We started redesigning GpuMemoryBuffer interface to handle multiple buffers [0].
[chromium-blink-merge.git] / net / quic / crypto / quic_crypto_server_config_test.cc
blob248d35cd815a45df3114b673f96f6d36fe738825
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/crypto/quic_crypto_server_config.h"
7 #include <stdarg.h>
9 #include "base/stl_util.h"
10 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
11 #include "net/quic/crypto/crypto_handshake_message.h"
12 #include "net/quic/crypto/crypto_secret_boxer.h"
13 #include "net/quic/crypto/crypto_server_config_protobuf.h"
14 #include "net/quic/crypto/quic_random.h"
15 #include "net/quic/crypto/strike_register_client.h"
16 #include "net/quic/quic_flags.h"
17 #include "net/quic/quic_time.h"
18 #include "net/quic/test_tools/mock_clock.h"
19 #include "net/quic/test_tools/quic_test_utils.h"
20 #include "testing/gmock/include/gmock/gmock.h"
21 #include "testing/gtest/include/gtest/gtest.h"
23 using base::StringPiece;
24 using std::map;
25 using std::pair;
26 using std::string;
27 using std::vector;
29 namespace net {
30 namespace test {
32 class QuicCryptoServerConfigPeer {
33 public:
34 explicit QuicCryptoServerConfigPeer(QuicCryptoServerConfig* server_config)
35 : server_config_(server_config) {}
37 scoped_refptr<QuicCryptoServerConfig::Config> GetConfig(string config_id) {
38 base::AutoLock locked(server_config_->configs_lock_);
39 if (config_id == "<primary>") {
40 return scoped_refptr<QuicCryptoServerConfig::Config>(
41 server_config_->primary_config_);
42 } else {
43 return server_config_->GetConfigWithScid(config_id);
47 bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id) {
48 scoped_refptr<QuicCryptoServerConfig::Config> config = GetConfig(config_id);
49 return config->source_address_token_boxer ==
50 &(server_config_->default_source_address_token_boxer_);
53 string NewSourceAddressToken(string config_id,
54 SourceAddressTokens previous_tokens,
55 const IPAddressNumber& ip,
56 QuicRandom* rand,
57 QuicWallTime now,
58 CachedNetworkParameters* cached_network_params) {
59 return server_config_->NewSourceAddressToken(*GetConfig(config_id),
60 previous_tokens, ip, rand, now,
61 cached_network_params);
64 HandshakeFailureReason ValidateSourceAddressToken(string config_id,
65 StringPiece srct,
66 const IPAddressNumber& ip,
67 QuicWallTime now) {
68 return ValidateSourceAddressToken(config_id, srct, ip, now, NULL);
71 HandshakeFailureReason ValidateSourceAddressToken(
72 string config_id,
73 StringPiece srct,
74 const IPAddressNumber& ip,
75 QuicWallTime now,
76 CachedNetworkParameters* cached_network_params) {
77 return server_config_->ValidateSourceAddressToken(
78 *GetConfig(config_id), srct, ip, now, cached_network_params);
81 HandshakeFailureReason ValidateSourceAddressTokens(string config_id,
82 StringPiece srct,
83 const IPAddressNumber ip,
84 QuicWallTime now) {
85 return ValidateSourceAddressTokens(config_id, srct, ip, now, NULL);
88 HandshakeFailureReason ValidateSourceAddressTokens(
89 string config_id,
90 StringPiece srct,
91 const IPAddressNumber& ip,
92 QuicWallTime now,
93 CachedNetworkParameters* cached_network_params) {
94 SourceAddressTokens tokens;
95 HandshakeFailureReason reason = server_config_->ParseSourceAddressToken(
96 *GetConfig(config_id), srct, &tokens);
97 if (reason != HANDSHAKE_OK) {
98 return reason;
101 return server_config_->ValidateSourceAddressTokens(tokens, ip, now,
102 cached_network_params);
105 string NewServerNonce(QuicRandom* rand, QuicWallTime now) const {
106 return server_config_->NewServerNonce(rand, now);
109 HandshakeFailureReason ValidateServerNonce(StringPiece token,
110 QuicWallTime now) {
111 return server_config_->ValidateServerNonce(token, now);
114 base::Lock* GetStrikeRegisterClientLock() {
115 return &server_config_->strike_register_client_lock_;
118 // CheckConfigs compares the state of the Configs in |server_config_| to the
119 // description given as arguments. The arguments are given as
120 // nullptr-terminated pairs. The first of each pair is the server config ID of
121 // a Config. The second is a boolean describing whether the config is the
122 // primary. For example:
123 // CheckConfigs(nullptr); // checks that no Configs are loaded.
