Google Git
Sign in
chromium / chromium / src / f2168263f19ab4f81c56d6258db7d9e6fa0b07fb / . / net / quic / quic_crypto_server_stream_test.cc
blob: 1cf2d5cd3812bc60ae83c73b6535d1c68b738f25 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/quic/quic_crypto_server_stream.h"
#include <map>
#include <memory>
#include <vector>
#include "base/stl_util.h"
#include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
#include "net/quic/crypto/crypto_framer.h"
#include "net/quic/crypto/crypto_handshake.h"
#include "net/quic/crypto/crypto_protocol.h"
#include "net/quic/crypto/crypto_utils.h"
#include "net/quic/crypto/quic_crypto_server_config.h"
#include "net/quic/crypto/quic_decrypter.h"
#include "net/quic/crypto/quic_encrypter.h"
#include "net/quic/crypto/quic_random.h"
#include "net/quic/quic_crypto_client_stream.h"
#include "net/quic/quic_flags.h"
#include "net/quic/quic_protocol.h"
#include "net/quic/quic_session.h"
#include "net/quic/test_tools/crypto_test_utils.h"
#include "net/quic/test_tools/delayed_verify_strike_register_client.h"
#include "net/quic/test_tools/quic_crypto_server_config_peer.h"
#include "net/quic/test_tools/quic_test_utils.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
class QuicConnection;
class ReliableQuicStream;
} // namespace net
using std::pair;
using std::string;
using testing::_;
namespace net {
namespace test {
class QuicCryptoServerStreamPeer {
public:
static bool DoesPeerSupportStatelessRejects(
const CryptoHandshakeMessage& message) {
return net::QuicCryptoServerStream::DoesPeerSupportStatelessRejects(
message);
}
};
namespace {
const char kServerHostname[] = "test.example.com";
const uint16_t kServerPort = 443;
class QuicCryptoServerStreamTest : public ::testing::TestWithParam<bool> {
public:
QuicCryptoServerStreamTest()
: server_crypto_config_(QuicCryptoServerConfig::TESTING,
QuicRandom::GetInstance(),
CryptoTestUtils::ProofSourceForTesting()),
server_compressed_certs_cache_(
QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
server_id_(kServerHostname, kServerPort, PRIVACY_MODE_DISABLED),
client_crypto_config_(CryptoTestUtils::ProofVerifierForTesting()) {
FLAGS_enable_quic_stateless_reject_support = false;
server_crypto_config_.set_strike_register_no_startup_period();
}
void Initialize() {
InitializeServer();
if (AsyncStrikeRegisterVerification()) {
QuicCryptoServerConfigPeer peer(&server_crypto_config_);
strike_register_client_ = new DelayedVerifyStrikeRegisterClient(
10000, // strike_register_max_entries
static_cast<uint32_t>(
server_connection_->clock()->WallNow().ToUNIXSeconds()),
60, // strike_register_window_secs
peer.GetPrimaryConfig()->orbit,
StrikeRegister::NO_STARTUP_PERIOD_NEEDED);
strike_register_client_->StartDelayingVerification();
server_crypto_config_.SetStrikeRegisterClient(strike_register_client_);
}
}
~QuicCryptoServerStreamTest() override {
// Ensure that anything that might reference |helpers_| is destroyed before
// |helpers_| is destroyed.
server_session_.reset();
client_session_.reset();
STLDeleteElements(&helpers_);
STLDeleteElements(&alarm_factories_);
}
// Initializes the crypto server stream state for testing. May be
// called multiple times.
void InitializeServer() {
TestQuicSpdyServerSession* server_session = nullptr;
helpers_.push_back(new MockQuicConnectionHelper);
alarm_factories_.push_back(new MockAlarmFactory);
CreateServerSessionForTest(
server_id_, QuicTime::Delta::FromSeconds(100000), supported_versions_,
helpers_.back(), alarm_factories_.back(), &server_crypto_config_,
&server_compressed_certs_cache_, &server_connection_, &server_session);
CHECK(server_session);
server_session_.reset(server_session);
CryptoTestUtils::FakeServerOptions options;
options.token_binding_enabled = true;
CryptoTestUtils::SetupCryptoServerConfigForTest(
server_connection_->clock(), server_connection_->random_generator(),
server_session_->config(), &server_crypto_config_, options);
}
QuicCryptoServerStream* server_stream() {
return server_session_->GetCryptoStream();
}
QuicCryptoClientStream* client_stream() {
return client_session_->GetCryptoStream();
}
// Initializes a fake client, and all its associated state, for
// testing. May be called multiple times.
