| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/socket/ssl_client_socket.h" | 5 #include "net/socket/ssl_client_socket.h" |
| 6 | 6 |
| 7 #include <errno.h> | 7 #include <errno.h> |
| 8 #include <string.h> | 8 #include <string.h> |
| 9 | 9 |
| 10 #include <algorithm> | 10 #include <algorithm> |
| (...skipping 787 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 798 base::Time delete_begin, | 798 base::Time delete_begin, |
| 799 base::Time delete_end, | 799 base::Time delete_end, |
| 800 const base::Closure& completion_callback) override {} | 800 const base::Closure& completion_callback) override {} |
| 801 void DeleteAll(const base::Closure& completion_callback) override {} | 801 void DeleteAll(const base::Closure& completion_callback) override {} |
| 802 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {} | 802 void GetAllChannelIDs(const GetChannelIDListCallback& callback) override {} |
| 803 int GetChannelIDCount() override { return 0; } | 803 int GetChannelIDCount() override { return 0; } |
| 804 void SetForceKeepSessionState() override {} | 804 void SetForceKeepSessionState() override {} |
| 805 bool IsEphemeral() override { return true; } | 805 bool IsEphemeral() override { return true; } |
| 806 }; | 806 }; |
| 807 | 807 |
| 808 // A mock ExpectCTReporter that remembers the latest violation that was |
| 809 // reported and the number of violations reported. |
| 810 class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter { |
| 811 public: |
| 812 MockExpectCTReporter() : num_failures_(0) {} |
| 813 ~MockExpectCTReporter() override {} |
| 814 |
| 815 void OnExpectCTFailed(const HostPortPair& host_port_pair, |
| 816 const GURL& report_uri, |
| 817 const X509Certificate* validated_certificate_chain, |
| 818 const X509Certificate* served_certificate_chain, |
| 819 const SignedCertificateTimestampAndStatusList& |
| 820 signed_certificate_timestamps) override { |
| 821 num_failures_++; |
| 822 host_port_pair_ = host_port_pair; |
| 823 report_uri_ = report_uri; |
| 824 served_certificate_chain_ = served_certificate_chain; |
| 825 validated_certificate_chain_ = validated_certificate_chain; |
| 826 signed_certificate_timestamps_ = signed_certificate_timestamps; |
| 827 } |
| 828 |
| 829 const HostPortPair& host_port_pair() { return host_port_pair_; } |
| 830 const GURL& report_uri() { return report_uri_; } |
| 831 uint32_t num_failures() { return num_failures_; } |
| 832 const X509Certificate* served_certificate_chain() { |
| 833 return served_certificate_chain_; |
| 834 } |
| 835 const X509Certificate* validated_certificate_chain() { |
| 836 return validated_certificate_chain_; |
| 837 } |
| 838 const SignedCertificateTimestampAndStatusList& |
| 839 signed_certificate_timestamps() { |
| 840 return signed_certificate_timestamps_; |
| 841 } |
| 842 |
| 843 private: |
| 844 HostPortPair host_port_pair_; |
| 845 GURL report_uri_; |
| 846 uint32_t num_failures_; |
| 847 const X509Certificate* served_certificate_chain_; |
| 848 const X509Certificate* validated_certificate_chain_; |
| 849 SignedCertificateTimestampAndStatusList signed_certificate_timestamps_; |
| 850 }; |
| 851 |
| 808 // A mock CTVerifier that records every call to Verify but doesn't verify | 852 // A mock CTVerifier that records every call to Verify but doesn't verify |
| 809 // anything. | 853 // anything. |
| 810 class MockCTVerifier : public CTVerifier { | 854 class MockCTVerifier : public CTVerifier { |
| 811 public: | 855 public: |
| 812 MOCK_METHOD5(Verify, | 856 MOCK_METHOD5(Verify, |
| 813 void(X509Certificate*, | 857 void(X509Certificate*, |
| 814 base::StringPiece, | 858 base::StringPiece, |
| 815 base::StringPiece, | 859 base::StringPiece, |
| 816 SignedCertificateTimestampAndStatusList*, | 860 SignedCertificateTimestampAndStatusList*, |
