Add tests for TLS fallback on connection reset and close.

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <shlobj.h>
 #endif
@@ skipping 6574 matching lines @@
 
   base::RunLoop().Run();
 
   EXPECT_EQ(1, d.response_started_count());
   EXPECT_NE(0, d.bytes_received());
   EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1),
             SSLConnectionStatusToVersion(r.ssl_info().connection_status));
   EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
 }
 
+// This test is disabled on Android because the remote test server doesn't cause
+// a TCP reset.
+#if !defined(OS_ANDROID)
+// Tests fallback to TLS 1.0 on connection reset.
+TEST_F(HTTPSRequestTest, TLSv1FallbackReset) {
+  // The OpenSSL library in use may not support TLS 1.1.
+#if !defined(USE_OPENSSL)

[wtc, 2014/06/24 21:33:29]

I think we should delete this check now. Please also remove the check from lines
6561-6562.

[davidben, 2014/06/25 21:19:56]

Good idea. We don't support building against old OpenSSLs anyway. Done.

+  EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1);
+#endif
+  if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1)
+    return;
+
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET;

[wtc, 2014/06/24 21:33:29]

Rather than duplicating the code of TLSv1Fallback, can you try to iterate over
an array of ssl_options.tls_intolerance_type values?

You can either add a for loop inside TLSv1Fallback manually, or use
INSTANTIATE_TEST_CASE_P.

Note: Same for the SSLv3Fallback test below.

[davidben, 2014/06/25 21:19:56]

I moved it to a fixture but didn't use INSTANTIATE_TEST_CASE_P since it seemed
messier with the reset case being so different.

+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_EQ(1, d.response_started_count());
+  EXPECT_NE(0, d.bytes_received());
+  EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1),
+            SSLConnectionStatusToVersion(r.ssl_info().connection_status));
+  EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
+}
+#endif  // !OS_ANDROID
+
 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV.
 #if defined(USE_OPENSSL)
 TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) {
 #else
 TEST_F(HTTPSRequestTest, FallbackSCSV) {
 #endif
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger
   // a version fallback.
@@ skipping 196 matching lines @@
   EXPECT_EQ("https", req.url().scheme());
   EXPECT_EQ("POST", req.method());
   EXPECT_EQ(kData, d.data_received());
 
   LoadTimingInfo load_timing_info;
   network_delegate.GetLoadTimingInfoBeforeRedirect(&load_timing_info);
   // LoadTimingInfo of HSTS redirects is similar to that of network cache hits
   TestLoadTimingCacheHitNoNetwork(load_timing_info);
 }
 
+// Tests that the SSLv3 fallback triggers on alert.
 TEST_F(HTTPSRequestTest, SSLv3Fallback) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_ALERT;
   SpawnedTestServer test_server(
       SpawnedTestServer::TYPE_HTTPS,
       ssl_options,
       base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
   ASSERT_TRUE(test_server.Start());
 
   TestDelegate d;
   TestURLRequestContext context(true);
   context.Init();
   d.set_allow_certificate_errors(true);
   URLRequest r(
       test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
   r.Start();
 
   base::RunLoop().Run();
 
   EXPECT_EQ(1, d.response_started_count());
   EXPECT_NE(0, d.bytes_received());
   EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3),
             SSLConnectionStatusToVersion(r.ssl_info().connection_status));
   EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
 }
 
+// Tests that the SSLv3 fallback triggers on closed connections.
+TEST_F(HTTPSRequestTest, SSLv3FallbackClosed) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_EQ(1, d.response_started_count());
+  EXPECT_NE(0, d.bytes_received());
+  EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3),
+            SSLConnectionStatusToVersion(r.ssl_info().connection_status));
+  EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK);
+}
+
+// This test is disabled on Android because the remote test server doesn't cause
+// a TCP reset. It also does not pass on OpenSSL. https://crbug.com/372849
+#if !defined(OS_ANDROID) && !defined(USE_OPENSSL)
+// Tests that a reset connection does not fallback down to SSL3.
+TEST_F(HTTPSRequestTest, SSLv3NoFallbackReset) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET;
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  TestDelegate d;
+  TestURLRequestContext context(true);
+  context.Init();
+  d.set_allow_certificate_errors(true);
+  URLRequest r(
+      test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context);
+  r.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_FALSE(r.status().is_success());
+  EXPECT_EQ(URLRequestStatus::FAILED, r.status().status());
+  EXPECT_EQ(ERR_CONNECTION_RESET, r.status().error());
+}
+#endif  // !OS_ANDROID && !USE_OPENSSL
+
 namespace {
 
 class SSLClientAuthTestDelegate : public TestDelegate {
  public:
   SSLClientAuthTestDelegate() : on_certificate_requested_count_(0) {
   }
   virtual void OnCertificateRequested(
       URLRequest* request,
       SSLCertRequestInfo* cert_request_info) OVERRIDE {
     on_certificate_requested_count_++;
@@ skipping 1179 matching lines @@
 
     EXPECT_FALSE(r.is_pending());
     EXPECT_EQ(1, d->response_started_count());
     EXPECT_FALSE(d->received_data_before_response());
     EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size));
   }
 }
 #endif  // !defined(DISABLE_FTP_SUPPORT)
 
 }  // namespace net