| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 63 return state->EnableHost(host, domain_state); | 63 return state->EnableHost(host, domain_state); |
| 64 } | 64 } |
| 65 }; | 65 }; |
| 66 | 66 |
| 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 67 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
| 68 TransportSecurityState state; | 68 TransportSecurityState state; |
| 69 TransportSecurityState::DomainState domain_state; | 69 TransportSecurityState::DomainState domain_state; |
| 70 const base::Time current_time(base::Time::Now()); | 70 const base::Time current_time(base::Time::Now()); |
| 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 71 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 72 | 72 |
| 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 73 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 74 bool include_subdomains = false; | 74 bool include_subdomains = false; |
| 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 75 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 76 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 77 } | 77 } |
| 78 | 78 |
| 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { | 79 TEST_F(TransportSecurityStateTest, MatchesCase1) { |
| 80 TransportSecurityState state; | 80 TransportSecurityState state; |
| 81 TransportSecurityState::DomainState domain_state; | 81 TransportSecurityState::DomainState domain_state; |
| 82 const base::Time current_time(base::Time::Now()); | 82 const base::Time current_time(base::Time::Now()); |
| 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 83 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 84 | 84 |
| 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 85 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 86 bool include_subdomains = false; | 86 bool include_subdomains = false; |
| 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | 87 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); |
| 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 88 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 89 } | 89 } |
| 90 | 90 |
| 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 91 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
| 92 TransportSecurityState state; | 92 TransportSecurityState state; |
| 93 TransportSecurityState::DomainState domain_state; | 93 TransportSecurityState::DomainState domain_state; |
| 94 const base::Time current_time(base::Time::Now()); | 94 const base::Time current_time(base::Time::Now()); |
| 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 95 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 96 | 96 |
| 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); | 97 EXPECT_FALSE(state.GetDomainState("YAhoo.coM", true, &domain_state)); |
| 98 bool include_subdomains = false; | 98 bool include_subdomains = false; |
| 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 99 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, true, &domain_state)); | 100 EXPECT_TRUE(state.GetDomainState("YAhoo.coM", true, &domain_state)); |
| 101 } | 101 } |
| 102 | 102 |
| 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 103 TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
| 104 TransportSecurityState state; | 104 TransportSecurityState state; |
| 105 TransportSecurityState::DomainState domain_state; | 105 TransportSecurityState::DomainState domain_state; |
| 106 const base::Time current_time(base::Time::Now()); | 106 const base::Time current_time(base::Time::Now()); |
| 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 107 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 108 | 108 |
| 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 109 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 110 bool include_subdomains = true; | 110 bool include_subdomains = true; |
| 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 111 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 112 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, true, &domain_state)); | 113 EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state)); |
| 114 EXPECT_TRUE( | 114 EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state)); |
| 115 state.GetDomainState("foo.bar.yahoo.com", true, true, &domain_state)); | 115 EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true, |
| 116 EXPECT_TRUE( | 116 &domain_state)); |
| 117 state.GetDomainState("foo.bar.baz.yahoo.com", true, true, &domain_state)); | 117 EXPECT_FALSE(state.GetDomainState("com", true, &domain_state)); |
| 118 EXPECT_FALSE(state.GetDomainState("com", true, true, &domain_state)); | |
| 119 } | 118 } |
