OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
30 | 30 |
31 #if defined(USE_OPENSSL) | 31 #if defined(USE_OPENSSL) |
32 #include "crypto/openssl_util.h" | 32 #include "crypto/openssl_util.h" |
33 #else | 33 #else |
34 #include "crypto/nss_util.h" | 34 #include "crypto/nss_util.h" |
35 #endif | 35 #endif |
36 | 36 |
37 namespace net { | 37 namespace net { |
38 | 38 |
39 class TransportSecurityStateTest : public testing::Test { | 39 class TransportSecurityStateTest : public testing::Test { |
| 40 public: |
40 virtual void SetUp() { | 41 virtual void SetUp() { |
41 #if defined(USE_OPENSSL) | 42 #if defined(USE_OPENSSL) |
42 crypto::EnsureOpenSSLInit(); | 43 crypto::EnsureOpenSSLInit(); |
43 #else | 44 #else |
44 crypto::EnsureNSSInit(); | 45 crypto::EnsureNSSInit(); |
45 #endif | 46 #endif |
46 } | 47 } |
47 | 48 |
| 49 static void DisableStaticPins(TransportSecurityState* state) { |
| 50 state->enable_static_pins_ = false; |
| 51 } |
| 52 |
| 53 static void EnableStaticPins(TransportSecurityState* state) { |
| 54 state->enable_static_pins_ = true; |
| 55 } |
| 56 |
48 protected: | 57 protected: |
49 bool GetStaticDomainState(TransportSecurityState* state, | 58 bool GetStaticDomainState(TransportSecurityState* state, |
50 const std::string& host, | 59 const std::string& host, |
51 bool sni_enabled, | 60 bool sni_enabled, |
52 TransportSecurityState::DomainState* result) { | 61 TransportSecurityState::DomainState* result) { |
53 return state->GetStaticDomainState(host, sni_enabled, result); | 62 return state->GetStaticDomainState(host, sni_enabled, result); |
54 } | 63 } |
55 | 64 |
56 void EnableHost(TransportSecurityState* state, | 65 void EnableHost(TransportSecurityState* state, |
57 const std::string& host, | 66 const std::string& host, |
155 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 164 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
156 bool include_subdomains = false; | 165 bool include_subdomains = false; |
157 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 166 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
158 | 167 |
159 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 168 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); |
160 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); | 169 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); |
161 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 170 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
162 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 171 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); |
163 } | 172 } |
164 | 173 |
| 174 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
| 175 TransportSecurityState state; |
| 176 TransportSecurityState::DomainState domain_state; |
| 177 |
| 178 EnableStaticPins(&state); |
| 179 |
| 180 EXPECT_TRUE( |
| 181 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
| 182 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 183 } |
| 184 |
| 185 TEST_F(TransportSecurityStateTest, DisableStaticPins) { |
| 186 TransportSecurityState state; |
| 187 TransportSecurityState::DomainState domain_state; |
| 188 |
| 189 DisableStaticPins(&state); |
| 190 EXPECT_TRUE( |
| 191 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
| 192 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty()); |
| 193 } |
| 194 |
165 TEST_F(TransportSecurityStateTest, IsPreloaded) { | 195 TEST_F(TransportSecurityStateTest, IsPreloaded) { |
166 const std::string paypal = "paypal.com"; | 196 const std::string paypal = "paypal.com"; |
167 const std::string www_paypal = "www.paypal.com"; | 197 const std::string www_paypal = "www.paypal.com"; |
168 const std::string foo_paypal = "foo.paypal.com"; | 198 const std::string foo_paypal = "foo.paypal.com"; |
169 const std::string a_www_paypal = "a.www.paypal.com"; | 199 const std::string a_www_paypal = "a.www.paypal.com"; |
170 const std::string abc_paypal = "a.b.c.paypal.com"; | 200 const std::string abc_paypal = "a.b.c.paypal.com"; |
171 const std::string example = "example.com"; | 201 const std::string example = "example.com"; |
172 const std::string aypal = "aypal.com"; | 202 const std::string aypal = "aypal.com"; |
173 | 203 |
174 TransportSecurityState state; | 204 TransportSecurityState state; |
175 TransportSecurityState::DomainState domain_state; | 205 TransportSecurityState::DomainState domain_state; |
176 | 206 |
177 EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state)); | 207 EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state)); |
178 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); | 208 EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state)); |
179 EXPECT_FALSE(domain_state.sts.include_subdomains); | 209 EXPECT_FALSE(domain_state.sts.include_subdomains); |
180 EXPECT_FALSE(domain_state.pkp.include_subdomains); | |
181 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); | 210 EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state)); |
182 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); | 211 EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state)); |
183 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); | 212 EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state)); |
184 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); | 213 EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state)); |
185 } | 214 } |
186 | 215 |
187 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 216 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
188 TransportSecurityState state; | 217 TransportSecurityState state; |
189 TransportSecurityState::DomainState domain_state; | 218 TransportSecurityState::DomainState domain_state; |
190 | 219 |
207 } | 236 } |
208 | 237 |
209 static bool HasStaticState(const char* hostname) { | 238 static bool HasStaticState(const char* hostname) { |
210 TransportSecurityState state; | 239 TransportSecurityState state; |
211 TransportSecurityState::DomainState domain_state; | 240 TransportSecurityState::DomainState domain_state; |
212 return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state); | 241 return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state); |
213 } | 242 } |
214 | 243 |
215 static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) { | 244 static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) { |
216 TransportSecurityState state; | 245 TransportSecurityState state; |
| 246 TransportSecurityStateTest::EnableStaticPins(&state); |
217 TransportSecurityState::DomainState domain_state; | 247 TransportSecurityState::DomainState domain_state; |
218 if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state)) | 248 if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state)) |
219 return false; | 249 return false; |
220 | 250 |
221 return domain_state.HasPublicKeyPins(); | 251 return domain_state.HasPublicKeyPins(); |
222 } | 252 } |
223 | 253 |
224 static bool HasStaticPublicKeyPins(const char* hostname) { | 254 static bool HasStaticPublicKeyPins(const char* hostname) { |
225 return HasStaticPublicKeyPins(hostname, true); | 255 return HasStaticPublicKeyPins(hostname, true); |
226 } | 256 } |
227 | 257 |
228 static bool OnlyPinningInStaticState(const char* hostname) { | 258 static bool OnlyPinningInStaticState(const char* hostname) { |
229 TransportSecurityState state; | 259 TransportSecurityState state; |
| 260 TransportSecurityStateTest::EnableStaticPins(&state); |
230 TransportSecurityState::DomainState domain_state; | 261 TransportSecurityState::DomainState domain_state; |
231 if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state)) | 262 if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state)) |
232 return false; | 263 return false; |
233 | 264 |
234 return (domain_state.pkp.spki_hashes.size() > 0 || | 265 return (domain_state.pkp.spki_hashes.size() > 0 || |
235 domain_state.pkp.bad_spki_hashes.size() > 0) && | 266 domain_state.pkp.bad_spki_hashes.size() > 0) && |
236 !domain_state.ShouldUpgradeToSSL(); | 267 !domain_state.ShouldUpgradeToSSL(); |
237 } | 268 } |
238 | 269 |
239 TEST_F(TransportSecurityStateTest, Preloaded) { | 270 TEST_F(TransportSecurityStateTest, Preloaded) { |
278 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com")); | 309 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com")); |
279 EXPECT_TRUE(StaticShouldRedirect("gmail.com")); | 310 EXPECT_TRUE(StaticShouldRedirect("gmail.com")); |
280 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com")); | 311 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com")); |
281 EXPECT_TRUE(StaticShouldRedirect("googlemail.com")); | 312 EXPECT_TRUE(StaticShouldRedirect("googlemail.com")); |
282 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); | 313 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com")); |
283 EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); | 314 EXPECT_TRUE(StaticShouldRedirect("googleplex.com")); |
284 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); | 315 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com")); |
285 EXPECT_FALSE(HasStaticState("m.gmail.com")); | 316 EXPECT_FALSE(HasStaticState("m.gmail.com")); |
286 EXPECT_FALSE(HasStaticState("m.googlemail.com")); | 317 EXPECT_FALSE(HasStaticState("m.googlemail.com")); |
287 | 318 |
288 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com")); | |
289 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com")); | |
290 EXPECT_TRUE(OnlyPinningInStaticState("google.com")); | |
291 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com")); | |
292 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com")); | |
293 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com")); | |
294 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com")); | |
295 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com")); | |
296 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com")); | |
297 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com")); | |
298 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com")); | |
299 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com")); | |
300 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com")); | |
301 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com")); | |
302 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com")); | |
303 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net")); | |
304 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com")); | |
305 | |
306 // Tests for domains that don't work without SNI. | 319 // Tests for domains that don't work without SNI. |
307 EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state)); | 320 EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state)); |
308 EXPECT_FALSE( | 321 EXPECT_FALSE( |
309 state.GetStaticDomainState("www.gmail.com", false, &domain_state)); | 322 state.GetStaticDomainState("www.gmail.com", false, &domain_state)); |
310 EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state)); | 323 EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state)); |
311 EXPECT_FALSE( | 324 EXPECT_FALSE( |
312 state.GetStaticDomainState("googlemail.com", false, &domain_state)); | 325 state.GetStaticDomainState("googlemail.com", false, &domain_state)); |
313 EXPECT_FALSE( | 326 EXPECT_FALSE( |
314 state.GetStaticDomainState("www.googlemail.com", false, &domain_state)); | 327 state.GetStaticDomainState("www.googlemail.com", false, &domain_state)); |
315 EXPECT_FALSE( | 328 EXPECT_FALSE( |
400 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name")); | 413 EXPECT_TRUE(StaticShouldRedirect("simon.butcher.name")); |
401 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name")); | 414 EXPECT_TRUE(StaticShouldRedirect("foo.simon.butcher.name")); |
402 | 415 |
403 EXPECT_TRUE(StaticShouldRedirect("linx.net")); | 416 EXPECT_TRUE(StaticShouldRedirect("linx.net")); |
404 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net")); | 417 EXPECT_TRUE(StaticShouldRedirect("foo.linx.net")); |
405 | 418 |
406 EXPECT_TRUE(StaticShouldRedirect("dropcam.com")); | 419 EXPECT_TRUE(StaticShouldRedirect("dropcam.com")); |
407 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com")); | 420 EXPECT_TRUE(StaticShouldRedirect("www.dropcam.com")); |
408 EXPECT_FALSE(HasStaticState("foo.dropcam.com")); | 421 EXPECT_FALSE(HasStaticState("foo.dropcam.com")); |
409 | 422 |
410 EXPECT_TRUE( | |
411 state.GetStaticDomainState("torproject.org", false, &domain_state)); | |
412 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
413 EXPECT_TRUE( | |
414 state.GetStaticDomainState("www.torproject.org", false, &domain_state)); | |
415 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
416 EXPECT_TRUE( | |
417 state.GetStaticDomainState("check.torproject.org", false, &domain_state)); | |
418 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
419 EXPECT_TRUE( | |
420 state.GetStaticDomainState("blog.torproject.org", false, &domain_state)); | |
421 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); | |
422 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn")); | 423 EXPECT_TRUE(StaticShouldRedirect("ebanking.indovinabank.com.vn")); |
423 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn")); | 424 EXPECT_TRUE(StaticShouldRedirect("foo.ebanking.indovinabank.com.vn")); |
424 | 425 |
425 EXPECT_TRUE(StaticShouldRedirect("epoxate.com")); | 426 EXPECT_TRUE(StaticShouldRedirect("epoxate.com")); |
426 EXPECT_FALSE(HasStaticState("foo.epoxate.com")); | 427 EXPECT_FALSE(HasStaticState("foo.epoxate.com")); |
427 | 428 |
428 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org")); | |
429 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org")); | |
430 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org")); | |
431 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); | |
432 EXPECT_FALSE(HasStaticState("foo.torproject.org")); | 429 EXPECT_FALSE(HasStaticState("foo.torproject.org")); |
433 | 430 |
434 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com")); | 431 EXPECT_TRUE(StaticShouldRedirect("www.moneybookers.com")); |
435 EXPECT_FALSE(HasStaticState("moneybookers.com")); | 432 EXPECT_FALSE(HasStaticState("moneybookers.com")); |
436 | 433 |
437 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net")); | 434 EXPECT_TRUE(StaticShouldRedirect("ledgerscope.net")); |
438 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net")); | 435 EXPECT_TRUE(StaticShouldRedirect("www.ledgerscope.net")); |
439 EXPECT_FALSE(HasStaticState("status.ledgerscope.net")); | 436 EXPECT_FALSE(HasStaticState("status.ledgerscope.net")); |
440 | 437 |
441 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com")); | 438 EXPECT_TRUE(StaticShouldRedirect("foo.app.recurly.com")); |
471 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com")); | 468 EXPECT_FALSE(StaticShouldRedirect("foo.www.sandbox.mydigipass.com")); |
472 | 469 |
473 EXPECT_TRUE(StaticShouldRedirect("crypto.cat")); | 470 EXPECT_TRUE(StaticShouldRedirect("crypto.cat")); |
474 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat")); | 471 EXPECT_FALSE(StaticShouldRedirect("foo.crypto.cat")); |
475 | 472 |
476 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net")); | 473 EXPECT_TRUE(StaticShouldRedirect("bigshinylock.minazo.net")); |
477 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net")); | 474 EXPECT_TRUE(StaticShouldRedirect("foo.bigshinylock.minazo.net")); |
478 | 475 |
479 EXPECT_TRUE(StaticShouldRedirect("crate.io")); | 476 EXPECT_TRUE(StaticShouldRedirect("crate.io")); |
480 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io")); | 477 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io")); |
| 478 } |
| 479 |
| 480 TEST_F(TransportSecurityStateTest, PreloadedPins) { |
| 481 TransportSecurityState state; |
| 482 EnableStaticPins(&state); |
| 483 TransportSecurityState::DomainState domain_state; |
| 484 |
| 485 // We do more extensive checks for the first domain. |
| 486 EXPECT_TRUE( |
| 487 state.GetStaticDomainState("www.paypal.com", true, &domain_state)); |
| 488 EXPECT_EQ(domain_state.sts.upgrade_mode, |
| 489 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); |
| 490 EXPECT_FALSE(domain_state.sts.include_subdomains); |
| 491 EXPECT_FALSE(domain_state.pkp.include_subdomains); |
| 492 |
| 493 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com")); |
| 494 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com")); |
| 495 EXPECT_TRUE(OnlyPinningInStaticState("google.com")); |
| 496 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com")); |
| 497 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com")); |
| 498 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com")); |
| 499 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com")); |
| 500 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com")); |
| 501 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com")); |
| 502 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com")); |
| 503 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com")); |
| 504 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com")); |
| 505 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com")); |
| 506 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com")); |
| 507 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com")); |
| 508 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net")); |
| 509 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com")); |
| 510 |
| 511 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org")); |
| 512 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org")); |
| 513 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org")); |
| 514 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org")); |
| 515 EXPECT_FALSE(HasStaticState("foo.torproject.org")); |
| 516 |
| 517 EXPECT_TRUE( |
| 518 state.GetStaticDomainState("torproject.org", false, &domain_state)); |
| 519 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 520 EXPECT_TRUE( |
| 521 state.GetStaticDomainState("www.torproject.org", false, &domain_state)); |
| 522 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 523 EXPECT_TRUE( |
| 524 state.GetStaticDomainState("check.torproject.org", false, &domain_state)); |
| 525 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
| 526 EXPECT_TRUE( |
| 527 state.GetStaticDomainState("blog.torproject.org", false, &domain_state)); |
| 528 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty()); |
481 | 529 |
482 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); | 530 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); |
483 } | 531 } |
484 | 532 |
485 TEST_F(TransportSecurityStateTest, LongNames) { | 533 TEST_F(TransportSecurityStateTest, LongNames) { |
486 TransportSecurityState state; | 534 TransportSecurityState state; |
487 const char kLongName[] = | 535 const char kLongName[] = |
488 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" | 536 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" |
489 "WaveletIdDomainAndBlipBlipid"; | 537 "WaveletIdDomainAndBlipBlipid"; |
490 TransportSecurityState::DomainState domain_state; | 538 TransportSecurityState::DomainState domain_state; |
491 // Just checks that we don't hit a NOTREACHED. | 539 // Just checks that we don't hit a NOTREACHED. |
492 EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state)); | 540 EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state)); |
493 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state)); | 541 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state)); |
494 } | 542 } |
495 | 543 |
496 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { | 544 TEST_F(TransportSecurityStateTest, BuiltinCertPins) { |
497 TransportSecurityState state; | 545 TransportSecurityState state; |
| 546 EnableStaticPins(&state); |
498 TransportSecurityState::DomainState domain_state; | 547 TransportSecurityState::DomainState domain_state; |
499 | 548 |
500 EXPECT_TRUE( | 549 EXPECT_TRUE( |
501 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); | 550 state.GetStaticDomainState("chrome.google.com", true, &domain_state)); |
502 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); | 551 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com")); |
503 | 552 |
504 HashValueVector hashes; | 553 HashValueVector hashes; |
505 std::string failure_log; | 554 std::string failure_log; |
506 // Checks that a built-in list does exist. | 555 // Checks that a built-in list does exist. |
507 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); | 556 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); |
527 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com")); | 576 EXPECT_TRUE(HasStaticPublicKeyPins("plus.google.com")); |
528 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com")); | 577 EXPECT_TRUE(HasStaticPublicKeyPins("groups.google.com")); |
529 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com")); | 578 EXPECT_TRUE(HasStaticPublicKeyPins("apis.google.com")); |
530 | 579 |
531 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com")); | 580 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.gstatic.com")); |
532 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com")); | 581 EXPECT_TRUE(HasStaticPublicKeyPins("gstatic.com")); |
533 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com")); | 582 EXPECT_TRUE(HasStaticPublicKeyPins("www.gstatic.com")); |
534 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com")); | 583 EXPECT_TRUE(HasStaticPublicKeyPins("ssl.google-analytics.com")); |
535 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com")); | 584 EXPECT_TRUE(HasStaticPublicKeyPins("www.googleplex.com")); |
536 | 585 |
537 // Disabled in order to help track down pinning failures --agl | |
538 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com")); | 586 EXPECT_TRUE(HasStaticPublicKeyPins("twitter.com")); |
539 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com")); | 587 EXPECT_FALSE(HasStaticPublicKeyPins("foo.twitter.com")); |
540 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); | 588 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com")); |
541 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com")); | 589 EXPECT_TRUE(HasStaticPublicKeyPins("api.twitter.com")); |
542 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com")); | 590 EXPECT_TRUE(HasStaticPublicKeyPins("oauth.twitter.com")); |
543 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com")); | 591 EXPECT_TRUE(HasStaticPublicKeyPins("mobile.twitter.com")); |
544 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com")); | 592 EXPECT_TRUE(HasStaticPublicKeyPins("dev.twitter.com")); |
545 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com")); | 593 EXPECT_TRUE(HasStaticPublicKeyPins("business.twitter.com")); |
546 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com")); | 594 EXPECT_TRUE(HasStaticPublicKeyPins("platform.twitter.com")); |
547 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com")); | 595 EXPECT_TRUE(HasStaticPublicKeyPins("si0.twimg.com")); |
578 HashValueVector good_hashes, bad_hashes; | 626 HashValueVector good_hashes, bad_hashes; |
579 | 627 |
580 for (size_t i = 0; kGoodPath[i]; i++) { | 628 for (size_t i = 0; kGoodPath[i]; i++) { |
581 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); | 629 EXPECT_TRUE(AddHash(kGoodPath[i], &good_hashes)); |
582 } | 630 } |
583 for (size_t i = 0; kBadPath[i]; i++) { | 631 for (size_t i = 0; kBadPath[i]; i++) { |
584 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); | 632 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes)); |
585 } | 633 } |
586 | 634 |
587 TransportSecurityState state; | 635 TransportSecurityState state; |
| 636 EnableStaticPins(&state); |
| 637 |
588 TransportSecurityState::DomainState domain_state; | 638 TransportSecurityState::DomainState domain_state; |
589 EXPECT_TRUE( | 639 EXPECT_TRUE( |
590 state.GetStaticDomainState("blog.torproject.org", true, &domain_state)); | 640 state.GetStaticDomainState("blog.torproject.org", true, &domain_state)); |
591 EXPECT_TRUE(domain_state.HasPublicKeyPins()); | 641 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
592 | 642 |
593 std::string failure_log; | 643 std::string failure_log; |
594 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log)); | 644 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log)); |
595 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log)); | 645 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log)); |
596 } | 646 } |
597 | 647 |
598 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { | 648 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { |
599 TransportSecurityState state; | 649 TransportSecurityState state; |
| 650 EnableStaticPins(&state); |
600 TransportSecurityState::DomainState domain_state; | 651 TransportSecurityState::DomainState domain_state; |
601 | 652 |
602 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com")); | 653 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com")); |
603 | 654 |
604 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false)); | 655 EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false)); |
605 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); | 656 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com")); |
606 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); | 657 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); |
607 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); | 658 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com")); |
608 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com")); | 659 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com")); |
609 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); | 660 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com")); |
695 // Expect to fail for SNI hosts when not searching the SNI list: | 746 // Expect to fail for SNI hosts when not searching the SNI list: |
696 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 747 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
697 "gmail.com", false)); | 748 "gmail.com", false)); |
698 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 749 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
699 "googlegroups.com", false)); | 750 "googlegroups.com", false)); |
700 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 751 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
701 "www.googlegroups.com", false)); | 752 "www.googlegroups.com", false)); |
702 } | 753 } |
703 | 754 |
704 } // namespace net | 755 } // namespace net |
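Review bot: Nothing on the new side asserts what a default-constructed `TransportSecurityState` does with static pins, because every pin-related test now calls `EnableStaticPins(&state)` first (PreloadedPins, BuiltinCertPins, OptionalHSTSCertPins, the Tor pin check, and the `HasStaticPublicKeyPins` / `OnlyPinningInStaticState` helpers). The initial value of `enable_static_pins_` is not visible on this page; if it depends on build configuration, a regression that leaves pinning switched off in a shipping build would still pass this suite. Consider adding a test that checks the default directly against the value expected for the build, with a comment stating which builds are meant to enforce static pins. In the `DisableStaticPins` test, also add `EXPECT_FALSE(domain_state.HasPublicKeyPins());` so the disabled case is not judged on `spki_hashes` alone, given that `OnlyPinningInStaticState` treats `bad_spki_hashes` as pin data too.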
OLD | NEW |