125 // // Checks that exactly three Configs are loaded with the given IDs and
126 // // status.
127 // CheckConfigs(
128 // "id1", false,
129 // "id2", true,
130 // "id3", false,
131 // nullptr);
132 void CheckConfigs(const char* server_config_id1, ...) {
133 va_list ap;
134 va_start(ap, server_config_id1);
136 vector<pair<ServerConfigID, bool> > expected;
137 bool first = true;
138 for (;;) {
139 const char* server_config_id;
140 if (first) {
141 server_config_id = server_config_id1;
142 first = false;
143 } else {
144 server_config_id = va_arg(ap, const char*);
147 if (!server_config_id) {
148 break;
151 // varargs will promote the value to an int so we have to read that from
152 // the stack and cast down.
153 const bool is_primary = static_cast<bool>(va_arg(ap, int));
154 expected.push_back(std::make_pair(server_config_id, is_primary));
157 va_end(ap);
159 base::AutoLock locked(server_config_->configs_lock_);
161 ASSERT_EQ(expected.size(), server_config_->configs_.size())
162 << ConfigsDebug();
164 for (QuicCryptoServerConfig::ConfigMap::const_iterator
165 i = server_config_->configs_.begin();
166 i != server_config_->configs_.end(); ++i) {
167 bool found = false;
168 for (vector<pair<ServerConfigID, bool> >::iterator j = expected.begin();
169 j != expected.end(); ++j) {
170 if (i->first == j->first && i->second->is_primary == j->second) {
171 found = true;
172 j->first.clear();
173 break;
177 ASSERT_TRUE(found) << "Failed to find match for " << i->first
178 << " in configs:\n" << ConfigsDebug();
182 // ConfigsDebug returns a string that contains debugging information about
183 // the set of Configs loaded in |server_config_| and their status.
184 // ConfigsDebug() should be called after acquiring
185 // server_config_->configs_lock_.
186 string ConfigsDebug() {
187 if (server_config_->configs_.empty()) {
188 return "No Configs in QuicCryptoServerConfig";
191 string s;
193 for (QuicCryptoServerConfig::ConfigMap::const_iterator
194 i = server_config_->configs_.begin();
195 i != server_config_->configs_.end(); ++i) {
196 const scoped_refptr<QuicCryptoServerConfig::Config> config = i->second;
197 if (config->is_primary) {
198 s += "(primary) ";
199 } else {
200 s += " ";
202 s += config->id;
203 s += "\n";
206 return s;
209 void SelectNewPrimaryConfig(int seconds) {
210 base::AutoLock locked(server_config_->configs_lock_);
211 server_config_->SelectNewPrimaryConfig(
212 QuicWallTime::FromUNIXSeconds(seconds));
215 private:
216 const QuicCryptoServerConfig* server_config_;
219 class TestStrikeRegisterClient : public StrikeRegisterClient {
220 public:
221 explicit TestStrikeRegisterClient(QuicCryptoServerConfig* config)
222 : config_(config),
223 is_known_orbit_called_(false) {
226 bool IsKnownOrbit(StringPiece orbit) const override {
227 // Ensure that the strike register client lock is not held.
228 QuicCryptoServerConfigPeer peer(config_);
229 base::Lock* m = peer.GetStrikeRegisterClientLock();
230 // In Chromium, we will dead lock if the lock is held by the current thread.
231 // Chromium doesn't have AssertNotHeld API call.
