Chromium Code Reviews Chromium Code Reviews
Issue 619463002:
net: disable SSLv3 fallback. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| (...skipping 7050 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7061 for (size_t i = 0; i < lines.size(); i++) { | 7061 for (size_t i = 0; i < lines.size(); i++) { |
| 7062 int cipher_suite; | 7062 int cipher_suite; |
| 7063 ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite)); | 7063 ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite)); |
| 7064 EXPECT_FALSE(IsECDSACipherSuite(cipher_suite)) | 7064 EXPECT_FALSE(IsECDSACipherSuite(cipher_suite)) |
| 7065 << "ClientHello advertised " << cipher_suite; | 7065 << "ClientHello advertised " << cipher_suite; |
| 7066 } | 7066 } |
| 7067 } | 7067 } |
| 7068 | 7068 |
| 7069 #endif // OS_WIN | 7069 #endif // OS_WIN |
| 7070 | 7070 |
| 7071 class TestSSLConfigService : public SSLConfigService { | |
| 7072 public: | |
| 7073 TestSSLConfigService(bool ev_enabled, | |
| 7074 bool online_rev_checking, | |
| 7075 bool rev_checking_required_local_anchors) | |
| 7076 : ev_enabled_(ev_enabled), | |
| 7077 online_rev_checking_(online_rev_checking), | |
| 7078 rev_checking_required_local_anchors_( | |
| 7079 rev_checking_required_local_anchors), | |
| 7080 fallback_min_version_(0) {} | |
| 7081 | |
| 7082 void set_fallback_min_version(uint16 version) { | |
| 7083 fallback_min_version_ = version; | |
| 7084 } | |
| 7085 | |
| 7086 // SSLConfigService: | |
| 7087 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { | |
| 7088 *config = SSLConfig(); | |
| 7089 config->rev_checking_enabled = online_rev_checking_; | |
| 7090 config->verify_ev_cert = ev_enabled_; | |
| 7091 config->rev_checking_required_local_anchors = | |
| 7092 rev_checking_required_local_anchors_; | |
| 7093 if (fallback_min_version_) { | |
| 7094 config->version_fallback_min = fallback_min_version_; | |
| 7095 } | |
|
Ryan Sleevi
2014/10/01 21:25:05
nit: no braces
| |
| 7096 } | |
| 7097 | |
| 7098 protected: | |
| 7099 virtual ~TestSSLConfigService() {} | |
| 7100 | |
| 7101 private: | |
| 7102 const bool ev_enabled_; | |
| 7103 const bool online_rev_checking_; | |
| 7104 const bool rev_checking_required_local_anchors_; | |
| 7105 uint16 fallback_min_version_; | |
| 7106 }; | |
| 7107 | |
| 7108 class FallbackTestURLRequestContext : public TestURLRequestContext { | |
| 7109 public: | |
| 7110 explicit FallbackTestURLRequestContext(bool delay_initialization) | |
| 7111 : TestURLRequestContext(delay_initialization) {} | |
| 7112 | |
| 7113 void set_fallback_min_version(uint16 version) { | |
| 7114 TestSSLConfigService *ssl_config_service = | |
| 7115 new TestSSLConfigService(true /* check for EV */, | |
| 7116 false /* online revocation checking */, | |
| 7117 false /* require rev. checking for local | |
| 7118 anchors */); | |
| 7119 ssl_config_service->set_fallback_min_version(version); | |
| 7120 set_ssl_config_service(ssl_config_service); | |
| 7121 } | |
| 7122 }; | |
| 7123 | |
| 7071 class HTTPSFallbackTest : public testing::Test { | 7124 class HTTPSFallbackTest : public testing::Test { |
| 7072 public: | 7125 public: |
| 7073 HTTPSFallbackTest() : context_(true) { | 7126 HTTPSFallbackTest() : context_(true) {} |
| 7074 context_.Init(); | |
| 7075 delegate_.set_allow_certificate_errors(true); | |
| 7076 } | |
| 7077 virtual ~HTTPSFallbackTest() {} | 7127 virtual ~HTTPSFallbackTest() {} |
| 7078 | 7128 |
| 7079 protected: | 7129 protected: |
| 7080 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { | 7130 void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
| 7081 DCHECK(!request_); | 7131 DCHECK(!request_); |