| 120 | 119 |
| 121 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | 120 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 122 TransportSecurityState state; | 121 TransportSecurityState state; |
| 123 TransportSecurityState::DomainState domain_state; | 122 TransportSecurityState::DomainState domain_state; |
| 124 const base::Time current_time(base::Time::Now()); | 123 const base::Time current_time(base::Time::Now()); |
| 125 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 124 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 126 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | 125 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 127 | 126 |
| 128 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 127 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 129 bool include_subdomains = false; | 128 bool include_subdomains = false; |
| 130 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 129 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 131 | 130 |
| 132 state.DeleteAllDynamicDataSince(expiry); | 131 state.DeleteAllDynamicDataSince(expiry); |
| 133 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 132 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 134 state.DeleteAllDynamicDataSince(older); | 133 state.DeleteAllDynamicDataSince(older); |
| 135 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 134 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 136 } | 135 } |
| 137 | 136 |
| 138 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | 137 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| 139 TransportSecurityState state; | 138 TransportSecurityState state; |
| 140 TransportSecurityState::DomainState domain_state; | 139 TransportSecurityState::DomainState domain_state; |
| 141 const base::Time current_time(base::Time::Now()); | 140 const base::Time current_time(base::Time::Now()); |
| 142 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 141 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 143 bool include_subdomains = false; | 142 bool include_subdomains = false; |
| 144 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 143 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 145 | 144 |
| 146 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 145 EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 147 EXPECT_FALSE(state.GetDomainState("example.com", true, true, &domain_state)); | 146 EXPECT_FALSE(state.GetDomainState("example.com", true, &domain_state)); |
| 148 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 147 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
| 149 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, true, &domain_state)); | 148 EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state)); |
| 150 } | 149 } |
| 151 | 150 |
| 152 TEST_F(TransportSecurityStateTest, IsPreloaded) { | 151 TEST_F(TransportSecurityStateTest, IsPreloaded) { |
| 153 const std::string paypal = CanonicalizeHost("paypal.com"); | 152 const std::string paypal = CanonicalizeHost("paypal.com"); |
| 154 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); | 153 const std::string www_paypal = CanonicalizeHost("www.paypal.com"); |
| 155 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); | 154 const std::string foo_paypal = CanonicalizeHost("foo.paypal.com"); |
| 156 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); | 155 const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com"); |
| 157 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); | 156 const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com"); |
| 158 const std::string example = CanonicalizeHost("example.com"); | 157 const std::string example = CanonicalizeHost("example.com"); |
| 159 const std::string aypal = CanonicalizeHost("aypal.com"); | 158 const std::string aypal = CanonicalizeHost("aypal.com"); |
| (...skipping 10 matching lines...) Expand all Loading... |
| 170 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | 169 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); |
| 171 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | 170 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); |
| 172 } | 171 } |
| 173 | 172 |
| 174 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 173 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
| 175 TransportSecurityState state; | 174 TransportSecurityState state; |
| 176 TransportSecurityState::DomainState domain_state; | 175 TransportSecurityState::DomainState domain_state; |
| 177 | 176 |
| 178 // The domain wasn't being set, leading to a blank string in the | 177 // The domain wasn't being set, leading to a blank string in the |
