1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/quic/crypto/quic_crypto_server_config.h"
9 #include "base/stl_util.h"
10 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
11 #include "net/quic/crypto/crypto_handshake_message.h"
12 #include "net/quic/crypto/crypto_secret_boxer.h"
13 #include "net/quic/crypto/crypto_server_config_protobuf.h"
14 #include "net/quic/crypto/quic_random.h"
15 #include "net/quic/crypto/strike_register_client.h"
16 #include "net/quic/quic_flags.h"
17 #include "net/quic/quic_time.h"
18 #include "net/quic/test_tools/mock_clock.h"
19 #include "net/quic/test_tools/quic_test_utils.h"
20 #include "testing/gmock/include/gmock/gmock.h"
21 #include "testing/gtest/include/gtest/gtest.h"
23 using base::StringPiece
;
32 class QuicCryptoServerConfigPeer
{
34 explicit QuicCryptoServerConfigPeer(QuicCryptoServerConfig
* server_config
)
35 : server_config_(server_config
) {}
37 scoped_refptr
<QuicCryptoServerConfig::Config
> GetConfig(string config_id
) {
38 base::AutoLock
locked(server_config_
->configs_lock_
);
39 if (config_id
== "<primary>") {
40 return scoped_refptr
<QuicCryptoServerConfig::Config
>(
41 server_config_
->primary_config_
);
43 return server_config_
->GetConfigWithScid(config_id
);
47 bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id
) {
48 scoped_refptr
<QuicCryptoServerConfig::Config
> config
= GetConfig(config_id
);
49 return config
->source_address_token_boxer
==
50 &(server_config_
->default_source_address_token_boxer_
);
53 string
NewSourceAddressToken(string config_id
,
54 SourceAddressTokens previous_tokens
,
55 const IPAddressNumber
& ip
,
58 CachedNetworkParameters
* cached_network_params
) {
59 return server_config_
->NewSourceAddressToken(*GetConfig(config_id
),
60 previous_tokens
, ip
, rand
, now
,
61 cached_network_params
);
64 HandshakeFailureReason
ValidateSourceAddressToken(string config_id
,
66 const IPAddressNumber
& ip
,
68 return ValidateSourceAddressToken(config_id
, srct
, ip
, now
, NULL
);
71 HandshakeFailureReason
ValidateSourceAddressToken(
74 const IPAddressNumber
& ip
,
76 CachedNetworkParameters
* cached_network_params
) {
77 return server_config_
->ValidateSourceAddressToken(
78 *GetConfig(config_id
), srct
, ip
, now
, cached_network_params
);
81 HandshakeFailureReason
ValidateSourceAddressTokens(string config_id
,
83 const IPAddressNumber ip
,
85 return ValidateSourceAddressTokens(config_id
, srct
, ip
, now
, NULL
);
88 HandshakeFailureReason
ValidateSourceAddressTokens(
91 const IPAddressNumber
& ip
,
93 CachedNetworkParameters
* cached_network_params
) {
94 SourceAddressTokens tokens
;
95 HandshakeFailureReason reason
= server_config_
->ParseSourceAddressToken(
96 *GetConfig(config_id
), srct
, &tokens
);
97 if (reason
!= HANDSHAKE_OK
) {
101 return server_config_
->ValidateSourceAddressTokens(tokens
, ip
, now
,
102 cached_network_params
);
105 string
NewServerNonce(QuicRandom
* rand
, QuicWallTime now
) const {
106 return server_config_
->NewServerNonce(rand
, now
);
109 HandshakeFailureReason
ValidateServerNonce(StringPiece token
,
111 return server_config_
->ValidateServerNonce(token
, now
);
114 base::Lock
* GetStrikeRegisterClientLock() {
115 return &server_config_
->strike_register_client_lock_
;
118 // CheckConfigs compares the state of the Configs in |server_config_| to the
119 // description given as arguments. The arguments are given as
120 // nullptr-terminated pairs. The first of each pair is the server config ID of
121 // a Config. The second is a boolean describing whether the config is the
122 // primary. For example:
123 // CheckConfigs(nullptr); // checks that no Configs are loaded.
