OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
6 | 6 |
7 #include <errno.h> | 7 #include <errno.h> |
8 #include <string.h> | 8 #include <string.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 787 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
798 base::Time delete_begin, | 798 base::Time delete_begin, |
799 base::Time delete_end, | 799 base::Time delete_end, |
800 const base::Closure& completion_callback) override {} | 800 const base::Closure& completion_callback) override {} |
801 void DeleteAll(const base::Closure& completion_callback) override {} | 801 void DeleteAll(const base::Closure& completion_callback) override {} |
802 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {} | 802 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {} |
803 int GetChannelIDCount() override { return 0; } | 803 int GetChannelIDCount() override { return 0; } |
804 void SetForceKeepSessionState() override {} | 804 void SetForceKeepSessionState() override {} |
805 bool IsEphemeral() override { return true; } | 805 bool IsEphemeral() override { return true; } |
806 }; | 806 }; |
807 | 807 |
808 // A mock ExpectCTReporter that remembers the latest violation that was | |
809 // reported and the number of violations reported. | |
810 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { | |
811 public: | |
812 MockExpectCTReporter() : num_failures_(0) {} | |
813 ~MockExpectCTReporter() override {} | |
814 | |
815 void OnExpectCTFailed(const HostPortPair& host_port_pair, | |
816 const GURL& report_uri, | |
817 const X509Certificate* served_certificate_chain, | |
818 const X509Certificate* validated_certificate_chain, | |
819 const SignedCertificateTimestampAndStatusList& | |
820 signed_certificate_timestamps) override { | |
821 num_failures_++; | |
822 host_port_pair_ = host_port_pair; | |
823 report_uri_ = report_uri; | |
824 served_certificate_chain_ = served_certificate_chain; | |
825 validated_certificate_chain_ = validated_certificate_chain; | |
826 signed_certificate_timestamps_ = signed_certificate_timestamps; | |
827 } | |
828 | |
829 const HostPortPair& host_port_pair() { return host_port_pair_; } | |
830 const GURL& report_uri() { return report_uri_; } | |
831 uint32_t num_failures() { return num_failures_; } | |
832 const X509Certificate* served_certificate_chain() { | |
833 return served_certificate_chain_; | |
834 } | |
835 const X509Certificate* validated_certificate_chain() { | |
836 return validated_certificate_chain_; | |
837 } | |
838 const SignedCertificateTimestampAndStatusList& | |
839 signed_certificate_timestamps() { | |
840 return signed_certificate_timestamps_; | |
841 } | |
842 | |
843 private: | |
844 HostPortPair host_port_pair_; | |
845 GURL report_uri_; | |
846 uint32_t num_failures_; | |
847 const X509Certificate* served_certificate_chain_; | |
848 const X509Certificate* validated_certificate_chain_; | |
849 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; | |
850 }; | |
851 | |
808 // A mock CTVerifier that records every call to Verify but doesn't verify | 852 // A mock CTVerifier that records every call to Verify but doesn't verify |
809 // anything. | 853 // anything. |
810 class MockCTVerifier : public CTVerifier { | 854 class MockCTVerifier : public CTVerifier { |
811 public: | 855 public: |
812 MOCK_METHOD5(Verify, | 856 MOCK_METHOD5(Verify, |
813 void(X509Certificate*, | 857 void(X509Certificate*, |
814 base::StringPiece, | 858 base::StringPiece, |
815 base::StringPiece, | 859 base::StringPiece, |
816 SignedCertificateTimestampAndStatusList*, | 860 SignedCertificateTimestampAndStatusList*, |
817 const NetLogWithSource&)); | 861 const NetLogWithSource&)); |
(...skipping 2653 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3471 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 3515 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
3472 SSLInfo ssl_info; | 3516 SSLInfo ssl_info; |
3473 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | 3517 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
3474 | 3518 |
3475 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); | 3519 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); |
3476 EXPECT_TRUE(ssl_info.cert_status & | 3520 EXPECT_TRUE(ssl_info.cert_status & |
3477 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); | 3521 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
3478 EXPECT_TRUE(sock_->IsConnected()); | 3522 EXPECT_TRUE(sock_->IsConnected()); |