232 // m->AssertNotHeld();
233 base::AutoLock lock(*m);
235 is_known_orbit_called_ = true;
236 return true;
239 void VerifyNonceIsValidAndUnique(StringPiece nonce,
240 QuicWallTime now,
241 ResultCallback* cb) override {
242 LOG(FATAL) << "Not implemented";
245 bool is_known_orbit_called() { return is_known_orbit_called_; }
247 private:
248 QuicCryptoServerConfig* config_;
249 mutable bool is_known_orbit_called_;
252 TEST(QuicCryptoServerConfigTest, ServerConfig) {
253 QuicRandom* rand = QuicRandom::GetInstance();
254 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
255 MockClock clock;
257 scoped_ptr<CryptoHandshakeMessage>(
258 server.AddDefaultConfig(rand, &clock,
259 QuicCryptoServerConfig::ConfigOptions()));
262 TEST(QuicCryptoServerConfigTest, GetOrbitIsCalledWithoutTheStrikeRegisterLock) {
263 QuicRandom* rand = QuicRandom::GetInstance();
264 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
265 MockClock clock;
267 TestStrikeRegisterClient* strike_register =
268 new TestStrikeRegisterClient(&server);
269 server.SetStrikeRegisterClient(strike_register);
271 QuicCryptoServerConfig::ConfigOptions options;
272 scoped_ptr<CryptoHandshakeMessage>(
273 server.AddDefaultConfig(rand, &clock, options));
274 EXPECT_TRUE(strike_register->is_known_orbit_called());
277 class SourceAddressTokenTest : public ::testing::Test {
278 public:
279 SourceAddressTokenTest()
280 : ip4_(Loopback4()),
281 ip4_dual_(ConvertIPv4NumberToIPv6Number(ip4_)),
282 ip6_(Loopback6()),
283 original_time_(QuicWallTime::Zero()),
284 rand_(QuicRandom::GetInstance()),
285 server_(QuicCryptoServerConfig::TESTING, rand_),
286 peer_(&server_) {
287 // Advance the clock to some non-zero time.
288 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
289 original_time_ = clock_.WallNow();
291 primary_config_.reset(server_.AddDefaultConfig(
292 rand_, &clock_, QuicCryptoServerConfig::ConfigOptions()));
294 // Add a config that overrides the default boxer.
295 QuicCryptoServerConfig::ConfigOptions options;
296 options.id = kOverride;
297 override_config_protobuf_.reset(
298 QuicCryptoServerConfig::GenerateConfig(rand_, &clock_, options));
299 override_config_protobuf_->set_source_address_token_secret_override(
300 "a secret key");
301 // Lower priority than the default config.
302 override_config_protobuf_->set_priority(1);
303 override_config_.reset(
304 server_.AddConfig(override_config_protobuf_.get(), original_time_));
307 string NewSourceAddressToken(string config_id, const IPAddressNumber& ip) {
308 return NewSourceAddressToken(config_id, ip, NULL);
311 string NewSourceAddressToken(string config_id,
312 const IPAddressNumber& ip,
313 const SourceAddressTokens& previous_tokens) {
314 return peer_.NewSourceAddressToken(config_id, previous_tokens, ip, rand_,
315 clock_.WallNow(), NULL);
318 string NewSourceAddressToken(string config_id,
319 const IPAddressNumber& ip,
320 CachedNetworkParameters* cached_network_params) {
321 SourceAddressTokens previous_tokens;
322 return peer_.NewSourceAddressToken(config_id, previous_tokens, ip, rand_,
323 clock_.WallNow(), cached_network_params);
326 HandshakeFailureReason ValidateSourceAddressToken(string config_id,
327 StringPiece srct,
328 const IPAddressNumber& ip) {
329 return ValidateSourceAddressToken(config_id, srct, ip, NULL);
332 HandshakeFailureReason ValidateSourceAddressToken(
333 string config_id,
334 StringPiece srct,
335 const IPAddressNumber& ip,
336 CachedNetworkParameters* cached_network_params) {
337 return peer_.ValidateSourceAddressToken(
338 config_id, srct, ip, clock_.WallNow(), cached_network_params);
341 HandshakeFailureReason ValidateSourceAddressTokens(
342 string config_id,
343 StringPiece srct,
344 const IPAddressNumber& ip) {
345 return ValidateSourceAddressTokens(config_id, srct, ip, NULL);
348 HandshakeFailureReason ValidateSourceAddressTokens(
349 string config_id,
350 StringPiece srct,
351 const IPAddressNumber& ip,
352 CachedNetworkParameters* cached_network_params) {
353 return peer_.ValidateSourceAddressTokens(
354 config_id, srct, ip, clock_.WallNow(), cached_network_params);
357 const string kPrimary = "<primary>";
358 const string kOverride = "Config with custom source address token key";
360 IPAddressNumber ip4_;
361 IPAddressNumber ip4_dual_;
362 IPAddressNumber ip6_;
364 MockClock clock_;
365 QuicWallTime original_time_;
366 QuicRandom* rand_ = QuicRandom::GetInstance();
367 QuicCryptoServerConfig server_;
368 QuicCryptoServerConfigPeer peer_;
369 // Stores the primary config.