125 // // Checks that exactly three Configs are loaded with the given IDs and
132 void CheckConfigs(const char* server_config_id1
, ...) {
134 va_start(ap
, server_config_id1
);
136 vector
<pair
<ServerConfigID
, bool> > expected
;
139 const char* server_config_id
;
141 server_config_id
= server_config_id1
;
144 server_config_id
= va_arg(ap
, const char*);
147 if (!server_config_id
) {
151 // varargs will promote the value to an int so we have to read that from
152 // the stack and cast down.
153 const bool is_primary
= static_cast<bool>(va_arg(ap
, int));
154 expected
.push_back(std::make_pair(server_config_id
, is_primary
));
159 base::AutoLock
locked(server_config_
->configs_lock_
);
161 ASSERT_EQ(expected
.size(), server_config_
->configs_
.size())
164 for (QuicCryptoServerConfig::ConfigMap::const_iterator
165 i
= server_config_
->configs_
.begin();
166 i
!= server_config_
->configs_
.end(); ++i
) {
168 for (vector
<pair
<ServerConfigID
, bool> >::iterator j
= expected
.begin();
169 j
!= expected
.end(); ++j
) {
170 if (i
->first
== j
->first
&& i
->second
->is_primary
== j
->second
) {
177 ASSERT_TRUE(found
) << "Failed to find match for " << i
->first
178 << " in configs:\n" << ConfigsDebug();
182 // ConfigsDebug returns a string that contains debugging information about
183 // the set of Configs loaded in |server_config_| and their status.
184 // ConfigsDebug() should be called after acquiring
185 // server_config_->configs_lock_.
186 string
ConfigsDebug() {
187 if (server_config_
->configs_
.empty()) {
188 return "No Configs in QuicCryptoServerConfig";
193 for (QuicCryptoServerConfig::ConfigMap::const_iterator
194 i
= server_config_
->configs_
.begin();
195 i
!= server_config_
->configs_
.end(); ++i
) {
196 const scoped_refptr
<QuicCryptoServerConfig::Config
> config
= i
->second
;
197 if (config
->is_primary
) {
209 void SelectNewPrimaryConfig(int seconds
) {
210 base::AutoLock
locked(server_config_
->configs_lock_
);
211 server_config_
->SelectNewPrimaryConfig(
212 QuicWallTime::FromUNIXSeconds(seconds
));
216 const QuicCryptoServerConfig
* server_config_
;
219 class TestStrikeRegisterClient
: public StrikeRegisterClient
{
221 explicit TestStrikeRegisterClient(QuicCryptoServerConfig
* config
)
223 is_known_orbit_called_(false) {
226 bool IsKnownOrbit(StringPiece orbit
) const override
{
227 // Ensure that the strike register client lock is not held.
228 QuicCryptoServerConfigPeer
peer(config_
);
229 base::Lock
* m
= peer
.GetStrikeRegisterClientLock();
230 // In Chromium, we will dead lock if the lock is held by the current thread.
231 // Chromium doesn't have AssertNotHeld API call.
