This change introduces a way to tie source address token keys to specific QUIC server configs

net/quic/crypto/quic_crypto_server_config_test.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/crypto/quic_crypto_server_config.h"
 
 #include <stdarg.h>
 
 #include "base/stl_util.h"
 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
@@ skipping 14 matching lines @@
 using std::vector;
 
 namespace net {
 namespace test {
 
 class QuicCryptoServerConfigPeer {
  public:
   explicit QuicCryptoServerConfigPeer(QuicCryptoServerConfig* server_config)
       : server_config_(server_config) {}
 
-  string NewSourceAddressToken(IPEndPoint ip,
-                               QuicRandom* rand,
-                               QuicWallTime now) {
-    return server_config_->NewSourceAddressToken(ip, rand, now);
+  scoped_refptr<QuicCryptoServerConfig::Config> GetConfig(string config_id) {
+    base::AutoLock locked(server_config_->configs_lock_);
+    if (config_id == "<primary>") {
+      return scoped_refptr<QuicCryptoServerConfig::Config>(
+          server_config_->primary_config_);
+    } else {
+      return server_config_->GetConfigWithScid(config_id);
+    }
   }
 
-  bool ValidateSourceAddressToken(StringPiece srct,
+  bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id) {
+    scoped_refptr<QuicCryptoServerConfig::Config> config = GetConfig(config_id);
+    return config->source_address_token_boxer ==
+        &(server_config_->default_source_address_token_boxer_);
+  }
+
+  string NewSourceAddressToken(
+      string config_id,
+      IPEndPoint ip,
+      QuicRandom* rand,
+      QuicWallTime now) {
+    return server_config_->NewSourceAddressToken(
+        *GetConfig(config_id), ip, rand, now);
+  }
+
+  bool ValidateSourceAddressToken(string config_id,
+                                  StringPiece srct,
                                   IPEndPoint ip,
                                   QuicWallTime now) {
-    return server_config_->ValidateSourceAddressToken(srct, ip, now);
+    return server_config_->ValidateSourceAddressToken(
+        *GetConfig(config_id), srct, ip, now);
   }
 
   base::Lock* GetStrikeRegisterClientLock() {
     return &server_config_->strike_register_client_lock_;
   }
 
   // CheckConfigs compares the state of the Configs in |server_config_| to the
   // description given as arguments. The arguments are given as NULL-terminated
   // pairs. The first of each pair is the server config ID of a Config. The
   // second is a boolean describing whether the config is the primary. For
@@ skipping 147 matching lines @@
       new TestStrikeRegisterClient(&server);
   server.SetStrikeRegisterClient(strike_register);
 
   QuicCryptoServerConfig::ConfigOptions options;
   scoped_ptr<CryptoHandshakeMessage>(
       server.AddDefaultConfig(rand, &clock, options));
   EXPECT_TRUE(strike_register->is_known_orbit_called());
 }
 
 TEST(QuicCryptoServerConfigTest, SourceAddressTokens) {
+  const string kPrimary = "<primary>";
+  const string kOverride = "Config with custom source address token key";
+
+  MockClock clock;
+  clock.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
+
+  QuicWallTime now = clock.WallNow();
+  const QuicWallTime original_time = now;
+
   QuicRandom* rand = QuicRandom::GetInstance();
   QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
+  QuicCryptoServerConfigPeer peer(&server);
+
+  scoped_ptr<CryptoHandshakeMessage>(
+      server.AddDefaultConfig(rand, &clock,
+                              QuicCryptoServerConfig::ConfigOptions()));
+
+  // Add a config that overrides the default boxer.
+  QuicCryptoServerConfig::ConfigOptions options;
+  options.id = kOverride;
+  scoped_ptr<QuicServerConfigProtobuf> protobuf(
+      QuicCryptoServerConfig::GenerateConfig(rand, &clock, options));
+  protobuf->set_source_address_token_secret_override("a secret key");
+  // Lower priority than the default config.
+  protobuf->set_priority(1);
+  scoped_ptr<CryptoHandshakeMessage>(
+      server.AddConfig(protobuf.get(), now));
+
+  EXPECT_TRUE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary));
+  EXPECT_FALSE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kOverride));
+
   IPAddressNumber ip;
   CHECK(ParseIPLiteralToNumber("192.0.2.33", &ip));
   IPEndPoint ip4 = IPEndPoint(ip, 1);
   CHECK(ParseIPLiteralToNumber("2001:db8:0::42", &ip));
   IPEndPoint ip6 = IPEndPoint(ip, 2);
-  MockClock clock;
-  clock.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
-  QuicCryptoServerConfigPeer peer(&server);
 
-  QuicWallTime now = clock.WallNow();
-  const QuicWallTime original_time = now;
+  // Primary config generates configs that validate successfully.
+  const string token4 = peer.NewSourceAddressToken(kPrimary, ip4, rand, now);
+  const string token6 = peer.NewSourceAddressToken(kPrimary, ip6, rand, now);
+  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip6, now));
+  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token6, ip6, now));
 
-  const string token4 = peer.NewSourceAddressToken(ip4, rand, now);
-  const string token6 = peer.NewSourceAddressToken(ip6, rand, now);
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(token4, ip4, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip6, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(token6, ip6, now));
+  // Override config generates configs that validate successfully.
+  const string override_token4 = peer.NewSourceAddressToken(
+      kOverride, ip4, rand, now);
+  const string override_token6 = peer.NewSourceAddressToken(
+      kOverride, ip6, rand, now);
+  EXPECT_TRUE(peer.ValidateSourceAddressToken(
+      kOverride, override_token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(
+      kOverride, override_token4, ip6, now));
+  EXPECT_TRUE(peer.ValidateSourceAddressToken(
+      kOverride, override_token6, ip6, now));
 
+  // Tokens generated by the primary config do not validate
+  // successfully against the override config, and vice versa.
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token6, ip6, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(
+      kPrimary, override_token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(
+      kPrimary, override_token6, ip6, now));
+
+  // Validation fails after tokens expire.
   now = original_time.Add(QuicTime::Delta::FromSeconds(86400 * 7));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
 
   now = original_time.Subtract(QuicTime::Delta::FromSeconds(3600 * 2));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip4, now));
+  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
 }
 
 class CryptoServerConfigsTest : public ::testing::Test {
  public:
   CryptoServerConfigsTest()
       : rand_(QuicRandom::GetInstance()),
         config_(QuicCryptoServerConfig::TESTING, rand_),
         test_peer_(&config_) {}
 
   virtual void SetUp() {
@@ skipping 290 matching lines @@
              NULL);
   test_peer_.CheckConfigs(
       "a", false,
       "b", true,
       "c", false,
       NULL);
 }
 
 }  // namespace test
 }  // namespace net