| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| (...skipping 6537 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6548 if (err_allowed) { | 6548 if (err_allowed) { |
| 6549 EXPECT_NE(0, d.bytes_received()); | 6549 EXPECT_NE(0, d.bytes_received()); |
| 6550 CheckSSLInfo(r.ssl_info()); | 6550 CheckSSLInfo(r.ssl_info()); |
| 6551 } else { | 6551 } else { |
| 6552 EXPECT_EQ(0, d.bytes_received()); | 6552 EXPECT_EQ(0, d.bytes_received()); |
| 6553 } | 6553 } |
| 6554 } | 6554 } |
| 6555 } | 6555 } |
| 6556 } | 6556 } |
| 6557 | 6557 |
| 6558 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more | |
| 6559 // than necessary. | |
| 6560 TEST_F(HTTPSRequestTest, TLSv1Fallback) { | |
| 6561 // The OpenSSL library in use may not support TLS 1.1. | |
| 6562 #if !defined(USE_OPENSSL) | |
| 6563 EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1); | |
| 6564 #endif | |
| 6565 if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1) | |
| 6566 return; | |
| 6567 | |
| 6568 SpawnedTestServer::SSLOptions ssl_options( | |
| 6569 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 6570 ssl_options.tls_intolerant = | |
| 6571 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | |
| 6572 SpawnedTestServer test_server( | |
| 6573 SpawnedTestServer::TYPE_HTTPS, | |
| 6574 ssl_options, | |
| 6575 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
| 6576 ASSERT_TRUE(test_server.Start()); | |
| 6577 | |
| 6578 TestDelegate d; | |
| 6579 TestURLRequestContext context(true); | |
| 6580 context.Init(); | |
| 6581 d.set_allow_certificate_errors(true); | |
| 6582 URLRequest r( | |
| 6583 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
| 6584 r.Start(); | |
| 6585 | |
| 6586 base::RunLoop().Run(); | |
| 6587 | |
| 6588 EXPECT_EQ(1, d.response_started_count()); | |
| 6589 EXPECT_NE(0, d.bytes_received()); | |
| 6590 EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1), | |
| 6591 SSLConnectionStatusToVersion(r.ssl_info().connection_status)); | |
| 6592 EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); | |
| 6593 } | |
| 6594 | |
| 6595 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. | |
| 6596 #if defined(USE_OPENSSL) | |
| 6597 TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) { | |
| 6598 #else | |
| 6599 TEST_F(HTTPSRequestTest, FallbackSCSV) { | |
| 6600 #endif | |
| 6601 SpawnedTestServer::SSLOptions ssl_options( | |
| 6602 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 6603 // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger | |
| 6604 // a version fallback. | |
| 6605 ssl_options.tls_intolerant = | |
| 6606 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
| 6607 // Have the server process TLS_FALLBACK_SCSV so that version fallback | |
| 6608 // connections are rejected. | |
| 6609 ssl_options.fallback_scsv_enabled = true; | |
| 6610 | |
| 6611 SpawnedTestServer test_server( | |
| 6612 SpawnedTestServer::TYPE_HTTPS, | |
| 6613 ssl_options, | |
| 6614 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
| 6615 ASSERT_TRUE(test_server.Start()); | |
| 6616 | |
| 6617 TestDelegate d; | |
| 6618 TestURLRequestContext context(true); | |
| 6619 context.Init(); | |
| 6620 d.set_allow_certificate_errors(true); | |
| 6621 URLRequest r( | |
| 6622 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
| 6623 r.Start(); | |
| 6624 | |
| 6625 base::RunLoop().Run(); | |
| 6626 | |
| 6627 EXPECT_EQ(1, d.response_started_count()); | |
| 6628 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version | |
| 6629 // intolerance. If the fallback SCSV is processed when the original error | |
| 6630 // that caused the fallback should be returned, which should be | |
| 6631 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. | |
| 6632 EXPECT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, r.status().error()); | |
| 6633 } | |
| 6634 | |
| 6635 // This tests that a load of www.google.com with a certificate error sets | 6558 // This tests that a load of www.google.com with a certificate error sets |
