1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
6 | 6 |
7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
8 #include <windows.h> | 8 #include <windows.h> |
9 #include <shlobj.h> | 9 #include <shlobj.h> |
10 #endif | 10 #endif |
7061 for (size_t i = 0; i < lines.size(); i++) { | 7061 for (size_t i = 0; i < lines.size(); i++) { |
7062 int cipher_suite; | 7062 int cipher_suite; |
7063 ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite)); | 7063 ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite)); |
7064 EXPECT_FALSE(IsECDSACipherSuite(cipher_suite)) | 7064 EXPECT_FALSE(IsECDSACipherSuite(cipher_suite)) |
7065 << "ClientHello advertised " << cipher_suite; | 7065 << "ClientHello advertised " << cipher_suite; |
7066 } | 7066 } |
7067 } | 7067 } |
7068 | 7068 |
7069 #endif // OS_WIN | 7069 #endif // OS_WIN |
7070 | 7070 |
7071 class TestSSLConfigService : public SSLConfigService { | |
7072 public: | |
7073 TestSSLConfigService(bool ev_enabled, | |
7074 bool online_rev_checking, | |
7075 bool rev_checking_required_local_anchors) | |
7076 : ev_enabled_(ev_enabled), | |
7077 online_rev_checking_(online_rev_checking), | |
7078 rev_checking_required_local_anchors_( | |
7079 rev_checking_required_local_anchors), | |
7080 fallback_min_version_(0) {} | |
7081 | |
7082 void set_fallback_min_version(uint16 version) { | |
7083 fallback_min_version_ = version; | |
7084 } | |
7085 | |
7086 // SSLConfigService: | |
7087 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { | |
7088 *config = SSLConfig(); | |
7089 config->rev_checking_enabled = online_rev_checking_; | |
7090 config->verify_ev_cert = ev_enabled_; | |
7091 config->rev_checking_required_local_anchors = | |
7092 rev_checking_required_local_anchors_; | |
7093 if (fallback_min_version_) { | |
7094 config->version_fallback_min = fallback_min_version_; | |
7095 } | |
Ryan Sleevi
2014/10/01 21:25:05
nit: no braces
| |
7096 } | |
7097 | |
7098 protected: | |
7099 virtual ~TestSSLConfigService() {} | |
7100 | |
7101 private: | |
7102 const bool ev_enabled_; | |
7103 const bool online_rev_checking_; | |
7104 const bool rev_checking_required_local_anchors_; | |
7105 uint16 fallback_min_version_; | |
7106 }; | |
7107 | |
7108 class FallbackTestURLRequestContext : public TestURLRequestContext { | |
7109 public: | |
7110 explicit FallbackTestURLRequestContext(bool delay_initialization) | |
7111 : TestURLRequestContext(delay_initialization) {} | |
7112 | |
7113 void set_fallback_min_version(uint16 version) { | |
7114 TestSSLConfigService *ssl_config_service = | |
7115 new TestSSLConfigService(true /* check for EV */, | |
7116 false /* online revocation checking */, | |
7117 false /* require rev. checking for local | |
7118 anchors */); | |
7119 ssl_config_service->set_fallback_min_version(version); | |
7120 set_ssl_config_service(ssl_config_service); | |
7121 } | |
7122 }; | |
7123 | |
7071 class HTTPSFallbackTest : public testing::Test { | 7124 class HTTPSFallbackTest : public testing::Test { |
7072 public: | 7125 public: |
7073 HTTPSFallbackTest() : context_(true) { | 7126 HTTPSFallbackTest() : context_(true) {} |
7074 context_.Init(); | |
7075 delegate_.set_allow_certificate_errors(true); | |
7076 } | |
7077 virtual ~HTTPSFallbackTest() {} | 7127 virtual ~HTTPSFallbackTest() {} |
7078 | 7128 |
7079 protected: | 7129 protected: |
7080 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { | 7130 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
7081 DCHECK(!request_); | 7131 DCHECK(!request_); |
7132 context_.Init(); | |
7133 delegate_.set_allow_certificate_errors(true); | |
7134 | |
7082 SpawnedTestServer test_server( | 7135 SpawnedTestServer test_server( |
7083 SpawnedTestServer::TYPE_HTTPS, | 7136 SpawnedTestServer::TYPE_HTTPS, |
7084 ssl_options, | 7137 ssl_options, |
7085 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 7138 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
7086 ASSERT_TRUE(test_server.Start()); | 7139 ASSERT_TRUE(test_server.Start()); |
7087 | 7140 |
7088 request_ = context_.CreateRequest( | 7141 request_ = context_.CreateRequest( |
7089 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate_, NULL); | 7142 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate_, NULL); |
7090 request_->Start(); | 7143 request_->Start(); |
7091 | 7144 |
7092 base::RunLoop().Run(); | 7145 base::RunLoop().Run(); |
7093 } | 7146 } |
7094 | 7147 |
7148 void set_fallback_min_version(uint16 version) { | |
7149 context_.set_fallback_min_version(version); | |
7150 } | |
7151 | |
7095 void ExpectConnection(int version) { | 7152 void ExpectConnection(int version) { |
7096 EXPECT_EQ(1, delegate_.response_started_count()); | 7153 EXPECT_EQ(1, delegate_.response_started_count()); |
7097 EXPECT_NE(0, delegate_.bytes_received()); | 7154 EXPECT_NE(0, delegate_.bytes_received()); |
7098 EXPECT_EQ(version, SSLConnectionStatusToVersion( | 7155 EXPECT_EQ(version, SSLConnectionStatusToVersion( |
7099 request_->ssl_info().connection_status)); | 7156 request_->ssl_info().connection_status)); |
7100 EXPECT_TRUE(request_->ssl_info().connection_status & | 7157 EXPECT_TRUE(request_->ssl_info().connection_status & |
7101 SSL_CONNECTION_VERSION_FALLBACK); | 7158 SSL_CONNECTION_VERSION_FALLBACK); |
7102 } | 7159 } |
7103 | 7160 |
7104 void ExpectFailure(int error) { | 7161 void ExpectFailure(int error) { |
7105 EXPECT_EQ(1, delegate_.response_started_count()); | 7162 EXPECT_EQ(1, delegate_.response_started_count()); |
7106 EXPECT_FALSE(request_->status().is_success()); | 7163 EXPECT_FALSE(request_->status().is_success()); |
7107 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); | 7164 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
7108 EXPECT_EQ(error, request_->status().error()); | 7165 EXPECT_EQ(error, request_->status().error()); |
7109 } | 7166 } |
7110 | 7167 |
7111 private: | 7168 private: |
7112 TestDelegate delegate_; | 7169 TestDelegate delegate_; |
7113 TestURLRequestContext context_; | 7170 FallbackTestURLRequestContext context_; |
7114 scoped_ptr<URLRequest> request_; | 7171 scoped_ptr<URLRequest> request_; |
7115 }; | 7172 }; |
7116 | 7173 |
7117 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more | 7174 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
7118 // than necessary. | 7175 // than necessary. |
7119 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { | 7176 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { |
7120 SpawnedTestServer::SSLOptions ssl_options( | 7177 SpawnedTestServer::SSLOptions ssl_options( |
7121 SpawnedTestServer::SSLOptions::CERT_OK); | 7178 SpawnedTestServer::SSLOptions::CERT_OK); |
7122 ssl_options.tls_intolerant = | 7179 ssl_options.tls_intolerant = |
7123 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 7180 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
7179 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 7236 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
7180 // connections are rejected. | 7237 // connections are rejected. |
7181 ssl_options.fallback_scsv_enabled = true; | 7238 ssl_options.fallback_scsv_enabled = true; |
7182 | 7239 |
7183 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7240 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
7184 | 7241 |
7185 // The original error should be replayed on rejected fallback. | 7242 // The original error should be replayed on rejected fallback. |
7186 ExpectFailure(ERR_CONNECTION_CLOSED); | 7243 ExpectFailure(ERR_CONNECTION_CLOSED); |
7187 } | 7244 } |
7188 | 7245 |
7189 // Tests that the SSLv3 fallback triggers on alert. | 7246 // Tests that the SSLv3 fallback doesn't happen by default. |
7190 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { | 7247 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
7191 SpawnedTestServer::SSLOptions ssl_options( | 7248 SpawnedTestServer::SSLOptions ssl_options( |
7192 SpawnedTestServer::SSLOptions::CERT_OK); | 7249 SpawnedTestServer::SSLOptions::CERT_OK); |
7193 ssl_options.tls_intolerant = | 7250 ssl_options.tls_intolerant = |
7194 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7251 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
7195 | 7252 |
7196 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7253 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
7254 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | |
7255 } | |
7256 | |
7257 // Tests that the SSLv3 fallback works when explicitly enabled. | |
7258 TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { | |
7259 SpawnedTestServer::SSLOptions ssl_options( | |
7260 SpawnedTestServer::SSLOptions::CERT_OK); | |
7261 ssl_options.tls_intolerant = | |
7262 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
7263 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
7264 | |
7265 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
7197 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | 7266 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
7198 } | 7267 } |
7199 | 7268 |
7200 // Tests that the SSLv3 fallback triggers on closed connections. | 7269 // Tests that the SSLv3 fallback triggers on closed connections when explicitly |
7270 // enabled. | |
7201 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { | 7271 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
7202 SpawnedTestServer::SSLOptions ssl_options( | 7272 SpawnedTestServer::SSLOptions ssl_options( |
7203 SpawnedTestServer::SSLOptions::CERT_OK); | 7273 SpawnedTestServer::SSLOptions::CERT_OK); |
7204 ssl_options.tls_intolerant = | 7274 ssl_options.tls_intolerant = |
7205 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7275 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
7206 ssl_options.tls_intolerance_type = | 7276 ssl_options.tls_intolerance_type = |
7207 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 7277 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
7278 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
7208 | 7279 |
7209 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7280 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
7210 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | 7281 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
7211 } | 7282 } |
7212 | 7283 |
7213 // This test is disabled on Android because the remote test server doesn't cause | 7284 // This test is disabled on Android because the remote test server doesn't cause |
7214 // a TCP reset. | 7285 // a TCP reset. |
7215 #if !defined(OS_ANDROID) | 7286 #if !defined(OS_ANDROID) |
7216 // Tests that a reset connection does not fallback down to SSL3. | 7287 // Tests that a reset connection does not fallback down to SSL3. |
7217 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { | 7288 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { |
7314 EXPECT_EQ("insert", parts[0]); | 7385 EXPECT_EQ("insert", parts[0]); |
7315 if (i == 0) { | 7386 if (i == 0) { |
7316 session_id = parts[1]; | 7387 session_id = parts[1]; |
7317 } else { | 7388 } else { |
7318 EXPECT_NE(session_id, parts[1]); | 7389 EXPECT_NE(session_id, parts[1]); |
7319 } | 7390 } |
7320 } | 7391 } |
7321 } | 7392 } |
7322 } | 7393 } |
7323 | 7394 |
7324 class TestSSLConfigService : public SSLConfigService { | |
7325 public: | |
7326 TestSSLConfigService(bool ev_enabled, | |
7327 bool online_rev_checking, | |
7328 bool rev_checking_required_local_anchors) | |
7329 : ev_enabled_(ev_enabled), | |
7330 online_rev_checking_(online_rev_checking), | |
7331 rev_checking_required_local_anchors_( | |
7332 rev_checking_required_local_anchors) {} | |
7333 | |
7334 // SSLConfigService: | |
7335 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { | |
7336 *config = SSLConfig(); | |
7337 config->rev_checking_enabled = online_rev_checking_; | |
7338 config->verify_ev_cert = ev_enabled_; | |
7339 config->rev_checking_required_local_anchors = | |
7340 rev_checking_required_local_anchors_; | |
7341 } | |
7342 | |
7343 protected: | |
7344 virtual ~TestSSLConfigService() {} | |
7345 | |
7346 private: | |
7347 const bool ev_enabled_; | |
7348 const bool online_rev_checking_; | |
7349 const bool rev_checking_required_local_anchors_; | |
7350 }; | |
7351 | |
7352 // This the fingerprint of the "Testing CA" certificate used by the testserver. | 7395 // This the fingerprint of the "Testing CA" certificate used by the testserver. |
7353 // See net/data/ssl/certificates/ocsp-test-root.pem. | 7396 // See net/data/ssl/certificates/ocsp-test-root.pem. |
7354 static const SHA1HashValue kOCSPTestCertFingerprint = | 7397 static const SHA1HashValue kOCSPTestCertFingerprint = |
7355 { { 0xf1, 0xad, 0xf6, 0xce, 0x42, 0xac, 0xe7, 0xb4, 0xf4, 0x24, | 7398 { { 0xf1, 0xad, 0xf6, 0xce, 0x42, 0xac, 0xe7, 0xb4, 0xf4, 0x24, |
7356 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; | 7399 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; |
7357 | 7400 |
7358 // This is the SHA256, SPKI hash of the "Testing CA" certificate used by the | 7401 // This is the SHA256, SPKI hash of the "Testing CA" certificate used by the |
7359 // testserver. | 7402 // testserver. |
7360 static const SHA256HashValue kOCSPTestCertSPKI = { { | 7403 static const SHA256HashValue kOCSPTestCertSPKI = { { |
7361 0xee, 0xe6, 0x51, 0x2d, 0x4c, 0xfa, 0xf7, 0x3e, | 7404 0xee, 0xe6, 0x51, 0x2d, 0x4c, 0xfa, 0xf7, 0x3e, |
8178 | 8221 |
8179 EXPECT_FALSE(r->is_pending()); | 8222 EXPECT_FALSE(r->is_pending()); |
8180 EXPECT_EQ(1, d->response_started_count()); | 8223 EXPECT_EQ(1, d->response_started_count()); |
8181 EXPECT_FALSE(d->received_data_before_response()); | 8224 EXPECT_FALSE(d->received_data_before_response()); |
8182 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 8225 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
8183 } | 8226 } |
8184 } | 8227 } |
8185 #endif // !defined(DISABLE_FTP_SUPPORT) | 8228 #endif // !defined(DISABLE_FTP_SUPPORT) |
8186 | 8229 |
8187 } // namespace net | 8230 } // namespace net |
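Review bot: The new `HTTPSFallbackTest::set_fallback_min_version` (new side, lines 7148-7150) only takes effect if it is called before `DoFallbackTest()`, because `context_.Init()` was moved into `DoFallbackTest()` (line 7132) and `FallbackTestURLRequestContext::set_fallback_min_version` replaces the SSL config service on the context; nothing in the fixture documents or checks that ordering, so a test that calls it after `DoFallbackTest()` would silently run with the default minimum version. I would add `// Must be called before DoFallbackTest(), which initializes context_.` above the fixture's setter, and the same note on `FallbackTestURLRequestContext::set_fallback_min_version`. Since this setter is the only way a test opts into SSLv3 fallback, and `SSLv3Fallback` (line 7254) now asserts the opt-out default with `ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION`, it is worth stating that intent in the `FallbackTestURLRequestContext` class comment as well. The `TestSSLConfigService` handed to `set_ssl_config_service` is allocated with `new` and has a protected destructor, which presumably relies on the context taking a ref-counted owner; if that is the case a one-line comment on line 7120 saying ownership passes to the context would save the next reader the lookup.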
OLD | NEW |