relnote: Require QUIC handshakes to require either a valid server nonce or a remote strike register.

net/quic/crypto/crypto_server_test.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <ostream>
 #include <vector>
 
 #include "base/strings/string_number_conversions.h"
 #include "crypto/secure_hash.h"
 #include "net/quic/crypto/cert_compressor.h"
@@ skipping 341 matching lines @@
       ASSERT_EQ(QUIC_NO_ERROR,
                 out_.GetUint64(kRCID, &server_designated_connection_id));
       EXPECT_EQ(rand_for_id_generation_.RandUint64(),
                 server_designated_connection_id);
     }
     rand_for_id_generation_.ChangeValue();
   }
 
   void CheckRejectTag() {
     if (RejectsAreStateless()) {
-      ASSERT_EQ(kSREJ, out_.tag());
+      ASSERT_EQ(kSREJ, out_.tag()) << QuicUtils::TagToString(out_.tag());
     } else {
-      ASSERT_EQ(kREJ, out_.tag());
+      ASSERT_EQ(kREJ, out_.tag()) << QuicUtils::TagToString(out_.tag());
     }
   }
 
   bool RejectsAreStateless() {
     return GetParam().enable_stateless_rejects &&
            GetParam().use_stateless_rejects;
   }
 
   string XlctHexString() {
     const vector<string>* certs;
@@ skipping 379 matching lines @@
     const HandshakeFailureReason kRejectReasons[] = {
         SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, CLIENT_NONCE_INVALID_FAILURE};
     CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons));
   };
 }
 
 TEST_P(CryptoServerTest, ReplayProtection) {
   if (client_version_ > QUIC_VERSION_30) {
     return;
   }
+  FLAGS_require_strike_register_or_server_nonce = false;
   // This tests that disabling replay protection works.
   // clang-format off
   CryptoHandshakeMessage msg = CryptoTestUtils::Message(
       "CHLO",
       "AEAD", "AESG",
       "KEXS", "C255",
       "SCID", scid_hex_.c_str(),
       "#004b5453", srct_hex_.c_str(),
       "PUBS", pub_hex_.c_str(),
       "NONC", nonce_hex_.c_str(),
@@ skipping 17 matching lines @@
   // The message should be accepted now.
   ASSERT_EQ(kSHLO, out_.tag());
   CheckServerHello(out_);
 
   ShouldSucceed(msg);
   // The message should accepted twice when replay protection is off.
   ASSERT_EQ(kSHLO, out_.tag());
   CheckServerHello(out_);
 }
 
+TEST_P(CryptoServerTest, NoServerNonce) {
+  FLAGS_require_strike_register_or_server_nonce = true;
+  // When no server nonce is present and no strike register is configured,
+  // the CHLO should be rejected.
+  // clang-format off
+  CryptoHandshakeMessage msg = CryptoTestUtils::Message(
+      "CHLO",
+      "AEAD", "AESG",
+      "KEXS", "C255",
+      "SCID", scid_hex_.c_str(),
+      "#004b5453", srct_hex_.c_str(),
+      "PUBS", pub_hex_.c_str(),
+      "NONC", nonce_hex_.c_str(),
+      "XLCT", XlctHexString().c_str(),
+      "VER\0", client_version_string_.c_str(),
+      "$padding", static_cast<int>(kClientHelloMinimumSize),
+      nullptr);
+  // clang-format on
+
+  ShouldSucceed(msg);
+
+  CheckRejectTag();
+  const HandshakeFailureReason kRejectReasons[] = {
+      SERVER_NONCE_REQUIRED_FAILURE};
+  CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons));
+}
+
 TEST_P(CryptoServerTest, ProofForSuppliedServerConfig) {
   ValueRestore<bool> old_flag(&FLAGS_quic_use_primary_config_for_proof, true);
   client_address_ = IPEndPoint(Loopback6(), 1234);
   // clang-format off
   CryptoHandshakeMessage msg = CryptoTestUtils::Message(
       "CHLO",
       "AEAD", "AESG",
       "KEXS", "C255",
       "PDMD", "X509",
       "SCID", kOldConfigId,
@@ skipping 353 matching lines @@
 
   strike_register_client_->RunPendingVerifications();
   ASSERT_TRUE(called);
   EXPECT_EQ(0, strike_register_client_->PendingVerifications());
   // The message should be rejected now.
   CheckRejectTag();
 }
 
 }  // namespace test
 }  // namespace net