OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
6 | 6 |
7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
8 #include <windows.h> | 8 #include <windows.h> |
9 #include <shlobj.h> | 9 #include <shlobj.h> |
10 #endif | 10 #endif |
(...skipping 6537 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6548 if (err_allowed) { | 6548 if (err_allowed) { |
6549 EXPECT_NE(0, d.bytes_received()); | 6549 EXPECT_NE(0, d.bytes_received()); |
6550 CheckSSLInfo(r.ssl_info()); | 6550 CheckSSLInfo(r.ssl_info()); |
6551 } else { | 6551 } else { |
6552 EXPECT_EQ(0, d.bytes_received()); | 6552 EXPECT_EQ(0, d.bytes_received()); |
6553 } | 6553 } |
6554 } | 6554 } |
6555 } | 6555 } |
6556 } | 6556 } |
6557 | 6557 |
6558 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more | |
6559 // than necessary. | |
6560 TEST_F(HTTPSRequestTest, TLSv1Fallback) { | |
6561 // The OpenSSL library in use may not support TLS 1.1. | |
6562 #if !defined(USE_OPENSSL) | |
6563 EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1); | |
6564 #endif | |
6565 if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1) | |
6566 return; | |
6567 | |
6568 SpawnedTestServer::SSLOptions ssl_options( | |
6569 SpawnedTestServer::SSLOptions::CERT_OK); | |
6570 ssl_options.tls_intolerant = | |
6571 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | |
6572 SpawnedTestServer test_server( | |
6573 SpawnedTestServer::TYPE_HTTPS, | |
6574 ssl_options, | |
6575 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
6576 ASSERT_TRUE(test_server.Start()); | |
6577 | |
6578 TestDelegate d; | |
6579 TestURLRequestContext context(true); | |
6580 context.Init(); | |
6581 d.set_allow_certificate_errors(true); | |
6582 URLRequest r( | |
6583 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
6584 r.Start(); | |
6585 | |
6586 base::RunLoop().Run(); | |
6587 | |
6588 EXPECT_EQ(1, d.response_started_count()); | |
6589 EXPECT_NE(0, d.bytes_received()); | |
6590 EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1), | |
6591 SSLConnectionStatusToVersion(r.ssl_info().connection_status)); | |
6592 EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); | |
6593 } | |
6594 | |
6595 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. | |
6596 #if defined(USE_OPENSSL) | |
6597 TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) { | |
6598 #else | |
6599 TEST_F(HTTPSRequestTest, FallbackSCSV) { | |
6600 #endif | |
6601 SpawnedTestServer::SSLOptions ssl_options( | |
6602 SpawnedTestServer::SSLOptions::CERT_OK); | |
6603 // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger | |
6604 // a version fallback. | |
6605 ssl_options.tls_intolerant = | |
6606 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
6607 // Have the server process TLS_FALLBACK_SCSV so that version fallback | |
6608 // connections are rejected. | |
6609 ssl_options.fallback_scsv_enabled = true; | |
6610 | |
6611 SpawnedTestServer test_server( | |
6612 SpawnedTestServer::TYPE_HTTPS, | |
6613 ssl_options, | |
6614 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
6615 ASSERT_TRUE(test_server.Start()); | |
6616 | |
6617 TestDelegate d; | |
6618 TestURLRequestContext context(true); | |
6619 context.Init(); | |
6620 d.set_allow_certificate_errors(true); | |
6621 URLRequest r( | |
6622 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
6623 r.Start(); | |
6624 | |
6625 base::RunLoop().Run(); | |
6626 | |
6627 EXPECT_EQ(1, d.response_started_count()); | |
6628 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version | |
6629 // intolerance. If the fallback SCSV is processed when the original error | |
6630 // that caused the fallback should be returned, which should be | |
6631 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. | |
6632 EXPECT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, r.status().error()); | |
6633 } | |
6634 | |
