Index: net/url_request/url_request_unittest.cc |
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
index 42a083505ef04493c2dc1e976f108ca144a4f0d9..8810e5a78e8f56c3b45aa30df150eac23217ab4c 100644 |
--- a/net/url_request/url_request_unittest.cc |
+++ b/net/url_request/url_request_unittest.cc |
@@ -6555,83 +6555,6 @@ TEST_F(HTTPSRequestTest, HTTPSExpiredTest) { |
} |
} |
-// Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
-// than necessary. |
-TEST_F(HTTPSRequestTest, TLSv1Fallback) { |
- // The OpenSSL library in use may not support TLS 1.1. |
-#if !defined(USE_OPENSSL) |
- EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1); |
-#endif |
- if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1) |
- return; |
- |
- SpawnedTestServer::SSLOptions ssl_options( |
- SpawnedTestServer::SSLOptions::CERT_OK); |
- ssl_options.tls_intolerant = |
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
- SpawnedTestServer test_server( |
- SpawnedTestServer::TYPE_HTTPS, |
- ssl_options, |
- base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
- ASSERT_TRUE(test_server.Start()); |
- |
- TestDelegate d; |
- TestURLRequestContext context(true); |
- context.Init(); |
- d.set_allow_certificate_errors(true); |
- URLRequest r( |
- test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
- r.Start(); |
- |
- base::RunLoop().Run(); |
- |
- EXPECT_EQ(1, d.response_started_count()); |
- EXPECT_NE(0, d.bytes_received()); |
- EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_TLS1), |
- SSLConnectionStatusToVersion(r.ssl_info().connection_status)); |
- EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
-} |
- |
-// Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. |
-#if defined(USE_OPENSSL) |
-TEST_F(HTTPSRequestTest, DISABLED_FallbackSCSV) { |
-#else |
-TEST_F(HTTPSRequestTest, FallbackSCSV) { |
-#endif |
- SpawnedTestServer::SSLOptions ssl_options( |
- SpawnedTestServer::SSLOptions::CERT_OK); |
- // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger |
- // a version fallback. |
- ssl_options.tls_intolerant = |
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
- // Have the server process TLS_FALLBACK_SCSV so that version fallback |
- // connections are rejected. |
- ssl_options.fallback_scsv_enabled = true; |
- |
- SpawnedTestServer test_server( |
- SpawnedTestServer::TYPE_HTTPS, |
- ssl_options, |
- base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
- ASSERT_TRUE(test_server.Start()); |
- |
- TestDelegate d; |
- TestURLRequestContext context(true); |
- context.Init(); |
- d.set_allow_certificate_errors(true); |
- URLRequest r( |
- test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
- r.Start(); |
- |
- base::RunLoop().Run(); |
- |
- EXPECT_EQ(1, d.response_started_count()); |
- // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
- // intolerance. If the fallback SCSV is processed when the original error |
- // that caused the fallback should be returned, which should be |
- // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
- EXPECT_EQ(ERR_SSL_VERSION_OR_CIPHER_MISMATCH, r.status().error()); |
-} |
- |
// This tests that a load of www.google.com with a certificate error sets |
// the |certificate_errors_are_fatal| flag correctly. This flag will cause |
// the interstitial to be fatal. |
@@ -6808,34 +6731,6 @@ TEST_F(HTTPSRequestTest, HSTSPreservesPosts) { |
TestLoadTimingCacheHitNoNetwork(load_timing_info); |
} |
-TEST_F(HTTPSRequestTest, SSLv3Fallback) { |
- SpawnedTestServer::SSLOptions ssl_options( |
- SpawnedTestServer::SSLOptions::CERT_OK); |
- ssl_options.tls_intolerant = |
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
- SpawnedTestServer test_server( |
- SpawnedTestServer::TYPE_HTTPS, |
- ssl_options, |
- base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
- ASSERT_TRUE(test_server.Start()); |
- |
- TestDelegate d; |
- TestURLRequestContext context(true); |
- context.Init(); |
- d.set_allow_certificate_errors(true); |
- URLRequest r( |
- test_server.GetURL(std::string()), DEFAULT_PRIORITY, &d, &context); |
- r.Start(); |
- |
- base::RunLoop().Run(); |
- |
- EXPECT_EQ(1, d.response_started_count()); |
- EXPECT_NE(0, d.bytes_received()); |
- EXPECT_EQ(static_cast<int>(SSL_CONNECTION_VERSION_SSL3), |
- SSLConnectionStatusToVersion(r.ssl_info().connection_status)); |
- EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_VERSION_FALLBACK); |
-} |
- |
namespace { |
class SSLClientAuthTestDelegate : public TestDelegate { |
@@ -7059,6 +6954,148 @@ TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) { |
} |
} |
+class HTTPSFallbackTest : public testing::Test { |
+ public: |
+ HTTPSFallbackTest() : context_(true) { |
+ context_.Init(); |
+ delegate_.set_allow_certificate_errors(true); |
+ } |
+ virtual ~HTTPSFallbackTest() {} |
+ |
+ protected: |
+ void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
+ DCHECK(!request_); |
+ SpawnedTestServer test_server( |
+ SpawnedTestServer::TYPE_HTTPS, |
+ ssl_options, |
+ base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
+ ASSERT_TRUE(test_server.Start()); |
+ |
+ request_.reset(new URLRequest( |
+ test_server.GetURL(std::string()), DEFAULT_PRIORITY, |
+ &delegate_, &context_)); |
+ request_->Start(); |
+ |
+ base::RunLoop().Run(); |
+ } |
+ |
+ void ExpectConnection(int version) { |
+ EXPECT_EQ(1, delegate_.response_started_count()); |
+ EXPECT_NE(0, delegate_.bytes_received()); |
+ EXPECT_EQ(version, SSLConnectionStatusToVersion( |
+ request_->ssl_info().connection_status)); |
+ EXPECT_TRUE(request_->ssl_info().connection_status & |
+ SSL_CONNECTION_VERSION_FALLBACK); |
+ } |
+ |
+ void ExpectFailure(int error) { |
+ EXPECT_EQ(1, delegate_.response_started_count()); |
+ EXPECT_FALSE(request_->status().is_success()); |
+ EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
+ EXPECT_EQ(error, request_->status().error()); |
+ } |
+ |
+ private: |
+ TestDelegate delegate_; |
+ TestURLRequestContext context_; |
+ scoped_ptr<URLRequest> request_; |
+}; |
+ |
+// Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
+// than necessary. |
+TEST_F(HTTPSFallbackTest, TLSv1Fallback) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
+} |
+ |
+// This test is disabled on Android because the remote test server doesn't cause |
+// a TCP reset. |
+#if !defined(OS_ANDROID) |
+// Tests fallback to TLS 1.0 on connection reset. |
+TEST_F(HTTPSFallbackTest, TLSv1FallbackReset) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectConnection(SSL_CONNECTION_VERSION_TLS1); |
+} |
+#endif // !OS_ANDROID |
+ |
+// Tests that we don't fallback with servers that implement TLS_FALLBACK_SCSV. |
+#if defined(USE_OPENSSL) |
+TEST_F(HTTPSFallbackTest, DISABLED_FallbackSCSV) { |
+#else |
+TEST_F(HTTPSFallbackTest, FallbackSCSV) { |
+#endif |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger |
+ // a version fallback. |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ // Have the server process TLS_FALLBACK_SCSV so that version fallback |
+ // connections are rejected. |
+ ssl_options.fallback_scsv_enabled = true; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ |
+ // ERR_SSL_VERSION_OR_CIPHER_MISMATCH is how the server simulates version |
+ // intolerance. If the fallback SCSV is processed when the original error |
+ // that caused the fallback should be returned, which should be |
+ // ERR_SSL_VERSION_OR_CIPHER_MISMATCH. |
+ ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
+} |
+ |
+// Tests that the SSLv3 fallback triggers on alert. |
+TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
+} |
+ |
+// Tests that the SSLv3 fallback triggers on closed connections. |
+TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
+} |
+ |
+// This test is disabled on Android because the remote test server doesn't cause |
+// a TCP reset. It also does not pass on OpenSSL. https://crbug.com/372849 |
+#if !defined(OS_ANDROID) && !defined(USE_OPENSSL) |
+// Tests that a reset connection does not fallback down to SSL3. |
+TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { |
+ SpawnedTestServer::SSLOptions ssl_options( |
+ SpawnedTestServer::SSLOptions::CERT_OK); |
+ ssl_options.tls_intolerant = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
+ ssl_options.tls_intolerance_type = |
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_RESET; |
+ |
+ ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
+ ExpectFailure(ERR_CONNECTION_RESET); |
+} |
+#endif // !OS_ANDROID && !USE_OPENSSL |
+ |
class HTTPSSessionTest : public testing::Test { |
public: |
HTTPSSessionTest() : default_context_(true) { |
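Review bot: The new `HTTPSFallbackTest` fixture and its three helpers carry no comments, although the fixture has a non-obvious contract: `DoFallbackTest` may be called once per test (the `DCHECK(!request_)` enforces it), the `SpawnedTestServer` is a local that is gone by the time `ExpectConnection`/`ExpectFailure` run, and `ExpectConnection` asserts not only the negotiated version but also that a fallback actually occurred via `SSL_CONNECTION_VERSION_FALLBACK`. I would add above the class `// Fixture for TLS version-fallback tests: DoFallbackTest() starts a server with the given intolerance settings and issues a single request; ExpectConnection() checks the negotiated version and that the fallback bit is set, ExpectFailure() checks the request failed with the given net error.` and above `DoFallbackTest` `// May be called at most once per test; the spawned server lives only for the duration of this call.` The carried-over comment in `FallbackSCSV` ("If the fallback SCSV is processed when the original error that caused the fallback should be returned") is missing a clause; I would reword it to `// If the server processes the fallback SCSV, the connection is rejected and the original error that triggered the fallback, ERR_SSL_VERSION_OR_CIPHER_MISMATCH, should be returned.` The removal of the old `kDefaultSSLVersionMax` guard in `TLSv1Fallback` is presumably intentional now that TLS 1.1 support is assumed, but it is worth a one-line comment on the test so a reader does not re-add it.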