void InitializeFakeClient(bool supports_stateless_rejects) {
TestQuicSpdyClientSession* client_session = nullptr;
helpers_.push_back(new MockQuicConnectionHelper);
alarm_factories_.push_back(new MockAlarmFactory);
CreateClientSessionForTest(
server_id_, supports_stateless_rejects,
QuicTime::Delta::FromSeconds(100000), supported_versions_,
helpers_.back(), alarm_factories_.back(), &client_crypto_config_,
&client_connection_, &client_session);
CHECK(client_session);
client_session_.reset(client_session);
}
bool AsyncStrikeRegisterVerification() {
if (server_connection_->version() > QUIC_VERSION_32) {
return false;
}
return GetParam();
}
void ConstructHandshakeMessage() {
CryptoFramer framer;
message_data_.reset(framer.ConstructHandshakeMessage(message_));
}
int CompleteCryptoHandshake() {
CHECK(server_connection_);
CHECK(server_session_ != nullptr);
return CryptoTestUtils::HandshakeWithFakeClient(
helpers_.back(), alarm_factories_.back(), server_connection_,
server_stream(), server_id_, client_options_);
}
// Performs a single round of handshake message-exchange between the
// client and server.
void AdvanceHandshakeWithFakeClient() {
CHECK(server_connection_);
CHECK(client_session_ != nullptr);
EXPECT_CALL(*client_session_, OnProofValid(_)).Times(testing::AnyNumber());
client_stream()->CryptoConnect();
CryptoTestUtils::AdvanceHandshake(client_connection_, client_stream(), 0,
server_connection_, server_stream(), 0);
}
protected:
// Every connection gets its own MockQuicConnectionHelper and
// MockAlarmFactory,
// tracked separately from
// the server and client state so their lifetimes persist through the whole
// test.
std::vector<MockQuicConnectionHelper*> helpers_;
std::vector<MockAlarmFactory*> alarm_factories_;
// Server state
PacketSavingConnection* server_connection_;
std::unique_ptr<TestQuicSpdyServerSession> server_session_;
QuicCryptoServerConfig server_crypto_config_;
QuicCompressedCertsCache server_compressed_certs_cache_;
QuicServerId server_id_;
// Client state
PacketSavingConnection* client_connection_;
QuicCryptoClientConfig client_crypto_config_;
std::unique_ptr<TestQuicSpdyClientSession> client_session_;
CryptoHandshakeMessage message_;
std::unique_ptr<QuicData> message_data_;
CryptoTestUtils::FakeClientOptions client_options_;
DelayedVerifyStrikeRegisterClient* strike_register_client_;
// Which QUIC versions the client and server support.
QuicVersionVector supported_versions_ = QuicSupportedVersions();
};
INSTANTIATE_TEST_CASE_P(Tests, QuicCryptoServerStreamTest, testing::Bool());
TEST_P(QuicCryptoServerStreamTest, NotInitiallyConected) {
Initialize();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, NotInitiallySendingStatelessRejects) {
Initialize();
EXPECT_FALSE(server_stream()->UseStatelessRejectsIfPeerSupported());
EXPECT_FALSE(server_stream()->PeerSupportsStatelessRejects());
}
TEST_P(QuicCryptoServerStreamTest, ConnectedAfterCHLO) {
// CompleteCryptoHandshake returns the number of client hellos sent. This
// test should send:
// * One to get a source-address token and certificates.
// * One to complete the handshake.
Initialize();
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, InitialEncryptionAfterCHLO) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Now do another handshake, with the blocking SHLO connection option.
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
if (FLAGS_quic_default_immediate_forward_secure) {
client_session_->config()->SetConnectionOptionsToSend({kIPFS});
}
AdvanceHandshakeWithFakeClient();
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
EXPECT_EQ(ENCRYPTION_INITIAL,
server_session_->connection()->encryption_level());
}
TEST_P(QuicCryptoServerStreamTest, ForwardSecureAfterCHLO) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Now do another handshake, with the blocking SHLO connection option.