| 7132 context_.Init(); | |
| 7133 delegate_.set_allow_certificate_errors(true); | |
| 7134 | |
| 7082 SpawnedTestServer test_server( | 7135 SpawnedTestServer test_server( |
| 7083 SpawnedTestServer::TYPE_HTTPS, | 7136 SpawnedTestServer::TYPE_HTTPS, |
| 7084 ssl_options, | 7137 ssl_options, |
| 7085 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); | 7138 base::FilePath(FILE_PATH_LITERAL("net/data/ssl"))); |
| 7086 ASSERT_TRUE(test_server.Start()); | 7139 ASSERT_TRUE(test_server.Start()); |
| 7087 | 7140 |
| 7088 request_ = context_.CreateRequest( | 7141 request_ = context_.CreateRequest( |
| 7089 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate_, NULL); | 7142 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate_, NULL); |
| 7090 request_->Start(); | 7143 request_->Start(); |
| 7091 | 7144 |
| 7092 base::RunLoop().Run(); | 7145 base::RunLoop().Run(); |
| 7093 } | 7146 } |
| 7094 | 7147 |
| 7148 void set_fallback_min_version(uint16 version) { | |
| 7149 context_.set_fallback_min_version(version); | |
| 7150 } | |
| 7151 | |
| 7095 void ExpectConnection(int version) { | 7152 void ExpectConnection(int version) { |
| 7096 EXPECT_EQ(1, delegate_.response_started_count()); | 7153 EXPECT_EQ(1, delegate_.response_started_count()); |
| 7097 EXPECT_NE(0, delegate_.bytes_received()); | 7154 EXPECT_NE(0, delegate_.bytes_received()); |
| 7098 EXPECT_EQ(version, SSLConnectionStatusToVersion( | 7155 EXPECT_EQ(version, SSLConnectionStatusToVersion( |
| 7099 request_->ssl_info().connection_status)); | 7156 request_->ssl_info().connection_status)); |
| 7100 EXPECT_TRUE(request_->ssl_info().connection_status & | 7157 EXPECT_TRUE(request_->ssl_info().connection_status & |
| 7101 SSL_CONNECTION_VERSION_FALLBACK); | 7158 SSL_CONNECTION_VERSION_FALLBACK); |
| 7102 } | 7159 } |
| 7103 | 7160 |
| 7104 void ExpectFailure(int error) { | 7161 void ExpectFailure(int error) { |
| 7105 EXPECT_EQ(1, delegate_.response_started_count()); | 7162 EXPECT_EQ(1, delegate_.response_started_count()); |
| 7106 EXPECT_FALSE(request_->status().is_success()); | 7163 EXPECT_FALSE(request_->status().is_success()); |
| 7107 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); | 7164 EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status()); |
| 7108 EXPECT_EQ(error, request_->status().error()); | 7165 EXPECT_EQ(error, request_->status().error()); |
| 7109 } | 7166 } |
| 7110 | 7167 |
| 7111 private: | 7168 private: |
| 7112 TestDelegate delegate_; | 7169 TestDelegate delegate_; |
| 7113 TestURLRequestContext context_; | 7170 FallbackTestURLRequestContext context_; |
| 7114 scoped_ptr<URLRequest> request_; | 7171 scoped_ptr<URLRequest> request_; |
| 7115 }; | 7172 }; |
| 7116 | 7173 |
| 7117 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more | 7174 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more |
| 7118 // than necessary. | 7175 // than necessary. |
| 7119 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { | 7176 TEST_F(HTTPSFallbackTest, TLSv1Fallback) { |
| 7120 SpawnedTestServer::SSLOptions ssl_options( | 7177 SpawnedTestServer::SSLOptions ssl_options( |
| 7121 SpawnedTestServer::SSLOptions::CERT_OK); | 7178 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7122 ssl_options.tls_intolerant = | 7179 ssl_options.tls_intolerant = |
| 7123 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; | 7180 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1; |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7179 // Have the server process TLS_FALLBACK_SCSV so that version fallback | 7236 // Have the server process TLS_FALLBACK_SCSV so that version fallback |
