1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/net/ssl_config_service_manager.h" 6 7 #include "base/command_line.h" 8 #include "base/memory/ref_counted.h" 9 #include "base/message_loop/message_loop.h" 10 #include "base/prefs/pref_registry_simple.h" 11 #include "base/prefs/testing_pref_store.h" 12 #include "base/values.h" 13 #include "chrome/browser/content_settings/host_content_settings_map.h" 14 #include "chrome/browser/prefs/pref_service_mock_builder.h" 15 #include "chrome/common/chrome_switches.h" 16 #include "chrome/common/content_settings.h" 17 #include "chrome/common/pref_names.h" 18 #include "chrome/test/base/testing_pref_service_syncable.h" 19 #include "chrome/test/base/testing_profile.h" 20 #include "content/public/test/test_browser_thread.h" 21 #include "net/ssl/ssl_config_service.h" 22 #include "testing/gtest/include/gtest/gtest.h" 23 24 using base::ListValue; 25 using base::Value; 26 using content::BrowserThread; 27 using net::SSLConfig; 28 using net::SSLConfigService; 29 30 namespace { 31 32 void SetCookiePref(TestingProfile* profile, ContentSetting setting) { 33 HostContentSettingsMap* host_content_settings_map = 34 profile->GetHostContentSettingsMap(); 35 host_content_settings_map->SetDefaultContentSetting( 36 CONTENT_SETTINGS_TYPE_COOKIES, setting); 37 } 38 39 } // namespace 40 41 class SSLConfigServiceManagerPrefTest : public testing::Test { 42 public: 43 SSLConfigServiceManagerPrefTest() 44 : ui_thread_(BrowserThread::UI, &message_loop_), 45 io_thread_(BrowserThread::IO, &message_loop_) {} 46 47 protected: 48 bool IsChannelIdEnabled(SSLConfigService* config_service) { 49 // Pump the message loop to notify the SSLConfigServiceManagerPref that the 50 // preferences changed. 51 message_loop_.RunUntilIdle(); 52 SSLConfig config; 53 config_service->GetSSLConfig(&config); 54 return config.channel_id_enabled; 55 } 56 57 base::MessageLoop message_loop_; 58 content::TestBrowserThread ui_thread_; 59 content::TestBrowserThread io_thread_; 60 }; 61 62 // Test channel id with no user prefs. 63 TEST_F(SSLConfigServiceManagerPrefTest, ChannelIDWithoutUserPrefs) { 64 TestingPrefServiceSimple local_state; 65 SSLConfigServiceManager::RegisterPrefs(local_state.registry()); 66 local_state.SetUserPref(prefs::kEnableOriginBoundCerts, 67 Value::CreateBooleanValue(false)); 68 69 scoped_ptr<SSLConfigServiceManager> config_manager( 70 SSLConfigServiceManager::CreateDefaultManager(&local_state)); 71 ASSERT_TRUE(config_manager.get()); 72 scoped_refptr<SSLConfigService> config_service(config_manager->Get()); 73 ASSERT_TRUE(config_service.get()); 74 75 SSLConfig config; 76 config_service->GetSSLConfig(&config); 77 EXPECT_FALSE(config.channel_id_enabled); 78 79 local_state.SetUserPref(prefs::kEnableOriginBoundCerts, 80 Value::CreateBooleanValue(true)); 81 // Pump the message loop to notify the SSLConfigServiceManagerPref that the 82 // preferences changed. 83 message_loop_.RunUntilIdle(); 84 config_service->GetSSLConfig(&config); 85 EXPECT_TRUE(config.channel_id_enabled); 86 } 87 88 // Test that cipher suites can be disabled. "Good" refers to the fact that 89 // every value is expected to be successfully parsed into a cipher suite. 90 TEST_F(SSLConfigServiceManagerPrefTest, GoodDisabledCipherSuites) { 91 TestingPrefServiceSimple local_state; 92 SSLConfigServiceManager::RegisterPrefs(local_state.registry()); 93 94 scoped_ptr<SSLConfigServiceManager> config_manager( 95 SSLConfigServiceManager::CreateDefaultManager(&local_state)); 96 ASSERT_TRUE(config_manager.get()); 97 scoped_refptr<SSLConfigService> config_service(config_manager->Get()); 98 ASSERT_TRUE(config_service.get()); 99 100 SSLConfig old_config; 101 config_service->GetSSLConfig(&old_config); 102 EXPECT_TRUE(old_config.disabled_cipher_suites.empty()); 103 104 ListValue* list_value = new ListValue(); 105 list_value->Append(Value::CreateStringValue("0x0004")); 106 list_value->Append(Value::CreateStringValue("0x0005")); 107 local_state.SetUserPref(prefs::kCipherSuiteBlacklist, list_value); 108 109 // Pump the message loop to notify the SSLConfigServiceManagerPref that the 110 // preferences changed. 