232 // m->AssertNotHeld();
233 base::AutoLock
lock(*m
);
235 is_known_orbit_called_
= true;
239 void VerifyNonceIsValidAndUnique(StringPiece nonce
,
241 ResultCallback
* cb
) override
{
242 LOG(FATAL
) << "Not implemented";
245 bool is_known_orbit_called() { return is_known_orbit_called_
; }
248 QuicCryptoServerConfig
* config_
;
249 mutable bool is_known_orbit_called_
;
252 TEST(QuicCryptoServerConfigTest
, ServerConfig
) {
253 QuicRandom
* rand
= QuicRandom::GetInstance();
254 QuicCryptoServerConfig
server(QuicCryptoServerConfig::TESTING
, rand
);
257 scoped_ptr
<CryptoHandshakeMessage
>(
258 server
.AddDefaultConfig(rand
, &clock
,
259 QuicCryptoServerConfig::ConfigOptions()));
262 TEST(QuicCryptoServerConfigTest
, GetOrbitIsCalledWithoutTheStrikeRegisterLock
) {
263 QuicRandom
* rand
= QuicRandom::GetInstance();
264 QuicCryptoServerConfig
server(QuicCryptoServerConfig::TESTING
, rand
);
267 TestStrikeRegisterClient
* strike_register
=
268 new TestStrikeRegisterClient(&server
);
269 server
.SetStrikeRegisterClient(strike_register
);
271 QuicCryptoServerConfig::ConfigOptions options
;
272 scoped_ptr
<CryptoHandshakeMessage
>(
273 server
.AddDefaultConfig(rand
, &clock
, options
));
274 EXPECT_TRUE(strike_register
->is_known_orbit_called());
277 class SourceAddressTokenTest
: public ::testing::Test
{
279 SourceAddressTokenTest()
281 ip4_dual_(ConvertIPv4NumberToIPv6Number(ip4_
)),
283 original_time_(QuicWallTime::Zero()),
284 rand_(QuicRandom::GetInstance()),
285 server_(QuicCryptoServerConfig::TESTING
, rand_
),
287 // Advance the clock to some non-zero time.
288 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
289 original_time_
= clock_
.WallNow();
291 primary_config_
.reset(server_
.AddDefaultConfig(
292 rand_
, &clock_
, QuicCryptoServerConfig::ConfigOptions()));
294 // Add a config that overrides the default boxer.
295 QuicCryptoServerConfig::ConfigOptions options
;
296 options
.id
= kOverride
;
297 override_config_protobuf_
.reset(
298 QuicCryptoServerConfig::GenerateConfig(rand_
, &clock_
, options
));
299 override_config_protobuf_
->set_source_address_token_secret_override(
301 // Lower priority than the default config.
302 override_config_protobuf_
->set_priority(1);
303 override_config_
.reset(
304 server_
.AddConfig(override_config_protobuf_
.get(), original_time_
));
307 string
NewSourceAddressToken(string config_id
, const IPAddressNumber
& ip
) {
308 return NewSourceAddressToken(config_id
, ip
, NULL
);
311 string
NewSourceAddressToken(string config_id
,
312 const IPAddressNumber
& ip
,
313 const SourceAddressTokens
& previous_tokens
) {
314 return peer_
.NewSourceAddressToken(config_id
, previous_tokens
, ip
, rand_
,
315 clock_
.WallNow(), NULL
);
318 string
NewSourceAddressToken(string config_id
,
319 const IPAddressNumber
& ip
,
320 CachedNetworkParameters
* cached_network_params
) {
321 SourceAddressTokens previous_tokens
;
322 return peer_
.NewSourceAddressToken(config_id
, previous_tokens
, ip
, rand_
,
323 clock_
.WallNow(), cached_network_params
);
326 HandshakeFailureReason
ValidateSourceAddressToken(string config_id
,
328 const IPAddressNumber
& ip
) {
329 return ValidateSourceAddressToken(config_id
, srct
, ip
, NULL
);
332 HandshakeFailureReason
ValidateSourceAddressToken(
335 const IPAddressNumber
& ip
,
336 CachedNetworkParameters
* cached_network_params
) {
337 return peer_
.ValidateSourceAddressToken(
338 config_id
, srct
, ip
, clock_
.WallNow(), cached_network_params
);
341 HandshakeFailureReason
ValidateSourceAddressTokens(
344 const IPAddressNumber
& ip
) {
345 return ValidateSourceAddressTokens(config_id
, srct
, ip
, NULL
);
348 HandshakeFailureReason
ValidateSourceAddressTokens(
351 const IPAddressNumber
& ip
,
352 CachedNetworkParameters
* cached_network_params
) {
353 return peer_
.ValidateSourceAddressTokens(
354 config_id
, srct
, ip
, clock_
.WallNow(), cached_network_params
);
357 const string kPrimary
= "<primary>";
358 const string kOverride
= "Config with custom source address token key";
360 IPAddressNumber ip4_
;
361 IPAddressNumber ip4_dual_
;
362 IPAddressNumber ip6_
;
365 QuicWallTime original_time_
;
366 QuicRandom
* rand_
= QuicRandom::GetInstance();
367 QuicCryptoServerConfig server_
;
368 QuicCryptoServerConfigPeer peer_
;
369 // Stores the primary config.