6635 // This tests that a load of www.google.com with a certificate error sets | 6558 // This tests that a load of www.google.com with a certificate error sets |
6636 // the |certificate_errors_are_fatal| flag correctly. This flag will cause | 6559 // the |certificate_errors_are_fatal| flag correctly. This flag will cause |
6637 // the interstitial to be fatal. | 6560 // the interstitial to be fatal. |
6638 TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) { | 6561 TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) { |
6639 SpawnedTestServer::SSLOptions ssl_options( | 6562 SpawnedTestServer::SSLOptions ssl_options( |
6640 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME); | 6563 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME); |
6641 SpawnedTestServer test_server( | 6564 SpawnedTestServer test_server( |
6642 SpawnedTestServer::TYPE_HTTPS, | 6565 SpawnedTestServer::TYPE_HTTPS, |
6643 ssl_options, | 6566 ssl_options, |
6644 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 6567 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
(...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
6801 EXPECT_EQ("https", req.url().scheme()); | 6724 EXPECT_EQ("https", req.url().scheme()); |
6802 EXPECT_EQ("POST", req.method()); | 6725 EXPECT_EQ("POST", req.method()); |
6803 EXPECT_EQ(kData, d.data_received()); | 6726 EXPECT_EQ(kData, d.data_received()); |
6804 | 6727 |
6805 LoadTimingInfo load_timing_info; | 6728 LoadTimingInfo load_timing_info; |
6806 network_delegate.GetLoadTimingInfoBeforeRedirect(&load_timing_info); | 6729 network_delegate.GetLoadTimingInfoBeforeRedirect(&load_timing_info); |
6807 // LoadTimingInfo of HSTS redirects is similar to that of network cache hits | 6730 // LoadTimingInfo of HSTS redirects is similar to that of network cache hits |
6808 TestLoadTimingCacheHitNoNetwork(load_timing_info); | 6731 TestLoadTimingCacheHitNoNetwork(load_timing_info); |
6809 } | 6732 } |
6810 | 6733 |
6811 TEST_F(HTTPSRequestTest, SSLv3Fallback) { | |
6812 SpawnedTestServer::SSLOptions ssl_options( | |
6813 SpawnedTestServer::SSLOptions::CERT_OK); | |
6814 ssl_options.tls_intolerant = | |
6815 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
6816 SpawnedTestServer test_server( | |
6817 SpawnedTestServer::TYPE_HTTPS, | |
6818 ssl_options, | |
6819 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
6820 ASSERT_TRUE(test_server.Start()); | |
6821 | |
6822 TestDelegate d; | |
6823 TestURLRequestContext context(true); | |
6824 context.Init(); | |
6825 d.set_allow_certificate_errors(true); | |
6826 URLRequest r( | |
6827 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
6828 r.Start(); | |
6829 | |
6830 base::RunLoop().Run(); | |
6831 | |
6832 EXPECT_EQ(1, d.response_started_count()); | |
6833 EXPECT_NE(0, d.bytes_received()); | |
6834 EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3), | |
6835 SSLConnectionStatusToVersion(r.ssl_info().connection_status)); | |
6836 EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); | |
6837 } | |
6838 | |
6839 namespace { | 6734 namespace { |
6840 | 6735 |
6841 class SSLClientAuthTestDelegate : public TestDelegate { | 6736 class SSLClientAuthTestDelegate : public TestDelegate { |
6842 public: | 6737 public: |
6843 SSLClientAuthTestDelegate() : on_certificate_requested_count_(0) { | 6738 SSLClientAuthTestDelegate() : on_certificate_requested_count_(0) { |
6844 } | 6739 } |
6845 virtual void OnCertificateRequested( | 6740 virtual void OnCertificateRequested( |
6846 URLRequest* request, | 6741 URLRequest* request, |
6847 SSLCertRequestInfo* cert_request_info) OVERRIDE { | 6742 SSLCertRequestInfo* cert_request_info) OVERRIDE { |
6848 on_certificate_requested_count_++; | 6743 on_certificate_requested_count_++; |
(...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
7052 EXPECT_EQ("insert", parts[0]); | 6947 EXPECT_EQ("insert", parts[0]); |
