net: disable SSLv3 fallback.

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <shlobj.h>
 #endif
@@ skipping 6916 matching lines @@
         EXPECT_EQ("insert", parts[0]);
         session_id = parts[1];
       } else {
         EXPECT_EQ("lookup", parts[0]);
         EXPECT_EQ(session_id, parts[1]);
       }
     }
   }
 }
 
+// AssertTwoDistinctSessionsInserted checks that |session_info|, which must be
+// the result of fetching "ssl-session-cache" from the test server, indicates
+// that exactly two different sessions were inserted, with no lookups etc.
+static void AssertTwoDistinctSessionsInserted(const string& session_info) {
+  std::vector<std::string> lines;
+  base::SplitString(session_info, '\n', &lines);
+  ASSERT_EQ(3u, lines.size()) << session_info;
+
+  std::string session_id;
+  for (size_t i = 0; i < 2; i++) {
+    std::vector<std::string> parts;
+    base::SplitString(lines[i], '\t', &parts);
+    ASSERT_EQ(2u, parts.size());
+    EXPECT_EQ("insert", parts[0]);
+    if (i == 0) {
+      session_id = parts[1];
+    } else {
+      EXPECT_NE(session_id, parts[1]);
+    }
+  }
+}
+
 TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) {
   // Test that sessions aren't resumed when the value of ssl_session_cache_shard
   // differs.
   SpawnedTestServer::SSLOptions ssl_options;
   ssl_options.record_resume = true;
   SpawnedTestServer test_server(
       SpawnedTestServer::TYPE_HTTPS,
       ssl_options,
       base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
   ASSERT_TRUE(test_server.Start());
@@ skipping 43 matching lines @@
     base::RunLoop().Run();
 
     // The response will look like;
     //   insert abc
     //   insert xyz
     //
     // With a newline at the end which makes the split think that there are
     // three lines.
 
     EXPECT_EQ(1, d.response_started_count());
-    std::vector<std::string> lines;
-    base::SplitString(d.data_received(), '\n', &lines);
-    ASSERT_EQ(3u, lines.size());
-
-    std::string session_id;
-    for (size_t i = 0; i < 2; i++) {
-      std::vector<std::string> parts;
-      base::SplitString(lines[i], '\t', &parts);
-      ASSERT_EQ(2u, parts.size());
-      EXPECT_EQ("insert", parts[0]);
-      if (i == 0) {
-        session_id = parts[1];
-      } else {
-        EXPECT_NE(session_id, parts[1]);
-      }
-    }
+    AssertTwoDistinctSessionsInserted(d.data_received());
   }
 }
 
 #if defined(OS_WIN)
 
 namespace {
 
 bool IsECDSACipherSuite(uint16_t cipher_suite) {
   const char* key_exchange;
   const char* cipher;
@@ skipping 34 matching lines @@
   for (size_t i = 0; i < lines.size(); i++) {
     int cipher_suite;
     ASSERT_TRUE(base::StringToInt(lines[i], &cipher_suite));
     EXPECT_FALSE(IsECDSACipherSuite(cipher_suite))
         << "ClientHello advertised " << cipher_suite;
   }
 }
 
 #endif  // OS_WIN
 
+class TestSSLConfigService : public SSLConfigService {
+ public:
+  TestSSLConfigService(bool ev_enabled,
+                       bool online_rev_checking,
+                       bool rev_checking_required_local_anchors)
+      : ev_enabled_(ev_enabled),
+        online_rev_checking_(online_rev_checking),
+        rev_checking_required_local_anchors_(
+            rev_checking_required_local_anchors),
+        fallback_min_version_(0) {}
+
+  void set_fallback_min_version(uint16 version) {
+    fallback_min_version_ = version;
+  }
+
+  // SSLConfigService:
+  virtual void GetSSLConfig(SSLConfig* config) OVERRIDE {
+    *config = SSLConfig();
+    config->rev_checking_enabled = online_rev_checking_;
+    config->verify_ev_cert = ev_enabled_;
+    config->rev_checking_required_local_anchors =
+        rev_checking_required_local_anchors_;
+    if (fallback_min_version_) {
+      config->version_fallback_min = fallback_min_version_;
+    }
+  }
+
+ protected:
+  virtual ~TestSSLConfigService() {}
+
+ private:
+  const bool ev_enabled_;
+  const bool online_rev_checking_;
+  const bool rev_checking_required_local_anchors_;
+  uint16 fallback_min_version_;
+};
+
+class FallbackTestURLRequestContext : public TestURLRequestContext {
+ public:
+  explicit FallbackTestURLRequestContext(bool delay_initialization)
+      : TestURLRequestContext(delay_initialization) {}
+
+  void set_fallback_min_version(uint16 version) {
+    TestSSLConfigService *ssl_config_service =
+        new TestSSLConfigService(true /* check for EV */,
+                                 false /* online revocation checking */,
+                                 false /* require rev. checking for local
+                                          anchors */);
+    ssl_config_service->set_fallback_min_version(version);
+    set_ssl_config_service(ssl_config_service);
+  }
+};
+
 class HTTPSFallbackTest : public testing::Test {
  public:
-  HTTPSFallbackTest() : context_(true) {
-    context_.Init();
-    delegate_.set_allow_certificate_errors(true);
-  }
+  HTTPSFallbackTest() : context_(true) {}
   virtual ~HTTPSFallbackTest() {}
 