370 scoped_ptr
<CryptoHandshakeMessage
> primary_config_
;
371 scoped_ptr
<QuicServerConfigProtobuf
> override_config_protobuf_
;
372 scoped_ptr
<CryptoHandshakeMessage
> override_config_
;
375 TEST_F(SourceAddressTokenTest
, SourceAddressToken
) {
376 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
379 EXPECT_TRUE(peer_
.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary
));
380 EXPECT_FALSE(peer_
.ConfigHasDefaultSourceAddressTokenBoxer(kOverride
));
382 // Primary config generates configs that validate successfully.
383 const string token4
= NewSourceAddressToken(kPrimary
, ip4_
);
384 const string token4d
= NewSourceAddressToken(kPrimary
, ip4_dual_
);
385 const string token6
= NewSourceAddressToken(kPrimary
, ip6_
);
386 EXPECT_EQ(HANDSHAKE_OK
, ValidateSourceAddressToken(kPrimary
, token4
, ip4_
));
387 ASSERT_EQ(HANDSHAKE_OK
,
388 ValidateSourceAddressToken(kPrimary
, token4
, ip4_dual_
));
389 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
390 ValidateSourceAddressToken(kPrimary
, token4
, ip6_
));
391 ASSERT_EQ(HANDSHAKE_OK
, ValidateSourceAddressToken(kPrimary
, token4d
, ip4_
));
392 ASSERT_EQ(HANDSHAKE_OK
,
393 ValidateSourceAddressToken(kPrimary
, token4d
, ip4_dual_
));
394 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
395 ValidateSourceAddressToken(kPrimary
, token4d
, ip6_
));
396 ASSERT_EQ(HANDSHAKE_OK
, ValidateSourceAddressToken(kPrimary
, token6
, ip6_
));
398 // Override config generates configs that validate successfully.
399 const string override_token4
= NewSourceAddressToken(kOverride
, ip4_
);
400 const string override_token6
= NewSourceAddressToken(kOverride
, ip6_
);
401 ASSERT_EQ(HANDSHAKE_OK
,
402 ValidateSourceAddressToken(kOverride
, override_token4
, ip4_
));
403 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
404 ValidateSourceAddressToken(kOverride
, override_token4
, ip6_
));
405 ASSERT_EQ(HANDSHAKE_OK
,
406 ValidateSourceAddressToken(kOverride
, override_token6
, ip6_
));
408 // Tokens generated by the primary config do not validate
409 // successfully against the override config, and vice versa.
410 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
411 ValidateSourceAddressToken(kOverride
, token4
, ip4_
));
412 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
413 ValidateSourceAddressToken(kOverride
, token6
, ip6_
));
414 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
415 ValidateSourceAddressToken(kPrimary
, override_token4
, ip4_
));
416 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
417 ValidateSourceAddressToken(kPrimary
, override_token6
, ip6_
));
420 TEST_F(SourceAddressTokenTest
, SourceAddressTokenExpiration
) {
421 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
424 const string token
= NewSourceAddressToken(kPrimary
, ip4_
);
426 // Validation fails if the token is from the future.
427 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(-3600 * 2));
428 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE
,
429 ValidateSourceAddressToken(kPrimary
, token
, ip4_
));
431 // Validation fails after tokens expire.