7053 if (i == 0) { | 6948 if (i == 0) { |
7054 session_id = parts[1]; | 6949 session_id = parts[1]; |
7055 } else { | 6950 } else { |
7056 EXPECT_NE(session_id, parts[1]); | 6951 EXPECT_NE(session_id, parts[1]); |
7057 } | 6952 } |
7058 } | 6953 } |
7059 } | 6954 } |
7060 } | 6955 } |
7061 | 6956 |
| 6957 class HTTPSFallbackTest : public testing::Test { |
| 6958 public: |
| 6959 HTTPSFallbackTest() : context_(true) { |
| 6960 context_.Init(); |
| 6961 delegate_.set_allow_certificate_errors(true); |
| 6962 } |
| 6963 virtual ~HTTPSFallbackTest() {} |
| 6964 |
| 6965 protected: |
| 6966 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
| 6967 DCHECK(!request_); |
| 6968 SpawnedTestServer test_server( |
| 6969 SpawnedTestServer::TYPE_HTTPS, |
| 6970 ssl_options, |
| 6971 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 6972 ASSERT_TRUE(test_server.Start()); |
| 6973 |
| 6974 request_.reset(new URLRequest( |
| 6975 test_server.GetURL(std::string()), DEFAULT_PRIORITY, |
| 6976 &delegate_, &context_)); |
| 6977 request_->Start(); |
| 6978 |
| 6979 base::RunLoop().Run(); |
| 6980 } |
| 6981 |
| 6982 void ExpectConnection(int version) { |
| 6983 EXPECT_EQ(1, delegate_.response_started_count()); |
| 6984 EXPECT_NE(0, delegate_.bytes_received()); |
| 6985 EXPECT_EQ(version, SSLConnectionStatusToVersion( |
| 6986 request_->ssl_info().connection_status)); |
| 6987 EXPECT_TRUE(request_->ssl_info().connection_status & |
| 6988 SSL_CONNECTION_VERSION_FALLBACK); |
| 6989 } |
| 6990 |
| 6991 void ExpectFailure(int error) { |
| 6992 EXPECT_EQ(1, delegate_.response_started_count()); |
| 6993 EXPECT_FALSE(request_->status().is_success()); |
| 6994 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
| 6995 EXPECT_EQ(error, request_->status().error()); |
| 6996 } |
| 6997 |
| 6998 private: |
| 6999 TestDelegate delegate_; |
| 7000 TestURLRequestContext context_; |
| 7001 scoped_ptr<URLRequest> request_; |
| 7002 }; |
| 7003 |
| 7004 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
| 7005 // than necessary. |
| 7006 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { |
| 7007 SpawnedTestServer::SSLOptions ssl_options( |
| 7008 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7009 ssl_options.tls_intolerant = |
| 7010 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 7011 |
| 7012 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7013 ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
| 7014 } |
| 7015 |
| 7016 // This test is disabled on Android because the remote test server doesn't cause |
| 7017 // a TCP reset. |
| 7018 #if !defined(OS_ANDROID) |
| 7019 // Tests fallback to TLS 1.0 on connection reset. |
| 7020 TEST_F(HTTPSFallbackTest, TLSv1FallbackReset) { |
| 7021 SpawnedTestServer::SSLOptions ssl_options( |
| 7022 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7023 ssl_options.tls_intolerant = |
| 7024 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 7025 ssl_options.tls_intolerance_type = |
| 7026 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
| 7027 |
| 7028 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7029 ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
| 7030 } |
| 7031 #endif // !OS_ANDROID |
| 7032 |
| 7033 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. |
| 7034 #if defined(USE_OPENSSL) |
| 7035 TEST_F(HTTPSFallbackTest, DISABLED_FallbackSCSV) { |
| 7036 #else |
| 7037 TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
| 7038 #endif |
| 7039 SpawnedTestServer::SSLOptions ssl_options( |
| 7040 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7041 // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger |
| 7042 // a version fallback. |
| 7043 ssl_options.tls_intolerant = |
| 7044 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7045 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 7046 // connections are rejected. |
