| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "build/build_config.h" | 5 #include "build/build_config.h" |
| 6 | 6 |
| 7 #if defined(OS_WIN) | 7 #if defined(OS_WIN) |
| 8 #include <windows.h> | 8 #include <windows.h> |
| 9 #include <shlobj.h> | 9 #include <shlobj.h> |
| 10 #endif | 10 #endif |
| 7073 public: | 7073 public: |
| 7074 TestSSLConfigService(bool ev_enabled, | 7074 TestSSLConfigService(bool ev_enabled, |
| 7075 bool online_rev_checking, | 7075 bool online_rev_checking, |
| 7076 bool rev_checking_required_local_anchors) | 7076 bool rev_checking_required_local_anchors) |
| 7077 : ev_enabled_(ev_enabled), | 7077 : ev_enabled_(ev_enabled), |
| 7078 online_rev_checking_(online_rev_checking), | 7078 online_rev_checking_(online_rev_checking), |
| 7079 rev_checking_required_local_anchors_( | 7079 rev_checking_required_local_anchors_( |
| 7080 rev_checking_required_local_anchors), | 7080 rev_checking_required_local_anchors), |
| 7081 fallback_min_version_(0) {} | 7081 fallback_min_version_(0) {} |
| 7082 | 7082 |
| 7083 void set_min_version(uint16 version) { | |
| 7084 min_version_ = version; | |
| 7085 } | |
| 7086 | |
| 7083 void set_fallback_min_version(uint16 version) { | 7087 void set_fallback_min_version(uint16 version) { |
| 7084 fallback_min_version_ = version; | 7088 fallback_min_version_ = version; |
| 7085 } | 7089 } |
| 7086 | 7090 |
| 7087 // SSLConfigService: | 7091 // SSLConfigService: |
| 7088 void GetSSLConfig(SSLConfig* config) override { | 7092 void GetSSLConfig(SSLConfig* config) override { |
| 7089 *config = SSLConfig(); | 7093 *config = SSLConfig(); |
| 7090 config->rev_checking_enabled = online_rev_checking_; | 7094 config->rev_checking_enabled = online_rev_checking_; |
| 7091 config->verify_ev_cert = ev_enabled_; | 7095 config->verify_ev_cert = ev_enabled_; |
| 7092 config->rev_checking_required_local_anchors = | 7096 config->rev_checking_required_local_anchors = |
| 7093 rev_checking_required_local_anchors_; | 7097 rev_checking_required_local_anchors_; |
| 7094 if (fallback_min_version_) { | 7098 if (fallback_min_version_) { |
| 7095 config->version_fallback_min = fallback_min_version_; | 7099 config->version_fallback_min = fallback_min_version_; |
| 7096 } | 7100 } |
| 7101 if (min_version_) { | |
| 7102 config->version_min = min_version_; | |
| 7103 } | |
| 7097 } | 7104 } |
| 7098 | 7105 |
| 7099 protected: | 7106 protected: |
| 7100 ~TestSSLConfigService() override {} | 7107 ~TestSSLConfigService() override {} |
| 7101 | 7108 |
| 7102 private: | 7109 private: |
| 7103 const bool ev_enabled_; | 7110 const bool ev_enabled_; |
| 7104 const bool online_rev_checking_; | 7111 const bool online_rev_checking_; |
| 7105 const bool rev_checking_required_local_anchors_; | 7112 const bool rev_checking_required_local_anchors_; |
| 7113 uint16 min_version_; | |
| 7106 uint16 fallback_min_version_; | 7114 uint16 fallback_min_version_; |
| 7107 }; | 7115 }; |
| 7108 | 7116 |
| 7109 class FallbackTestURLRequestContext : public TestURLRequestContext { | 7117 class FallbackTestURLRequestContext : public TestURLRequestContext { |
| 7110 public: | 7118 public: |
| 7111 explicit FallbackTestURLRequestContext(bool delay_initialization) | 7119 explicit FallbackTestURLRequestContext(bool delay_initialization) |
| 7112 : TestURLRequestContext(delay_initialization) {} | 7120 : TestURLRequestContext(delay_initialization) {} |
| 7113 | 7121 |
| 7114 void set_fallback_min_version(uint16 version) { | 7122 void set_fallback_min_version(uint16 version) { |
| 7115 TestSSLConfigService *ssl_config_service = | 7123 TestSSLConfigService *ssl_config_service = |
| 7116 new TestSSLConfigService(true /* check for EV */, | 7124 new TestSSLConfigService(true /* check for EV */, |
| 7117 false /* online revocation checking */, | 7125 false /* online revocation checking */, |
| 7118 false /* require rev. checking for local | 7126 false /* require rev. checking for local |
| 7119 anchors */); | 7127 anchors */); |
| 7128 ssl_config_service->set_min_version(SSL_PROTOCOL_VERSION_SSL3); | |
| 7120 ssl_config_service->set_fallback_min_version(version); | 7129 ssl_config_service->set_fallback_min_version(version); |
| 7121 set_ssl_config_service(ssl_config_service); | 7130 set_ssl_config_service(ssl_config_service); |
| 7122 } | 7131 } |
| 7123 }; | 7132 }; |
| 7124 | 7133 |
| 7125 class HTTPSFallbackTest : public testing::Test { | 7134 class HTTPSFallbackTest : public testing::Test { |
| 7126 public: | 7135 public: |
| 7127 HTTPSFallbackTest() : context_(true) {} | 7136 HTTPSFallbackTest() : context_(true) {} |
| 7128 ~HTTPSFallbackTest() override {} | 7137 ~HTTPSFallbackTest() override {} |
| 7129 | 7138 |
| 7245 } | 7254 } |
| 7246 | 7255 |
| 7247 // Tests that the SSLv3 fallback doesn't happen by default. | 7256 // Tests that the SSLv3 fallback doesn't happen by default. |
| 7248 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { | 7257 TEST_F(HTTPSFallbackTest, SSLv3Fallback) { |
| 7249 SpawnedTestServer::SSLOptions ssl_options( | 7258 SpawnedTestServer::SSLOptions ssl_options( |
| 7250 SpawnedTestServer::SSLOptions::CERT_OK); | 7259 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7251 ssl_options.tls_intolerant = | 7260 ssl_options.tls_intolerant = |
| 7252 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7261 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7253 | 7262 |
| 7254 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); | 7263 ASSERT_NO_FATAL_FAILURE(DoFallbackTest(ssl_options)); |
| 7255 ExpectFailure(ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION); | 7264 ExpectFailure(ERR_SSL_VERSION_OR_CIPHER_MISMATCH); |
| 7256 } | 7265 } |
| 7257 | 7266 |
| 7258 // Tests that the SSLv3 fallback works when explicitly enabled. | 7267 // Tests that the SSLv3 fallback works when explicitly enabled. |
| 7259 TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { | 7268 TEST_F(HTTPSFallbackTest, SSLv3FallbackEnabled) { |
| 7260 SpawnedTestServer::SSLOptions ssl_options( | 7269 SpawnedTestServer::SSLOptions ssl_options( |
| 7261 SpawnedTestServer::SSLOptions::CERT_OK); | 7270 SpawnedTestServer::SSLOptions::CERT_OK); |
| 7262 ssl_options.tls_intolerant = | 7271 ssl_options.tls_intolerant = |
| 7263 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; | 7272 SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL; |
| 7264 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); | 7273 set_fallback_min_version(SSL_PROTOCOL_VERSION_SSL3); |
| 7265 | 7274 |
| 7300 | 7309 |
| 7301 SSLClientSocket::ClearSessionCache(); | 7310 SSLClientSocket::ClearSessionCache(); |
| 7302 | 7311 |
| 7303 // Make a connection that does a probe fallback to SSLv3 but fails because | 7312 // Make a connection that does a probe fallback to SSLv3 but fails because |
| 7304 // SSLv3 fallback is disabled. We don't wish a session for this connection to | 7313 // SSLv3 fallback is disabled. We don't wish a session for this connection to |
| 7305 // be inserted locally. | 7314 // be inserted locally. |
| 7306 { | 7315 { |
| 7307 TestDelegate delegate; | 7316 TestDelegate delegate; |
| 7308 FallbackTestURLRequestContext context(true); | 7317 FallbackTestURLRequestContext context(true); |
| 7309 | 7318 |
| 7319 context.set_fallback_min_version(SSL_PROTOCOL_VERSION_TLS1); | |
|
davidben
2014/10/29 00:32:05
To make sure I'm not missing something, this is ju
agl
2014/10/29 01:01:18
This triggers a TestSSLConfigService which sets th
davidben
2014/10/29 19:19:33
Acknowledged.
| |
| 7310 context.Init(); | 7320 context.Init(); |
| 7311 scoped_ptr<URLRequest> request(context.CreateRequest( | 7321 scoped_ptr<URLRequest> request(context.CreateRequest( |
| 7312 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate, NULL)); | 7322 test_server.GetURL(std::string()), DEFAULT_PRIORITY, &delegate, NULL)); |
| 7313 request->Start(); | 7323 request->Start(); |
| 7314 | 7324 |
| 7315 base::RunLoop().Run(); | 7325 base::RunLoop().Run(); |
| 7316 | 7326 |
| 7317 EXPECT_EQ(1, delegate.response_started_count()); | 7327 EXPECT_EQ(1, delegate.response_started_count()); |
| 7318 EXPECT_FALSE(request->status().is_success()); | 7328 EXPECT_FALSE(request->status().is_success()); |
| 7319 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); | 7329 EXPECT_EQ(URLRequestStatus::FAILED, request->status().status()); |
| 8276 | 8286 |
| 8277 EXPECT_FALSE(r->is_pending()); | 8287 EXPECT_FALSE(r->is_pending()); |
| 8278 EXPECT_EQ(1, d->response_started_count()); | 8288 EXPECT_EQ(1, d->response_started_count()); |
| 8279 EXPECT_FALSE(d->received_data_before_response()); | 8289 EXPECT_FALSE(d->received_data_before_response()); |
| 8280 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); | 8290 EXPECT_EQ(d->bytes_received(), static_cast<int>(file_size)); |
| 8281 } | 8291 } |
| 8282 } | 8292 } |
| 8283 #endif // !defined(DISABLE_FTP_SUPPORT) | 8293 #endif // !defined(DISABLE_FTP_SUPPORT) |
| 8284 | 8294 |
| 8285 } // namespace net | 8295 } // namespace net |
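Review bot: The new `min_version_` member of `TestSSLConfigService` is never initialized: the constructor's initializer list (new lines 7077-7081) still ends at `fallback_min_version_(0)`, while `GetSSLConfig` now tests `if (min_version_)`. Any instance built without a call to `set_min_version` therefore reads an indeterminate `uint16` and may copy it into `config->version_min`, so the minimum protocol version those tests negotiate with is undefined and can differ between runs. Add `min_version_(0),` ahead of `fallback_min_version_(0)` in the initializer list, matching the declaration order. Separately, `FallbackTestURLRequestContext::set_fallback_min_version` now also lowers `version_min` to `SSL_PROTOCOL_VERSION_SSL3`, which its name does not suggest; a comment on that line such as `// Presumably needed so the socket layer permits SSLv3 and only the fallback floor is under test.` would make the side effect visible.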