| 817 const NetLogWithSource&)); | 861 const NetLogWithSource&)); |
| (...skipping 2653 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3471 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); | 3515 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3472 SSLInfo ssl_info; | 3516 SSLInfo ssl_info; |
| 3473 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); | 3517 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3474 | 3518 |
| 3475 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); | 3519 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); |
| 3476 EXPECT_TRUE(ssl_info.cert_status & | 3520 EXPECT_TRUE(ssl_info.cert_status & |
| 3477 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); | 3521 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
| 3478 EXPECT_TRUE(sock_->IsConnected()); | 3522 EXPECT_TRUE(sock_->IsConnected()); |
| 3479 } | 3523 } |
| 3480 | 3524 |
| 3525 // Test that when CT is required (in this case, by an Expect-CT opt-in), the |
| 3526 // absence of CT information is a socket error. |
| 3527 TEST_F(SSLClientSocketTest, CTIsRequiredByExpectCT) { |
| 3528 base::test::ScopedFeatureList feature_list; |
| 3529 feature_list.InitAndEnableFeature( |
| 3530 TransportSecurityState::kDynamicExpectCTFeature); |
| 3531 |
| 3532 SpawnedTestServer::SSLOptions ssl_options; |
| 3533 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 3534 scoped_refptr<X509Certificate> server_cert = |
| 3535 spawned_test_server()->GetCertificate(); |
| 3536 |
| 3537 // Certificate is trusted and chains to a public root. |
| 3538 CertVerifyResult verify_result; |
| 3539 verify_result.is_issued_by_known_root = true; |
| 3540 verify_result.verified_cert = server_cert; |
| 3541 verify_result.public_key_hashes = MakeHashValueVector(0); |
| 3542 cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK); |
| 3543 |
| 3544 // Set up the Expect-CT opt-in. |
| 3545 const base::Time current_time(base::Time::Now()); |
| 3546 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 3547 transport_security_state_->AddExpectCT( |
| 3548 spawned_test_server()->host_port_pair().host(), expiry, |
| 3549 true /* enforce */, GURL("https://example-report.test")); |
| 3550 MockExpectCTReporter reporter; |
| 3551 transport_security_state_->SetExpectCTReporter(&reporter); |
| 3552 |
| 3553 EXPECT_CALL(*ct_policy_enforcer_, |
| 3554 DoesConformToCertPolicy(server_cert.get(), _, _)) |
| 3555 .WillRepeatedly( |
| 3556 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS)); |
| 3557 |
| 3558 SSLConfig ssl_config; |
| 3559 int rv; |
| 3560 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3561 SSLInfo ssl_info; |
| 3562 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3563 |
| 3564 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); |
| 3565 EXPECT_TRUE(ssl_info.cert_status & |
| 3566 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
| 3567 EXPECT_TRUE(sock_->IsConnected()); |
| 3568 |
| 3569 EXPECT_EQ(1u, reporter.num_failures()); |
| 3570 EXPECT_EQ(GURL("https://example-report.test"), reporter.report_uri()); |
| 3571 EXPECT_EQ(ssl_info.unverified_cert.get(), |
| 3572 reporter.served_certificate_chain()); |
| 3573 EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain()); |
| 3574 EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size()); |
| 3575 |
| 3576 EXPECT_CALL(*ct_policy_enforcer_, |
| 3577 DoesConformToCertPolicy(server_cert.get(), _, _)) |
| 3578 .WillRepeatedly( |
| 3579 Return(ct::CertPolicyCompliance::CERT_POLICY_NOT_DIVERSE_SCTS)); |
| 3580 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3581 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3582 |
| 3583 EXPECT_THAT(rv, IsError(ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)); |
