| Index: net/quic/crypto/quic_crypto_server_config_test.cc
|
| diff --git a/net/quic/crypto/quic_crypto_server_config_test.cc b/net/quic/crypto/quic_crypto_server_config_test.cc
|
| index fbf25f0947d51ca46b0a4b66669a43af999355bd..de787620259b38fe2a0a4d3f6c77e3aff2ef05ea 100644
|
| --- a/net/quic/crypto/quic_crypto_server_config_test.cc
|
| +++ b/net/quic/crypto/quic_crypto_server_config_test.cc
|
| @@ -32,16 +32,37 @@ class QuicCryptoServerConfigPeer {
|
| explicit QuicCryptoServerConfigPeer(QuicCryptoServerConfig* server_config)
|
| : server_config_(server_config) {}
|
|
|
| - string NewSourceAddressToken(IPEndPoint ip,
|
| - QuicRandom* rand,
|
| - QuicWallTime now) {
|
| - return server_config_->NewSourceAddressToken(ip, rand, now);
|
| + scoped_refptr<QuicCryptoServerConfig::Config> GetConfig(string config_id) {
|
| + base::AutoLock locked(server_config_->configs_lock_);
|
| + if (config_id == "<primary>") {
|
| + return scoped_refptr<QuicCryptoServerConfig::Config>(
|
| + server_config_->primary_config_);
|
| + } else {
|
| + return server_config_->GetConfigWithScid(config_id);
|
| + }
|
| + }
|
| +
|
| + bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id) {
|
| + scoped_refptr<QuicCryptoServerConfig::Config> config = GetConfig(config_id);
|
| + return config->source_address_token_boxer ==
|
| + &(server_config_->default_source_address_token_boxer_);
|
| }
|
|
|
| - bool ValidateSourceAddressToken(StringPiece srct,
|
| + string NewSourceAddressToken(
|
| + string config_id,
|
| + IPEndPoint ip,
|
| + QuicRandom* rand,
|
| + QuicWallTime now) {
|
| + return server_config_->NewSourceAddressToken(
|
| + GetConfig(config_id).get(), ip, rand, now);
|
| + }
|
| +
|
| + bool ValidateSourceAddressToken(string config_id,
|
| + StringPiece srct,
|
| IPEndPoint ip,
|
| QuicWallTime now) {
|
| - return server_config_->ValidateSourceAddressToken(srct, ip, now);
|
| + return server_config_->ValidateSourceAddressToken(
|
| + GetConfig(config_id).get(), srct, ip, now);
|
| }
|
|
|
| base::Lock* GetStrikeRegisterClientLock() {
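Review bot: `ConfigHasDefaultSourceAddressTokenBoxer` dereferences the result of `GetConfig(config_id)` without a null check, and the new `NewSourceAddressToken` / `ValidateSourceAddressToken` wrappers pass `GetConfig(config_id).get()` straight into the server config. If `GetConfigWithScid` returns a null ref for an unknown id (its body is not in this hunk, so this is an assumption), a mistyped config id in a test crashes instead of failing with a readable message. A `CHECK(config.get() != NULL) << config_id;` before `GetConfig` returns would make that failure explicit. The three helpers could also take `const string& config_id` rather than copying the string on every call. The peer class starts above this hunk and continues past it.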
|
| @@ -209,31 +230,77 @@ TEST(QuicCryptoServerConfigTest, GetOrbitIsCalledWithoutTheStrikeRegisterLock) {
|
| }
|
|
|
| TEST(QuicCryptoServerConfigTest, SourceAddressTokens) {
|
| + const string kPrimary = "<primary>";
|
| + const string kOverride = "Config with custom source address token key";
|
| +
|
| + MockClock clock;
|
| + clock.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
|
| +
|
| + QuicWallTime now = clock.WallNow();
|
| + const QuicWallTime original_time = now;
|
| +
|
| QuicRandom* rand = QuicRandom::GetInstance();
|
| QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
|
| + QuicCryptoServerConfigPeer peer(&server);
|
| +
|
| + scoped_ptr<CryptoHandshakeMessage>(
|
| + server.AddDefaultConfig(rand, &clock,
|
| + QuicCryptoServerConfig::ConfigOptions()));
|
| +
|
| + // Add a config that overrides the default boxer.
|
| + QuicCryptoServerConfig::ConfigOptions options;
|
| + options.id = kOverride;
|
| + scoped_ptr<QuicServerConfigProtobuf> protobuf(
|
| + QuicCryptoServerConfig::GenerateConfig(rand, &clock, options));
|
| + protobuf->set_source_address_token_secret_override("a secret key");
|
| + // Lower priority than the default config.
|
| + protobuf->set_priority(1);
|
| + scoped_ptr<CryptoHandshakeMessage>(
|
| + server.AddConfig(protobuf.get(), now));
|
| +
|
| + EXPECT_TRUE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary));
|
| + EXPECT_FALSE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kOverride));
|
| +
|
| IPAddressNumber ip;
|
| CHECK(ParseIPLiteralToNumber("192.0.2.33", &ip));
|
| IPEndPoint ip4 = IPEndPoint(ip, 1);
|
| CHECK(ParseIPLiteralToNumber("2001:db8:0::42", &ip));
|
| IPEndPoint ip6 = IPEndPoint(ip, 2);
|
| - MockClock clock;
|
| - clock.AdvanceTime(QuicTime::Delta::FromSeconds(1000000));
|
| - QuicCryptoServerConfigPeer peer(&server);
|
| -
|
| - QuicWallTime now = clock.WallNow();
|
| - const QuicWallTime original_time = now;
|
| -
|
| - const string token4 = peer.NewSourceAddressToken(ip4, rand, now);
|
| - const string token6 = peer.NewSourceAddressToken(ip6, rand, now);
|
| - EXPECT_TRUE(peer.ValidateSourceAddressToken(token4, ip4, now));
|
| - EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip6, now));
|
| - EXPECT_TRUE(peer.ValidateSourceAddressToken(token6, ip6, now));
|
|
|
| + // Primary config generates configs that validate successfully.
|
| + const string token4 = peer.NewSourceAddressToken(kPrimary, ip4, rand, now);
|
| + const string token6 = peer.NewSourceAddressToken(kPrimary, ip6, rand, now);
|
| + EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip6, now));
|
| + EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token6, ip6, now));
|
| +
|
| + // Override config generates configs that validate successfully.
|
| + const string override_token4 = peer.NewSourceAddressToken(
|
| + kOverride, ip4, rand, now);
|
| + const string override_token6 = peer.NewSourceAddressToken(
|
| + kOverride, ip6, rand, now);
|
| + EXPECT_TRUE(peer.ValidateSourceAddressToken(
|
| + kOverride, override_token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(
|
| + kOverride, override_token4, ip6, now));
|
| + EXPECT_TRUE(peer.ValidateSourceAddressToken(
|
| + kOverride, override_token6, ip6, now));
|
| +
|
| + // Tokens generated by the primary config do not validate
|
| + // successfully against the override config, and vice versa.
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token6, ip6, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(
|
| + kPrimary, override_token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(
|
| + kPrimary, override_token6, ip6, now));
|
| +
|
| + // Validation fails after tokens expire.
|
| now = original_time.Add(QuicTime::Delta::FromSeconds(86400 * 7));
|
| - EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
|
|
|
| now = original_time.Subtract(QuicTime::Delta::FromSeconds(3600 * 2));
|
| - EXPECT_FALSE(peer.ValidateSourceAddressToken(token4, ip4, now));
|
| + EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
|
| }
|
|
|
| class CryptoServerConfigsTest : public ::testing::Test {
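Review bot: The expiry and clock-skew assertions at the end of `SourceAddressTokens` only exercise `kPrimary` tokens, so nothing pins that a token boxed with the `source_address_token_secret_override` key is also rejected once it is too old or appears to come from the future. Since these tokens are the server's address-validation check, I would add `EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, override_token4, ip4, now));` after each of the two `now = original_time...` adjustments. The two comments that read "generates configs that validate successfully" presumably mean tokens, e.g. `// Primary config generates tokens that validate successfully.` The results of `AddDefaultConfig` and `AddConfig` are wrapped in a temporary `scoped_ptr` and dropped; if those calls can return null on failure (not visible here), an `ASSERT_TRUE` on the result would stop the test at setup rather than at a later dereference.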
|
|
|