432 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(86400 * 7));
433 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE
,
434 ValidateSourceAddressToken(kPrimary
, token
, ip4_
));
437 TEST_F(SourceAddressTokenTest
, SourceAddressTokenWithNetworkParams
) {
438 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
441 // Make sure that if the source address token contains CachedNetworkParameters
442 // that this gets written to ValidateSourceAddressToken output argument.
443 CachedNetworkParameters cached_network_params_input
;
444 cached_network_params_input
.set_bandwidth_estimate_bytes_per_second(1234);
445 const string token4_with_cached_network_params
=
446 NewSourceAddressToken(kPrimary
, ip4_
, &cached_network_params_input
);
448 CachedNetworkParameters cached_network_params_output
;
450 // TODO(rtenneti): For server, enable the following check after serialization
451 // of optional CachedNetworkParameters is implemented.
452 EXPECT_NE(cached_network_params_output
.DebugString(),
453 cached_network_params_input
.DebugString());
455 ValidateSourceAddressToken(kPrimary
, token4_with_cached_network_params
, ip4_
,
456 &cached_network_params_output
);
458 // TODO(rtenneti): For server, enable the following check after serialization
459 // of optional CachedNetworkParameters is implemented.
460 EXPECT_EQ(cached_network_params_output
.DebugString(),
461 cached_network_params_input
.DebugString());
465 // Test basic behavior of source address tokens including being specific
466 // to a single IP address and server config.
468 // TODO(rtenneti): For server, enable the following test after serialization of
469 // SourceAddressTokens is implemented.
470 TEST_F(SourceAddressTokenTest
, DISABLED_NewSourceAddressToken
) {
471 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
474 // Primary config generates configs that validate successfully.
475 const string token4
= NewSourceAddressToken(kPrimary
, ip4_
);
476 const string token4d
= NewSourceAddressToken(kPrimary
, ip4_dual_
);
477 const string token6
= NewSourceAddressToken(kPrimary
, ip6_
);
478 EXPECT_EQ(HANDSHAKE_OK
, ValidateSourceAddressTokens(kPrimary
, token4
, ip4_
));
479 ASSERT_EQ(HANDSHAKE_OK
,
480 ValidateSourceAddressTokens(kPrimary
, token4
, ip4_dual_
));
481 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
482 ValidateSourceAddressTokens(kPrimary
, token4
, ip6_
));
483 ASSERT_EQ(HANDSHAKE_OK
, ValidateSourceAddressTokens(kPrimary
, token4d
, ip4_
));
484 ASSERT_EQ(HANDSHAKE_OK
,
485 ValidateSourceAddressTokens(kPrimary
, token4d
, ip4_dual_
));
486 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
487 ValidateSourceAddressTokens(kPrimary
, token4d
, ip6_
));
488 ASSERT_EQ(HANDSHAKE_OK
, ValidateSourceAddressTokens(kPrimary
, token6
, ip6_
));
490 // Override config generates configs that validate successfully.
491 const string override_token4
= NewSourceAddressToken(kOverride
, ip4_
);
492 const string override_token6
= NewSourceAddressToken(kOverride
, ip6_
);
493 ASSERT_EQ(HANDSHAKE_OK
,
494 ValidateSourceAddressTokens(kOverride
, override_token4
, ip4_
));
495 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE
,
496 ValidateSourceAddressTokens(kOverride
, override_token4
, ip6_
));
497 ASSERT_EQ(HANDSHAKE_OK
,
498 ValidateSourceAddressTokens(kOverride
, override_token6
, ip6_
));
500 // Tokens generated by the primary config do not validate
501 // successfully against the override config, and vice versa.
502 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
503 ValidateSourceAddressTokens(kOverride
, token4
, ip4_
));
504 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
505 ValidateSourceAddressTokens(kOverride
, token6
, ip6_
));
506 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
507 ValidateSourceAddressTokens(kPrimary
, override_token4
, ip4_
));
508 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE
,
509 ValidateSourceAddressTokens(kPrimary
, override_token6
, ip6_
));
512 // TODO(rtenneti): For server, enable the following test after serialization of
513 // SourceAddressTokens is implemented.