| 6636 // the |certificate_errors_are_fatal| flag correctly. This flag will cause | 6559 // the |certificate_errors_are_fatal| flag correctly. This flag will cause |
| 6637 // the interstitial to be fatal. | 6560 // the interstitial to be fatal. |
| 6638 TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) { | 6561 TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) { |
| 6639 SpawnedTestServer::SSLOptions ssl_options( | 6562 SpawnedTestServer::SSLOptions ssl_options( |
| 6640 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME); | 6563 SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME); |
| 6641 SpawnedTestServer test_server( | 6564 SpawnedTestServer test_server( |
| 6642 SpawnedTestServer::TYPE_HTTPS, | 6565 SpawnedTestServer::TYPE_HTTPS, |
| 6643 ssl_options, | 6566 ssl_options, |
| 6644 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 6567 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| (...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 6801 EXPECT_EQ("https", req.url().scheme()); | 6724 EXPECT_EQ("https", req.url().scheme()); |
| 6802 EXPECT_EQ("POST", req.method()); | 6725 EXPECT_EQ("POST", req.method()); |
| 6803 EXPECT_EQ(kData, d.data_received()); | 6726 EXPECT_EQ(kData, d.data_received()); |
| 6804 | 6727 |
| 6805 LoadTimingInfo load_timing_info; | 6728 LoadTimingInfo load_timing_info; |
| 6806 network_delegate.GetLoadTimingInfoBeforeRedirect(&load_timing_info); | 6729 network_delegate.GetLoadTimingInfoBeforeRedirect(&load_timing_info); |
| 6807 // LoadTimingInfo of HSTS redirects is similar to that of network cache hits | 6730 // LoadTimingInfo of HSTS redirects is similar to that of network cache hits |
| 6808 TestLoadTimingCacheHitNoNetwork(load_timing_info); | 6731 TestLoadTimingCacheHitNoNetwork(load_timing_info); |
| 6809 } | 6732 } |
| 6810 | 6733 |
| 6811 TEST_F(HTTPSRequestTest, SSLv3Fallback) { | |
| 6812 SpawnedTestServer::SSLOptions ssl_options( | |
| 6813 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 6814 ssl_options.tls_intolerant = | |
| 6815 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
| 6816 SpawnedTestServer test_server( | |
| 6817 SpawnedTestServer::TYPE_HTTPS, | |
| 6818 ssl_options, | |
| 6819 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | |
| 6820 ASSERT_TRUE(test_server.Start()); | |
| 6821 | |
| 6822 TestDelegate d; | |
| 6823 TestURLRequestContext context(true); | |
| 6824 context.Init(); | |
| 6825 d.set_allow_certificate_errors(true); | |
| 6826 URLRequest r( | |
| 6827 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); | |
| 6828 r.Start(); | |
| 6829 | |
| 6830 base::RunLoop().Run(); | |
| 6831 | |
| 6832 EXPECT_EQ(1, d.response_started_count()); | |
| 6833 EXPECT_NE(0, d.bytes_received()); | |
| 6834 EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3), | |
| 6835 SSLConnectionStatusToVersion(r.ssl_info().connection_status)); | |
| 6836 EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); | |
| 6837 } | |
| 6838 | |
| 6839 namespace { | 6734 namespace { |
| 6840 | 6735 |
| 6841 class SSLClientAuthTestDelegate : public TestDelegate { | 6736 class SSLClientAuthTestDelegate : public TestDelegate { |
| 6842 public: | 6737 public: |
| 6843 SSLClientAuthTestDelegate() : on_certificate_requested_count_(0) { | 6738 SSLClientAuthTestDelegate() : on_certificate_requested_count_(0) { |
| 6844 } | 6739 } |
| 6845 virtual void OnCertificateRequested( | 6740 virtual void OnCertificateRequested( |
| 6846 URLRequest* request, | 6741 URLRequest* request, |
| 6847 SSLCertRequestInfo* cert_request_info) OVERRIDE { | 6742 SSLCertRequestInfo* cert_request_info) OVERRIDE { |
| 6848 on_certificate_requested_count_++; | 6743 on_certificate_requested_count_++; |
| (...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 7052 EXPECT_EQ("insert", parts[0]); | 6947 EXPECT_EQ("insert", parts[0]); |
| 7053 if (i == 0) { | 6948 if (i == 0) { |
