QUIC Crypto - return the reasons for reject message. Reject reason

net/quic/crypto/quic_crypto_server_config_test.cc

Index: net/quic/crypto/quic_crypto_server_config_test.cc
diff --git a/net/quic/crypto/quic_crypto_server_config_test.cc b/net/quic/crypto/quic_crypto_server_config_test.cc
index 069c5238478a8a83c5da2b39426f46fe7f48c559..22bfd2c6cc6c120c8e8d5ea0dc73aea6bd60221f 100644
--- a/net/quic/crypto/quic_crypto_server_config_test.cc
+++ b/net/quic/crypto/quic_crypto_server_config_test.cc
@@ -9,6 +9,7 @@
 #include "base/stl_util.h"
 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
 #include "net/quic/crypto/crypto_handshake_message.h"
+#include "net/quic/crypto/crypto_secret_boxer.h"
 #include "net/quic/crypto/crypto_server_config_protobuf.h"
 #include "net/quic/crypto/quic_random.h"
 #include "net/quic/crypto/strike_register_client.h"
@@ -58,14 +59,23 @@ class QuicCryptoServerConfigPeer {
         *GetConfig(config_id), ip, rand, now);
   }
 
-  bool ValidateSourceAddressToken(string config_id,
-                                  StringPiece srct,
-                                  IPEndPoint ip,
-                                  QuicWallTime now) {
+  HandshakeFailureReason ValidateSourceAddressToken(string config_id,
+                                                    StringPiece srct,
+                                                    IPEndPoint ip,
+                                                    QuicWallTime now) {
     return server_config_->ValidateSourceAddressToken(
         *GetConfig(config_id), srct, ip, now);
   }
 
+  string NewServerNonce(QuicRandom* rand, QuicWallTime now) const {
+    return server_config_->NewServerNonce(rand, now);
+  }
+
+  HandshakeFailureReason ValidateServerNonce(StringPiece token,
+                                             QuicWallTime now) {
+    return server_config_->ValidateServerNonce(token, now);
+  }
+
   base::Lock* GetStrikeRegisterClientLock() {
     return &server_config_->strike_register_client_lock_;
   }
@@ -270,41 +280,84 @@ TEST(QuicCryptoServerConfigTest, SourceAddressTokens) {
   const string token4 = peer.NewSourceAddressToken(kPrimary, ip4, rand, now);
   const string token4d = peer.NewSourceAddressToken(kPrimary, ip4d, rand, now);
   const string token6 = peer.NewSourceAddressToken(kPrimary, ip6, rand, now);
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4d, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip6, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4d, ip4, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token4d, ip4d, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4d, ip6, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(kPrimary, token6, ip6, now));
+  EXPECT_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
+      kPrimary, token4, ip4, now));
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
+      kPrimary, token4, ip4d, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, token4, ip6, now));
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
+      kPrimary, token4d, ip4, now));
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
+      kPrimary, token4d, ip4d, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, token4d, ip6, now));
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
+      kPrimary, token6, ip6, now));
 
   // Override config generates configs that validate successfully.
   const string override_token4 = peer.NewSourceAddressToken(
       kOverride, ip4, rand, now);
   const string override_token6 = peer.NewSourceAddressToken(
       kOverride, ip6, rand, now);
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
       kOverride, override_token4, ip4, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(
-      kOverride, override_token4, ip6, now));
-  EXPECT_TRUE(peer.ValidateSourceAddressToken(
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE,
+            peer.ValidateSourceAddressToken(kOverride, override_token4, ip6,
+                                            now));
+  DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken(
       kOverride, override_token6, ip6, now));
 
   // Tokens generated by the primary config do not validate
   // successfully against the override config, and vice versa.
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token4, ip4, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kOverride, token6, ip6, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(
-      kPrimary, override_token4, ip4, now));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(
-      kPrimary, override_token6, ip6, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
+            peer.ValidateSourceAddressToken(kOverride, token4, ip4, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
+            peer.ValidateSourceAddressToken(kOverride, token6, ip6, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, override_token4, ip4,
+                                            now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, override_token6, ip6,
+                                            now));
 
   // Validation fails after tokens expire.
   now = original_time.Add(QuicTime::Delta::FromSeconds(86400 * 7));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
 
   now = original_time.Subtract(QuicTime::Delta::FromSeconds(3600 * 2));
-  EXPECT_FALSE(peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
+  DCHECK_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE,
+            peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now));
+}
+
+TEST(QuicCryptoServerConfigTest, ValidateServerNonce) {
+  QuicRandom* rand = QuicRandom::GetInstance();
+  QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand);
+  QuicCryptoServerConfigPeer peer(&server);
+
+  StringPiece message("hello world");
+  const size_t key_size = CryptoSecretBoxer::GetKeySize();
+  scoped_ptr<uint8[]> key(new uint8[key_size]);
+  memset(key.get(), 0x11, key_size);
+
+  CryptoSecretBoxer boxer;
+  boxer.SetKey(StringPiece(reinterpret_cast<char*>(key.get()), key_size));
+  const string box = boxer.Box(rand, message);
+  MockClock clock;
+  QuicWallTime now = clock.WallNow();
+  const QuicWallTime original_time = now;
+  EXPECT_EQ(SERVER_NONCE_DECRYPTION_FAILURE,
+            peer.ValidateServerNonce(box, now));
+
+  string server_nonce = peer.NewServerNonce(rand, now);
+  EXPECT_EQ(HANDSHAKE_OK, peer.ValidateServerNonce(server_nonce, now));
+  EXPECT_EQ(SERVER_NONCE_NOT_UNIQUE_FAILURE,
+            peer.ValidateServerNonce(server_nonce, now));
+
+  now = original_time.Add(QuicTime::Delta::FromSeconds(1000 * 7));
+  server_nonce = peer.NewServerNonce(rand, now);
+  EXPECT_EQ(HANDSHAKE_OK, peer.ValidateServerNonce(server_nonce, now));
 }
 
 class CryptoServerConfigsTest : public ::testing::Test {