1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/crypto/quic_crypto_client_config.h"
7 #include "net/quic/crypto/proof_verifier.h"
8 #include "net/quic/quic_server_id.h"
9 #include "net/quic/test_tools/mock_random.h"
10 #include "net/quic/test_tools/quic_test_utils.h"
11 #include "testing/gtest/include/gtest/gtest.h"
20 class TestProofVerifyDetails
: public ProofVerifyDetails
{
21 ~TestProofVerifyDetails() override
{}
23 // ProofVerifyDetails implementation
24 ProofVerifyDetails
* Clone() const override
{
25 return new TestProofVerifyDetails
;
31 TEST(QuicCryptoClientConfigTest
, CachedState_IsEmpty
) {
32 QuicCryptoClientConfig::CachedState state
;
33 EXPECT_TRUE(state
.IsEmpty());
36 TEST(QuicCryptoClientConfigTest
, CachedState_IsComplete
) {
37 QuicCryptoClientConfig::CachedState state
;
38 EXPECT_FALSE(state
.IsComplete(QuicWallTime::FromUNIXSeconds(0)));
41 TEST(QuicCryptoClientConfigTest
, CachedState_GenerationCounter
) {
42 QuicCryptoClientConfig::CachedState state
;
43 EXPECT_EQ(0u, state
.generation_counter());
44 state
.SetProofInvalid();
45 EXPECT_EQ(1u, state
.generation_counter());
48 TEST(QuicCryptoClientConfigTest
, CachedState_SetProofVerifyDetails
) {
49 QuicCryptoClientConfig::CachedState state
;
50 EXPECT_TRUE(state
.proof_verify_details() == nullptr);
51 ProofVerifyDetails
* details
= new TestProofVerifyDetails
;
52 state
.SetProofVerifyDetails(details
);
53 EXPECT_EQ(details
, state
.proof_verify_details());
56 TEST(QuicCryptoClientConfigTest
, CachedState_InitializeFrom
) {
57 QuicCryptoClientConfig::CachedState state
;
58 QuicCryptoClientConfig::CachedState other
;
59 state
.set_source_address_token("TOKEN");
60 // TODO(rch): Populate other fields of |state|.
61 other
.InitializeFrom(state
);
62 EXPECT_EQ(state
.server_config(), other
.server_config());
63 EXPECT_EQ(state
.source_address_token(), other
.source_address_token());
64 EXPECT_EQ(state
.certs(), other
.certs());
65 EXPECT_EQ(1u, other
.generation_counter());
68 TEST(QuicCryptoClientConfigTest
, InchoateChlo
) {
69 QuicCryptoClientConfig::CachedState state
;
70 QuicCryptoClientConfig config
;
71 QuicCryptoNegotiatedParameters params
;
72 CryptoHandshakeMessage msg
;
73 QuicServerId
server_id("www.google.com", 80, false, PRIVACY_MODE_DISABLED
);
74 config
.FillInchoateClientHello(server_id
, QuicVersionMax(), &state
,
78 EXPECT_EQ(QUIC_NO_ERROR
, msg
.GetUint32(kVER
, &cver
));
79 EXPECT_EQ(QuicVersionToQuicTag(QuicVersionMax()), cver
);
82 TEST(QuicCryptoClientConfigTest
, PreferAesGcm
) {
83 QuicCryptoClientConfig config
;
84 if (config
.aead
.size() > 1)
85 EXPECT_NE(kAESG
, config
.aead
[0]);
86 config
.PreferAesGcm();
87 EXPECT_EQ(kAESG
, config
.aead
[0]);
90 TEST(QuicCryptoClientConfigTest
, InchoateChloSecure
) {
