Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(71)

Side by Side Diff: net/http/http_network_transaction_ssl_unittest.cc

Issue 14125003: Do not roll back to SSL 3.0 for Google properties. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Cleanup. Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/http/http_network_transaction_spdy3_unittest.cc ('k') | net/net.gyp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <string>
6
7 #include "base/memory/ref_counted.h"
8 #include "base/memory/scoped_ptr.h"
9 #include "net/base/net_util.h"
10 #include "net/base/request_priority.h"
11 #include "net/dns/mock_host_resolver.h"
12 #include "net/http/http_auth_handler_mock.h"
13 #include "net/http/http_network_session.h"
14 #include "net/http/http_network_transaction.h"
15 #include "net/http/http_request_info.h"
16 #include "net/http/http_server_properties_impl.h"
17 #include "net/http/transport_security_state.h"
18 #include "net/proxy/proxy_service.h"
19 #include "net/socket/socket_test_util.h"
20 #include "testing/gtest/include/gtest/gtest.h"
21
22 namespace net {
23
24 namespace {
25
26 class TLS10SSLConfigService : public SSLConfigService {
27 public:
28 TLS10SSLConfigService() {
29 ssl_config_.version_min = SSL_PROTOCOL_VERSION_SSL3;
30 ssl_config_.version_max = SSL_PROTOCOL_VERSION_TLS1;
31 }
32
33 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE {
34 *config = ssl_config_;
35 }
36
37 private:
38 virtual ~TLS10SSLConfigService() {}
39
40 SSLConfig ssl_config_;
41 };
42
43 class TLS11SSLConfigService : public SSLConfigService {
44 public:
45 TLS11SSLConfigService() {
46 ssl_config_.version_min = SSL_PROTOCOL_VERSION_SSL3;
47 ssl_config_.version_max = SSL_PROTOCOL_VERSION_TLS1_1;
48 }
49
50 virtual void GetSSLConfig(SSLConfig* config) OVERRIDE {
51 *config = ssl_config_;
52 }
53
54 private:
55 virtual ~TLS11SSLConfigService() {}
56
57 SSLConfig ssl_config_;
58 };
59
60 } // namespace
61
62 class HttpNetworkTransactionSSLTest : public testing::Test {
63 protected:
64 virtual void SetUp() {
65 ssl_config_service_ = new TLS10SSLConfigService;
66 session_params_.ssl_config_service = ssl_config_service_.get();
67
68 auth_handler_factory_.reset(new HttpAuthHandlerMock::Factory());
69 session_params_.http_auth_handler_factory = auth_handler_factory_.get();
70
71 proxy_service_.reset(ProxyService::CreateDirect());
72 session_params_.proxy_service = proxy_service_.get();
73
74 session_params_.client_socket_factory = &mock_socket_factory_;
75 session_params_.host_resolver = &mock_resolver_;
76 session_params_.http_server_properties = &http_server_properties_;
77 session_params_.transport_security_state = &transport_security_state_;
78 }
79
80 HttpRequestInfo* GetRequestInfo(std::string url) {
81 HttpRequestInfo* request_info = new HttpRequestInfo;
82 request_info->url = GURL(url);
83 request_info->method = "GET";
84 return request_info;
85 }
86
87 SSLConfig& GetServerSSLConfig(HttpNetworkTransaction* trans) {
88 return trans->server_ssl_config_;
89 }
90
91 scoped_refptr<SSLConfigService> ssl_config_service_;
92 scoped_ptr<HttpAuthHandlerMock::Factory> auth_handler_factory_;
93 scoped_ptr<ProxyService> proxy_service_;
94
95 MockClientSocketFactory mock_socket_factory_;
96 MockHostResolver mock_resolver_;
97 HttpServerPropertiesImpl http_server_properties_;
98 TransportSecurityState transport_security_state_;
99 HttpNetworkSession::Params session_params_;
100 };
101
102 // Tests that HttpNetworkTransaction does not attempt to
103 // fallback to SSL 3.0 when a TLS 1.0 handshake fails and:
104 // * the site is pinned to the Google pin list (indicating that
105 // it is a Google site);
106 // * unrestricted SSL 3.0 fallback is disabled.
107 TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Google) {
108 // |ssl_data1| is for the first handshake (TLS 1.0), which will fail for
109 // protocol reasons (e.g., simulating a version rollback attack).
110 // Because unrestricted SSL 3.0 fallback is disabled, only this simulated
111 // SSL handshake is consumed.
