security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp

changeset 0
6474c204b198
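--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,145 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSIOLayer.h"
+#include "sslproto.h"
+
+#include "gtest/gtest.h"
+
+NS_NAMED_LITERAL_CSTRING(HOST, "example.org");
+const int16_t PORT = 443;
+
+class TLSIntoleranceTest : public ::testing::Test
+{
+protected:
+  nsSSLIOLayerHelpers helpers;
+};
+
+TEST_F(TLSIntoleranceTest, Test_1_2_through_3_0)
+{
+  // No adjustment made when there is no entry for the site.
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                    range.min, range.max));
+  }
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                    range.min, range.max));
+  }
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
+
+    ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                    range.min, range.max));
+  }
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.max);
+
+    // false because we reached the floor set by range.min
+    ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                     range.min, range.max));
+  }
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, PORT, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+    // When rememberIntolerantAtVersion returns false, it also resets the
+    // intolerance information for the server.
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+}
+
+TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_1)
+{
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                  SSL_LIBRARY_VERSION_3_0,
+                                                  SSL_LIBRARY_VERSION_TLS_1_0));
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0);
+  SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                            SSL_LIBRARY_VERSION_TLS_1_2 };
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
+}
+
+TEST_F(TLSIntoleranceTest, Test_Tolerant_Overrides_Intolerant_2)
+{
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                  SSL_LIBRARY_VERSION_3_0,
+                                                  SSL_LIBRARY_VERSION_TLS_1_0));
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_1);
+  SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                            SSL_LIBRARY_VERSION_TLS_1_2 };
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+}
+
+TEST_F(TLSIntoleranceTest, Test_Intolerant_Does_Not_Override_Tolerant)
+{
+  // No adjustment made when there is no entry for the site.
+  helpers.rememberTolerantAtVersion(HOST, PORT, SSL_LIBRARY_VERSION_TLS_1_0);
+  // false because we reached the floor set by rememberTolerantAtVersion.
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
+                                                   SSL_LIBRARY_VERSION_3_0,
+                                                   SSL_LIBRARY_VERSION_TLS_1_0));
+  SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                            SSL_LIBRARY_VERSION_TLS_1_2 };
+  helpers.adjustForTLSIntolerance(HOST, PORT, range);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_3_0, range.min);
+  ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+}
+
+TEST_F(TLSIntoleranceTest, Test_Port_Is_Relevant)
+{
+  helpers.rememberTolerantAtVersion(HOST, 1, SSL_LIBRARY_VERSION_TLS_1_2);
+  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, 1,
+                                                   SSL_LIBRARY_VERSION_3_0,
+                                                   SSL_LIBRARY_VERSION_TLS_1_2));
+  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, 2,
+                                                  SSL_LIBRARY_VERSION_3_0,
+                                                  SSL_LIBRARY_VERSION_TLS_1_2));
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, 1, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_2, range.max);
+  }
+
+  {
+    SSLVersionRange range = { SSL_LIBRARY_VERSION_3_0,
+                              SSL_LIBRARY_VERSION_TLS_1_2 };
+    helpers.adjustForTLSIntolerance(HOST, 2, range);
+    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_1, range.max);
+  }
+}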
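Review bot: Every range and every rememberIntolerantAtVersion call in this file uses SSL_LIBRARY_VERSION_3_0 as the minimum, so the floor behaviour (the ASSERT_FALSE near the end of Test_1_2_through_3_0) is only exercised at the lowest protocol version. As far as these tests show, the minimum is the only bound on how far recorded intolerance can lower range.max, so a case with a higher floor would catch a regression that lets version fallback drop below the configured minimum. The sketch below mirrors the pattern of the first test; its expected values are inferred from that pattern and should be confirmed against nsSSLIOLayerHelpers. Separately, the comment `// No adjustment made when there is no entry for the site.` at the top of Test_Intolerant_Does_Not_Override_Tolerant looks copied from the first test and does not describe the rememberTolerantAtVersion call that follows it; `// A version already recorded as tolerated cannot later be marked intolerant.` would fit better.

```cpp
TEST_F(TLSIntoleranceTest, Test_Fallback_Stops_At_Configured_Minimum)
{
  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
                                                  SSL_LIBRARY_VERSION_TLS_1_0,
                                                  SSL_LIBRARY_VERSION_TLS_1_2));
  ASSERT_TRUE(helpers.rememberIntolerantAtVersion(HOST, PORT,
                                                  SSL_LIBRARY_VERSION_TLS_1_0,
                                                  SSL_LIBRARY_VERSION_TLS_1_1));
  {
    SSLVersionRange range = { SSL_LIBRARY_VERSION_TLS_1_0,
                              SSL_LIBRARY_VERSION_TLS_1_2 };
    helpers.adjustForTLSIntolerance(HOST, PORT, range);
    // max may be lowered to the floor, never below it
    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.min);
    ASSERT_EQ(SSL_LIBRARY_VERSION_TLS_1_0, range.max);
  }

  // false because TLS 1.0 is the configured minimum
  ASSERT_FALSE(helpers.rememberIntolerantAtVersion(HOST, PORT,
                                                   SSL_LIBRARY_VERSION_TLS_1_0,
                                                   SSL_LIBRARY_VERSION_TLS_1_0));
}
```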