111 message_loop_.RunUntilIdle(); 112 113 SSLConfig config; 114 config_service->GetSSLConfig(&config); 115 116 EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites); 117 ASSERT_EQ(2u, config.disabled_cipher_suites.size()); 118 EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]); 119 EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]); 120 } 121 122 // Test that cipher suites can be disabled. "Bad" refers to the fact that 123 // there are one or more non-cipher suite strings in the preference. They 124 // should be ignored. 125 TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) { 126 TestingPrefServiceSimple local_state; 127 SSLConfigServiceManager::RegisterPrefs(local_state.registry()); 128 129 scoped_ptr<SSLConfigServiceManager> config_manager( 130 SSLConfigServiceManager::CreateDefaultManager(&local_state)); 131 ASSERT_TRUE(config_manager.get()); 132 scoped_refptr<SSLConfigService> config_service(config_manager->Get()); 133 ASSERT_TRUE(config_service.get()); 134 135 SSLConfig old_config; 136 config_service->GetSSLConfig(&old_config); 137 EXPECT_TRUE(old_config.disabled_cipher_suites.empty()); 138 139 ListValue* list_value = new ListValue(); 140 list_value->Append(Value::CreateStringValue("0x0004")); 141 list_value->Append(Value::CreateStringValue("TLS_NOT_WITH_A_CIPHER_SUITE")); 142 list_value->Append(Value::CreateStringValue("0x0005")); 143 list_value->Append(Value::CreateStringValue("0xBEEFY")); 144 local_state.SetUserPref(prefs::kCipherSuiteBlacklist, list_value); 145 146 // Pump the message loop to notify the SSLConfigServiceManagerPref that the 147 // preferences changed. 148 message_loop_.RunUntilIdle(); 149 150 SSLConfig config; 151 config_service->GetSSLConfig(&config); 152 153 EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites); 154 ASSERT_EQ(2u, config.disabled_cipher_suites.size()); 155 EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]); 156 EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]); 157 } 158 159 // Test that 160 // * without command-line settings for minimum and maximum SSL versions, 161 // SSL 3.0 ~ default_version_max() are enabled; 162 // * without --enable-unrestricted-ssl3-fallback, 163 // |unrestricted_ssl3_fallback_enabled| is false. 164 // TODO(thaidn): |unrestricted_ssl3_fallback_enabled| is true by default 165 // temporarily until we have fixed deployment issues. 166 TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) { 167 scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore()); 168 169 PrefServiceMockBuilder builder; 170 builder.WithUserPrefs(local_state_store.get()); 171 scoped_refptr<PrefRegistrySimple> registry = new PrefRegistrySimple; 172 scoped_ptr<PrefService> local_state(builder.Create(registry.get())); 173 174 SSLConfigServiceManager::RegisterPrefs(registry.get()); 175 176 scoped_ptr<SSLConfigServiceManager> config_manager( 177 SSLConfigServiceManager::CreateDefaultManager(local_state.get())); 178 ASSERT_TRUE(config_manager.get()); 179 scoped_refptr<SSLConfigService> config_service(config_manager->Get()); 180 ASSERT_TRUE(config_service.get()); 181 182 SSLConfig ssl_config; 183 config_service->GetSSLConfig(&ssl_config); 184 // The default value in the absence of command-line options is that 185 // SSL 3.0 ~ default_version_max() are enabled. 