370 scoped_ptr<CryptoHandshakeMessage> primary_config_;
371 scoped_ptr<QuicServerConfigProtobuf> override_config_protobuf_;
372 scoped_ptr<CryptoHandshakeMessage> override_config_;
375 TEST_F(SourceAddressTokenTest, SourceAddressToken) {
376 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
377 false);
379 EXPECT_TRUE(peer_.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary));
380 EXPECT_FALSE(peer_.ConfigHasDefaultSourceAddressTokenBoxer(kOverride));
382 // Primary config generates configs that validate successfully.
383 const string token4 = NewSourceAddressToken(kPrimary, ip4_);
384 const string token4d = NewSourceAddressToken(kPrimary, ip4_dual_);
385 const string token6 = NewSourceAddressToken(kPrimary, ip6_);
386 EXPECT_EQ(HANDSHAKE_OK, ValidateSourceAddressToken(kPrimary, token4, ip4_));
387 ASSERT_EQ(HANDSHAKE_OK,
388 ValidateSourceAddressToken(kPrimary, token4, ip4_dual_));
389 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
390 ValidateSourceAddressToken(kPrimary, token4, ip6_));
391 ASSERT_EQ(HANDSHAKE_OK, ValidateSourceAddressToken(kPrimary, token4d, ip4_));
392 ASSERT_EQ(HANDSHAKE_OK,
393 ValidateSourceAddressToken(kPrimary, token4d, ip4_dual_));
394 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
395 ValidateSourceAddressToken(kPrimary, token4d, ip6_));
396 ASSERT_EQ(HANDSHAKE_OK, ValidateSourceAddressToken(kPrimary, token6, ip6_));
398 // Override config generates configs that validate successfully.
399 const string override_token4 = NewSourceAddressToken(kOverride, ip4_);
400 const string override_token6 = NewSourceAddressToken(kOverride, ip6_);
401 ASSERT_EQ(HANDSHAKE_OK,
402 ValidateSourceAddressToken(kOverride, override_token4, ip4_));
403 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
404 ValidateSourceAddressToken(kOverride, override_token4, ip6_));
405 ASSERT_EQ(HANDSHAKE_OK,
406 ValidateSourceAddressToken(kOverride, override_token6, ip6_));
408 // Tokens generated by the primary config do not validate
409 // successfully against the override config, and vice versa.
410 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
411 ValidateSourceAddressToken(kOverride, token4, ip4_));
412 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
413 ValidateSourceAddressToken(kOverride, token6, ip6_));
414 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
415 ValidateSourceAddressToken(kPrimary, override_token4, ip4_));
416 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
417 ValidateSourceAddressToken(kPrimary, override_token6, ip6_));
420 TEST_F(SourceAddressTokenTest, SourceAddressTokenExpiration) {
421 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
422 false);
424 const string token = NewSourceAddressToken(kPrimary, ip4_);
426 // Validation fails if the token is from the future.
427 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(-3600 * 2));
428 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE,
429 ValidateSourceAddressToken(kPrimary, token, ip4_));
431 // Validation fails after tokens expire.
432 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(86400 * 7));
433 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE,
434 ValidateSourceAddressToken(kPrimary, token, ip4_));
437 TEST_F(SourceAddressTokenTest, SourceAddressTokenWithNetworkParams) {
438 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
439 false);
441 // Make sure that if the source address token contains CachedNetworkParameters
442 // that this gets written to ValidateSourceAddressToken output argument.
443 CachedNetworkParameters cached_network_params_input;
444 cached_network_params_input.set_bandwidth_estimate_bytes_per_second(1234);
445 const string token4_with_cached_network_params =
446 NewSourceAddressToken(kPrimary, ip4_, &cached_network_params_input);
448 CachedNetworkParameters cached_network_params_output;
449 #if 0
450 // TODO(rtenneti): For server, enable the following check after serialization
451 // of optional CachedNetworkParameters is implemented.