| 3584 EXPECT_TRUE(ssl_info.cert_status & |
| 3585 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
| 3586 EXPECT_TRUE(sock_->IsConnected()); |
| 3587 |
| 3588 EXPECT_EQ(2u, reporter.num_failures()); |
| 3589 EXPECT_EQ(GURL("https://example-report.test"), reporter.report_uri()); |
| 3590 EXPECT_EQ(ssl_info.unverified_cert.get(), |
| 3591 reporter.served_certificate_chain()); |
| 3592 EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain()); |
| 3593 EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size()); |
| 3594 |
| 3595 // If the connection is CT compliant, then there should be no socket error nor |
| 3596 // a report. |
| 3597 EXPECT_CALL(*ct_policy_enforcer_, |
| 3598 DoesConformToCertPolicy(server_cert.get(), _, _)) |
| 3599 .WillRepeatedly( |
| 3600 Return(ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS)); |
| 3601 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3602 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3603 |
| 3604 EXPECT_EQ(net::OK, rv); |
| 3605 EXPECT_FALSE(ssl_info.cert_status & |
| 3606 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
| 3607 EXPECT_TRUE(sock_->IsConnected()); |
| 3608 EXPECT_EQ(2u, reporter.num_failures()); |
| 3609 |
| 3610 EXPECT_CALL(*ct_policy_enforcer_, |
| 3611 DoesConformToCertPolicy(server_cert.get(), _, _)) |
| 3612 .WillRepeatedly( |
| 3613 Return(ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY)); |
| 3614 ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv)); |
| 3615 ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info)); |
| 3616 |
| 3617 EXPECT_EQ(net::OK, rv); |
| 3618 EXPECT_FALSE(ssl_info.cert_status & |
| 3619 CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED); |
| 3620 EXPECT_TRUE(sock_->IsConnected()); |
| 3621 EXPECT_EQ(2u, reporter.num_failures()); |
| 3622 } |
| 3623 |
| 3481 // When both HPKP and CT are required for a host, and both fail, the more | 3624 // When both HPKP and CT are required for a host, and both fail, the more |
| 3482 // serious error is that the HPKP pin validation failed. | 3625 // serious error is that the HPKP pin validation failed. |
| 3483 TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) { | 3626 TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) { |
| 3484 SpawnedTestServer::SSLOptions ssl_options; | 3627 SpawnedTestServer::SSLOptions ssl_options; |
| 3485 ASSERT_TRUE(StartTestServer(ssl_options)); | 3628 ASSERT_TRUE(StartTestServer(ssl_options)); |
| 3486 scoped_refptr<X509Certificate> server_cert = | 3629 scoped_refptr<X509Certificate> server_cert = |
| 3487 spawned_test_server()->GetCertificate(); | 3630 spawned_test_server()->GetCertificate(); |
| 3488 | 3631 |
| 3489 // Certificate is trusted, but chains to a public root that doesn't match the | 3632 // Certificate is trusted, but chains to a public root that doesn't match the |
| 3490 // pin hashes. | 3633 // pin hashes. |
| (...skipping 419 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3910 // The read buffer should be released. | 4053 // The read buffer should be released. |
| 3911 StreamSocket::SocketMemoryStats stats; | 4054 StreamSocket::SocketMemoryStats stats; |
| 3912 client->DumpMemoryStats(&stats); | 4055 client->DumpMemoryStats(&stats); |
| 3913 EXPECT_EQ(0u, stats.buffer_size); | 4056 EXPECT_EQ(0u, stats.buffer_size); |
| 3914 EXPECT_EQ(1u, stats.cert_count); | 4057 EXPECT_EQ(1u, stats.cert_count); |
| 3915 EXPECT_LT(0u, stats.cert_size); | 4058 EXPECT_LT(0u, stats.cert_size); |
| 3916 EXPECT_EQ(stats.cert_size, stats.total_size); | 4059 EXPECT_EQ(stats.cert_size, stats.total_size); |
| 3917 } | 4060 } |
| 3918 | 4061 |
| 3919 } // namespace net | 4062 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2850033002:
Check Expect-CT at connection setup (Closed)