| 7180 // connections are rejected. | 7237 // connections are rejected. |
| 7181 ssl_options.fallback_scsv_enabled = true; | 7238 ssl_options.fallback_scsv_enabled = true; |
| 7182 | 7239 |
| 7183 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7240 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7184 | 7241 |
| 7185 // The original error should be replayed on rejected fallback. | 7242 // The original error should be replayed on rejected fallback. |
| 7186 ExpectFailure(ERR_CONNECTION_CLOSED); | 7243 ExpectFailure(ERR_CONNECTION_CLOSED); |
| 7187 } | 7244 } |
| 7188 | 7245 |
| 7189 // Tests that the SSLv3 fallback triggers on alert. | 7246 // Tests that the SSLv3 fallback doesn't happen by default. |
| 7190 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { | 7247 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| 7191 SpawnedTestServer::SSLOptions ssl_options( | 7248 SpawnedTestServer::SSLOptions ssl_options( |
| 7192 SpawnedTestServer::SSLOptions::CERT_OK); | 7249 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7193 ssl_options.tls_intolerant = | 7250 ssl_options.tls_intolerant = |
| 7194 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7251 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7195 | 7252 |
| 7196 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7253 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7254 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | |
| 7255 } | |
| 7256 | |
| 7257 // Tests that the SSLv3 fallback works when explicitly enabled. | |
| 7258 TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { | |
| 7259 SpawnedTestServer::SSLOptions ssl_options( | |
| 7260 SpawnedTestServer::SSLOptions::CERT_OK); | |
| 7261 ssl_options.tls_intolerant = | |
| 7262 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | |
| 7263 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 7264 | |
| 7265 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | |
| 7197 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | 7266 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7198 } | 7267 } |
| 7199 | 7268 |
| 7200 // Tests that the SSLv3 fallback triggers on closed connections. | 7269 // Tests that the SSLv3 fallback triggers on closed connections when explicitly |
| 7270 // enabled. | |
| 7201 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { | 7271 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| 7202 SpawnedTestServer::SSLOptions ssl_options( | 7272 SpawnedTestServer::SSLOptions ssl_options( |
| 7203 SpawnedTestServer::SSLOptions::CERT_OK); | 7273 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7204 ssl_options.tls_intolerant = | 7274 ssl_options.tls_intolerant = |
| 7205 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7275 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7206 ssl_options.tls_intolerance_type = | 7276 ssl_options.tls_intolerance_type = |
| 7207 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; | 7277 SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| 7278 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 7208 | 7279 |
| 7209 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7280 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7210 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); | 7281 ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| 7211 } | 7282 } |
| 7212 | 7283 |
| 7213 // This test is disabled on Android because the remote test server doesn't cause | 7284 // This test is disabled on Android because the remote test server doesn't cause |
| 7214 // a TCP reset. | 7285 // a TCP reset. |
| 7215 #if !defined(OS_ANDROID) | 7286 #if !defined(OS_ANDROID) |