452 EXPECT_NE(cached_network_params_output.DebugString(),
453 cached_network_params_input.DebugString());
454 #endif
455 ValidateSourceAddressToken(kPrimary, token4_with_cached_network_params, ip4_,
456 &cached_network_params_output);
457 #if 0
458 // TODO(rtenneti): For server, enable the following check after serialization
459 // of optional CachedNetworkParameters is implemented.
460 EXPECT_EQ(cached_network_params_output.DebugString(),
461 cached_network_params_input.DebugString());
462 #endif
465 // Test basic behavior of source address tokens including being specific
466 // to a single IP address and server config.
468 // TODO(rtenneti): For server, enable the following test after serialization of
469 // SourceAddressTokens is implemented.
470 TEST_F(SourceAddressTokenTest, DISABLED_NewSourceAddressToken) {
471 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
472 true);
474 // Primary config generates configs that validate successfully.
475 const string token4 = NewSourceAddressToken(kPrimary, ip4_);
476 const string token4d = NewSourceAddressToken(kPrimary, ip4_dual_);
477 const string token6 = NewSourceAddressToken(kPrimary, ip6_);
478 EXPECT_EQ(HANDSHAKE_OK, ValidateSourceAddressTokens(kPrimary, token4, ip4_));
479 ASSERT_EQ(HANDSHAKE_OK,
480 ValidateSourceAddressTokens(kPrimary, token4, ip4_dual_));
481 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
482 ValidateSourceAddressTokens(kPrimary, token4, ip6_));
483 ASSERT_EQ(HANDSHAKE_OK, ValidateSourceAddressTokens(kPrimary, token4d, ip4_));
484 ASSERT_EQ(HANDSHAKE_OK,
485 ValidateSourceAddressTokens(kPrimary, token4d, ip4_dual_));
486 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
487 ValidateSourceAddressTokens(kPrimary, token4d, ip6_));
488 ASSERT_EQ(HANDSHAKE_OK, ValidateSourceAddressTokens(kPrimary, token6, ip6_));
490 // Override config generates configs that validate successfully.
491 const string override_token4 = NewSourceAddressToken(kOverride, ip4_);
492 const string override_token6 = NewSourceAddressToken(kOverride, ip6_);
493 ASSERT_EQ(HANDSHAKE_OK,
494 ValidateSourceAddressTokens(kOverride, override_token4, ip4_));
495 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
496 ValidateSourceAddressTokens(kOverride, override_token4, ip6_));
497 ASSERT_EQ(HANDSHAKE_OK,
498 ValidateSourceAddressTokens(kOverride, override_token6, ip6_));
500 // Tokens generated by the primary config do not validate
501 // successfully against the override config, and vice versa.
502 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
503 ValidateSourceAddressTokens(kOverride, token4, ip4_));
504 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
505 ValidateSourceAddressTokens(kOverride, token6, ip6_));
506 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
507 ValidateSourceAddressTokens(kPrimary, override_token4, ip4_));
508 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
509 ValidateSourceAddressTokens(kPrimary, override_token6, ip6_));
512 // TODO(rtenneti): For server, enable the following test after serialization of
513 // SourceAddressTokens is implemented.
514 TEST_F(SourceAddressTokenTest, DISABLED_NewSourceAddressTokenExpiration) {
515 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
516 true);
518 const string token = NewSourceAddressToken(kPrimary, ip4_);
520 // Validation fails if the token is from the future.
521 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(-3600 * 2));
522 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE,
523 ValidateSourceAddressTokens(kPrimary, token, ip4_));
525 // Validation fails after tokens expire.
526 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(86400 * 7));
527 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE,
528 ValidateSourceAddressTokens(kPrimary, token, ip4_));
531 TEST_F(SourceAddressTokenTest, NewSourceAddressTokenWithNetworkParams) {
532 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
533 true);
535 // Make sure that if the source address token contains CachedNetworkParameters
536 // that this gets written to ValidateSourceAddressToken output argument.
537 CachedNetworkParameters cached_network_params_input;
538 cached_network_params_input.set_bandwidth_estimate_bytes_per_second(1234);
539 const string token4_with_cached_network_params =
540 NewSourceAddressToken(kPrimary, ip4_, &cached_network_params_input);
542 CachedNetworkParameters cached_network_params_output;
543 #if 0
544 // TODO(rtenneti): For server, enable the following check after serialization
545 // of optional CachedNetworkParameters is implemented.