| 7047 ssl_options.fallback_scsv_enabled = true; |
| 7048 |
| 7049 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7050 |
| 7051 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
| 7052 // intolerance. If the fallback SCSV is processed when the original error |
| 7053 // that caused the fallback should be returned, which should be |
| 7054 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
| 7055 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 7056 } |
| 7057 |
| 7058 // Tests that the SSLv3 fallback triggers on alert. |
| 7059 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| 7060 SpawnedTestServer::SSLOptions ssl_options( |
| 7061 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7062 ssl_options.tls_intolerant = |
| 7063 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7064 |
| 7065 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7066 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7067 } |
| 7068 |
| 7069 // Tests that the SSLv3 fallback triggers on closed connections. |
| 7070 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| 7071 SpawnedTestServer::SSLOptions ssl_options( |
| 7072 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7073 ssl_options.tls_intolerant = |
| 7074 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7075 ssl_options.tls_intolerance_type = |
| 7076 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 7077 |
| 7078 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7079 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7080 } |
| 7081 |
| 7082 // This test is disabled on Android because the remote test server doesn't cause |
| 7083 // a TCP reset. It also does not pass on OpenSSL. https://crbug.com/372849 |
| 7084 #if !defined(OS_ANDROID) && !defined(USE_OPENSSL) |
| 7085 // Tests that a reset connection does not fallback down to SSL3. |
| 7086 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { |
| 7087 SpawnedTestServer::SSLOptions ssl_options( |
| 7088 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7089 ssl_options.tls_intolerant = |
| 7090 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7091 ssl_options.tls_intolerance_type = |
| 7092 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
| 7093 |
| 7094 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7095 ExpectFailure(ERR_CONNECTION_RESET); |
| 7096 } |
| 7097 #endif // !OS_ANDROID && !USE_OPENSSL |
| 7098 |
7062 class HTTPSSessionTest : public testing::Test { | 7099 class HTTPSSessionTest : public testing::Test { |
7063 public: | 7100 public: |
7064 HTTPSSessionTest() : default_context_(true) { | 7101 HTTPSSessionTest() : default_context_(true) { |
7065 cert_verifier_.set_default_result(net::OK); | 7102 cert_verifier_.set_default_result(net::OK); |
7066 | 7103 |
7067 default_context_.set_network_delegate(&default_network_delegate_); | 7104 default_context_.set_network_delegate(&default_network_delegate_); |
7068 default_context_.set_cert_verifier(&cert_verifier_); | 7105 default_context_.set_cert_verifier(&cert_verifier_); |
7069 default_context_.Init(); | 7106 default_context_.Init(); |
7070 } | 7107 } |
7071 virtual ~HTTPSSessionTest() {} | 7108 virtual ~HTTPSSessionTest() {} |
(...skipping 956 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
8028 | 8065 |
8029 EXPECT_FALSE(r.is_pending()); | 8066 EXPECT_FALSE(r.is_pending()); |
8030 EXPECT_EQ(1, d->response_started_count()); | 8067 EXPECT_EQ(1, d->response_started_count()); |
8031 EXPECT_FALSE(d->received_data_before_response()); | 8068 EXPECT_FALSE(d->received_data_before_response()); |
8032 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 8069 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
8033 } | 8070 } |
8034 } | 8071 } |
8035 #endif // !defined(DISABLE_FTP_SUPPORT) | 8072 #endif // !defined(DISABLE_FTP_SUPPORT) |
8036 | 8073 |
8037 } // namespace net | 8074 } // namespace net |
OLD | NEW |