Chromium Code Reviews| Index: net/url_request/url_request_unittest.cc |
| diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc |
| index 11c8f571017c40318065fb5732dcc548aef8f52c..a77dac70d01d0bf64cdd307d78d1dd9806f88558 100644 |
| --- a/net/url_request/url_request_unittest.cc |
| +++ b/net/url_request/url_request_unittest.cc |
| @@ -7068,17 +7068,70 @@ TEST_F(HTTPSRequestTest, DISABLED_DisableECDSAOnXP) { |
| #endif // OS_WIN |
| -class HTTPSFallbackTest : public testing::Test { |
| +class TestSSLConfigService : public SSLConfigService { |
| public: |
| - HTTPSFallbackTest() : context_(true) { |
| - context_.Init(); |
| - delegate_.set_allow_certificate_errors(true); |
| + TestSSLConfigService(bool ev_enabled, |
| + bool online_rev_checking, |
| + bool rev_checking_required_local_anchors) |
| + : ev_enabled_(ev_enabled), |
| + online_rev_checking_(online_rev_checking), |
| + rev_checking_required_local_anchors_( |
| + rev_checking_required_local_anchors), |
| + fallback_min_version_(0) {} |
| + |
| + void set_fallback_min_version(uint16 version) { |
| + fallback_min_version_ = version; |
| + } |
| + |
| + // SSLConfigService: |
| + virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { |
| + *config = SSLConfig(); |
| + config->rev_checking_enabled = online_rev_checking_; |
| + config->verify_ev_cert = ev_enabled_; |
| + config->rev_checking_required_local_anchors = |
| + rev_checking_required_local_anchors_; |
| + if (fallback_min_version_) { |
| + config->version_fallback_min = fallback_min_version_; |
| + } |
|
Ryan Sleevi
2014/10/01 21:25:05
nit: no braces
|
| } |
| + |
| + protected: |
| + virtual ~TestSSLConfigService() {} |
| + |
| + private: |
| + const bool ev_enabled_; |
| + const bool online_rev_checking_; |
| + const bool rev_checking_required_local_anchors_; |
| + uint16 fallback_min_version_; |
| +}; |
| + |
| +class FallbackTestURLRequestContext : public TestURLRequestContext { |
| + public: |
| + explicit FallbackTestURLRequestContext(bool delay_initialization) |
| + : TestURLRequestContext(delay_initialization) {} |
| + |
| + void set_fallback_min_version(uint16 version) { |
| + TestSSLConfigService *ssl_config_service = |
| + new TestSSLConfigService(true /* check for EV */, |
| + false /* online revocation checking */, |
| + false /* require rev. checking for local |
| + anchors */); |
| + ssl_config_service->set_fallback_min_version(version); |
| + set_ssl_config_service(ssl_config_service); |
| + } |
| +}; |
| + |
| +class HTTPSFallbackTest : public testing::Test { |
| + public: |
| + HTTPSFallbackTest() : context_(true) {} |
| virtual ~HTTPSFallbackTest() {} |
| protected: |
| void DoFallbackTest(const SpawnedTestServer::SSLOptions& ssl_options) { |
| DCHECK(!request_); |
| + context_.Init(); |
| + delegate_.set_allow_certificate_errors(true); |
| + |
| SpawnedTestServer test_server( |
| SpawnedTestServer::TYPE_HTTPS, |
| ssl_options, |
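Review bot: `FallbackTestURLRequestContext::set_fallback_min_version` does more than its name says. It replaces the context's whole SSL config service with a new `TestSSLConfigService` that hard-codes EV checking on and both revocation options off, so every fallback test that calls it also runs under those settings. A comment on the setter would make that side effect visible, e.g. `// Replaces the SSLConfigService: EV on, revocation checking off.` In `TestSSLConfigService`, the `0` in `fallback_min_version_(0)` acts as a sentinel that `GetSSLConfig` treats as "keep the SSLConfig default", which deserves a comment on the member such as `// 0 keeps SSLConfig's default version_fallback_min.` DoFallbackTest's body continues outside the hunk.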
| @@ -7092,6 +7145,10 @@ class HTTPSFallbackTest : public testing::Test { |
| base::RunLoop().Run(); |
| } |
| + void set_fallback_min_version(uint16 version) { |
| + context_.set_fallback_min_version(version); |
| + } |
| + |
| void ExpectConnection(int version) { |
| EXPECT_EQ(1, delegate_.response_started_count()); |
| EXPECT_NE(0, delegate_.bytes_received()); |
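Review bot: The new fixture setter `set_fallback_min_version` only affects the request if it runs before `DoFallbackTest`, because this commit moves `context_.Init()` out of the constructor and into `DoFallbackTest`. Nothing enforces or documents that order. A test that sets the version afterwards would presumably exercise the default minimum and could pass or fail for the wrong reason. Consider making `DCHECK(!request_);` the first line of the setter and adding a comment like `// Must be called before DoFallbackTest(), which initializes context_.` ExpectConnection's body continues outside the hunk.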
| @@ -7110,7 +7167,7 @@ class HTTPSFallbackTest : public testing::Test { |
| private: |
| TestDelegate delegate_; |
| - TestURLRequestContext context_; |
| + FallbackTestURLRequestContext context_; |
| scoped_ptr<URLRequest> request_; |
| }; |
| @@ -7186,7 +7243,7 @@ TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) { |
| ExpectFailure(ERR_CONNECTION_CLOSED); |
| } |
| -// Tests that the SSLv3 fallback triggers on alert. |
| +// Tests that the SSLv3 fallback doesn't happen by default. |
| TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| SpawnedTestServer::SSLOptions ssl_options( |
| SpawnedTestServer::SSLOptions::CERT_OK); |
| @@ -7194,10 +7251,23 @@ TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| + ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); |
| +} |
| + |
| +// Tests that the SSLv3 fallback works when explicitly enabled. |
| +TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { |
| + SpawnedTestServer::SSLOptions ssl_options( |
| + SpawnedTestServer::SSLOptions::CERT_OK); |
| + ssl_options.tls_intolerant = |
| + SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| + set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); |
| + |
| + ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
| } |
| -// Tests that the SSLv3 fallback triggers on closed connections. |
| +// Tests that the SSLv3 fallback triggers on closed connections when explicitly |
| +// enabled. |
| TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| SpawnedTestServer::SSLOptions ssl_options( |
| SpawnedTestServer::SSLOptions::CERT_OK); |
| @@ -7205,6 +7275,7 @@ TEST_F(HTTPSFallbackTest, SSLv3FallbackClosed) { |
| SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| ssl_options.tls_intolerance_type = |
| SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE; |
| + set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); |
| ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| ExpectConnection(SSL_CONNECTION_VERSION_SSL3); |
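Review bot: The default-off behaviour is covered only for the alert path. `SSLv3Fallback` now expects `ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION`, but the `TLS_INTOLERANCE_CLOSE` path is tested only with the fallback explicitly enabled in this test. A regression that let a closed connection fall back to SSLv3 by default would go unnoticed, so a companion test without the `set_fallback_min_version` call is worth adding. The expected error in the sketch below is assumed to match the alert case and should be confirmed. SSLv3FallbackClosed's closing brace lies outside the hunk.

```cpp
// Tests that the SSLv3 fallback doesn't happen on closed connections by
// default.
TEST_F(HTTPSFallbackTest, SSLv3FallbackClosedDisabled) {
  SpawnedTestServer::SSLOptions ssl_options(
      SpawnedTestServer::SSLOptions::CERT_OK);
  ssl_options.tls_intolerant =
      SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
  ssl_options.tls_intolerance_type =
      SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;

  ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options));
  // Assumed to match the alert case; confirm the actual error.
  ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION);
}
```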
| @@ -7321,34 +7392,6 @@ TEST_F(HTTPSSessionTest, DontResumeSessionsForInvalidCertificates) { |
| } |
| } |
| -class TestSSLConfigService : public SSLConfigService { |
| - public: |
| - TestSSLConfigService(bool ev_enabled, |
| - bool online_rev_checking, |
| - bool rev_checking_required_local_anchors) |
| - : ev_enabled_(ev_enabled), |
| - online_rev_checking_(online_rev_checking), |
| - rev_checking_required_local_anchors_( |
| - rev_checking_required_local_anchors) {} |
| - |
| - // SSLConfigService: |
| - virtual void GetSSLConfig(SSLConfig* config) OVERRIDE { |
| - *config = SSLConfig(); |
| - config->rev_checking_enabled = online_rev_checking_; |
| - config->verify_ev_cert = ev_enabled_; |
| - config->rev_checking_required_local_anchors = |
| - rev_checking_required_local_anchors_; |
| - } |
| - |
| - protected: |
| - virtual ~TestSSLConfigService() {} |
| - |
| - private: |
| - const bool ev_enabled_; |
| - const bool online_rev_checking_; |
| - const bool rev_checking_required_local_anchors_; |
| -}; |
| - |
| // This the fingerprint of the "Testing CA" certificate used by the testserver. |
| // See net/data/ssl/certificates/ocsp-test-root.pem. |
| static const SHA1HashValue kOCSPTestCertFingerprint = |