  protected:
   void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) {
     DCHECK(!request_);
+    context_.Init();
+    delegate_.set_allow_certificate_errors(true);
+
     SpawnedTestServer test_server(
         SpawnedTestServer::TYPE_HTTPS,
         ssl_options,
         base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
     ASSERT_TRUE(test_server.Start());
 
     request_ = context_.CreateRequest(
         test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate_, NULL);
     request_->Start();
 
     base::RunLoop().Run();
   }
 
+  void set_fallback_min_version(uint16 version) {
+    context_.set_fallback_min_version(version);
+  }
+
   void ExpectConnection(int version) {
     EXPECT_EQ(1, delegate_.response_started_count());
     EXPECT_NE(0, delegate_.bytes_received());
     EXPECT_EQ(version, SSLConnectionStatusToVersion(
         request_->ssl_info().connection_status));
     EXPECT_TRUE(request_->ssl_info().connection_status &
                 SSL_CONNECTION_VERSION_FALLBACK);
   }
 
   void ExpectFailure(int error) {
     EXPECT_EQ(1, delegate_.response_started_count());
     EXPECT_FALSE(request_->status().is_success());
     EXPECT_EQ(URLRequestStatus::FAILED, request_->status().status());
     EXPECT_EQ(error, request_->status().error());
   }
 
  private:
   TestDelegate delegate_;
-  TestURLRequestContext context_;
+  FallbackTestURLRequestContext context_;
   scoped_ptr<URLRequest> request_;
 };
 
 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more
 // than necessary.
 TEST_F(HTTPSFallbackTest, TLSv1Fallback) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1;
@@ skipping 55 matching lines @@
   // Have the server process TLS_FALLBACK_SCSV so that version fallback
   // connections are rejected.
   ssl_options.fallback_scsv_enabled = true;
 
   ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
 
   // The original error should be replayed on rejected fallback.
   ExpectFailure(ERR_CONNECTION_CLOSED);
 }
 
-// Tests that the SSLv3 fallback triggers on alert.
+// Tests that the SSLv3 fallback doesn't happen by default.
 TEST_F(HTTPSFallbackTest, SSLv3Fallback) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
 
   ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
+  ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION);
+}
+
+// Tests that the SSLv3 fallback works when explicitly enabled.
+TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3);
+
+  ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
   ExpectConnection(SSL_CONNECTION_VERSION_SSL3);
 }
 
-// Tests that the SSLv3 fallback triggers on closed connections.
+// Tests that the SSLv3 fallback triggers on closed connections when explicitly
+// enabled.
 TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
   ssl_options.tls_intolerance_type =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
+  set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3);
 
   ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
   ExpectConnection(SSL_CONNECTION_VERSION_SSL3);
 }
 
+// Test that SSLv3 fallback probe connections don't cause sessions to be cached.
+TEST_F(HTTPSFallbackTest, SSLv3FallbackNoCache) {
+  SpawnedTestServer::SSLOptions ssl_options(
+      SpawnedTestServer::SSLOptions::CERT_OK);
+  ssl_options.tls_intolerant =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+  ssl_options.tls_intolerance_type =
+      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
+  ssl_options.record_resume = true;
+
+  SpawnedTestServer test_server(
+      SpawnedTestServer::TYPE_HTTPS,
+      ssl_options,
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  ASSERT_TRUE(test_server.Start());
+
+  SSLClientSocket::ClearSessionCache();
+
+  // Make a connection that does a probe fallback to SSLv3 but fails because
+  // SSLv3 fallback is disabled. We don't wish a session for this connection to
+  // be inserted locally.
+  {
+    TestDelegate delegate;
+    FallbackTestURLRequestContext context(true);
+
+    context.Init();
+    scoped_ptr<URLRequest> request(context.CreateRequest(
+        test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate, NULL));
+    request->Start();
+
+    base::RunLoop().Run();
+
+    EXPECT_EQ(1, delegate.response_started_count());
+    EXPECT_FALSE(request->status().is_success());
+    EXPECT_EQ(URLRequestStatus::FAILED, request->status().status());
+    EXPECT_EQ(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION,
+              request->status().error());
+  }
+
+  // Now allow SSLv3 connections and request the session cache log.
+  {
+    TestDelegate delegate;
+    FallbackTestURLRequestContext context(true);
+    context.set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3);
+
+    context.Init();
+    scoped_ptr<URLRequest> request(
+        context.CreateRequest(test_server.GetURL("ssl-session-cache"),
+                               DEFAULT_PRIORITY,