| 7054 session_id = parts[1]; | 6949 session_id = parts[1]; |
| 7055 } else { | 6950 } else { |
| 7056 EXPECT_NE(session_id, parts[1]); | 6951 EXPECT_NE(session_id, parts[1]); |
| 7057 } | 6952 } |
| 7058 } | 6953 } |
| 7059 } | 6954 } |
| 7060 } | 6955 } |
| 7061 | 6956 |
| 6957 class HTTPSFallbackTest : public testing::Test { |
| 6958 public: |
| 6959 HTTPSFallbackTest() : context_(true) { |
| 6960 context_.Init(); |
| 6961 delegate_.set_allow_certificate_errors(true); |
| 6962 } |
| 6963 virtual ~HTTPSFallbackTest() {} |
| 6964 |
| 6965 protected: |
| 6966 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
| 6967 DCHECK(!request_); |
| 6968 SpawnedTestServer test_server( |
| 6969 SpawnedTestServer::TYPE_HTTPS, |
| 6970 ssl_options, |
| 6971 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 6972 ASSERT_TRUE(test_server.Start()); |
| 6973 |
| 6974 request_.reset(new URLRequest( |
| 6975 test_server.GetURL(std::string()), DEFAULT_PRIORITY, |
| 6976 &delegate_, &context_)); |
| 6977 request_->Start(); |
| 6978 |
| 6979 base::RunLoop().Run(); |
| 6980 } |
| 6981 |
| 6982 void ExpectConnection(int version) { |
| 6983 EXPECT_EQ(1, delegate_.response_started_count()); |
| 6984 EXPECT_NE(0, delegate_.bytes_received()); |
| 6985 EXPECT_EQ(version, SSLConnectionStatusToVersion( |
| 6986 request_->ssl_info().connection_status)); |
| 6987 EXPECT_TRUE(request_->ssl_info().connection_status & |
| 6988 SSL_CONNECTION_VERSION_FALLBACK); |
| 6989 } |
| 6990 |
| 6991 void ExpectFailure(int error) { |
| 6992 EXPECT_EQ(1, delegate_.response_started_count()); |
| 6993 EXPECT_FALSE(request_->status().is_success()); |
| 6994 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
| 6995 EXPECT_EQ(error, request_->status().error()); |
| 6996 } |
| 6997 |
| 6998 private: |
| 6999 TestDelegate delegate_; |
| 7000 TestURLRequestContext context_; |
| 7001 scoped_ptr<URLRequest> request_; |
| 7002 }; |
| 7003 |
| 7004 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
| 7005 // than necessary. |
| 7006 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { |
| 7007 SpawnedTestServer::SSLOptions ssl_options( |
| 7008 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7009 ssl_options.tls_intolerant = |
| 7010 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 7011 |
| 7012 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7013 ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
| 7014 } |
| 7015 |
| 7016 // This test is disabled on Android because the remote test server doesn't cause |
| 7017 // a TCP reset. |
| 7018 #if !defined(OS_ANDROID) |
| 7019 // Tests fallback to TLS 1.0 on connection reset. |
| 7020 TEST_F(HTTPSFallbackTest, TLSv1FallbackReset) { |
| 7021 SpawnedTestServer::SSLOptions ssl_options( |
| 7022 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7023 ssl_options.tls_intolerant = |
| 7024 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| 7025 ssl_options.tls_intolerance_type = |
| 7026 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
| 7027 |
| 7028 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7029 ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
| 7030 } |
| 7031 #endif // !OS_ANDROID |
| 7032 |
| 7033 // Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. |
| 7034 #if defined(USE_OPENSSL) |
| 7035 TEST_F(HTTPSFallbackTest, DISABLED_FallbackSCSV) { |
| 7036 #else |
| 7037 TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
| 7038 #endif |
| 7039 SpawnedTestServer::SSLOptions ssl_options( |
| 7040 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7041 // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger |
| 7042 // a version fallback. |
| 7043 ssl_options.tls_intolerant = |
| 7044 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7045 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 7046 // connections are rejected. |
| 7047 ssl_options.fallback_scsv_enabled = true; |
| 7048 |
| 7049 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7050 |