546 EXPECT_NE(cached_network_params_output.DebugString(),
547 cached_network_params_input.DebugString());
548 #endif
549 ValidateSourceAddressTokens(kPrimary, token4_with_cached_network_params, ip4_,
550 &cached_network_params_output);
551 #if 0
552 // TODO(rtenneti): For server, enable the following check after serialization
553 // of optional CachedNetworkParameters is implemented.
554 EXPECT_EQ(cached_network_params_output.DebugString(),
555 cached_network_params_input.DebugString());
556 #endif
559 // Test the ability for a source address token to be valid for multiple
560 // addresses.
562 // TODO(rtenneti): For server, enable the following test after serialization of
563 // SourceAddressTokens is implemented.
564 TEST_F(SourceAddressTokenTest, DISABLED_SourceAddressTokenMultipleAddresses) {
565 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens,
566 true);
568 QuicWallTime now = clock_.WallNow();
570 // Now create a token which is usable for both addresses.
571 SourceAddressToken previous_token;
572 IPAddressNumber ip_address = ip6_;
573 if (ip6_.size() == kIPv4AddressSize) {
574 ip_address = ConvertIPv4NumberToIPv6Number(ip_address);
576 previous_token.set_ip(IPAddressToPackedString(ip_address));
577 previous_token.set_timestamp(now.ToUNIXSeconds());
578 SourceAddressTokens previous_tokens;
579 (*previous_tokens.add_tokens()) = previous_token;
580 const string token4or6 =
581 NewSourceAddressToken(kPrimary, ip4_, previous_tokens);
583 EXPECT_EQ(HANDSHAKE_OK,
584 ValidateSourceAddressTokens(kPrimary, token4or6, ip4_));
585 ASSERT_EQ(HANDSHAKE_OK,
586 ValidateSourceAddressTokens(kPrimary, token4or6, ip6_));
589 TEST(QuicCryptoServerConfigTest, ValidateServerNonce) {
590 QuicRandom* rand = QuicRandom::GetInstance();
591 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
592 QuicCryptoServerConfigPeer peer(&server);
594 StringPiece message("hello world");
595 const size_t key_size = CryptoSecretBoxer::GetKeySize();
596 scoped_ptr<uint8[]> key(new uint8[key_size]);
597 memset(key.get(), 0x11, key_size);
599 CryptoSecretBoxer boxer;
600 boxer.SetKey(StringPiece(reinterpret_cast<char*>(key.get()), key_size));
601 const string box = boxer.Box(rand, message);
602 MockClock clock;
603 QuicWallTime now = clock.WallNow();
604 const QuicWallTime original_time = now;
605 EXPECT_EQ(SERVER_NONCE_DECRYPTION_FAILURE,
606 peer.ValidateServerNonce(box, now));
608 string server_nonce = peer.NewServerNonce(rand, now);
609 EXPECT_EQ(HANDSHAKE_OK, peer.ValidateServerNonce(server_nonce, now));
610 EXPECT_EQ(SERVER_NONCE_NOT_UNIQUE_FAILURE,
611 peer.ValidateServerNonce(server_nonce, now));
613 now = original_time.Add(QuicTime::Delta::FromSeconds(1000 * 7));
614 server_nonce = peer.NewServerNonce(rand, now);
615 EXPECT_EQ(HANDSHAKE_OK, peer.ValidateServerNonce(server_nonce, now));
618 class CryptoServerConfigsTest : public ::testing::Test {
619 public:
620 CryptoServerConfigsTest()
621 : rand_(QuicRandom::GetInstance()),
622 config_(QuicCryptoServerConfig::TESTING, rand_),
623 test_peer_(&config_) {}
625 void SetUp() override {
626 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1000));
629 // SetConfigs constructs suitable config protobufs and calls SetConfigs on
630 // |config_|. The arguments are given as nullptr-terminated pairs. The first
631 // of each pair is the server config ID of a Config. The second is the
632 // |primary_time| of that Config, given in epoch seconds. (Although note that,
633 // in these tests, time is set to 1000 seconds since the epoch.) For example:
634 // SetConfigs(nullptr); // calls |config_.SetConfigs| with no protobufs.
636 // // Calls |config_.SetConfigs| with two protobufs: one for a Config with
637 // // a |primary_time| of 900 and priority 1, and another with
638 // // a |primary_time| of 1000 and priority 2.
