// Copyright 2012 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifdef UNSAFE_BUFFERS_BUILD // TODO(crbug.com/40284755): Remove this and spanify to fix the errors. #pragma allow_unsafe_buffers #endif #include "net/http/transport_security_state.h" #include <stdint.h> #include <algorithm> #include <iterator> #include <memory> #include <string> #include <vector> #include "base/base64.h" #include "base/files/file_path.h" #include "base/functional/callback_helpers.h" #include "base/json/json_reader.h" #include "base/memory/raw_ptr.h" #include "base/metrics/field_trial.h" #include "base/metrics/field_trial_param_associator.h" #include "base/rand_util.h" #include "base/stl_util.h" #include "base/strings/stringprintf.h" #include "base/test/metrics/histogram_tester.h" #include "base/test/mock_entropy_provider.h" #include "base/test/scoped_feature_list.h" #include "base/time/time.h" #include "base/values.h" #include "build/build_config.h" #include "crypto/sha2.h" #include "net/base/features.h" #include "net/base/hash_value.h" #include "net/base/host_port_pair.h" #include "net/base/net_errors.h" #include "net/base/schemeful_site.h" #include "net/base/test_completion_callback.h" #include "net/cert/asn1_util.h" #include "net/cert/cert_verifier.h" #include "net/cert/cert_verify_result.h" #include "net/cert/ct_policy_status.h" #include "net/cert/test_root_certs.h" #include "net/cert/x509_certificate.h" #include "net/extras/preload_data/decoder.h" #include "net/http/http_status_code.h" #include "net/http/http_util.h" #include "net/http/transport_security_state_source.h" #include "net/net_buildflags.h" #include "net/ssl/ssl_info.h" #include "net/test/cert_test_util.h" #include "net/test/test_data_directory.h" #include "net/test/test_with_task_environment.h" #include "net/tools/huffman_trie/bit_writer.h" #include "net/tools/huffman_trie/trie/trie_bit_buffer.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/origin.h" namespace net { namespace { namespace test_default { #include "net/http/transport_security_state_static_unittest_default.h" } namespace test1 { #include "net/http/transport_security_state_static_unittest1.h" } namespace test2 { #include "net/http/transport_security_state_static_unittest2.h" } namespace test3 { #include "net/http/transport_security_state_static_unittest3.h" } const char kHost[] = …; const uint16_t kPort = …; const char* const kGoodPath[] = …; const char* const kBadPath[] = …; class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate { … }; bool operator==(const TransportSecurityState::STSState& lhs, const TransportSecurityState::STSState& rhs) { … } bool operator==(const TransportSecurityState::PKPState& lhs, const TransportSecurityState::PKPState& rhs) { … } } // namespace class TransportSecurityStateTest : public ::testing::Test, public WithTaskEnvironment { … }; TEST_F(TransportSecurityStateTest, DomainNameOddities) { … } TEST_F(TransportSecurityStateTest, SimpleMatches) { … } TEST_F(TransportSecurityStateTest, MatchesCase1) { … } TEST_F(TransportSecurityStateTest, MatchesCase2) { … } TEST_F(TransportSecurityStateTest, SubdomainMatches) { … } // Tests that a more-specific HSTS rule without the includeSubDomains bit does // not override a less-specific rule with includeSubDomains. Applicability is // checked before specificity. See https://crbug.com/821811. TEST_F(TransportSecurityStateTest, STSSubdomainNoOverride) { … } // Tests that a more-specific HPKP rule overrides a less-specific rule // with it, regardless of the includeSubDomains bit. Note this behavior does not // match HSTS. See https://crbug.com/821811. TEST_F(TransportSecurityStateTest, PKPSubdomainCarveout) { … } TEST_F(TransportSecurityStateTest, FatalSSLErrors) { … } // Tests that HPKP and HSTS state both expire. Also tests that expired entries // are pruned. TEST_F(TransportSecurityStateTest, Expiration) { … } // Tests that HPKP and HSTS state are queried independently for subdomain // matches. TEST_F(TransportSecurityStateTest, IndependentSubdomain) { … } // Tests that HPKP and HSTS state are inserted and overridden independently. TEST_F(TransportSecurityStateTest, IndependentInsertion) { … } // Tests