| 7216 // Tests that a reset connection does not fallback down to SSL3. | 7287 // Tests that a reset connection does not fallback down to SSL3. |
| 7217 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { | 7288 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) { |
| (...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 7314 EXPECT_EQ("insert", parts[0]); | 7385 EXPECT_EQ("insert", parts[0]); |
| 7315 if (i == 0) { | 7386 if (i == 0) { |
| 7316 session_id = parts[1]; | 7387 session_id = parts[1]; |
| 7317 } else { | 7388 } else { |
| 7318 EXPECT_NE(session_id, parts[1]); | 7389 EXPECT_NE(session_id, parts[1]); |
| 7319 } | 7390 } |
| 7320 } | 7391 } |
| 7321 } | 7392 } |
| 7322 } | 7393 } |
| 7323 | 7394 |
| 7324 class TestSSLConfigService : public SSLConfigService { | |
| 7325 public: | |
| 7326 TestSSLConfigService(bool ev_enabled, | |
| 7327 bool online_rev_checking, | |
| 7328 bool rev_checking_required_local_anchors) | |
| 7329 : ev_enabled_(ev_enabled), | |
| 7330 online_rev_checking_(online_rev_checking), | |
| 7331 rev_checking_required_local_anchors_( | |
| 7332 rev_checking_required_local_anchors) {} | |
| 7333 | |
| 7334 // SSLConfigService: | |
| 7335 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { | |
| 7336 *config = SSLConfig(); | |
| 7337 config->rev_checking_enabled = online_rev_checking_; | |
| 7338 config->verify_ev_cert = ev_enabled_; | |
| 7339 config->rev_checking_required_local_anchors = | |
| 7340 rev_checking_required_local_anchors_; | |
| 7341 } | |
| 7342 | |
| 7343 protected: | |
| 7344 virtual ~TestSSLConfigService() {} | |
| 7345 | |
| 7346 private: | |
| 7347 const bool ev_enabled_; | |
| 7348 const bool online_rev_checking_; | |
| 7349 const bool rev_checking_required_local_anchors_; | |
| 7350 }; | |
| 7351 | |
| 7352 // This the fingerprint of the "Testing CA" certificate used by the testserver. | 7395 // This the fingerprint of the "Testing CA" certificate used by the testserver. |
| 7353 // See net/data/ssl/certificates/ocsp-test-root.pem. | 7396 // See net/data/ssl/certificates/ocsp-test-root.pem. |
| 7354 static const SHA1HashValue kOCSPTestCertFingerprint = | 7397 static const SHA1HashValue kOCSPTestCertFingerprint = |
| 7355 { { 0xf1, 0xad, 0xf6, 0xce, 0x42, 0xac, 0xe7, 0xb4, 0xf4, 0x24, | 7398 { { 0xf1, 0xad, 0xf6, 0xce, 0x42, 0xac, 0xe7, 0xb4, 0xf4, 0x24, |
| 7356 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; | 7399 0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } }; |
| 7357 | 7400 |
| 7358 // This is the SHA256, SPKI hash of the "Testing CA" certificate used by the | 7401 // This is the SHA256, SPKI hash of the "Testing CA" certificate used by the |
| 7359 // testserver. | 7402 // testserver. |
| 7360 static const SHA256HashValue kOCSPTestCertSPKI = { { | 7403 static const SHA256HashValue kOCSPTestCertSPKI = { { |
| 7361 0xee, 0xe6, 0x51, 0x2d, 0x4c, 0xfa, 0xf7, 0x3e, | 7404 0xee, 0xe6, 0x51, 0x2d, 0x4c, 0xfa, 0xf7, 0x3e, |
| (...skipping 816 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8178 | 8221 |
| 8179 EXPECT_FALSE(r->is_pending()); | 8222 EXPECT_FALSE(r->is_pending()); |
| 8180 EXPECT_EQ(1, d->response_started_count()); | 8223 EXPECT_EQ(1, d->response_started_count()); |
| 8181 EXPECT_FALSE(d->received_data_before_response()); | 8224 EXPECT_FALSE(d->received_data_before_response()); |
| 8182 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 8225 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
| 8183 } | 8226 } |
| 8184 } | 8227 } |
| 8185 #endif // !defined(DISABLE_FTP_SUPPORT) | 8228 #endif // !defined(DISABLE_FTP_SUPPORT) |
| 8186 | 8229 |
| 8187 } // namespace net | 8230 } // namespace net |
| OLD | NEW |