91 QuicCryptoClientConfig::CachedState state
;
92 QuicCryptoClientConfig config
;
93 QuicCryptoNegotiatedParameters params
;
94 CryptoHandshakeMessage msg
;
95 QuicServerId
server_id("www.google.com", 443, true, PRIVACY_MODE_DISABLED
);
96 config
.FillInchoateClientHello(server_id
, QuicVersionMax(), &state
,
100 EXPECT_EQ(QUIC_NO_ERROR
, msg
.GetUint32(kPDMD
, &pdmd
));
101 EXPECT_EQ(kX509
, pdmd
);
104 TEST(QuicCryptoClientConfigTest
, InchoateChloSecureNoEcdsa
) {
105 QuicCryptoClientConfig::CachedState state
;
106 QuicCryptoClientConfig config
;
107 config
.DisableEcdsa();
108 QuicCryptoNegotiatedParameters params
;
109 CryptoHandshakeMessage msg
;
110 QuicServerId
server_id("www.google.com", 443, true, PRIVACY_MODE_DISABLED
);
111 config
.FillInchoateClientHello(server_id
, QuicVersionMax(), &state
,
115 EXPECT_EQ(QUIC_NO_ERROR
, msg
.GetUint32(kPDMD
, &pdmd
));
116 EXPECT_EQ(kX59R
, pdmd
);
119 TEST(QuicCryptoClientConfigTest
, FillClientHello
) {
120 QuicCryptoClientConfig::CachedState state
;
121 QuicCryptoClientConfig config
;
122 QuicCryptoNegotiatedParameters params
;
123 QuicConnectionId kConnectionId
= 1234;
124 string error_details
;
126 CryptoHandshakeMessage chlo
;
127 QuicServerId
server_id("www.google.com", 80, false, PRIVACY_MODE_DISABLED
);
128 config
.FillClientHello(server_id
,
132 QuicWallTime::Zero(),
134 nullptr, // channel_id_key
139 // Verify that certain QuicTags have been set correctly in the CHLO.
141 EXPECT_EQ(QUIC_NO_ERROR
, chlo
.GetUint32(kVER
, &cver
));
142 EXPECT_EQ(QuicVersionToQuicTag(QuicVersionMax()), cver
);
145 TEST(QuicCryptoClientConfigTest
, ProcessServerDowngradeAttack
) {
146 QuicVersionVector supported_versions
= QuicSupportedVersions();
147 if (supported_versions
.size() == 1) {
148 // No downgrade attack is possible if the client only supports one version.
151 QuicTagVector supported_version_tags
;
152 for (size_t i
= supported_versions
.size(); i
> 0; --i
) {
153 supported_version_tags
.push_back(
154 QuicVersionToQuicTag(supported_versions
[i
- 1]));
156 CryptoHandshakeMessage msg
;
158 msg
.SetVector(kVER
, supported_version_tags
);
160 QuicCryptoClientConfig::CachedState cached
;
161 QuicCryptoNegotiatedParameters out_params
;
163 QuicCryptoClientConfig config
;
164 EXPECT_EQ(QUIC_VERSION_NEGOTIATION_MISMATCH
,
165 config
.ProcessServerHello(msg
, 0, supported_versions
,
166 &cached
, &out_params
, &error
));
167 EXPECT_EQ("Downgrade attack detected", error
);
170 TEST(QuicCryptoClientConfigTest
, InitializeFrom
) {
171 QuicCryptoClientConfig config
;
172 QuicServerId
canonical_server_id("www.google.com", 80, false,
173 PRIVACY_MODE_DISABLED
);
174 QuicCryptoClientConfig::CachedState
* state
=
175 config
.LookupOrCreate(canonical_server_id
);
176 // TODO(rch): Populate other fields of |state|.