514 TEST_F(SourceAddressTokenTest
, DISABLED_NewSourceAddressTokenExpiration
) {
515 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
518 const string token
= NewSourceAddressToken(kPrimary
, ip4_
);
520 // Validation fails if the token is from the future.
521 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(-3600 * 2));
522 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE
,
523 ValidateSourceAddressTokens(kPrimary
, token
, ip4_
));
525 // Validation fails after tokens expire.
526 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(86400 * 7));
527 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE
,
528 ValidateSourceAddressTokens(kPrimary
, token
, ip4_
));
531 TEST_F(SourceAddressTokenTest
, NewSourceAddressTokenWithNetworkParams
) {
532 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
535 // Make sure that if the source address token contains CachedNetworkParameters
536 // that this gets written to ValidateSourceAddressToken output argument.
537 CachedNetworkParameters cached_network_params_input
;
538 cached_network_params_input
.set_bandwidth_estimate_bytes_per_second(1234);
539 const string token4_with_cached_network_params
=
540 NewSourceAddressToken(kPrimary
, ip4_
, &cached_network_params_input
);
542 CachedNetworkParameters cached_network_params_output
;
544 // TODO(rtenneti): For server, enable the following check after serialization
545 // of optional CachedNetworkParameters is implemented.
546 EXPECT_NE(cached_network_params_output
.DebugString(),
547 cached_network_params_input
.DebugString());
549 ValidateSourceAddressTokens(kPrimary
, token4_with_cached_network_params
, ip4_
,
550 &cached_network_params_output
);
552 // TODO(rtenneti): For server, enable the following check after serialization
553 // of optional CachedNetworkParameters is implemented.
554 EXPECT_EQ(cached_network_params_output
.DebugString(),
555 cached_network_params_input
.DebugString());
559 // Test the ability for a source address token to be valid for multiple
562 // TODO(rtenneti): For server, enable the following test after serialization of
563 // SourceAddressTokens is implemented.
564 TEST_F(SourceAddressTokenTest
, DISABLED_SourceAddressTokenMultipleAddresses
) {
565 ValueRestore
<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens
,
568 QuicWallTime now
= clock_
.WallNow();
570 // Now create a token which is usable for both addresses.
571 SourceAddressToken previous_token
;
572 IPAddressNumber ip_address
= ip6_
;
573 if (ip6_
.size() == kIPv4AddressSize
) {
574 ip_address
= ConvertIPv4NumberToIPv6Number(ip_address
);
576 previous_token
.set_ip(IPAddressToPackedString(ip_address
));
577 previous_token
.set_timestamp(now
.ToUNIXSeconds());
578 SourceAddressTokens previous_tokens
;
579 (*previous_tokens
.add_tokens()) = previous_token
;
580 const string token4or6
=
581 NewSourceAddressToken(kPrimary
, ip4_
, previous_tokens
);
583 EXPECT_EQ(HANDSHAKE_OK
,
584 ValidateSourceAddressTokens(kPrimary
, token4or6
, ip4_
));
585 ASSERT_EQ(HANDSHAKE_OK
,
586 ValidateSourceAddressTokens(kPrimary
, token4or6
, ip6_
));
589 TEST(QuicCryptoServerConfigTest
, ValidateServerNonce
) {
590 QuicRandom
* rand
= QuicRandom::GetInstance();
591 QuicCryptoServerConfig
server(QuicCryptoServerConfig::TESTING
, rand
);
592 QuicCryptoServerConfigPeer
peer(&server
);
594 StringPiece
message("hello world");
