1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/net/ssl_config_service_manager.h"
7 #include "base/command_line.h"
8 #include "base/memory/ref_counted.h"
9 #include "base/message_loop/message_loop.h"
10 #include "base/prefs/pref_registry_simple.h"
11 #include "base/prefs/testing_pref_store.h"
12 #include "base/values.h"
13 #include "chrome/browser/prefs/pref_service_mock_factory.h"
14 #include "chrome/common/chrome_switches.h"
15 #include "chrome/common/pref_names.h"
16 #include "chrome/test/base/testing_pref_service_syncable.h"
17 #include "chrome/test/base/testing_profile.h"
18 #include "components/content_settings/core/browser/host_content_settings_map.h"
19 #include "components/content_settings/core/common/content_settings.h"
20 #include "content/public/test/test_browser_thread.h"
21 #include "net/socket/ssl_client_socket.h"
22 #include "net/ssl/ssl_config_service.h"
23 #include "testing/gtest/include/gtest/gtest.h"
using base::ListValue;
using content::BrowserThread;
using net::SSLConfig;
using net::SSLConfigService;
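// Fixture for the SSLConfigServiceManager tests. It registers test UI and IO
// browser threads, both driven by the single |message_loop_| that the tests
// pump to deliver preference-change notifications.
class SSLConfigServiceManagerPrefTest : public testing::Test {
 protected:
  // Protected so the TEST_F bodies (which derive from this fixture) can
  // construct it and reach |message_loop_|.
  SSLConfigServiceManagerPrefTest()
      : ui_thread_(BrowserThread::UI, &message_loop_),
        io_thread_(BrowserThread::IO, &message_loop_) {}

  // Declared first: members are initialized in declaration order and both
  // threads below are handed a pointer to this loop.
  base::MessageLoop message_loop_;
  content::TestBrowserThread ui_thread_;
  content::TestBrowserThread io_thread_;
};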
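// Test channel id with no user prefs: with only the registered defaults in
// local state, the resulting SSLConfig must report channel ID as enabled.
TEST_F(SSLConfigServiceManagerPrefTest, ChannelIDWithoutUserPrefs) {
  TestingPrefServiceSimple local_state;
  SSLConfigServiceManager::RegisterPrefs(local_state.registry());

  scoped_ptr<SSLConfigServiceManager> config_manager(
      SSLConfigServiceManager::CreateDefaultManager(&local_state));
  ASSERT_TRUE(config_manager.get());
  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
  ASSERT_TRUE(config_service.get());

  // Snapshot the effective configuration and check the default.
  SSLConfig config;
  config_service->GetSSLConfig(&config);
  EXPECT_TRUE(config.channel_id_enabled);
}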
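// Test that cipher suites can be disabled. "Good" refers to the fact that
// every value is expected to be successfully parsed into a cipher suite.
//
// 0x0004 and 0x0005 are the IANA code points for TLS_RSA_WITH_RC4_128_MD5 and
// TLS_RSA_WITH_RC4_128_SHA, so this pins the path by which an administrator
// blacklists RC4 through the cipher-suite preference.
TEST_F(SSLConfigServiceManagerPrefTest, GoodDisabledCipherSuites) {
  TestingPrefServiceSimple local_state;
  SSLConfigServiceManager::RegisterPrefs(local_state.registry());

  scoped_ptr<SSLConfigServiceManager> config_manager(
      SSLConfigServiceManager::CreateDefaultManager(&local_state));
  ASSERT_TRUE(config_manager.get());
  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
  ASSERT_TRUE(config_service.get());

  // Baseline: nothing is disabled before the preference is set.
  SSLConfig old_config;
  config_service->GetSSLConfig(&old_config);
  EXPECT_TRUE(old_config.disabled_cipher_suites.empty());

  // NOTE(review): |list_value| is never freed here, so SetUserPref presumably
  // takes ownership of it; confirm against the pref service API.
  base::ListValue* list_value = new base::ListValue();
  list_value->Append(new base::StringValue("0x0004"));
  list_value->Append(new base::StringValue("0x0005"));
  local_state.SetUserPref(prefs::kCipherSuiteBlacklist, list_value);

  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
  // preferences changed.
  message_loop_.RunUntilIdle();

  SSLConfig config;
  config_service->GetSSLConfig(&config);

  // Both entries must now be disabled, in the order they were listed.
  EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites);
  ASSERT_EQ(2u, config.disabled_cipher_suites.size());
  EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]);
  EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]);
}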
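// Test that cipher suites can be disabled. "Bad" refers to the fact that
// there are one or more non-cipher suite strings in the preference. They are
// expected to be skipped without affecting the valid entries.
//
// What this pins for anyone relying on the blacklist: an unparseable entry
// does not invalidate the whole list, but it is also dropped silently, so a
// mistyped value leaves the suite it was meant to name enabled.
TEST_F(SSLConfigServiceManagerPrefTest, BadDisabledCipherSuites) {
  TestingPrefServiceSimple local_state;
  SSLConfigServiceManager::RegisterPrefs(local_state.registry());

  scoped_ptr<SSLConfigServiceManager> config_manager(
      SSLConfigServiceManager::CreateDefaultManager(&local_state));
  ASSERT_TRUE(config_manager.get());
  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
  ASSERT_TRUE(config_service.get());

  // Baseline: nothing is disabled before the preference is set.
  SSLConfig old_config;
  config_service->GetSSLConfig(&old_config);
  EXPECT_TRUE(old_config.disabled_cipher_suites.empty());

  // Two well-formed hex code points interleaved with two malformed entries:
  // a symbolic name and a string with a non-hex suffix.
  // NOTE(review): |list_value| is never freed here, so SetUserPref presumably
  // takes ownership of it; confirm against the pref service API.
  base::ListValue* list_value = new base::ListValue();
  list_value->Append(new base::StringValue("0x0004"));
  list_value->Append(new base::StringValue("TLS_NOT_WITH_A_CIPHER_SUITE"));
  list_value->Append(new base::StringValue("0x0005"));
  list_value->Append(new base::StringValue("0xBEEFY"));
  local_state.SetUserPref(prefs::kCipherSuiteBlacklist, list_value);

  // Pump the message loop to notify the SSLConfigServiceManagerPref that the
  // preferences changed.
  message_loop_.RunUntilIdle();

  SSLConfig config;
  config_service->GetSSLConfig(&config);

  // Only the two parseable entries survive, in their original order.
  EXPECT_NE(old_config.disabled_cipher_suites, config.disabled_cipher_suites);
  ASSERT_EQ(2u, config.disabled_cipher_suites.size());
  EXPECT_EQ(0x0004, config.disabled_cipher_suites[0]);
  EXPECT_EQ(0x0005, config.disabled_cipher_suites[1]);
}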
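// Test that without command-line settings for minimum and maximum SSL versions,
// TLS versions from 1.0 up to 1.1 or 1.2 are enabled.
TEST_F(SSLConfigServiceManagerPrefTest, NoCommandLinePrefs) {
  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());

  PrefServiceMockFactory factory;
  factory.set_user_prefs(local_state_store);
  scoped_refptr<PrefRegistrySimple> registry = new PrefRegistrySimple;
  scoped_ptr<PrefService> local_state(factory.Create(registry.get()));

  SSLConfigServiceManager::RegisterPrefs(registry.get());

  scoped_ptr<SSLConfigServiceManager> config_manager(
      SSLConfigServiceManager::CreateDefaultManager(local_state.get()));
  ASSERT_TRUE(config_manager.get());
  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
  ASSERT_TRUE(config_service.get());

  SSLConfig ssl_config;
  config_service->GetSSLConfig(&ssl_config);
  // In the absence of command-line options, TLS versions from 1.0 up to 1.1 or
  // 1.2 (depending on the underlying library and cryptographic implementation)
  // are enabled. The ceiling is whatever the socket layer reports, so the test
  // does not hard-code it.
  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_min);
  EXPECT_EQ(net::SSLClientSocket::GetMaxSupportedSSLVersion(),
            ssl_config.version_max);

  // The settings should not be added to the local_state.
  EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMin));
  EXPECT_FALSE(local_state->HasPrefPath(prefs::kSSLVersionMax));

  // Explicitly double-check the settings are not in the preference store.
  std::string version_min_str;
  std::string version_max_str;
  EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMin,
                                            &version_min_str));
  EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMax,
                                            &version_max_str));
}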
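// Test that command-line settings for minimum and maximum SSL versions are
// respected and that they do not persist to the preferences files.
//
// Note that the flags used here put the minimum (TLS 1.1) above the maximum
// (TLS 1.0). The test only verifies that each switch is mapped to its field
// independently; it does not check that the resulting range is usable.
TEST_F(SSLConfigServiceManagerPrefTest, CommandLinePrefs) {
  scoped_refptr<TestingPrefStore> local_state_store(new TestingPrefStore());

  base::CommandLine command_line(base::CommandLine::NO_PROGRAM);
  command_line.AppendSwitchASCII(switches::kSSLVersionMin, "tls1.1");
  command_line.AppendSwitchASCII(switches::kSSLVersionMax, "tls1");

  PrefServiceMockFactory factory;
  factory.set_user_prefs(local_state_store);
  factory.SetCommandLine(&command_line);
  scoped_refptr<PrefRegistrySimple> registry = new PrefRegistrySimple;
  scoped_ptr<PrefService> local_state(factory.Create(registry.get()));

  SSLConfigServiceManager::RegisterPrefs(registry.get());

  scoped_ptr<SSLConfigServiceManager> config_manager(
      SSLConfigServiceManager::CreateDefaultManager(local_state.get()));
  ASSERT_TRUE(config_manager.get());
  scoped_refptr<SSLConfigService> config_service(config_manager->Get());
  ASSERT_TRUE(config_service.get());

  SSLConfig ssl_config;
  config_service->GetSSLConfig(&ssl_config);
  // Command-line flags should be respected.
  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1_1, ssl_config.version_min);
  EXPECT_EQ(net::SSL_PROTOCOL_VERSION_TLS1, ssl_config.version_max);

  // Explicitly double-check the settings are not in the preference store.
  // A command-line value must not be user-modifiable. Assert the lookup
  // succeeded first so a missing registration fails the test instead of
  // dereferencing a null pointer.
  const PrefService::Preference* version_min_pref =
      local_state->FindPreference(prefs::kSSLVersionMin);
  ASSERT_TRUE(version_min_pref);
  EXPECT_FALSE(version_min_pref->IsUserModifiable());

  const PrefService::Preference* version_max_pref =
      local_state->FindPreference(prefs::kSSLVersionMax);
  ASSERT_TRUE(version_max_pref);
  EXPECT_FALSE(version_max_pref->IsUserModifiable());

  // Nothing may have been written through to the user pref store.
  std::string version_min_str;
  std::string version_max_str;
  EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMin,
                                            &version_min_str));
  EXPECT_FALSE(local_state_store->GetString(prefs::kSSLVersionMax,
                                            &version_max_str));
}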
// Tests that "ssl3" is not treated as a valid minimum version: asking for it
// on the command line must still leave the effective minimum at TLS 1.0 or
// higher.
TEST_F(SSLConfigServiceManagerPrefTest, NoSSL3) {
  // Request SSLv3 as the minimum protocol version via the command line.
  base::CommandLine ssl3_command_line(base::CommandLine::NO_PROGRAM);
  ssl3_command_line.AppendSwitchASCII(switches::kSSLVersionMin, "ssl3");

  // Build a PrefService over a fresh user store and that command line.
  scoped_refptr<TestingPrefStore> user_store(new TestingPrefStore());
  PrefServiceMockFactory pref_factory;
  pref_factory.set_user_prefs(user_store);
  pref_factory.SetCommandLine(&ssl3_command_line);
  scoped_refptr<PrefRegistrySimple> pref_registry = new PrefRegistrySimple;
  scoped_ptr<PrefService> pref_service(
      pref_factory.Create(pref_registry.get()));

  SSLConfigServiceManager::RegisterPrefs(pref_registry.get());

  scoped_ptr<SSLConfigServiceManager> manager(
      SSLConfigServiceManager::CreateDefaultManager(pref_service.get()));
  ASSERT_TRUE(manager.get());
  scoped_refptr<SSLConfigService> service(manager->Get());
  ASSERT_TRUE(service.get());

  SSLConfig effective_config;
  service->GetSSLConfig(&effective_config);
  // The command-line option must not have been honored.
  EXPECT_LE(net::SSL_PROTOCOL_VERSION_TLS1, effective_config.version_min);
}