| 179 // chrome://net-internals/#hsts UI. So test that. | 178 // chrome://net-internals/#hsts UI. So test that. |
| 180 EXPECT_TRUE( | 179 EXPECT_TRUE(state.GetDomainState("market.android.com", true, &domain_state)); |
| 181 state.GetDomainState("market.android.com", true, true, &domain_state)); | |
| 182 EXPECT_EQ(domain_state.domain, "market.android.com"); | 180 EXPECT_EQ(domain_state.domain, "market.android.com"); |
| 183 EXPECT_TRUE(state.GetDomainState( | 181 EXPECT_TRUE(state.GetDomainState("sub.market.android.com", true, |
| 184 "sub.market.android.com", true, true, &domain_state)); | 182 &domain_state)); |
| 185 EXPECT_EQ(domain_state.domain, "market.android.com"); | 183 EXPECT_EQ(domain_state.domain, "market.android.com"); |
| 186 } | 184 } |
| 187 | 185 |
| 188 static bool ShouldRedirect(const char* hostname) { | 186 static bool ShouldRedirect(const char* hostname) { |
| 189 TransportSecurityState state; | 187 TransportSecurityState state; |
| 190 TransportSecurityState::DomainState domain_state; | 188 TransportSecurityState::DomainState domain_state; |
| 191 return state.GetDomainState( | 189 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state) && |
| 192 hostname, true /* SNI ok */, true, &domain_state) && | |
| 193 domain_state.ShouldUpgradeToSSL(); | 190 domain_state.ShouldUpgradeToSSL(); |
| 194 } | 191 } |
| 195 | 192 |
| 196 static bool HasState(const char* hostname) { | 193 static bool HasState(const char* hostname) { |
| 197 TransportSecurityState state; | 194 TransportSecurityState state; |
| 198 TransportSecurityState::DomainState domain_state; | 195 TransportSecurityState::DomainState domain_state; |
| 199 return state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state); | 196 return state.GetDomainState(hostname, true /* SNI ok */, &domain_state); |
| 200 } | 197 } |
| 201 | 198 |
| 202 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { | 199 static bool HasPublicKeyPins(const char* hostname, bool sni_enabled) { |
| 203 TransportSecurityState state; | 200 TransportSecurityState state; |
| 204 TransportSecurityState::DomainState domain_state; | 201 TransportSecurityState::DomainState domain_state; |
| 205 if (!state.GetDomainState(hostname, sni_enabled, true, &domain_state)) | 202 if (!state.GetDomainState(hostname, sni_enabled, &domain_state)) |
| 206 return false; | 203 return false; |
| 207 | 204 |
| 208 return domain_state.HasPublicKeyPins(); | 205 return domain_state.HasPublicKeyPins(); |
| 209 } | 206 } |
| 210 | 207 |
| 211 static bool HasPublicKeyPins(const char* hostname) { | 208 static bool HasPublicKeyPins(const char* hostname) { |
| 212 return HasPublicKeyPins(hostname, true); | 209 return HasPublicKeyPins(hostname, true); |
| 213 } | 210 } |
| 214 | 211 |
| 215 static bool OnlyPinning(const char *hostname) { | 212 static bool OnlyPinning(const char *hostname) { |
| 216 TransportSecurityState state; | 213 TransportSecurityState state; |
| 217 TransportSecurityState::DomainState domain_state; | 214 TransportSecurityState::DomainState domain_state; |
| 218 if (!state.GetDomainState(hostname, true /* SNI ok */, true, &domain_state)) | 215 if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state)) |
| 219 return false; | 216 return false; |
| 220 | 217 |
| 221 return (domain_state.static_spki_hashes.size() > 0 || | 218 return (domain_state.static_spki_hashes.size() > 0 || |
| 222 domain_state.bad_static_spki_hashes.size() > 0 || | 219 domain_state.bad_static_spki_hashes.size() > 0 || |
| 223 domain_state.dynamic_spki_hashes.size() > 0) && | 220 domain_state.dynamic_spki_hashes.size() > 0) && |
| 224 !domain_state.ShouldUpgradeToSSL(); | 221 !domain_state.ShouldUpgradeToSSL(); |
| 225 } | 222 } |
| 226 | 223 |
| 227 TEST_F(TransportSecurityStateTest, Preloaded) { | 224 TEST_F(TransportSecurityStateTest, Preloaded) { |
| 228 TransportSecurityState state; | 225 TransportSecurityState state; |
| 229 TransportSecurityState::DomainState domain_state; | 226 TransportSecurityState::DomainState domain_state; |
| 230 | 227 |
| 231 // We do more extensive checks for the first domain. | 228 // We do more extensive checks for the first domain. |
| 232 EXPECT_TRUE( | 229 EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state)); |
| 233 state.GetDomainState("www.paypal.com", true, true, &domain_state)); | |
| 234 EXPECT_EQ(domain_state.upgrade_mode, | 230 EXPECT_EQ(domain_state.upgrade_mode, |
| 235 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); | 231 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 236 EXPECT_FALSE(domain_state.sts_include_subdomains); | 232 EXPECT_FALSE(domain_state.sts_include_subdomains); |