[davidben, 2014/10/08 02:54:37]

Nit: indentation

+                               &delegate,
+                               NULL));
+    request->Start();
+
+    base::RunLoop().Run();
+
+    EXPECT_EQ(1, delegate.response_started_count());
+    EXPECT_NE(0, delegate.bytes_received());
+    EXPECT_EQ(SSL_CONNECTION_VERSION_SSL3, SSLConnectionStatusToVersion(
+        request->ssl_info().connection_status));
+    EXPECT_TRUE(request->ssl_info().connection_status &
+                SSL_CONNECTION_VERSION_FALLBACK);
+
+    std::vector<std::string> lines;
+    // If no sessions were cached then the server should have seen two sessions
+    // inserted with no lookups.
+    AssertTwoDistinctSessionsInserted(delegate.data_received());
+  }
+}
+
 // This test is disabled on Android because the remote test server doesn't cause
 // a TCP reset.
 #if !defined(OS_ANDROID)
 // Tests that a reset connection does not fallback down to SSL3.
 TEST_F(HTTPSFallbackTest, SSLv3NoFallbackReset) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_OK);
   ssl_options.tls_intolerant =
       SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
   ssl_options.tls_intolerance_type =
@@ skipping 72 matching lines @@
     // With a newline at the end which makes the split think that there are
     // three lines.
     //
     // If a session was presented (eg: a bug), then the response would look
     // like;
     //   insert abc
     //   lookup abc
     //   insert xyz
 
     EXPECT_EQ(1, d.response_started_count());
-    std::vector<std::string> lines;
-    base::SplitString(d.data_received(), '\n', &lines);
-    ASSERT_EQ(3u, lines.size()) << d.data_received();
-
-    std::string session_id;
-    for (size_t i = 0; i < 2; i++) {
-      std::vector<std::string> parts;
-      base::SplitString(lines[i], '\t', &parts);
-      ASSERT_EQ(2u, parts.size());
-      EXPECT_EQ("insert", parts[0]);
-      if (i == 0) {
-        session_id = parts[1];
-      } else {
-        EXPECT_NE(session_id, parts[1]);
-      }
-    }
+    AssertTwoDistinctSessionsInserted(d.data_received());
   }
 }
 
-class TestSSLConfigService : public SSLConfigService {
- public:
-  TestSSLConfigService(bool ev_enabled,
-                       bool online_rev_checking,
-                       bool rev_checking_required_local_anchors)
-      : ev_enabled_(ev_enabled),
-        online_rev_checking_(online_rev_checking),
-        rev_checking_required_local_anchors_(
-            rev_checking_required_local_anchors) {}
-
-  // SSLConfigService:
-  virtual void GetSSLConfig(SSLConfig* config) OVERRIDE {
-    *config = SSLConfig();
-    config->rev_checking_enabled = online_rev_checking_;
-    config->verify_ev_cert = ev_enabled_;
-    config->rev_checking_required_local_anchors =
-        rev_checking_required_local_anchors_;
-  }
-
- protected:
-  virtual ~TestSSLConfigService() {}
-
- private:
-  const bool ev_enabled_;
-  const bool online_rev_checking_;
-  const bool rev_checking_required_local_anchors_;
-};
-
 // This the fingerprint of the "Testing CA" certificate used by the testserver.
 // See net/data/ssl/certificates/ocsp-test-root.pem.
 static const SHA1HashValue kOCSPTestCertFingerprint =
   { { 0xf1, 0xad, 0xf6, 0xce, 0x42, 0xac, 0xe7, 0xb4, 0xf4, 0x24,
       0xdb, 0x1a, 0xf7, 0xa0, 0x9f, 0x09, 0xa1, 0xea, 0xf1, 0x5c } };
 
 // This is the SHA256, SPKI hash of the "Testing CA" certificate used by the
 // testserver.
 static const SHA256HashValue kOCSPTestCertSPKI = { {
   0xee, 0xe6, 0x51, 0x2d, 0x4c, 0xfa, 0xf7, 0x3e,
@@ skipping 816 matching lines @@
 
     EXPECT_FALSE(r->is_pending());
     EXPECT_EQ(1, d->response_started_count());
     EXPECT_FALSE(d->received_data_before_response());
     EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size));
   }
 }
 #endif  // !defined(DISABLE_FTP_SUPPORT)
 
 }  // namespace net