.bytes_received()); |
8926 EXPECT_EQ(version, SSLConnectionStatusToVersion( | 8897 EXPECT_EQ(version, SSLConnectionStatusToVersion( |
8927 request_->ssl_info().connection_status)); | 8898 request_->ssl_info().connection_status)); |
8928 EXPECT_TRUE(request_->ssl_info().connection_status & | 8899 EXPECT_TRUE(request_->ssl_info().connection_status & |
8929 SSL_CONNECTION_VERSION_FALLBACK); | 8900 SSL_CONNECTION_VERSION_FALLBACK); |
8930 } | 8901 } |
8931 | 8902 |
8932 void ExpectFailure(int error) { | 8903 void ExpectFailure(int error) { |
8933 EXPECT_EQ(1, delegate_.response_started_count()); | 8904 EXPECT_EQ(1, delegate_.response_started_count()); |
8934 EXPECT_FALSE(request_->status().is_success()); | 8905 EXPECT_FALSE(request_->status().is_success()); |
8935 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); | 8906 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
8936 EXPECT_EQ(error, request_->status().error()); | 8907 EXPECT_EQ(error, request_->status().error()); |
8937 } | 8908 } |
8938 | 8909 |
8939 private: | 8910 private: |
8940 TestDelegate delegate_; | 8911 TestDelegate delegate_; |
8941 FallbackTestURLRequestContext context_; | 8912 TestURLRequestContext context_; |
8942 std::unique_ptr<URLRequest> request_; | 8913 std::unique_ptr<URLRequest> request_; |
8943 }; | 8914 }; |
8944 | 8915 |
8945 // Tests the TLS 1.0 fallback doesn't happen. | 8916 // Tests the TLS 1.0 fallback doesn't happen. |
8946 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { | 8917 TEST_F(HTTPSFallbackTest, TLSv1NoFallback) { |
8947 SpawnedTestServer::SSLOptions ssl_options( | 8918 SpawnedTestServer::SSLOptions ssl_options( |
8948 SpawnedTestServer::SSLOptions::CERT_OK); | 8919 SpawnedTestServer::SSLOptions::CERT_OK); |
8949 ssl_options.tls_intolerant = | 8920 ssl_options.tls_intolerant = |
8950 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 8921 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
8951 | 8922 |
8952 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8923 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8953 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); | 8924 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
8954 } | 8925 } |
8955 | 8926 |
8956 // Tests the TLS 1.1 fallback doesn't happen but 1.2-intolerance is detected. | 8927 // Tests the TLS 1.1 fallback doesn't happen. |
8957 TEST_F(HTTPSFallbackTest, TLSv1_1NoFallback) { | 8928 TEST_F(HTTPSFallbackTest, TLSv1_1NoFallback) { |
8958 SpawnedTestServer::SSLOptions ssl_options( | 8929 SpawnedTestServer::SSLOptions ssl_options( |
8959 SpawnedTestServer::SSLOptions::CERT_OK); | 8930 SpawnedTestServer::SSLOptions::CERT_OK); |
8960 ssl_options.tls_intolerant = | 8931 ssl_options.tls_intolerant = |
8961 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | 8932 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; |
8962 | 8933 |
8963 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 8934 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
8964 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | |
8965 } | |
8966 | |
8967 // Tests the TLS 1.1 fallback when explicitly enabled. | |
8968 TEST_F(HTTPSFallbackTest, TLSv1_1Fallback) { | |
8969 SpawnedTestServer::SSLOptions ssl_options( | |
8970 SpawnedTestServer::SSLOptions::CERT_OK); | |
8971 ssl_options.tls_intolerant = | |
8972 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | |
8973 | |
8974 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
8975 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
8976 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | |
8977 } | |
8978 | |
8979 // Tests that the TLS 1.1 fallback, if enabled, triggers on closed connections. | |
8980 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackClosed) { | |
8981 SpawnedTestServer::SSLOptions ssl_options( | |
8982 SpawnedTestServer::SSLOptions::CERT_OK); | |
8983 ssl_options.tls_intolerant = | |