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
if (!FLAGS_quic_default_immediate_forward_secure) {
client_session_->config()->SetConnectionOptionsToSend({kIPFS});
}
AdvanceHandshakeWithFakeClient();
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
EXPECT_EQ(ENCRYPTION_FORWARD_SECURE,
server_session_->connection()->encryption_level());
}
TEST_P(QuicCryptoServerStreamTest, StatelessRejectAfterCHLO) {
ValueRestore<bool> old_flag(&FLAGS_enable_quic_stateless_reject_support,
true);
Initialize();
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT, _, _));
InitializeFakeClient(/* supports_stateless_rejects= */ true);
AdvanceHandshakeWithFakeClient();
// Check the server to make the sure the handshake did not succeed.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Check the client state to make sure that it received a server-designated
// connection id.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_TRUE(client_state->has_server_nonce());
ASSERT_FALSE(client_state->GetNextServerNonce().empty());
ASSERT_FALSE(client_state->has_server_nonce());
ASSERT_TRUE(client_state->has_server_designated_connection_id());
const QuicConnectionId server_designated_connection_id =
client_state->GetNextServerDesignatedConnectionId();
const QuicConnectionId expected_id =
server_connection_->random_generator()->RandUint64();
EXPECT_EQ(expected_id, server_designated_connection_id);
EXPECT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
}
TEST_P(QuicCryptoServerStreamTest, ConnectedAfterStatelessHandshake) {
ValueRestore<bool> old_flag(&FLAGS_enable_quic_stateless_reject_support,
true);
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ true);
AdvanceHandshakeWithFakeClient();
// On the first round, encryption will not be established.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
EXPECT_EQ(1, server_stream()->NumHandshakeMessages());
EXPECT_EQ(0, server_stream()->NumHandshakeMessagesWithServerNonces());
// Now check the client state.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_TRUE(client_state->has_server_designated_connection_id());
const QuicConnectionId server_designated_connection_id =
client_state->GetNextServerDesignatedConnectionId();
const QuicConnectionId expected_id =
server_connection_->random_generator()->RandUint64();
EXPECT_EQ(expected_id, server_designated_connection_id);
EXPECT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
// Now create new client and server streams with the existing config
// and try the handshake again (0-RTT handshake).
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ true);
// In the stateless case, the second handshake contains a server-nonce, so the
// AsyncStrikeRegisterVerification() case will still succeed (unlike a 0-RTT
// handshake).
AdvanceHandshakeWithFakeClient();
// On the second round, encryption will be established.
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
EXPECT_EQ(1, server_stream()->NumHandshakeMessages());
EXPECT_EQ(1, server_stream()->NumHandshakeMessagesWithServerNonces());
}
TEST_P(QuicCryptoServerStreamTest, NoStatelessRejectIfNoClientSupport) {
ValueRestore<bool> old_flag(&FLAGS_enable_quic_stateless_reject_support,
true);
Initialize();
// The server is configured to use stateless rejects, but the client does not
// support it.
InitializeFakeClient(/* supports_stateless_rejects= */ false);
AdvanceHandshakeWithFakeClient();
// Check the server to make the sure the handshake did not succeed.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Check the client state to make sure that it did not receive a
// server-designated connection id.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
}
TEST_P(QuicCryptoServerStreamTest, ZeroRTT) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
// Now do another handshake, hopefully in 0-RTT.
DVLOG(1) << "Resetting for 0-RTT handshake attempt";
InitializeFakeClient(/* supports_stateless_rejects= */ false);
InitializeServer();
client_stream()->CryptoConnect();
if (AsyncStrikeRegisterVerification()) {
EXPECT_FALSE(client_stream()->handshake_confirmed());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Advance the handshake. Expect that the server will be stuck waiting for
// client nonce verification to complete.
pair<size_t, size_t> messages_moved = CryptoTestUtils::AdvanceHandshake(
client_connection_, client_stream(), 0, server_connection_,
server_stream(), 0);
EXPECT_EQ(1u, messages_moved.first);
EXPECT_EQ(0u, messages_moved.second);
EXPECT_EQ(1, strike_register_client_->PendingVerifications());
EXPECT_FALSE(client_stream()->handshake_confirmed());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// The server handshake completes once the nonce verification completes.
strike_register_client_->RunPendingVerifications();
EXPECT_FALSE(client_stream()->handshake_confirmed());
EXPECT_TRUE(server_stream()->handshake_confirmed());
messages_moved = CryptoTestUtils::AdvanceHandshake(
client_connection_, client_stream(), messages_moved.first,
server_connection_, server_stream(), messages_moved.second);
EXPECT_EQ(1u, messages_moved.first);
EXPECT_EQ(1u, messages_moved.second);
EXPECT_TRUE(client_stream()->handshake_confirmed());
EXPECT_TRUE(server_stream()->handshake_confirmed());
} else {
CryptoTestUtils::CommunicateHandshakeMessages(
client_connection_, client_stream(), server_connection_,
server_stream());
}
EXPECT_EQ(1, client_stream()->num_sent_client_hellos());
}
TEST_P(QuicCryptoServerStreamTest, FailByPolicy) {
FLAGS_quic_enable_chlo_policy = true;
FLAGS_quic_require_fix = false;
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
EXPECT_CALL(*server_session_->helper(), CanAcceptClientHello(_, _, _))
.WillOnce(testing::Return(false));
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_HANDSHAKE_FAILED, _, _));
AdvanceHandshakeWithFakeClient();
}
TEST_P(QuicCryptoServerStreamTest, MessageAfterHandshake) {
FLAGS_quic_require_fix = false;
Initialize();
CompleteCryptoHandshake();
EXPECT_CALL(
*server_connection_,
CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE, _, _));
message_.set_tag(kCHLO);
ConstructHandshakeMessage();
server_stream()->OnStreamFrame(
QuicStreamFrame(kCryptoStreamId, /*fin=*/false, /*offset=*/0,
message_data_->AsStringPiece()));
}
TEST_P(QuicCryptoServerStreamTest, BadMessageType) {
FLAGS_quic_require_fix = false;
Initialize();
message_.set_tag(kSHLO);
ConstructHandshakeMessage();
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE, _, _));
server_stream()->OnStreamFrame(
QuicStreamFrame(kCryptoStreamId, /*fin=*/false, /*offset=*/0,
message_data_->AsStringPiece()));
}
TEST_P(QuicCryptoServerStreamTest, ChannelID) {
Initialize();
client_options_.channel_id_enabled = true;
client_options_.channel_id_source_async = false;
// CompleteCryptoHandshake verifies
// server_stream()->crypto_negotiated_params().channel_id is correct.
