Commit 9f3533f1 authored by David Benjamin's avatar David Benjamin Committed by Commit Bot

Switch the TLS13DowngradeEnforced test to a TEST_P

This test does not produce much output, but the debugging information
added to diagnose https://crbug.com/869227 caused this test to send too
much output. Switch it to a TEST_P to divide it back up.

Bug: 1017036
Change-Id: I54e5582859ae271401c69e3241f47bd5f12ff42e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1879971
Auto-Submit: David Benjamin <davidben@chromium.org>
Reviewed-by: default avatarSteven Valdez <svaldez@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#709183}
parent e812f172
...@@ -5363,61 +5363,69 @@ TEST_F(SSLClientSocketTest, Tag) { ...@@ -5363,61 +5363,69 @@ TEST_F(SSLClientSocketTest, Tag) {
#endif // OS_ANDROID #endif // OS_ANDROID
} }
// Test downgrade enforcement behaves as expected. class TLS13DowngradeTest
// Failed on macOS. See https://crbug.com/1017036 : public SSLClientSocketTest,
#if defined(OS_MACOSX) public ::testing::WithParamInterface<
#define MAYBE_TLS13DowngradeEnforced DISABLED_TLS13DowngradeEnforced std::tuple<SpawnedTestServer::SSLOptions::TLSMaxVersion,
#else /* simulate_tls13_downgrade */ bool,
#define MAYBE_TLS13DowngradeEnforced TLS13DowngradeEnforced /* enable_for_local_anchors */ bool,
#endif /* known_root */ bool>> {
TEST_F(SSLClientSocketTest, MAYBE_TLS13DowngradeEnforced) { public:
for (auto tls_max_version : TLS13DowngradeTest() {}
{SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_0, ~TLS13DowngradeTest() {}
SpawnedTestServer::SSLOptions::TLSMaxVersion tls_max_version() const {
return std::get<0>(GetParam());
}
bool simulate_tls13_downgrade() const { return std::get<1>(GetParam()); }
bool enable_for_local_anchors() const { return std::get<2>(GetParam()); }
bool known_root() const { return std::get<3>(GetParam()); }
};
INSTANTIATE_TEST_SUITE_P(
/* no prefix */,
TLS13DowngradeTest,
::testing::Combine(
::testing::Values(
SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_0,
SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_1, SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_1,
SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_2}) { SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_2),
for (bool downgrade : {false, true}) { ::testing::Values(false, true),
SCOPED_TRACE(downgrade); ::testing::Values(false, true),
SCOPED_TRACE(tls_max_version); ::testing::Values(false, true)));
TEST_P(TLS13DowngradeTest, DowngradeEnforced) {
SpawnedTestServer::SSLOptions ssl_options; SpawnedTestServer::SSLOptions ssl_options;
ssl_options.simulate_tls13_downgrade = downgrade; ssl_options.simulate_tls13_downgrade = simulate_tls13_downgrade();
ssl_options.tls_max_version = tls_max_version; ssl_options.tls_max_version = tls_max_version();
ASSERT_TRUE(StartTestServer(ssl_options)); ASSERT_TRUE(StartTestServer(ssl_options));
scoped_refptr<X509Certificate> server_cert = scoped_refptr<X509Certificate> server_cert =
spawned_test_server()->GetCertificate(); spawned_test_server()->GetCertificate();
for (bool enable_for_local_anchors : {false, true}) {
SCOPED_TRACE(enable_for_local_anchors);
SSLContextConfig config; SSLContextConfig config;
config.version_max = SSL_PROTOCOL_VERSION_TLS1_3; config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
config.tls13_hardening_for_local_anchors_enabled = config.tls13_hardening_for_local_anchors_enabled = enable_for_local_anchors();
enable_for_local_anchors;
ssl_config_service_->UpdateSSLConfigAndNotify(config); ssl_config_service_->UpdateSSLConfigAndNotify(config);
for (bool known_root : {false, true}) {
SCOPED_TRACE(known_root);
CertVerifyResult verify_result; CertVerifyResult verify_result;
verify_result.is_issued_by_known_root = known_root; verify_result.is_issued_by_known_root = known_root();
verify_result.verified_cert = server_cert; verify_result.verified_cert = server_cert;
cert_verifier_->ClearRules(); cert_verifier_->ClearRules();
cert_verifier_->AddResultForCert(server_cert.get(), verify_result, cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
OK);
bool should_enforce = known_root || enable_for_local_anchors; bool should_enforce = known_root() || enable_for_local_anchors();
ssl_client_session_cache_->Flush(); ssl_client_session_cache_->Flush();
int rv; int rv;
ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv)); ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
if (should_enforce && downgrade) { if (should_enforce && simulate_tls13_downgrade()) {
EXPECT_THAT(rv, IsError(ERR_TLS13_DOWNGRADE_DETECTED)); EXPECT_THAT(rv, IsError(ERR_TLS13_DOWNGRADE_DETECTED));
EXPECT_FALSE(sock_->IsConnected()); EXPECT_FALSE(sock_->IsConnected());
} else { } else {
EXPECT_THAT(rv, IsOk()); EXPECT_THAT(rv, IsOk());
EXPECT_TRUE(sock_->IsConnected()); EXPECT_TRUE(sock_->IsConnected());
} }
}
}
}
}
} }
struct TLS13DowngradeMetricsParams { struct TLS13DowngradeMetricsParams {
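Review bot: The new `TLS13DowngradeTest` fixture and `TEST_P(TLS13DowngradeTest, DowngradeEnforced)` carry no comment, and the old "Test downgrade enforcement behaves as expected" line appears to be dropped, so the policy encoded in `should_enforce = known_root() || enable_for_local_anchors()` is stated nowhere. The `else` branch expects `IsOk()` and a connected socket even when `simulate_tls13_downgrade()` is true, so a downgraded handshake is accepted on purpose for a locally-anchored chain with hardening disabled; a reader should not have to reverse-engineer that exception. I would add above the test something like `// Downgrade enforcement always applies to known roots; for local anchors it applies only when tls13_hardening_for_local_anchors_enabled is set, otherwise the downgraded connection is expected to succeed.` Separately, with the `SCOPED_TRACE` calls gone a failing case is identified only by its index and gtest's printed tuple, so a name generator as the last argument of `INSTANTIATE_TEST_SUITE_P` would keep the four parameters readable in bot logs. The old/new split here is inferred from the side-by-side rendering, and `struct TLS13DowngradeMetricsParams` continues outside the visible section.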
......