blob: df4216d3d3d012d0ed03903dbbb0f217150c2982 [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/third_party/quic/core/quic_crypto_server_stream.h"
#include <map>
#include <memory>
#include <vector>
#include "net/third_party/quic/core/crypto/aes_128_gcm_12_encrypter.h"
#include "net/third_party/quic/core/crypto/crypto_framer.h"
#include "net/third_party/quic/core/crypto/crypto_handshake.h"
#include "net/third_party/quic/core/crypto/crypto_protocol.h"
#include "net/third_party/quic/core/crypto/crypto_utils.h"
#include "net/third_party/quic/core/crypto/quic_crypto_server_config.h"
#include "net/third_party/quic/core/crypto/quic_decrypter.h"
#include "net/third_party/quic/core/crypto/quic_encrypter.h"
#include "net/third_party/quic/core/crypto/quic_random.h"
#include "net/third_party/quic/core/quic_crypto_client_stream.h"
#include "net/third_party/quic/core/quic_packets.h"
#include "net/third_party/quic/core/quic_session.h"
#include "net/third_party/quic/core/quic_utils.h"
#include "net/third_party/quic/core/tls_client_handshaker.h"
#include "net/third_party/quic/core/tls_server_handshaker.h"
#include "net/third_party/quic/platform/api/quic_flags.h"
#include "net/third_party/quic/platform/api/quic_logging.h"
#include "net/third_party/quic/platform/api/quic_ptr_util.h"
#include "net/third_party/quic/platform/api/quic_socket_address.h"
#include "net/third_party/quic/platform/api/quic_test.h"
#include "net/third_party/quic/test_tools/crypto_test_utils.h"
#include "net/third_party/quic/test_tools/failing_proof_source.h"
#include "net/third_party/quic/test_tools/fake_proof_source.h"
#include "net/third_party/quic/test_tools/quic_crypto_server_config_peer.h"
#include "net/third_party/quic/test_tools/quic_test_utils.h"
namespace quic {
class QuicConnection;
class QuicStream;
} // namespace quic
using testing::_;
using testing::NiceMock;
namespace quic {
namespace test {
class QuicCryptoServerStreamPeer {
public:
static bool DoesPeerSupportStatelessRejects(
const CryptoHandshakeMessage& message) {
return QuicCryptoServerStream::DoesPeerSupportStatelessRejects(message);
}
};
namespace {
const char kServerHostname[] = "test.example.com";
const uint16_t kServerPort = 443;
class QuicCryptoServerStreamTest : public QuicTestWithParam<bool> {
public:
QuicCryptoServerStreamTest()
: QuicCryptoServerStreamTest(crypto_test_utils::ProofSourceForTesting()) {
}
explicit QuicCryptoServerStreamTest(std::unique_ptr<ProofSource> proof_source)
: server_crypto_config_(QuicCryptoServerConfig::TESTING,
QuicRandom::GetInstance(),
std::move(proof_source),
KeyExchangeSource::Default(),
TlsServerHandshaker::CreateSslCtx()),
server_compressed_certs_cache_(
QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
server_id_(kServerHostname, kServerPort, false),
client_crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
TlsClientHandshaker::CreateSslCtx()) {
SetQuicReloadableFlag(enable_quic_stateless_reject_support, false);
}
void Initialize() { InitializeServer(); }
~QuicCryptoServerStreamTest() override {
// Ensure that anything that might reference |helpers_| is destroyed before
// |helpers_| is destroyed.
server_session_.reset();
client_session_.reset();
helpers_.clear();
alarm_factories_.clear();
}
// Initializes the crypto server stream state for testing. May be
// called multiple times.
void InitializeServer() {
TestQuicSpdyServerSession* server_session = nullptr;
helpers_.push_back(QuicMakeUnique<NiceMock<MockQuicConnectionHelper>>());
alarm_factories_.push_back(QuicMakeUnique<MockAlarmFactory>());
CreateServerSessionForTest(
server_id_, QuicTime::Delta::FromSeconds(100000), supported_versions_,
helpers_.back().get(), alarm_factories_.back().get(),
&server_crypto_config_, &server_compressed_certs_cache_,
&server_connection_, &server_session);
CHECK(server_session);
server_session_.reset(server_session);
EXPECT_CALL(*server_session_->helper(), CanAcceptClientHello(_, _, _, _, _))
.Times(testing::AnyNumber());
EXPECT_CALL(*server_session_->helper(), GenerateConnectionIdForReject(_, _))
.Times(testing::AnyNumber());
crypto_test_utils::FakeServerOptions options;
options.token_binding_params = QuicTagVector{kTB10};
crypto_test_utils::SetupCryptoServerConfigForTest(
server_connection_->clock(), server_connection_->random_generator(),
&server_crypto_config_, options);
server_session_->GetMutableCryptoStream()->OnSuccessfulVersionNegotiation(
supported_versions_.front());
}
QuicCryptoServerStream* server_stream() {
return server_session_->GetMutableCryptoStream();
}
QuicCryptoClientStream* client_stream() {
return client_session_->GetMutableCryptoStream();
}
// Initializes a fake client, and all its associated state, for
// testing. May be called multiple times.
