| OLD | NEW |
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <ostream> | 5 #include <ostream> |
| 6 #include <vector> | 6 #include <vector> |
| 7 | 7 |
| 8 #include "base/strings/string_number_conversions.h" | 8 #include "base/strings/string_number_conversions.h" |
| 9 #include "crypto/secure_hash.h" | 9 #include "crypto/secure_hash.h" |
| 10 #include "net/quic/crypto/cert_compressor.h" | 10 #include "net/quic/crypto/cert_compressor.h" |
| (...skipping 111 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 122 return params; | 122 return params; |
| 123 } | 123 } |
| 124 | 124 |
| 125 class CryptoServerTest : public ::testing::TestWithParam<TestParams> { | 125 class CryptoServerTest : public ::testing::TestWithParam<TestParams> { |
| 126 public: | 126 public: |
| 127 CryptoServerTest() | 127 CryptoServerTest() |
| 128 : rand_(QuicRandom::GetInstance()), | 128 : rand_(QuicRandom::GetInstance()), |
| 129 client_address_(Loopback4(), 1234), | 129 client_address_(Loopback4(), 1234), |
| 130 config_(QuicCryptoServerConfig::TESTING, | 130 config_(QuicCryptoServerConfig::TESTING, |
| 131 rand_, | 131 rand_, |
| 132 CryptoTestUtils::ProofSourceForTesting()) { | 132 CryptoTestUtils::ProofSourceForTesting()), |
| 133 compressed_certs_cache_( |
| 134 QuicCompressedCertsCache::kQuicCompressedCertsCacheSize) { |
| 133 supported_versions_ = GetParam().supported_versions; | 135 supported_versions_ = GetParam().supported_versions; |
| 134 config_.set_enable_serving_sct(true); | 136 config_.set_enable_serving_sct(true); |
| 135 | 137 |
| 136 client_version_ = supported_versions_.front(); | 138 client_version_ = supported_versions_.front(); |
| 137 client_version_string_ = | 139 client_version_string_ = |
| 138 QuicUtils::TagToString(QuicVersionToQuicTag(client_version_)); | 140 QuicUtils::TagToString(QuicVersionToQuicTag(client_version_)); |
| 139 | 141 |
| 140 FLAGS_use_early_return_when_verifying_chlo = | 142 FLAGS_use_early_return_when_verifying_chlo = |
| 141 GetParam().use_early_return_when_verifying_chlo; | 143 GetParam().use_early_return_when_verifying_chlo; |
| 142 FLAGS_enable_quic_stateless_reject_support = | 144 FLAGS_enable_quic_stateless_reject_support = |
| (...skipping 148 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 291 bool should_succeed, | 293 bool should_succeed, |
| 292 const char* error_substr) { | 294 const char* error_substr) { |
| 293 IPAddress server_ip; | 295 IPAddress server_ip; |
| 294 string error_details; | 296 string error_details; |
| 295 QuicConnectionId server_designated_connection_id = | 297 QuicConnectionId server_designated_connection_id = |
| 296 rand_for_id_generation_.RandUint64(); | 298 rand_for_id_generation_.RandUint64(); |
| 297 QuicErrorCode error = config_.ProcessClientHello( | 299 QuicErrorCode error = config_.ProcessClientHello( |
| 298 result, 1 /* ConnectionId */, server_ip, client_address_, | 300 result, 1 /* ConnectionId */, server_ip, client_address_, |
| 299 supported_versions_.front(), supported_versions_, | 301 supported_versions_.front(), supported_versions_, |
| 300 use_stateless_rejects_, server_designated_connection_id, &clock_, rand_, | 302 use_stateless_rejects_, server_designated_connection_id, &clock_, rand_, |
| 301 ¶ms_, &crypto_proof_, &out_, &error_details); | 303 &compressed_certs_cache_, ¶ms_, &crypto_proof_, &out_, |
| 304 &error_details); |
| 302 | 305 |
| 303 if (should_succeed) { | 306 if (should_succeed) { |