8984 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | |
8985 ssl_options.tls_intolerance_type = | |
8986 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | |
8987 | |
8988 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
8989 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
8990 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | |
8991 } | |
8992 | |
8993 // This test is disabled on Android because the remote test server doesn't cause | |
8994 // a TCP reset. | |
8995 #if !defined(OS_ANDROID) | |
8996 // Tests fallback to TLS 1.1, if enabled, on connection reset. | |
8997 TEST_F(HTTPSFallbackTest, TLSv1_1FallbackReset) { | |
8998 SpawnedTestServer::SSLOptions ssl_options( | |
8999 SpawnedTestServer::SSLOptions::CERT_OK); | |
9000 ssl_options.tls_intolerant = | |
9001 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | |
9002 ssl_options.tls_intolerance_type = | |
9003 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; | |
9004 | |
9005 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
9006 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
9007 ExpectConnection(SSL_CONNECTION_VERSION_TLS1_1); | |
9008 } | |
9009 #endif // !OS_ANDROID | |
9010 | |
9011 // Tests that we don't fallback, even if enabled, on handshake failure with | |
9012 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error | |
9013 // code is reported. | |
9014 TEST_F(HTTPSFallbackTest, FallbackSCSV) { | |
9015 SpawnedTestServer::SSLOptions ssl_options( | |
9016 SpawnedTestServer::SSLOptions::CERT_OK); | |
9017 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | |
9018 // a version fallback. | |
9019 ssl_options.tls_intolerant = | |
9020 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | |
9021 // Have the server process TLS_FALLBACK_SCSV so that version fallback | |
9022 // connections are rejected. | |
9023 ssl_options.fallback_scsv_enabled = true; | |
9024 | |
9025 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
9026 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
9027 | |
9028 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version | |
9029 // intolerance. If the fallback SCSV is processed when the original error | |
9030 // that caused the fallback should be returned, which should be | |
9031 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. | |
9032 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); | 8935 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
9033 } | 8936 } |
9034 | 8937 |
9035 // Tests that we don't fallback, even if enabled, on connection closed with | |
9036 // servers that implement TLS_FALLBACK_SCSV. Also ensure that the original error | |
9037 // code is reported. | |
9038 TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { | |
9039 SpawnedTestServer::SSLOptions ssl_options( | |
9040 SpawnedTestServer::SSLOptions::CERT_OK); | |
9041 // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger | |
9042 // a version fallback. | |
9043 ssl_options.tls_intolerant = | |
9044 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | |
9045 ssl_options.tls_intolerance_type = | |
9046 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | |
9047 // Have the server process TLS_FALLBACK_SCSV so that version fallback | |
9048 // connections are rejected. | |
9049 ssl_options.fallback_scsv_enabled = true; | |
9050 | |
9051 set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
9052 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
9053 | |
9054 // The original error should be replayed on rejected fallback. | |
9055 ExpectFailure(ERR_CONNECTION_CLOSED); | |
9056 } | |
9057 | |
9058 // Test that fallback probe connections don't cause sessions to be cached. | |
9059 TEST_F(HTTPSRequestTest, FallbackProbeNoCache) { | |
9060 SpawnedTestServer::SSLOptions ssl_options( | |
9061 SpawnedTestServer::SSLOptions::CERT_OK); | |
9062 ssl_options.tls_intolerant = | |
9063 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_2; | |