3479 } | 3523 } |
3480 | 3524 |
3525 // Test that when CT is required (in this case, by an Expect-CT opt-in), the | |
3526 // absence of CT information is a socket error. | |
3527 TEST_F(SSLClientSocketTest, CTIsRequiredByExpectCT) { | |
mattm
2017/05/02 23:32:52
Test other combinations of having a header and dif
estark
2017/05/04 01:18:30
Done. The logic for checking compliance results is
| |
3528 base::test::ScopedFeatureList feature_list; | |
3529 feature_list.InitAndEnableFeature( | |
3530 TransportSecurityState::kDynamicExpectCTFeature); | |
3531 | |
3532 SpawnedTestServer::SSLOptions ssl_options; | |
3533 ASSERT_TRUE(StartTestServer(ssl_options)); | |
3534 scoped_refptr<X509Certificate> server_cert = | |
3535 spawned_test_server()->GetCertificate(); | |
3536 | |
3537 // Certificate is trusted and chains to a public root. | |
3538 CertVerifyResult verify_result; | |
3539 verify_result.is_issued_by_known_root = true; | |
3540 verify_result.verified_cert = server_cert; | |
3541 verify_result.public_key_hashes = MakeHashValueVector(0); | |
3542 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); | |
3543 | |
3544 // Set up the Expect-CT opt-in. | |
3545 const base::Time current_time(base::Time::Now()); | |
3546 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
3547 transport_security_state_->AddExpectCT( | |
3548 spawned_test_server()->host_port_pair().host(), expiry, | |
3549 true /* enforce */, GURL("https://example-report.test")); | |
3550 MockExpectCTReporter reporter; | |
3551 transport_security_state_->SetExpectCTReporter(&reporter); | |
3552 | |
3553 EXPECT_CALL(*ct_policy_enforcer_, | |
3554 DoesConformToCertPolicy(server_cert.get(), _, _)) | |
3555 .WillRepeatedly( | |
3556 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); | |
3557 | |
3558 SSLConfig ssl_config; | |
3559 int rv; | |
3560 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | |
3561 SSLInfo ssl_info; | |
3562 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | |
3563 | |
3564 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); | |
3565 EXPECT_TRUE(ssl_info.cert_status & | |
3566 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); | |
3567 EXPECT_TRUE(sock_->IsConnected()); | |
3568 | |
3569 EXPECT_EQ(1u, reporter.num_failures()); | |
3570 EXPECT_EQ(GURL("https://example-report.test"), reporter.report_uri()); | |
3571 EXPECT_EQ(ssl_info.unverified_cert.get(), | |
3572 reporter.served_certificate_chain()); | |
3573 EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain()); | |
3574 EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size()); | |
3575 } | |
3576 | |
3481 // When both HPKP and CT are required for a host, and both fail, the more | 3577 // When both HPKP and CT are required for a host, and both fail, the more |
3482 // serious error is that the HPKP pin validation failed. | 3578 // serious error is that the HPKP pin validation failed. |
3483 TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) { | 3579 TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) { |
3484 SpawnedTestServer::SSLOptions ssl_options; | 3580 SpawnedTestServer::SSLOptions ssl_options; |
3485 ASSERT_TRUE(StartTestServer(ssl_options)); | 3581 ASSERT_TRUE(StartTestServer(ssl_options)); |
3486 scoped_refptr<X509Certificate> server_cert = | 3582 scoped_refptr<X509Certificate> server_cert = |
3487 spawned_test_server()->GetCertificate(); | 3583 spawned_test_server()->GetCertificate(); |
3488 | 3584 |
3489 // Certificate is trusted, but chains to a public root that doesn't match the | 3585 // Certificate is trusted, but chains to a public root that doesn't match the |
3490 // pin hashes. | 3586 // pin hashes. |
(...skipping 419 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
3910 // The read buffer should be released. | 4006 // The read buffer should be released. |
3911 StreamSocket::SocketMemoryStats stats; | 4007 StreamSocket::SocketMemoryStats stats; |
3912 client->DumpMemoryStats(&stats); | 4008 client->DumpMemoryStats(&stats); |
3913 EXPECT_EQ(0u, stats.buffer_size); | 4009 EXPECT_EQ(0u, stats.buffer_size); |
3914 EXPECT_EQ(1u, stats.cert_count); | 4010 EXPECT_EQ(1u, stats.cert_count); |
3915 EXPECT_LT(0u, stats.cert_size); | 4011 EXPECT_LT(0u, stats.cert_size); |
3916 EXPECT_EQ(stats.cert_size, stats.total_size); | 4012 EXPECT_EQ(stats.cert_size, stats.total_size); |
3917 } | 4013 } |
3918 | 4014 |
3919 } // namespace net | 4015 } // namespace net |
OLD | NEW |