| 304 ASSERT_EQ(error, QUIC_NO_ERROR) << "Message failed with error " | 307 ASSERT_EQ(error, QUIC_NO_ERROR) << "Message failed with error " |
| 305 << error_details << ": " | 308 << error_details << ": " |
| 306 << message.DebugString(); | 309 << message.DebugString(); |
| 307 } else { | 310 } else { |
| 308 ASSERT_NE(error, QUIC_NO_ERROR) << "Message didn't fail: " | 311 ASSERT_NE(error, QUIC_NO_ERROR) << "Message didn't fail: " |
| 309 << message.DebugString(); | 312 << message.DebugString(); |
| 310 | 313 |
| 311 EXPECT_TRUE(error_details.find(error_substr) != string::npos) | 314 EXPECT_TRUE(error_details.find(error_substr) != string::npos) |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 394 | 397 |
| 395 protected: | 398 protected: |
| 396 QuicRandom* const rand_; | 399 QuicRandom* const rand_; |
| 397 MockRandom rand_for_id_generation_; | 400 MockRandom rand_for_id_generation_; |
| 398 MockClock clock_; | 401 MockClock clock_; |
| 399 IPEndPoint client_address_; | 402 IPEndPoint client_address_; |
| 400 QuicVersionVector supported_versions_; | 403 QuicVersionVector supported_versions_; |
| 401 QuicVersion client_version_; | 404 QuicVersion client_version_; |
| 402 string client_version_string_; | 405 string client_version_string_; |
| 403 QuicCryptoServerConfig config_; | 406 QuicCryptoServerConfig config_; |
| 407 QuicCompressedCertsCache compressed_certs_cache_; |
| 404 QuicCryptoServerConfig::ConfigOptions config_options_; | 408 QuicCryptoServerConfig::ConfigOptions config_options_; |
| 405 QuicCryptoNegotiatedParameters params_; | 409 QuicCryptoNegotiatedParameters params_; |
| 406 QuicCryptoProof crypto_proof_; | 410 QuicCryptoProof crypto_proof_; |
| 407 CryptoHandshakeMessage out_; | 411 CryptoHandshakeMessage out_; |
| 408 uint8_t orbit_[kOrbitSize]; | 412 uint8_t orbit_[kOrbitSize]; |
| 409 bool use_stateless_rejects_; | 413 bool use_stateless_rejects_; |
| 410 | 414 |
| 411 // These strings contain hex escaped values from the server suitable for using | 415 // These strings contain hex escaped values from the server suitable for using |
| 412 // when constructing client hello messages. | 416 // when constructing client hello messages. |
| 413 string nonce_hex_, pub_hex_, srct_hex_, scid_hex_; | 417 string nonce_hex_, pub_hex_, srct_hex_, scid_hex_; |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 573 "$padding", static_cast<int>(kClientHelloMinimumSize), nullptr); | 577 "$padding", static_cast<int>(kClientHelloMinimumSize), nullptr); |
| 574 // clang-format on | 578 // clang-format on |
| 575 ShouldSucceed(msg); | 579 ShouldSucceed(msg); |
| 576 const HandshakeFailureReason kRejectReasons[] = { | 580 const HandshakeFailureReason kRejectReasons[] = { |
| 577 SERVER_CONFIG_INCHOATE_HELLO_FAILURE}; | 581 SERVER_CONFIG_INCHOATE_HELLO_FAILURE}; |
| 578 CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons)); | 582 CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons)); |
| 579 } | 583 } |
| 580 } | 584 } |
| 581 | 585 |
| 582 TEST_P(CryptoServerTest, BadClientNonce) { | 586 TEST_P(CryptoServerTest, BadClientNonce) { |
| 583 // Invalid nonces should be ignored. | |
| 584 // clang-format off | 587 // clang-format off |
| 585 static const char* const kBadNonces[] = { | 588 static const char* const kBadNonces[] = { |
| 586 "", | 589 "", |
| 587 "#0000", | 590 "#0000", |
| 588 "#0000000000000000000000000000000000000000", | 591 "#0000000000000000000000000000000000000000", |
| 589 }; | 592 }; |
| 590 // clang-format on | 593 // clang-format on |