that GetDynamic[PKP|STS]State returns the correct data and that the // states are not mixed together. TEST_F(TransportSecurityStateTest, DynamicDomainState) { … } // Tests that GetSSLUpgradeDecision() matches the result of ShouldUpgradeToSSL() // and correctly identifies the source of the decision. TEST_F(TransportSecurityStateTest, StaticOrDynamicSource) { … } // Tests that new pins always override previous pins. This should be true for // both pins at the same domain or includeSubdomains pins at a parent domain. TEST_F(TransportSecurityStateTest, NewPinsOverride) { … } TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataBetween) { … } TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { … } TEST_F(TransportSecurityStateTest, LongNames) { … } static bool AddHash(const std::string& type_and_base64, HashValueVector* out) { … } TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) { … } // Simple test for the HSTS preload process. The trie (generated from // transport_security_state_static_unittest1.json) contains 1 entry. Test that // the lookup methods can find the entry and correctly decode the different // preloaded states (HSTS and HPKP). TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) { … } // More advanced test for the HSTS preload process where the trie (generated // from transport_security_state_static_unittest2.json) contains multiple // entries with a common prefix. Test that the lookup methods can find all // entries and correctly decode the different preloaded states (HSTS and HPKP) // for each entry. TEST_F(TransportSecurityStateTest, DecodePreloadedMultiplePrefix) { … } // More advanced test for the HSTS preload process where the trie (generated // from transport_security_state_static_unittest3.json) contains a mix of // entries. Some entries share a prefix with the prefix also having its own // preloaded state while others share no prefix. This results in a trie with // several different internal structures. Test that the lookup methods can find // all entries and correctly decode the different preloaded states (HSTS and // HPKP) for each entry. TEST_F(TransportSecurityStateTest, DecodePreloadedMultipleMix) { … } TEST_F(TransportSecurityStateTest, HstsHostBypassList) { … } // Tests that TransportSecurityState always consults the RequireCTDelegate, // if supplied. TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) { … } // Tests that the emergency disable flags cause CT to stop being required // regardless of host or delegate status. TEST(CTEmergencyDisableTest, CTEmergencyDisable) { … } #if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) class TransportSecurityStateStaticTest : public TransportSecurityStateTest { … }; static bool StaticShouldRedirect(const char* hostname) { … } static bool HasStaticState(const char* hostname) { … } static bool HasStaticPublicKeyPins(const char* hostname) { … } static bool OnlyPinningInStaticState(const char* hostname) { … } TEST_F(TransportSecurityStateStaticTest, EnableStaticPins) { … } TEST_F(TransportSecurityStateStaticTest, DisableStaticPins) { … } TEST_F(TransportSecurityStateStaticTest, IsPreloaded) { … } TEST_F(TransportSecurityStateStaticTest, PreloadedDomainSet) { … } TEST_F(TransportSecurityStateStaticTest, Preloaded) { … } TEST_F(TransportSecurityStateStaticTest, PreloadedPins) { … } TEST_F(TransportSecurityStateStaticTest, BuiltinCertPins) { … } TEST_F(TransportSecurityStateStaticTest, OptionalHSTSCertPins) { … } TEST_F(TransportSecurityStateStaticTest, OverrideBuiltins) { … } TEST_F(TransportSecurityStateTest, WriteSizeDecodeSize) { … } TEST_F(TransportSecurityStateTest, DecodeSizeFour) { … } #endif // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomains) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsIncludeSubdomainsTLD) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsDontIncludeSubdomains) { … } TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) { … } class TransportSecurityStatePinningKillswitchTest : public TransportSecurityStateTest { … }; TEST_F(TransportSecurityStatePinningKillswitchTest, PinningKillswitchSet) { … } } // namespace net
Codebase Browser
chromium