177 state
->set_source_address_token("TOKEN");
178 state
->SetProofValid();
180 QuicServerId
other_server_id("mail.google.com", 80, false,
181 PRIVACY_MODE_DISABLED
);
182 config
.InitializeFrom(other_server_id
, canonical_server_id
, &config
);
183 QuicCryptoClientConfig::CachedState
* other
=
184 config
.LookupOrCreate(other_server_id
);
186 EXPECT_EQ(state
->server_config(), other
->server_config());
187 EXPECT_EQ(state
->source_address_token(), other
->source_address_token());
188 EXPECT_EQ(state
->certs(), other
->certs());
189 EXPECT_EQ(1u, other
->generation_counter());
192 TEST(QuicCryptoClientConfigTest
, Canonical
) {
193 QuicCryptoClientConfig config
;
194 config
.AddCanonicalSuffix(".google.com");
195 QuicServerId
canonical_id1("www.google.com", 80, false,
196 PRIVACY_MODE_DISABLED
);
197 QuicServerId
canonical_id2("mail.google.com", 80, false,
198 PRIVACY_MODE_DISABLED
);
199 QuicCryptoClientConfig::CachedState
* state
=
200 config
.LookupOrCreate(canonical_id1
);
201 // TODO(rch): Populate other fields of |state|.
202 state
->set_source_address_token("TOKEN");
203 state
->SetProofValid();
205 QuicCryptoClientConfig::CachedState
* other
=
206 config
.LookupOrCreate(canonical_id2
);
208 EXPECT_TRUE(state
->IsEmpty());
209 EXPECT_EQ(state
->server_config(), other
->server_config());
210 EXPECT_EQ(state
->source_address_token(), other
->source_address_token());
211 EXPECT_EQ(state
->certs(), other
->certs());
212 EXPECT_EQ(1u, other
->generation_counter());
214 QuicServerId
different_id("mail.google.org", 80, false,
215 PRIVACY_MODE_DISABLED
);
216 EXPECT_TRUE(config
.LookupOrCreate(different_id
)->IsEmpty());
219 TEST(QuicCryptoClientConfigTest
, CanonicalNotUsedIfNotValid
) {
220 QuicCryptoClientConfig config
;
221 config
.AddCanonicalSuffix(".google.com");
222 QuicServerId
canonical_id1("www.google.com", 80, false,
223 PRIVACY_MODE_DISABLED
);
224 QuicServerId
canonical_id2("mail.google.com", 80, false,
225 PRIVACY_MODE_DISABLED
);
226 QuicCryptoClientConfig::CachedState
* state
=
227 config
.LookupOrCreate(canonical_id1
);
228 // TODO(rch): Populate other fields of |state|.
229 state
->set_source_address_token("TOKEN");
231 // Do not set the proof as valid, and check that it is not used
232 // as a canonical entry.
233 EXPECT_TRUE(config
.LookupOrCreate(canonical_id2
)->IsEmpty());
236 TEST(QuicCryptoClientConfigTest
, ClearCachedStates
) {
237 QuicCryptoClientConfig config
;
238 QuicServerId
server_id("www.google.com", 80, false, PRIVACY_MODE_DISABLED
);
239 QuicCryptoClientConfig::CachedState
* state
= config
.LookupOrCreate(server_id
);
240 // TODO(rch): Populate other fields of |state|.
241 vector
<string
> certs(1);
242 certs
[0] = "Hello Cert";
243 state
->SetProof(certs
, "signature");
244 state
->set_source_address_token("TOKEN");
245 state
->SetProofValid();
246 EXPECT_EQ(1u, state
->generation_counter());
248 // Verify LookupOrCreate returns the same data.
249 QuicCryptoClientConfig::CachedState
* other
= config
.LookupOrCreate(server_id
);
251 EXPECT_EQ(state
, other
);
252 EXPECT_EQ(1u, other
->generation_counter());
254 // Clear the cached states.
255 config
.ClearCachedStates();
257 // Verify LookupOrCreate doesn't have any data.
258 QuicCryptoClientConfig::CachedState
* cleared_cache
=
259 config
.LookupOrCreate(server_id
);
261 EXPECT_EQ(state
, cleared_cache
);
262 EXPECT_FALSE(cleared_cache
->proof_valid());
263 EXPECT_TRUE(cleared_cache
->server_config().empty());
264 EXPECT_TRUE(cleared_cache
->certs().empty());
265 EXPECT_TRUE(cleared_cache
->signature().empty());
266 EXPECT_EQ(2u, cleared_cache
->generation_counter());