| 237 EXPECT_FALSE(domain_state.pkp_include_subdomains); | 233 EXPECT_FALSE(domain_state.pkp_include_subdomains); |
| 238 | 234 |
| 239 EXPECT_TRUE(HasState("paypal.com")); | 235 EXPECT_TRUE(HasState("paypal.com")); |
| 240 EXPECT_FALSE(HasState("www2.paypal.com")); | 236 EXPECT_FALSE(HasState("www2.paypal.com")); |
| 241 EXPECT_FALSE(HasState("www2.paypal.com")); | 237 EXPECT_FALSE(HasState("www2.paypal.com")); |
| 242 | 238 |
| 243 // Google hosts: | 239 // Google hosts: |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 285 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); | 281 EXPECT_TRUE(OnlyPinning("www.google-analytics.com")); |
| 286 EXPECT_TRUE(OnlyPinning("googleapis.com")); | 282 EXPECT_TRUE(OnlyPinning("googleapis.com")); |
| 287 EXPECT_TRUE(OnlyPinning("googleadservices.com")); | 283 EXPECT_TRUE(OnlyPinning("googleadservices.com")); |
| 288 EXPECT_TRUE(OnlyPinning("googlecode.com")); | 284 EXPECT_TRUE(OnlyPinning("googlecode.com")); |
| 289 EXPECT_TRUE(OnlyPinning("appspot.com")); | 285 EXPECT_TRUE(OnlyPinning("appspot.com")); |
| 290 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); | 286 EXPECT_TRUE(OnlyPinning("googlesyndication.com")); |
| 291 EXPECT_TRUE(OnlyPinning("doubleclick.net")); | 287 EXPECT_TRUE(OnlyPinning("doubleclick.net")); |
| 292 EXPECT_TRUE(OnlyPinning("googlegroups.com")); | 288 EXPECT_TRUE(OnlyPinning("googlegroups.com")); |
| 293 | 289 |
| 294 // Tests for domains that don't work without SNI. | 290 // Tests for domains that don't work without SNI. |
| 295 EXPECT_FALSE(state.GetDomainState("gmail.com", false, true, &domain_state)); | 291 EXPECT_FALSE(state.GetDomainState("gmail.com", false, &domain_state)); |
| 296 EXPECT_FALSE( | 292 EXPECT_FALSE(state.GetDomainState("www.gmail.com", false, &domain_state)); |
| 297 state.GetDomainState("www.gmail.com", false, true, &domain_state)); | 293 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, &domain_state)); |
| 298 EXPECT_FALSE(state.GetDomainState("m.gmail.com", false, true, &domain_state)); | 294 EXPECT_FALSE(state.GetDomainState("googlemail.com", false, &domain_state)); |
| 299 EXPECT_FALSE( | 295 EXPECT_FALSE(state.GetDomainState("www.googlemail.com", false, |
| 300 state.GetDomainState("googlemail.com", false, true, &domain_state)); | 296 &domain_state)); |
| 301 EXPECT_FALSE( | 297 EXPECT_FALSE(state.GetDomainState("m.googlemail.com", false, &domain_state)); |
| 302 state.GetDomainState("www.googlemail.com", false, true, &domain_state)); | |
| 303 EXPECT_FALSE( | |
| 304 state.GetDomainState("m.googlemail.com", false, true, &domain_state)); | |
| 305 | 298 |
| 306 // Other hosts: | 299 // Other hosts: |
| 307 | 300 |
| 308 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); | 301 EXPECT_TRUE(ShouldRedirect("aladdinschools.appspot.com")); |
| 309 | 302 |
| 310 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); | 303 EXPECT_TRUE(ShouldRedirect("ottospora.nl")); |
| 311 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); | 304 EXPECT_TRUE(ShouldRedirect("www.ottospora.nl")); |
| 312 | 305 |
| 313 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); | 306 EXPECT_TRUE(ShouldRedirect("www.paycheckrecords.com")); |
| 314 | 307 |
| (...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 388 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); | 381 EXPECT_TRUE(ShouldRedirect("simon.butcher.name")); |
| 389 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); | 382 EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name")); |
| 390 | 383 |
| 391 EXPECT_TRUE(ShouldRedirect("linx.net")); | 384 EXPECT_TRUE(ShouldRedirect("linx.net")); |
| 392 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); | 385 EXPECT_TRUE(ShouldRedirect("foo.linx.net")); |
| 393 | 386 |
| 394 EXPECT_TRUE(ShouldRedirect("dropcam.com")); | 387 EXPECT_TRUE(ShouldRedirect("dropcam.com")); |
| 395 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); | 388 EXPECT_TRUE(ShouldRedirect("www.dropcam.com")); |
| 396 EXPECT_FALSE(HasState("foo.dropcam.com")); | 389 EXPECT_FALSE(HasState("foo.dropcam.com")); |
| 397 | 390 |
| 398 EXPECT_TRUE( | 391 EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state)); |
| 399 state.GetDomainState("torproject.org", false, true, &domain_state)); | |
| 400 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 392 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 401 EXPECT_TRUE( | 393 EXPECT_TRUE(state.GetDomainState("www.torproject.org", false, |
| 402 state.GetDomainState("www.torproject.org", false, true, &domain_state)); | 394 &domain_state)); |