640 // CheckConfigs(
641 // "id1", 900, 1,
642 // "id2", 1000, 2,
643 // nullptr);
645 // If the server config id starts with "INVALID" then the generated protobuf
646 // will be invalid.
647 void SetConfigs(const char* server_config_id1, ...) {
648 const char kOrbit[] = "12345678";
650 va_list ap;
651 va_start(ap, server_config_id1);
652 bool has_invalid = false;
653 bool is_empty = true;
655 vector<QuicServerConfigProtobuf*> protobufs;
656 bool first = true;
657 for (;;) {
658 const char* server_config_id;
659 if (first) {
660 server_config_id = server_config_id1;
661 first = false;
662 } else {
663 server_config_id = va_arg(ap, const char*);
666 if (!server_config_id) {
667 break;
670 is_empty = false;
671 int primary_time = va_arg(ap, int);
672 int priority = va_arg(ap, int);
674 QuicCryptoServerConfig::ConfigOptions options;
675 options.id = server_config_id;
676 options.orbit = kOrbit;
677 QuicServerConfigProtobuf* protobuf(
678 QuicCryptoServerConfig::GenerateConfig(rand_, &clock_, options));
679 protobuf->set_primary_time(primary_time);
680 protobuf->set_priority(priority);
681 if (string(server_config_id).find("INVALID") == 0) {
682 protobuf->clear_key();
683 has_invalid = true;
685 protobufs.push_back(protobuf);
688 ASSERT_EQ(!has_invalid && !is_empty,
689 config_.SetConfigs(protobufs, clock_.WallNow()));
690 STLDeleteElements(&protobufs);
693 protected:
694 QuicRandom* const rand_;
695 MockClock clock_;
696 QuicCryptoServerConfig config_;
697 QuicCryptoServerConfigPeer test_peer_;
700 TEST_F(CryptoServerConfigsTest, NoConfigs) {
701 test_peer_.CheckConfigs(nullptr);
704 TEST_F(CryptoServerConfigsTest, MakePrimaryFirst) {
705 // Make sure that "b" is primary even though "a" comes first.
706 SetConfigs("a", 1100, 1,
707 "b", 900, 1,
708 nullptr);
709 test_peer_.CheckConfigs(
710 "a", false,
711 "b", true,
712 nullptr);
715 TEST_F(CryptoServerConfigsTest, MakePrimarySecond) {
716 // Make sure that a remains primary after b is added.
717 SetConfigs("a", 900, 1,
718 "b", 1100, 1,
719 nullptr);
720 test_peer_.CheckConfigs(
721 "a", true,
722 "b", false,
723 nullptr);
726 TEST_F(CryptoServerConfigsTest, Delete) {
727 // Ensure that configs get deleted when removed.
728 SetConfigs("a", 800, 1,
729 "b", 900, 1,
730 "c", 1100, 1,
731 nullptr);
732 test_peer_.CheckConfigs(
733 "a", false,
734 "b", true,
735 "c", false,
736 nullptr);
737 SetConfigs("b", 900, 1,
738 "c", 1100, 1,
739 nullptr);
740 test_peer_.CheckConfigs(
741 "b", true,
742 "c", false,
743 nullptr);
746 TEST_F(CryptoServerConfigsTest, DeletePrimary) {
747 // Ensure that deleting the primary config works.
748 SetConfigs("a", 800, 1,
749 "b", 900, 1,
750 "c", 1100, 1,
751 nullptr);
752 test_peer_.CheckConfigs(
753 "a", false,
754 "b", true,
755 "c", false,
756 nullptr);
757 SetConfigs("a", 800, 1,
758 "c", 1100, 1,
759 nullptr);
760 test_peer_.CheckConfigs(
761 "a", true,
762 "c", false,
763 nullptr);
766 TEST_F(CryptoServerConfigsTest, FailIfDeletingAllConfigs) {
767 // Ensure that configs get deleted when removed.
768 SetConfigs("a", 800, 1,
769 "b", 900, 1,
770 nullptr);
771 test_peer_.CheckConfigs(
772 "a", false,
773 "b", true,
774 nullptr);
775 SetConfigs(nullptr);
776 // Config change is rejected, still using old configs.
777 test_peer_.CheckConfigs(
778 "a", false,
779 "b", true,
780 nullptr);
783 TEST_F(CryptoServerConfigsTest, ChangePrimaryTime) {
784 // Check that updates to primary time get picked up.