595 const size_t key_size
= CryptoSecretBoxer::GetKeySize();
596 scoped_ptr
<uint8
[]> key(new uint8
[key_size
]);
597 memset(key
.get(), 0x11, key_size
);
599 CryptoSecretBoxer boxer
;
600 boxer
.SetKey(StringPiece(reinterpret_cast<char*>(key
.get()), key_size
));
601 const string box
= boxer
.Box(rand
, message
);
603 QuicWallTime now
= clock
.WallNow();
604 const QuicWallTime original_time
= now
;
605 EXPECT_EQ(SERVER_NONCE_DECRYPTION_FAILURE
,
606 peer
.ValidateServerNonce(box
, now
));
608 string server_nonce
= peer
.NewServerNonce(rand
, now
);
609 EXPECT_EQ(HANDSHAKE_OK
, peer
.ValidateServerNonce(server_nonce
, now
));
610 EXPECT_EQ(SERVER_NONCE_NOT_UNIQUE_FAILURE
,
611 peer
.ValidateServerNonce(server_nonce
, now
));
613 now
= original_time
.Add(QuicTime::Delta::FromSeconds(1000 * 7));
614 server_nonce
= peer
.NewServerNonce(rand
, now
);
615 EXPECT_EQ(HANDSHAKE_OK
, peer
.ValidateServerNonce(server_nonce
, now
));
618 class CryptoServerConfigsTest
: public ::testing::Test
{
620 CryptoServerConfigsTest()
621 : rand_(QuicRandom::GetInstance()),
622 config_(QuicCryptoServerConfig::TESTING
, rand_
),
623 test_peer_(&config_
) {}
625 void SetUp() override
{
626 clock_
.AdvanceTime(QuicTime::Delta::FromSeconds(1000));
629 // SetConfigs constructs suitable config protobufs and calls SetConfigs on
630 // |config_|. The arguments are given as nullptr-terminated pairs. The first
631 // of each pair is the server config ID of a Config. The second is the
632 // |primary_time| of that Config, given in epoch seconds. (Although note that,
633 // in these tests, time is set to 1000 seconds since the epoch.) For example:
634 // SetConfigs(nullptr); // calls |config_.SetConfigs| with no protobufs.
636 // // Calls |config_.SetConfigs| with two protobufs: one for a Config with
637 // // a |primary_time| of 900 and priority 1, and another with
638 // // a |primary_time| of 1000 and priority 2.
645 // If the server config id starts with "INVALID" then the generated protobuf
647 void SetConfigs(const char* server_config_id1
, ...) {
648 const char kOrbit
[] = "12345678";
651 va_start(ap
, server_config_id1
);
652 bool has_invalid
= false;
653 bool is_empty
= true;
655 vector
<QuicServerConfigProtobuf
*> protobufs
;
658 const char* server_config_id
;
660 server_config_id
= server_config_id1
;
663 server_config_id
= va_arg(ap
, const char*);
666 if (!server_config_id
) {
671 int primary_time
= va_arg(ap
, int);
672 int priority
= va_arg(ap
, int);
674 QuicCryptoServerConfig::ConfigOptions options
;
675 options
.id
= server_config_id
;
676 options
.orbit
= kOrbit
;
677 QuicServerConfigProtobuf
* protobuf(
678 QuicCryptoServerConfig::GenerateConfig(rand_
, &clock_
, options
));
679 protobuf
->set_primary_time(primary_time
);
680 protobuf
->set_priority(priority
);
681 if (string(server_config_id
).find("INVALID") == 0) {
682 protobuf
->clear_key();
685 protobufs
.push_back(protobuf
);
688 ASSERT_EQ(!has_invalid
&& !is_empty
,
689 config_
.SetConfigs(protobufs
, clock_
.WallNow()));
690 STLDeleteElements(&protobufs
);
694 QuicRandom
* const rand_
;
696 QuicCryptoServerConfig config_
;
697 QuicCryptoServerConfigPeer test_peer_
;
700 TEST_F(CryptoServerConfigsTest
, NoConfigs
) {
701 test_peer_
.CheckConfigs(nullptr);
704 TEST_F(CryptoServerConfigsTest
, MakePrimaryFirst
) {
705 // Make sure that "b" is primary even though "a" comes first.