| 403 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 395 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 404 EXPECT_TRUE( | 396 EXPECT_TRUE(state.GetDomainState("check.torproject.org", false, |
| 405 state.GetDomainState("check.torproject.org", false, true, &domain_state)); | 397 &domain_state)); |
| 406 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 398 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 407 EXPECT_TRUE( | 399 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false, |
| 408 state.GetDomainState("blog.torproject.org", false, true, &domain_state)); | 400 &domain_state)); |
| 409 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); | 401 EXPECT_FALSE(domain_state.static_spki_hashes.empty()); |
| 410 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); | 402 EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn")); |
| 411 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); | 403 EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn")); |
| 412 | 404 |
| 413 EXPECT_TRUE(ShouldRedirect("epoxate.com")); | 405 EXPECT_TRUE(ShouldRedirect("epoxate.com")); |
| 414 EXPECT_FALSE(HasState("foo.epoxate.com")); | 406 EXPECT_FALSE(HasState("foo.epoxate.com")); |
| 415 | 407 |
| 416 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); | 408 EXPECT_TRUE(HasPublicKeyPins("torproject.org")); |
| 417 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); | 409 EXPECT_TRUE(HasPublicKeyPins("www.torproject.org")); |
| 418 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); | 410 EXPECT_TRUE(HasPublicKeyPins("check.torproject.org")); |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 470 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); | 462 EXPECT_TRUE(HasPublicKeyPins("www.twitter.com")); |
| 471 } | 463 } |
| 472 | 464 |
| 473 TEST_F(TransportSecurityStateTest, LongNames) { | 465 TEST_F(TransportSecurityStateTest, LongNames) { |
| 474 TransportSecurityState state; | 466 TransportSecurityState state; |
| 475 const char kLongName[] = | 467 const char kLongName[] = |
| 476 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | 468 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" |
| 477 "WaveletIdDomainAndBlipBlipid"; | 469 "WaveletIdDomainAndBlipBlipid"; |
| 478 TransportSecurityState::DomainState domain_state; | 470 TransportSecurityState::DomainState domain_state; |
| 479 // Just checks that we don't hit a NOTREACHED. | 471 // Just checks that we don't hit a NOTREACHED. |
| 480 EXPECT_FALSE(state.GetDomainState(kLongName, true, true, &domain_state)); | 472 EXPECT_FALSE(state.GetDomainState(kLongName, true, &domain_state)); |
| 481 } | 473 } |
| 482 | 474 |
| 483 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 475 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
| 484 TransportSecurityState state; | 476 TransportSecurityState state; |
| 485 TransportSecurityState::DomainState domain_state; | 477 TransportSecurityState::DomainState domain_state; |
| 486 | 478 |
| 487 EXPECT_TRUE( | 479 EXPECT_TRUE(state.GetDomainState("chrome.google.com", true, &domain_state)); |
| 488 state.GetDomainState("chrome.google.com", true, true, &domain_state)); | |
| 489 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); | 480 EXPECT_TRUE(HasPublicKeyPins("chrome.google.com")); |
| 490 | 481 |
| 491 HashValueVector hashes; | 482 HashValueVector hashes; |
| 492 // Checks that a built-in list does exist. | 483 // Checks that a built-in list does exist. |
| 493 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); | 484 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes)); |
| 494 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); | 485 EXPECT_FALSE(HasPublicKeyPins("www.paypal.com")); |
| 495 | 486 |
| 496 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); | 487 EXPECT_TRUE(HasPublicKeyPins("docs.google.com")); |
| 497 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); | 488 EXPECT_TRUE(HasPublicKeyPins("1.docs.google.com")); |
| 498 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); | 489 EXPECT_TRUE(HasPublicKeyPins("sites.google.com")); |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 566 | 557 |
| 567 for (size_t i = 0; kGoodPath[i]; i++) { | 558 for (size_t i = 0; kGoodPath[i]; i++) { |
| 568 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 559 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 569 } | 560 } |
| 570 for (size_t i = 0; kBadPath[i]; i++) { | 561 for (size_t i = 0; kBadPath[i]; i++) { |
| 571 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 562 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 572 } | 563 } |
| 573 | 564 |
