1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string>
#include <vector>
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "net/base/net_util.h"
#include "net/base/request_priority.h"
#include "net/dns/mock_host_resolver.h"
#include "net/http/http_auth_handler_mock.h"
#include "net/http/http_network_session.h"
#include "net/http/http_network_transaction.h"
#include "net/http/http_request_info.h"
#include "net/http/http_server_properties_impl.h"
#include "net/http/transport_security_state.h"
#include "net/proxy/proxy_service.h"
#include "net/socket/socket_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
namespace {
class TLS10SSLConfigService : public SSLConfigService {
public:
TLS10SSLConfigService() {
ssl_config_.version_min = SSL_PROTOCOL_VERSION_TLS1;
ssl_config_.version_max = SSL_PROTOCOL_VERSION_TLS1;
}
void GetSSLConfig(SSLConfig* config) override { *config = ssl_config_; }
private:
~TLS10SSLConfigService() override {}
SSLConfig ssl_config_;
};
class TLS12SSLConfigService : public SSLConfigService {
public:
TLS12SSLConfigService() {
ssl_config_.version_min = SSL_PROTOCOL_VERSION_TLS1;
ssl_config_.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
}
void GetSSLConfig(SSLConfig* config) override { *config = ssl_config_; }
private:
~TLS12SSLConfigService() override {}
SSLConfig ssl_config_;
};
} // namespace
class HttpNetworkTransactionSSLTest : public testing::Test {
protected:
void SetUp() override {
ssl_config_service_ = new TLS10SSLConfigService;
session_params_.ssl_config_service = ssl_config_service_.get();
auth_handler_factory_.reset(new HttpAuthHandlerMock::Factory());
session_params_.http_auth_handler_factory = auth_handler_factory_.get();
proxy_service_ = ProxyService::CreateDirect();
session_params_.proxy_service = proxy_service_.get();
session_params_.client_socket_factory = &mock_socket_factory_;
session_params_.host_resolver = &mock_resolver_;
session_params_.http_server_properties =
http_server_properties_.GetWeakPtr();
session_params_.transport_security_state = &transport_security_state_;
}
HttpRequestInfo* GetRequestInfo(const std::string& url) {
HttpRequestInfo* request_info = new HttpRequestInfo;
request_info->url = GURL(url);
request_info->method = "GET";
request_info_vector_.push_back(make_scoped_ptr(request_info));
return request_info;
}
SSLConfig& GetServerSSLConfig(HttpNetworkTransaction* trans) {
return trans->server_ssl_config_;
}
scoped_refptr<SSLConfigService> ssl_config_service_;
scoped_ptr<HttpAuthHandlerMock::Factory> auth_handler_factory_;
scoped_ptr<ProxyService> proxy_service_;
MockClientSocketFactory mock_socket_factory_;
MockHostResolver mock_resolver_;
HttpServerPropertiesImpl http_server_properties_;
TransportSecurityState transport_security_state_;
HttpNetworkSession::Params session_params_;
std::vector<scoped_ptr<HttpRequestInfo>> request_info_vector_;
};
// Tests that HttpNetworkTransaction attempts to fallback from
// TLS 1.2 to TLS 1.1, then from TLS 1.1 to TLS 1.0.
TEST_F(HttpNetworkTransactionSSLTest, SSLFallback) {
ssl_config_service_ = new TLS12SSLConfigService;
session_params_.ssl_config_service = ssl_config_service_.get();
// |ssl_data1| is for the first handshake (TLS 1.2), which will fail
// for protocol reasons (e.g., simulating a version rollback attack).
SSLSocketDataProvider ssl_data1(ASYNC, ERR_SSL_PROTOCOL_ERROR);
mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data1);
StaticSocketDataProvider data1(NULL, 0, NULL, 0);
mock_socket_factory_.AddSocketDataProvider(&data1);
// |ssl_data2| contains the handshake result for a TLS 1.1
// handshake which will be attempted after the TLS 1.2
// handshake fails.
SSLSocketDataProvider ssl_data2(ASYNC, ERR_SSL_PROTOCOL_ERROR);
mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data2);
StaticSocketDataProvider data2(NULL, 0, NULL, 0);
mock_socket_factory_.AddSocketDataProvider(&data2);
// |ssl_data3| contains the handshake result for a TLS 1.0
// handshake which will be attempted after the TLS 1.1
// handshake fails.
SSLSocketDataProvider ssl_data3(ASYNC, ERR_SSL_PROTOCOL_ERROR);
mock_socket_factory_.AddSSLSocketDataProvider(&ssl_data3);
StaticSocketDataProvider data3(NULL, 0, NULL, 0);
mock_socket_factory_.AddSocketDataProvider(&data3);
HttpNetworkSession session(session_params_);
HttpNetworkTransaction trans(DEFAULT_PRIORITY, &session);
TestCompletionCallback callback;
// This will consume |ssl_data1|, |ssl_data2| and |ssl_data3|.
int rv =
callback.GetResult(trans.Start(GetRequestInfo("https://www.paypal.com/"),
callback.callback(), BoundNetLog()));
EXPECT_EQ(ERR_SSL_PROTOCOL_ERROR, rv);
SocketDataProviderArray<SocketDataProvider>& mock_data =
mock_socket_factory_.mock_data();
// Confirms that |ssl_data1|, |ssl_data2| and |ssl_data3| are consumed.
EXPECT_EQ(3u, mock_data.next_index());
SSLConfig& ssl_config = GetServerSSLConfig(&trans);
// |version_max| fallbacks to TLS 1.0.
EXPECT_EQ(SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_max);
EXPECT_TRUE(ssl_config.version_fallback);
}
} // namespace net
|