| 7051 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
| 7052 // intolerance. If the fallback SCSV is processed when the original error |
| 7053 // that caused the fallback should be returned, which should be |
| 7054 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
| 7055 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 7056 } |
| 7057 |
| 7058 // Tests that the SSLv3 fallback triggers on alert. |
| 7059 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| 7060 SpawnedTestServer::SSLOptions ssl_options( |
| 7061 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7062 ssl_options.tls_intolerant = |
| 7063 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7064 |
| 7065 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7066 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7067 } |
| 7068 |
| 7069 // Tests that the SSLv3 fallback triggers on closed connections. |
| 7070 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| 7071 SpawnedTestServer::SSLOptions ssl_options( |
| 7072 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7073 ssl_options.tls_intolerant = |
| 7074 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7075 ssl_options.tls_intolerance_type = |
| 7076 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 7077 |
| 7078 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7079 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7080 } |
| 7081 |
| 7082 // This test is disabled on Android because the remote test server doesn't cause |
| 7083 // a TCP reset. It also does not pass on OpenSSL. https://crbug.com/372849 |
| 7084 #if !defined(OS_ANDROID) && !defined(USE_OPENSSL) |
| 7085 // Tests that a reset connection does not fallback down to SSL3. |
| 7086 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { |
| 7087 SpawnedTestServer::SSLOptions ssl_options( |
| 7088 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7089 ssl_options.tls_intolerant = |
| 7090 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7091 ssl_options.tls_intolerance_type = |
| 7092 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
| 7093 |
| 7094 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7095 ExpectFailure(ERR_CONNECTION_RESET); |
| 7096 } |
| 7097 #endif // !OS_ANDROID && !USE_OPENSSL |
| 7098 |
| 7062 class HTTPSSessionTest : public testing::Test { | 7099 class HTTPSSessionTest : public testing::Test { |
| 7063 public: | 7100 public: |
| 7064 HTTPSSessionTest() : default_context_(true) { | 7101 HTTPSSessionTest() : default_context_(true) { |
| 7065 cert_verifier_.set_default_result(net::OK); | 7102 cert_verifier_.set_default_result(net::OK); |
| 7066 | 7103 |
| 7067 default_context_.set_network_delegate(&default_network_delegate_); | 7104 default_context_.set_network_delegate(&default_network_delegate_); |
| 7068 default_context_.set_cert_verifier(&cert_verifier_); | 7105 default_context_.set_cert_verifier(&cert_verifier_); |
| 7069 default_context_.Init(); | 7106 default_context_.Init(); |
| 7070 } | 7107 } |
| 7071 virtual ~HTTPSSessionTest() {} | 7108 virtual ~HTTPSSessionTest() {} |
| (...skipping 956 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 8028 | 8065 |
| 8029 EXPECT_FALSE(r.is_pending()); | 8066 EXPECT_FALSE(r.is_pending()); |
| 8030 EXPECT_EQ(1, d->response_started_count()); | 8067 EXPECT_EQ(1, d->response_started_count()); |
| 8031 EXPECT_FALSE(d->received_data_before_response()); | 8068 EXPECT_FALSE(d->received_data_before_response()); |
| 8032 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 8069 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
| 8033 } | 8070 } |
| 8034 } | 8071 } |
| 8035 #endif // !defined(DISABLE_FTP_SUPPORT) | 8072 #endif // !defined(DISABLE_FTP_SUPPORT) |
| 8036 | 8073 |
| 8037 } // namespace net | 8074 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 342793003:
Add tests for TLS fallback on connection reset and close. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src