9064 ssl_options.tls_intolerance_type = | |
9065 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | |
9066 ssl_options.record_resume = true; | |
9067 | |
9068 SpawnedTestServer test_server( | |
9069 SpawnedTestServer::TYPE_HTTPS, | |
9070 ssl_options, | |
9071 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
9072 ASSERT_TRUE(test_server.Start()); | |
9073 | |
9074 SSLClientSocket::ClearSessionCache(); | |
9075 | |
9076 // Make a connection that does a probe fallback to TLSv1.1 but fails because | |
9077 // fallback is disabled. We don't wish a session for this connection to be | |
9078 // inserted locally. | |
9079 { | |
9080 TestDelegate delegate; | |
9081 FallbackTestURLRequestContext context(true); | |
9082 | |
9083 context.Init(); | |
9084 std::unique_ptr<URLRequest> request(context.CreateRequest( | |
9085 test_server.GetURL("/"), DEFAULT_PRIORITY, &delegate)); | |
9086 request->Start(); | |
9087 | |
9088 base::RunLoop().Run(); | |
9089 | |
9090 EXPECT_EQ(1, delegate.response_started_count()); | |
9091 EXPECT_FALSE(request->status().is_success()); | |
9092 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); | |
9093 EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, | |
9094 request->status().error()); | |
9095 } | |
9096 | |
9097 // Now allow TLSv1.1 fallback connections and request the session cache log. | |
9098 { | |
9099 TestDelegate delegate; | |
9100 FallbackTestURLRequestContext context(true); | |
9101 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1_1); | |
9102 | |
9103 context.Init(); | |
9104 std::unique_ptr<URLRequest> request(context.CreateRequest( | |
9105 test_server.GetURL("ssl-session-cache"), DEFAULT_PRIORITY, &delegate)); | |
9106 request->Start(); | |
9107 | |
9108 base::RunLoop().Run(); | |
9109 | |
9110 EXPECT_EQ(1, delegate.response_started_count()); | |
9111 EXPECT_NE(0, delegate.bytes_received()); | |
9112 EXPECT_EQ( | |
9113 SSL_CONNECTION_VERSION_TLS1_1, | |
9114 SSLConnectionStatusToVersion(request->ssl_info().connection_status)); | |
9115 EXPECT_TRUE(request->ssl_info().connection_status & | |
9116 SSL_CONNECTION_VERSION_FALLBACK); | |
9117 | |
9118 std::vector<std::string> lines; | |
9119 // If no sessions were cached then the server should have seen two sessions | |
9120 // inserted with no lookups. | |
9121 AssertTwoDistinctSessionsInserted(delegate.data_received()); | |
9122 } | |
9123 } | |
9124 | |
9125 class HTTPSSessionTest : public testing::Test { | 8938 class HTTPSSessionTest : public testing::Test { |
9126 public: | 8939 public: |
9127 HTTPSSessionTest() : default_context_(true) { | 8940 HTTPSSessionTest() : default_context_(true) { |
9128 cert_verifier_.set_default_result(OK); | 8941 cert_verifier_.set_default_result(OK); |
9129 | 8942 |
9130 default_context_.set_network_delegate(&default_network_delegate_); | 8943 default_context_.set_network_delegate(&default_network_delegate_); |
9131 default_context_.set_cert_verifier(&cert_verifier_); | 8944 default_context_.set_cert_verifier(&cert_verifier_); |
9132 default_context_.Init(); | 8945 default_context_.Init(); |
9133 } | 8946 } |
9134 ~HTTPSSessionTest() override {} | 8947 ~HTTPSSessionTest() override {} |
(...skipping 1013 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
10148 AddTestInterceptor()->set_main_intercept_job(std::move(job)); | 9961 AddTestInterceptor()->set_main_intercept_job(std::move(job)); |
10149 | 9962 |
10150 req->Start(); | 9963 req->Start(); |
10151 req->Cancel(); | 9964 req->Cancel(); |
10152 base::RunLoop().RunUntilIdle(); | 9965 base::RunLoop().RunUntilIdle(); |
10153 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); | 9966 EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status()); |
10154 EXPECT_EQ(0, d.received_redirect_count()); | 9967 EXPECT_EQ(0, d.received_redirect_count()); |
10155 } | 9968 } |
10156 | 9969 |
10157 } // namespace net | 9970 } // namespace net |
OLD | NEW |