| 591 | 594 |
| 592 for (size_t i = 0; i < arraysize(kBadNonces); i++) { | 595 for (size_t i = 0; i < arraysize(kBadNonces); i++) { |
| 596 // Invalid nonces should be ignored, in an inchoate CHLO. |
| 593 // clang-format off | 597 // clang-format off |
| 594 CryptoHandshakeMessage msg = CryptoTestUtils::Message( | 598 CryptoHandshakeMessage msg = CryptoTestUtils::Message( |
| 595 "CHLO", | 599 "CHLO", |
| 596 "NONC", kBadNonces[i], | 600 "NONC", kBadNonces[i], |
| 597 "VER\0", client_version_string_.c_str(), | 601 "VER\0", client_version_string_.c_str(), |
| 598 "$padding", static_cast<int>(kClientHelloMinimumSize), | 602 "$padding", static_cast<int>(kClientHelloMinimumSize), |
| 599 nullptr); | 603 nullptr); |
| 600 // clang-format on | 604 // clang-format on |
| 601 ShouldSucceed(msg); | 605 ShouldSucceed(msg); |
| 602 const HandshakeFailureReason kRejectReasons[] = { | 606 const HandshakeFailureReason kRejectReasons[] = { |
| 603 SERVER_CONFIG_INCHOATE_HELLO_FAILURE}; | 607 SERVER_CONFIG_INCHOATE_HELLO_FAILURE}; |
| 604 CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons)); | 608 CheckRejectReasons(kRejectReasons, arraysize(kRejectReasons)); |
| 609 |
| 610 // Invalid nonces should result in CLIENT_NONCE_INVALID_FAILURE. |
| 611 // clang-format off |
| 612 CryptoHandshakeMessage msg1 = CryptoTestUtils::Message( |
| 613 "CHLO", |
| 614 "AEAD", "AESG", |
| 615 "KEXS", "C255", |
| 616 "SCID", scid_hex_.c_str(), |
| 617 "#004b5453", srct_hex_.c_str(), |
| 618 "PUBS", pub_hex_.c_str(), |
| 619 "NONC", kBadNonces[i], |
| 620 "NONP", kBadNonces[i], |
| 621 "XLCT", XlctHexString().c_str(), |
| 622 "VER\0", client_version_string_.c_str(), |
| 623 "$padding", static_cast<int>(kClientHelloMinimumSize), |
| 624 nullptr); |
| 625 // clang-format on |
| 626 |
| 627 ShouldSucceed(msg1); |
| 628 |
| 629 CheckRejectTag(); |
| 630 const HandshakeFailureReason kRejectReasons1[] = { |
| 631 CLIENT_NONCE_INVALID_FAILURE}; |
| 632 CheckRejectReasons(kRejectReasons1, arraysize(kRejectReasons1)); |
| 605 } | 633 } |
| 606 } | 634 } |
| 607 | 635 |
| 608 TEST_P(CryptoServerTest, DowngradeAttack) { | 636 TEST_P(CryptoServerTest, DowngradeAttack) { |
| 609 if (supported_versions_.size() == 1) { | 637 if (supported_versions_.size() == 1) { |
| 610 // No downgrade attack is possible if the server only supports one version. | 638 // No downgrade attack is possible if the server only supports one version. |
| 611 return; | 639 return; |
| 612 } | 640 } |
| 613 // Set the client's preferred version to a supported version that | 641 // Set the client's preferred version to a supported version that |
| 614 // is not the "current" version (supported_versions_.front()). | 642 // is not the "current" version (supported_versions_.front()). |
| (...skipping 510 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1125 | 1153 |
| 1126 strike_register_client_->RunPendingVerifications(); | 1154 strike_register_client_->RunPendingVerifications(); |
| 1127 ASSERT_TRUE(called); | 1155 ASSERT_TRUE(called); |
| 1128 EXPECT_EQ(0, strike_register_client_->PendingVerifications()); | 1156 EXPECT_EQ(0, strike_register_client_->PendingVerifications()); |
| 1129 // The message should be rejected now. | 1157 // The message should be rejected now. |
| 1130 CheckRejectTag(); | 1158 CheckRejectTag(); |
| 1131 } | 1159 } |
| 1132 | 1160 |
| 1133 } // namespace test | 1161 } // namespace test |
| 1134 } // namespace net | 1162 } // namespace net |
| OLD | NEW |