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, ChannelIDAsync) {
Initialize();
client_options_.channel_id_enabled = true;
client_options_.channel_id_source_async = true;
// CompleteCryptoHandshake verifies
// server_stream()->crypto_negotiated_params().channel_id is correct.
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, OnlySendSCUPAfterHandshakeComplete) {
// An attempt to send a SCUP before completing handshake should fail.
Initialize();
server_stream()->SendServerConfigUpdate(nullptr);
EXPECT_EQ(0, server_stream()->NumServerConfigUpdateMessagesSent());
}
TEST_P(QuicCryptoServerStreamTest, SendSCUPAfterHandshakeComplete) {
FLAGS_quic_use_hash_in_scup = true;
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
// Now do another handshake, with the blocking SHLO connection option.
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
AdvanceHandshakeWithFakeClient();
// Send a SCUP message and ensure that the client was able to verify it.
EXPECT_CALL(*client_connection_, CloseConnection(_, _, _)).Times(0);
server_stream()->SendServerConfigUpdate(nullptr);
CryptoTestUtils::AdvanceHandshake(client_connection_, client_stream(), 1,
server_connection_, server_stream(), 1);
EXPECT_EQ(1, server_stream()->NumServerConfigUpdateMessagesSent());
EXPECT_EQ(1, client_stream()->num_scup_messages_received());
}
TEST_P(QuicCryptoServerStreamTest, DoesPeerSupportStatelessRejects) {
Initialize();
ConstructHandshakeMessage();
QuicConfig stateless_reject_config = DefaultQuicConfigStatelessRejects();
stateless_reject_config.ToHandshakeMessage(&message_);
EXPECT_TRUE(
QuicCryptoServerStreamPeer::DoesPeerSupportStatelessRejects(message_));
message_.Clear();
QuicConfig stateful_reject_config = DefaultQuicConfig();
stateful_reject_config.ToHandshakeMessage(&message_);
EXPECT_FALSE(
QuicCryptoServerStreamPeer::DoesPeerSupportStatelessRejects(message_));
}
TEST_P(QuicCryptoServerStreamTest, TokenBindingNegotiated) {
Initialize();
client_options_.token_binding_enabled = true;
CompleteCryptoHandshake();
EXPECT_EQ(
kP256,
server_stream()->crypto_negotiated_params().token_binding_key_param);
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, NoTokenBindingWithoutClientSupport) {
Initialize();
CompleteCryptoHandshake();
EXPECT_EQ(
0u, server_stream()->crypto_negotiated_params().token_binding_key_param);
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, CancelRPCBeforeVerificationCompletes) {
// Tests that the client can close the connection while the remote strike
// register verification RPC is still pending.
// Set version to QUIC_VERSION_25 as QUIC_VERSION_26 and later don't support
// asynchronous strike register RPCs.
supported_versions_ = {QUIC_VERSION_25};
Initialize();
if (!AsyncStrikeRegisterVerification()) {
return;
}
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
// Now start another handshake, this time the server will attempt to verify
// the client's nonce with the strike registers.
InitializeFakeClient(/* supports_stateless_rejects= */ false);
InitializeServer();
client_stream()->CryptoConnect();
EXPECT_FALSE(client_stream()->handshake_confirmed());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Advance the handshake. Expect that the server will be stuck waiting for
// client nonce verification to complete.
CryptoTestUtils::AdvanceHandshake(client_connection_, client_stream(), 0,
server_connection_, server_stream(), 0);
EXPECT_EQ(1, strike_register_client_->PendingVerifications());
EXPECT_FALSE(client_stream()->handshake_confirmed());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// While waiting for the asynchronous verification to complete, the client
// decides to close the connection.
server_session_->connection()->CloseConnection(
QUIC_NO_ERROR, "", ConnectionCloseBehavior::SILENT_CLOSE);
// The outstanding nonce verification RPC now completes.
strike_register_client_->RunPendingVerifications();
}
} // namespace
} // namespace test
} // namespace net