785 SetConfigs("a", 400, 1,
786 "b", 800, 1,
787 "c", 1200, 1,
788 nullptr);
789 test_peer_.SelectNewPrimaryConfig(500);
790 test_peer_.CheckConfigs(
791 "a", true,
792 "b", false,
793 "c", false,
794 nullptr);
795 SetConfigs("a", 1200, 1,
796 "b", 800, 1,
797 "c", 400, 1,
798 nullptr);
799 test_peer_.SelectNewPrimaryConfig(500);
800 test_peer_.CheckConfigs(
801 "a", false,
802 "b", false,
803 "c", true,
804 nullptr);
807 TEST_F(CryptoServerConfigsTest, AllConfigsInThePast) {
808 // Check that the most recent config is selected.
809 SetConfigs("a", 400, 1,
810 "b", 800, 1,
811 "c", 1200, 1,
812 nullptr);
813 test_peer_.SelectNewPrimaryConfig(1500);
814 test_peer_.CheckConfigs(
815 "a", false,
816 "b", false,
817 "c", true,
818 nullptr);
821 TEST_F(CryptoServerConfigsTest, AllConfigsInTheFuture) {
822 // Check that the first config is selected.
823 SetConfigs("a", 400, 1,
824 "b", 800, 1,
825 "c", 1200, 1,
826 nullptr);
827 test_peer_.SelectNewPrimaryConfig(100);
828 test_peer_.CheckConfigs(
829 "a", true,
830 "b", false,
831 "c", false,
832 nullptr);
835 TEST_F(CryptoServerConfigsTest, SortByPriority) {
836 // Check that priority is used to decide on a primary config when
837 // configs have the same primary time.
838 SetConfigs("a", 900, 1,
839 "b", 900, 2,
840 "c", 900, 3,
841 nullptr);
842 test_peer_.CheckConfigs(
843 "a", true,
844 "b", false,
845 "c", false,
846 nullptr);
847 test_peer_.SelectNewPrimaryConfig(800);
848 test_peer_.CheckConfigs(
849 "a", true,
850 "b", false,
851 "c", false,
852 nullptr);
853 test_peer_.SelectNewPrimaryConfig(1000);
854 test_peer_.CheckConfigs(
855 "a", true,
856 "b", false,
857 "c", false,
858 nullptr);
860 // Change priorities and expect sort order to change.
861 SetConfigs("a", 900, 2,
862 "b", 900, 1,
863 "c", 900, 0,
864 nullptr);
865 test_peer_.CheckConfigs(
866 "a", false,
867 "b", false,
868 "c", true,
869 nullptr);
870 test_peer_.SelectNewPrimaryConfig(800);
871 test_peer_.CheckConfigs(
872 "a", false,
873 "b", false,
874 "c", true,
875 nullptr);
876 test_peer_.SelectNewPrimaryConfig(1000);
877 test_peer_.CheckConfigs(
878 "a", false,
879 "b", false,
880 "c", true,
881 nullptr);
884 TEST_F(CryptoServerConfigsTest, AdvancePrimary) {
885 // Check that a new primary config is enabled at the right time.
886 SetConfigs("a", 900, 1,
887 "b", 1100, 1,
888 nullptr);
889 test_peer_.SelectNewPrimaryConfig(1000);
890 test_peer_.CheckConfigs(
891 "a", true,
892 "b", false,
893 nullptr);
894 test_peer_.SelectNewPrimaryConfig(1101);
895 test_peer_.CheckConfigs(
896 "a", false,
897 "b", true,
898 nullptr);
901 TEST_F(CryptoServerConfigsTest, InvalidConfigs) {
902 // Ensure that invalid configs don't change anything.
903 SetConfigs("a", 800, 1,
904 "b", 900, 1,
905 "c", 1100, 1,
906 nullptr);
907 test_peer_.CheckConfigs(
908 "a", false,
909 "b", true,
910 "c", false,
911 nullptr);
912 SetConfigs("a", 800, 1,
913 "c", 1100, 1,
914 "INVALID1", 1000, 1,
915 nullptr);
916 test_peer_.CheckConfigs(
917 "a", false,
918 "b", true,
919 "c", false,
920 nullptr);
923 } // namespace test
924 } // namespace net