112 SSLSocketDataProvider ssl_data1(ASYNC, ERR_SSL_PROTOCOL_ERROR);
113 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data1);
114 StaticSocketDataProvider data1(NULL, 0, NULL, 0);
115 mock_socket_factory_.AddSocketDataProvider(&data1);
116
117 // This extra handshake, which should be unconsumed, is provided to ensure
118 // that even if the behaviour being tested here ever breaks (and Google
119 // properties begin SSL 3.0 fallbacks), this test will not crash (and bring
120 // down all of net_unittests), but it will fail gracefully.
121 SSLSocketDataProvider ssl_data2(ASYNC, ERR_SSL_PROTOCOL_ERROR);
122 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
123 StaticSocketDataProvider data2(NULL, 0, NULL, 0);
124 mock_socket_factory_.AddSocketDataProvider(&data2);
125
126 scoped_refptr<HttpNetworkSession> session(
127 new HttpNetworkSession(session_params_));
128 scoped_ptr<HttpNetworkTransaction> trans(
129 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));
130
131 TestCompletionCallback callback;
132 // This will consume only |ssl_data1|. |ssl_data2| will not be consumed.
133 int rv = callback.GetResult(
134 trans->Start(GetRequestInfo("https://www.google.com/"),
135 callback.callback(), BoundNetLog()));
136 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
137
138 SocketDataProviderArray<SocketDataProvider>& mock_data =
139 mock_socket_factory_.mock_data();
140 // Confirms that only |ssl_data1| is consumed.
141 EXPECT_EQ(1u, mock_data.next_index());
142
143 SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
144 // |version_max| never fallbacks to SSLv3 for Google properties.
145 EXPECT_EQ(SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_max);
146 EXPECT_FALSE(ssl_config.version_fallback);
147 }
148
149 // Tests that HttpNetworkTransaction attempts to fallback to SSL 3.0
150 // when a TLS 1.0 handshake fails and:
151 // * the site is pinned to the Google pin list (indicating that
152 // it is a Google site);
153 // * unrestricted SSL 3.0 fallback is enabled.
154 TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackEnabled_Google) {
155 // |ssl_data1| is for the first handshake (TLS 1.0), which will fail
156 // for protocol reasons (e.g., simulating a version rollback attack).
157 SSLSocketDataProvider ssl_data1(ASYNC, ERR_SSL_PROTOCOL_ERROR);
158 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data1);
159 StaticSocketDataProvider data1(NULL, 0, NULL, 0);
160 mock_socket_factory_.AddSocketDataProvider(&data1);
161
162 // |ssl_data2| contains the handshake result for a SSL 3.0
163 // handshake which will be attempted after the TLS 1.0
164 // handshake fails.
165 SSLSocketDataProvider ssl_data2(ASYNC, ERR_SSL_PROTOCOL_ERROR);
166 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
167 StaticSocketDataProvider data2(NULL, 0, NULL, 0);
168 mock_socket_factory_.AddSocketDataProvider(&data2);
169
170 scoped_refptr<HttpNetworkSession> session(
171 new HttpNetworkSession(session_params_));
172 scoped_ptr<HttpNetworkTransaction> trans(
173 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));
174
175 SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
176 ssl_config.unrestricted_ssl3_fallback_enabled = true;
177
178 TestCompletionCallback callback;
179 // This will consume |ssl_data1| and |ssl_data2|.
180 int rv = callback.GetResult(
181 trans->Start(GetRequestInfo("https://www.google.com/"),
182 callback.callback(), BoundNetLog()));
183 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
184
185 SocketDataProviderArray<SocketDataProvider>& mock_data =
186 mock_socket_factory_.mock_data();
187 // Confirms that both |ssl_data1| and |ssl_data2| are consumed.
188 EXPECT_EQ(2u, mock_data.next_index());
189
190 // |version_max| fallbacks to SSL 3.0 for Google properties when
191 // |unrestricted_ssl3_fallback_enabled| is true.
192 EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max);
193 EXPECT_TRUE(ssl_config.version_fallback);
194 }
195
196 // Tests that HttpNetworkTransaction attempts to fallback to SSL 3.0
197 // when a TLS 1.0 handshake fails and the site is not a Google domain,
198 // even if unrestricted SSL 3.0 fallback is disabled.
199 // TODO(thaidn): revise the above comment and this test when the
200 // SSL 3.0 fallback experiment is applied for non-Google domains.
201 TEST_F(HttpNetworkTransactionSSLTest, SSL3FallbackDisabled_Paypal) {
202 // |ssl_data1| is for the first handshake (TLS 1.0), which will fail
203 // for protocol reasons (e.g., simulating a version rollback attack).