| 574 TransportSecurityState state; | 565 TransportSecurityState state; |
| 575 TransportSecurityState::DomainState domain_state; | 566 TransportSecurityState::DomainState domain_state; |
| 576 EXPECT_TRUE( | 567 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); |
| 577 state.GetDomainState("plus.google.com", true, true, &domain_state)); | |
| 578 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 568 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 579 | 569 |
| 580 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 570 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
| 581 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 571 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
| 582 } | 572 } |
| 583 | 573 |
| 584 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { | 574 TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { |
| 585 // kGoodPath is blog.torproject.org. | 575 // kGoodPath is blog.torproject.org. |
| 586 static const char* kGoodPath[] = { | 576 static const char* kGoodPath[] = { |
| 587 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", | 577 "sha1/m9lHYJYke9k0GtVZ+bXSQYE8nDI=", |
| (...skipping 15 matching lines...) Expand all Loading... |
| 603 | 593 |
| 604 for (size_t i = 0; kGoodPath[i]; i++) { | 594 for (size_t i = 0; kGoodPath[i]; i++) { |
| 605 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 595 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
| 606 } | 596 } |
| 607 for (size_t i = 0; kBadPath[i]; i++) { | 597 for (size_t i = 0; kBadPath[i]; i++) { |
| 608 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 598 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
| 609 } | 599 } |
| 610 | 600 |
| 611 TransportSecurityState state; | 601 TransportSecurityState state; |
| 612 TransportSecurityState::DomainState domain_state; | 602 TransportSecurityState::DomainState domain_state; |
| 613 EXPECT_TRUE( | 603 EXPECT_TRUE(state.GetDomainState("blog.torproject.org", true, &domain_state)); |
| 614 state.GetDomainState("blog.torproject.org", true, true, &domain_state)); | |
| 615 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 604 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 616 | 605 |
| 617 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); | 606 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes)); |
| 618 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); | 607 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes)); |
| 619 } | 608 } |
| 620 | 609 |
| 621 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { | 610 TEST_F(TransportSecurityStateTest, PinValidationWithRejectedCertsMixedHashes) { |
| 622 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; | 611 static const char* ee_sha1 = "sha1/4BjDjn8v2lWeUFQnqSs0BgbIcrU="; |
| 623 static const char* ee_sha256 = | 612 static const char* ee_sha256 = |
| 624 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; | 613 "sha256/sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I="; |
| 625 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; | 614 static const char* google_1024_sha1 = "sha1/QMVAHW+MuvCLAO3vse6H0AWzuc0="; |
| 626 static const char* google_1024_sha256 = | 615 static const char* google_1024_sha256 = |
| 627 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; | 616 "sha256/trlUMquuV/4CDLK3T0+fkXPIxwivyecyrOIyeQR8bQU="; |
| 628 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; | 617 static const char* equifax_sha1 = "sha1/SOZo+SvSspXXR9gjIBBPM5iQn9Q="; |
| 629 static const char* equifax_sha256 = | 618 static const char* equifax_sha256 = |
| 630 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; | 619 "sha256//1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY="; |
| 631 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; | 620 static const char* trustcenter_sha1 = "sha1/gzuEEAB/bkqdQS3EIjk2by7lW+k="; |
| 632 static const char* trustcenter_sha256 = | 621 static const char* trustcenter_sha256 = |
| 633 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; | 622 "sha256/Dq58KIA4NMLsboWMLU8/aTREzaAGEFW+EtUule8dd/M="; |
| 634 | 623 |
| 635 // Good chains for plus.google.com chain up through google_1024_sha{1,256} | 624 // Good chains for plus.google.com chain up through google_1024_sha{1,256} |
| 636 // to equifax_sha{1,256}. Bad chains chain up to Equifax through | 625 // to equifax_sha{1,256}. Bad chains chain up to Equifax through |
| 637 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax | 626 // trustcenter_sha{1,256}, which is a blacklisted key. Even though Equifax |
| 638 // and Google1024 are known-good, the blacklistedness of Trustcenter | 627 // and Google1024 are known-good, the blacklistedness of Trustcenter |