186 EXPECT_EQ(net::SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_min); 187 EXPECT_EQ(net::SSLConfigService::default_version_max(), 188 ssl_config.version_max); 189 EXPECT_TRUE(ssl_config.unrestricted_ssl3_fallback_enabled); 190 191 // The settings should not be added to the local_state. 192 EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMin)); 193 EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMax)); 194 EXPECT_FALSE(local_state->HasPrefPath( 195 prefs::kEnableUnrestrictedSSL3Fallback)); 196 197 // Explicitly double-check the settings are not in the preference store. 198 std::string version_min_str; 199 std::string version_max_str; 200 EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMin, 201 &version_min_str)); 202 EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMax, 203 &version_max_str)); 204 bool unrestricted_ssl3_fallback_enabled; 205 EXPECT_FALSE(local_state_store->GetBoolean( 206 prefs::kEnableUnrestrictedSSL3Fallback, 207 &unrestricted_ssl3_fallback_enabled)); 208 } 209 210 // Test that command-line settings for minimum and maximum SSL versions are 211 // respected and that they do not persist to the preferences files. 212 TEST_F(SSLConfigServiceManagerPrefTest, CommandLinePrefs) { 213 scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore()); 214 215 CommandLine command_line(CommandLine::NO_PROGRAM); 216 command_line.AppendSwitchASCII(switches::kSSLVersionMin, "tls1"); 217 command_line.AppendSwitchASCII(switches::kSSLVersionMax, "ssl3"); 218 command_line.AppendSwitch(switches::kEnableUnrestrictedSSL3Fallback); 219 220 PrefServiceMockBuilder builder; 221 builder.WithUserPrefs(local_state_store.get()); 222 builder.WithCommandLine(&command_line); 223 scoped_refptr<PrefRegistrySimple> registry = new PrefRegistrySimple; 224 scoped_ptr<PrefService> local_state(builder.Create(registry.get())); 225 226 SSLConfigServiceManager::RegisterPrefs(registry.get()); 227 228 scoped_ptr<SSLConfigServiceManager> config_manager( 229 SSLConfigServiceManager::CreateDefaultManager(local_state.get())); 230 ASSERT_TRUE(config_manager.get()); 231 scoped_refptr<SSLConfigService> config_service(config_manager->Get()); 232 ASSERT_TRUE(config_service.get()); 233 234 SSLConfig ssl_config; 235 config_service->GetSSLConfig(&ssl_config); 236 // Command-line flags should be respected. 237 EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min); 238 EXPECT_EQ(net::SSL_PROTOCOL_VERSION_SSL3, ssl_config.version_max); 239 EXPECT_TRUE(ssl_config.unrestricted_ssl3_fallback_enabled); 240 241 // Explicitly double-check the settings are not in the preference store. 242 const PrefService::Preference* version_min_pref = 243 local_state->FindPreference(prefs::kSSLVersionMin); 244 EXPECT_FALSE(version_min_pref->IsUserModifiable()); 245 246 const PrefService::Preference* version_max_pref = 247 local_state->FindPreference(prefs::kSSLVersionMax); 248 EXPECT_FALSE(version_max_pref->IsUserModifiable()); 249 250 const PrefService::Preference* ssl3_fallback_pref = 251 local_state->FindPreference(prefs::kEnableUnrestrictedSSL3Fallback); 252 EXPECT_FALSE(ssl3_fallback_pref->IsUserModifiable()); 253 254 std::string version_min_str; 255 std::string version_max_str; 256 EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMin, 257 &version_min_str)); 258 EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMax, 259 &version_max_str)); 260 bool unrestricted_ssl3_fallback_enabled; 261 EXPECT_FALSE(local_state_store->GetBoolean( 262 prefs::kEnableUnrestrictedSSL3Fallback, 263 &unrestricted_ssl3_fallback_enabled)); 264 } 265