204 SSLSocketDataProvider ssl_data1(ASYNC, ERR_SSL_PROTOCOL_ERROR);
205 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data1);
206 StaticSocketDataProvider data1(NULL, 0, NULL, 0);
207 mock_socket_factory_.AddSocketDataProvider(&data1);
208
209 // |ssl_data2| contains the handshake result for a SSL 3.0
210 // handshake which will be attempted after the TLS 1.0
211 // handshake fails.
212 SSLSocketDataProvider ssl_data2(ASYNC, ERR_SSL_PROTOCOL_ERROR);
213 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
214 StaticSocketDataProvider data2(NULL, 0, NULL, 0);
215 mock_socket_factory_.AddSocketDataProvider(&data2);
216
217 scoped_refptr<HttpNetworkSession> session(
218 new HttpNetworkSession(session_params_));
219 scoped_ptr<HttpNetworkTransaction> trans(
220 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));
221
222 TestCompletionCallback callback;
223 // This will consume |ssl_data1| and |ssl_data2|.
224 int rv = callback.GetResult(
225 trans->Start(GetRequestInfo("https://www.paypal.com/"),
226 callback.callback(), BoundNetLog()));
227 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
228
229 SocketDataProviderArray<SocketDataProvider>& mock_data =
230 mock_socket_factory_.mock_data();
231 // Confirms that both |ssl_data1| and |ssl_data2| are consumed.
232 EXPECT_EQ(2u, mock_data.next_index());
233
234 SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
235 // |version_max| fallbacks to SSL 3.0.
236 EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max);
237 EXPECT_TRUE(ssl_config.version_fallback);
238 }
239
240 // Tests that HttpNetworkTransaction attempts to fallback from
241 // TLS 1.1 to TLS 1.0, then from TLS 1.0 to SSL 3.0.
242 TEST_F(HttpNetworkTransactionSSLTest, SSLFallback) {
243 ssl_config_service_ = new TLS11SSLConfigService;
244 session_params_.ssl_config_service = ssl_config_service_.get();
245 // |ssl_data1| is for the first handshake (TLS 1.1), which will fail
246 // for protocol reasons (e.g., simulating a version rollback attack).
247 SSLSocketDataProvider ssl_data1(ASYNC, ERR_SSL_PROTOCOL_ERROR);
248 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data1);
249 StaticSocketDataProvider data1(NULL, 0, NULL, 0);
250 mock_socket_factory_.AddSocketDataProvider(&data1);
251
252 // |ssl_data2| contains the handshake result for a TLS 1.0
253 // handshake which will be attempted after the TLS 1.1
254 // handshake fails.
255 SSLSocketDataProvider ssl_data2(ASYNC, ERR_SSL_PROTOCOL_ERROR);
256 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
257 StaticSocketDataProvider data2(NULL, 0, NULL, 0);
258 mock_socket_factory_.AddSocketDataProvider(&data2);
259
260 // |ssl_data3| contains the handshake result for a SSL 3.0
261 // handshake which will be attempted after the TLS 1.0
262 // handshake fails.
263 SSLSocketDataProvider ssl_data3(ASYNC, ERR_SSL_PROTOCOL_ERROR);
264 mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data3);
265 StaticSocketDataProvider data3(NULL, 0, NULL, 0);
266 mock_socket_factory_.AddSocketDataProvider(&data3);
267
268 scoped_refptr<HttpNetworkSession> session(
269 new HttpNetworkSession(session_params_));
270 scoped_ptr<HttpNetworkTransaction> trans(
271 new HttpNetworkTransaction(DEFAULT_PRIORITY, session));
272
273 TestCompletionCallback callback;
274 // This will consume |ssl_data1|, |ssl_data2| and |ssl_data3|.
275 int rv = callback.GetResult(
276 trans->Start(GetRequestInfo("https://www.paypal.com/"),
277 callback.callback(), BoundNetLog()));
278 EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
279
280 SocketDataProviderArray<SocketDataProvider>& mock_data =
281 mock_socket_factory_.mock_data();
282 // Confirms that |ssl_data1|, |ssl_data2| and |ssl_data3| are consumed.
283 EXPECT_EQ(3u, mock_data.next_index());
284
285 SSLConfig& ssl_config = GetServerSSLConfig(trans.get());
286 // |version_max| fallbacks to SSL 3.0.
287 EXPECT_EQ(SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max);
288 EXPECT_TRUE(ssl_config.version_fallback);
289 }
290
291 } // namespace net
292
OLDNEW
« no previous file with comments | « net/http/http_network_transaction_spdy3_unittest.cc ('k') | net/net.gyp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698