706 SetConfigs("a", 1100, 1,
709 test_peer_
.CheckConfigs(
715 TEST_F(CryptoServerConfigsTest
, MakePrimarySecond
) {
716 // Make sure that a remains primary after b is added.
717 SetConfigs("a", 900, 1,
720 test_peer_
.CheckConfigs(
726 TEST_F(CryptoServerConfigsTest
, Delete
) {
727 // Ensure that configs get deleted when removed.
728 SetConfigs("a", 800, 1,
732 test_peer_
.CheckConfigs(
737 SetConfigs("b", 900, 1,
740 test_peer_
.CheckConfigs(
746 TEST_F(CryptoServerConfigsTest
, DeletePrimary
) {
747 // Ensure that deleting the primary config works.
748 SetConfigs("a", 800, 1,
752 test_peer_
.CheckConfigs(
757 SetConfigs("a", 800, 1,
760 test_peer_
.CheckConfigs(
766 TEST_F(CryptoServerConfigsTest
, FailIfDeletingAllConfigs
) {
767 // Ensure that configs get deleted when removed.
768 SetConfigs("a", 800, 1,
771 test_peer_
.CheckConfigs(
776 // Config change is rejected, still using old configs.
777 test_peer_
.CheckConfigs(
783 TEST_F(CryptoServerConfigsTest
, ChangePrimaryTime
) {
784 // Check that updates to primary time get picked up.
785 SetConfigs("a", 400, 1,
789 test_peer_
.SelectNewPrimaryConfig(500);
790 test_peer_
.CheckConfigs(
795 SetConfigs("a", 1200, 1,
799 test_peer_
.SelectNewPrimaryConfig(500);
800 test_peer_
.CheckConfigs(
807 TEST_F(CryptoServerConfigsTest
, AllConfigsInThePast
) {
808 // Check that the most recent config is selected.
809 SetConfigs("a", 400, 1,
813 test_peer_
.SelectNewPrimaryConfig(1500);
814 test_peer_
.CheckConfigs(
821 TEST_F(CryptoServerConfigsTest
, AllConfigsInTheFuture
) {
822 // Check that the first config is selected.
823 SetConfigs("a", 400, 1,
827 test_peer_
.SelectNewPrimaryConfig(100);
828 test_peer_
.CheckConfigs(
835 TEST_F(CryptoServerConfigsTest
, SortByPriority
) {
836 // Check that priority is used to decide on a primary config when
837 // configs have the same primary time.
838 SetConfigs("a", 900, 1,
842 test_peer_
.CheckConfigs(
847 test_peer_
.SelectNewPrimaryConfig(800);
848 test_peer_
.CheckConfigs(
853 test_peer_
.SelectNewPrimaryConfig(1000);
854 test_peer_
.CheckConfigs(
860 // Change priorities and expect sort order to change.
861 SetConfigs("a", 900, 2,
865 test_peer_
.CheckConfigs(
870 test_peer_
.SelectNewPrimaryConfig(800);
871 test_peer_
.CheckConfigs(
876 test_peer_
.SelectNewPrimaryConfig(1000);
877 test_peer_
.CheckConfigs(
884 TEST_F(CryptoServerConfigsTest
, AdvancePrimary
) {
885 // Check that a new primary config is enabled at the right time.
886 SetConfigs("a", 900, 1,
889 test_peer_
.SelectNewPrimaryConfig(1000);
890 test_peer_
.CheckConfigs(
894 test_peer_
.SelectNewPrimaryConfig(1101);
895 test_peer_
.CheckConfigs(
901 TEST_F(CryptoServerConfigsTest
, InvalidConfigs
) {
902 // Ensure that invalid configs don't change anything.
903 SetConfigs("a", 800, 1,
907 test_peer_
.CheckConfigs(
912 SetConfigs("a", 800, 1,
916 test_peer_
.CheckConfigs(