| 639 // should override and cause pin validation failure. | 628 // should override and cause pin validation failure. |
| 640 | 629 |
| 641 TransportSecurityState state; | 630 TransportSecurityState state; |
| 642 TransportSecurityState::DomainState domain_state; | 631 TransportSecurityState::DomainState domain_state; |
| 643 EXPECT_TRUE( | 632 EXPECT_TRUE(state.GetDomainState("plus.google.com", true, &domain_state)); |
| 644 state.GetDomainState("plus.google.com", true, true, &domain_state)); | |
| 645 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 633 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
| 646 | 634 |
| 647 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins | 635 // The statically-defined pins are all SHA-1, so we add some SHA-256 pins |
| 648 // manually: | 636 // manually: |
| 649 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); | 637 EXPECT_TRUE(AddHash(google_1024_sha256, &domain_state.static_spki_hashes)); |
| 650 EXPECT_TRUE(AddHash(trustcenter_sha256, | 638 EXPECT_TRUE(AddHash(trustcenter_sha256, |
| 651 &domain_state.bad_static_spki_hashes)); | 639 &domain_state.bad_static_spki_hashes)); |
| 652 | 640 |
| 653 // Try an all-good SHA1 chain. | 641 // Try an all-good SHA1 chain. |
| 654 HashValueVector validated_chain; | 642 HashValueVector validated_chain; |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 746 EXPECT_FALSE(ShouldRedirect("google.com")); | 734 EXPECT_FALSE(ShouldRedirect("google.com")); |
| 747 EXPECT_FALSE(ShouldRedirect("www.google.com")); | 735 EXPECT_FALSE(ShouldRedirect("www.google.com")); |
| 748 | 736 |
| 749 TransportSecurityState state; | 737 TransportSecurityState state; |
| 750 TransportSecurityState::DomainState domain_state; | 738 TransportSecurityState::DomainState domain_state; |
| 751 const base::Time current_time(base::Time::Now()); | 739 const base::Time current_time(base::Time::Now()); |
| 752 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 740 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 753 domain_state.upgrade_expiry = expiry; | 741 domain_state.upgrade_expiry = expiry; |
| 754 EnableHost(&state, "www.google.com", domain_state); | 742 EnableHost(&state, "www.google.com", domain_state); |
| 755 | 743 |
| 756 EXPECT_TRUE( | 744 EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state)); |
| 757 state.GetDomainState("www.google.com", true, true, &domain_state)); | |
| 758 } | 745 } |
| 759 | 746 |
| 760 static const uint8 kSidePinLeafSPKI[] = { | 747 static const uint8 kSidePinLeafSPKI[] = { |
| 761 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, | 748 0x30, 0x5c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, |
| 762 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, | 749 0x01, 0x01, 0x05, 0x00, 0x03, 0x4b, 0x00, 0x30, 0x48, 0x02, 0x41, 0x00, 0xe4, |
| 763 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, | 750 0x1d, 0xcc, 0xf2, 0x92, 0xe7, 0x7a, 0xc6, 0x36, 0xf7, 0x1a, 0x62, 0x31, 0x7d, |
| 764 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, | 751 0x37, 0xea, 0x0d, 0xa2, 0xa8, 0x12, 0x2b, 0xc2, 0x1c, 0x82, 0x3e, 0xa5, 0x70, |
| 765 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, | 752 0x4a, 0x83, 0x5d, 0x9b, 0x84, 0x82, 0x70, 0xa4, 0x88, 0x98, 0x98, 0x41, 0x29, |
| 766 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, | 753 0x31, 0xcb, 0x6e, 0x2a, 0x54, 0x65, 0x14, 0x60, 0xcc, 0x00, 0xe8, 0x10, 0x30, |
| 767 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, | 754 0x0a, 0x4a, 0xd1, 0xa7, 0x52, 0xfe, 0x2d, 0x31, 0x2a, 0x1d, 0x0d, 0x02, 0x03, |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 846 // Expect to fail for SNI hosts when not searching the SNI list: | 833 // Expect to fail for SNI hosts when not searching the SNI list: |
| 847 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 834 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 848 "gmail.com", false)); | 835 "gmail.com", false)); |
| 849 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 836 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 850 "googlegroups.com", false)); | 837 "googlegroups.com", false)); |
| 851 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 838 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
| 852 "www.googlegroups.com", false)); | 839 "www.googlegroups.com", false)); |
| 853 } | 840 } |
| 854 | 841 |
| 855 } // namespace net | 842 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 24251011:
Revert 224269 "Don't persist HPKP if PrivacyMode is enabled." (Closed)
Base URL: svn://svn.chromium.org/chrome/