void InitializeFakeClient(bool supports_stateless_rejects) {
TestQuicSpdyClientSession* client_session = nullptr;
helpers_.push_back(QuicMakeUnique<NiceMock<MockQuicConnectionHelper>>());
alarm_factories_.push_back(QuicMakeUnique<MockAlarmFactory>());
CreateClientSessionForTest(
server_id_, supports_stateless_rejects,
QuicTime::Delta::FromSeconds(100000), supported_versions_,
helpers_.back().get(), alarm_factories_.back().get(),
&client_crypto_config_, &client_connection_, &client_session);
CHECK(client_session);
client_session_.reset(client_session);
}
int CompleteCryptoHandshake() {
CHECK(server_connection_);
CHECK(server_session_ != nullptr);
return crypto_test_utils::HandshakeWithFakeClient(
helpers_.back().get(), alarm_factories_.back().get(),
server_connection_, server_stream(), server_id_, client_options_);
}
// Performs a single round of handshake message-exchange between the
// client and server.
void AdvanceHandshakeWithFakeClient() {
CHECK(server_connection_);
CHECK(client_session_ != nullptr);
EXPECT_CALL(*client_session_, OnProofValid(_)).Times(testing::AnyNumber());
EXPECT_CALL(*client_session_, OnProofVerifyDetailsAvailable(_))
.Times(testing::AnyNumber());
EXPECT_CALL(*client_connection_, OnCanWrite()).Times(testing::AnyNumber());
EXPECT_CALL(*server_connection_, OnCanWrite()).Times(testing::AnyNumber());
client_stream()->CryptoConnect();
crypto_test_utils::AdvanceHandshake(client_connection_, client_stream(), 0,
server_connection_, server_stream(), 0);
}
protected:
// Every connection gets its own MockQuicConnectionHelper and
// MockAlarmFactory, tracked separately from the server and client state so
// their lifetimes persist through the whole test.
std::vector<std::unique_ptr<MockQuicConnectionHelper>> helpers_;
std::vector<std::unique_ptr<MockAlarmFactory>> alarm_factories_;
// Server state.
PacketSavingConnection* server_connection_;
std::unique_ptr<TestQuicSpdyServerSession> server_session_;
QuicCryptoServerConfig server_crypto_config_;
QuicCompressedCertsCache server_compressed_certs_cache_;
QuicServerId server_id_;
// Client state.
PacketSavingConnection* client_connection_;
QuicCryptoClientConfig client_crypto_config_;
std::unique_ptr<TestQuicSpdyClientSession> client_session_;
CryptoHandshakeMessage message_;
crypto_test_utils::FakeClientOptions client_options_;
// Which QUIC versions the client and server support.
ParsedQuicVersionVector supported_versions_ = AllSupportedVersions();
};
INSTANTIATE_TEST_SUITE_P(Tests, QuicCryptoServerStreamTest, testing::Bool());
TEST_P(QuicCryptoServerStreamTest, NotInitiallyConected) {
Initialize();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, NotInitiallySendingStatelessRejects) {
Initialize();
EXPECT_FALSE(server_stream()->UseStatelessRejectsIfPeerSupported());
EXPECT_FALSE(server_stream()->PeerSupportsStatelessRejects());
}
TEST_P(QuicCryptoServerStreamTest, ConnectedAfterCHLO) {
// CompleteCryptoHandshake returns the number of client hellos sent. This
// test should send:
// * One to get a source-address token and certificates.
// * One to complete the handshake.
Initialize();
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
// Cobalt does not support TLSHandshaker and it is disabled right now.
// TLSHanshaker is enabled by FLAGS_quic_supports_tls_handshake.
// m74 TLSHandshaker depends on updated boringSSL(compared to m70) which has
// standard QUIC APIs.
#if !defined(COBALT_QUIC46)
TEST_P(QuicCryptoServerStreamTest, ConnectedAfterTlsHandshake) {
FLAGS_quic_supports_tls_handshake = true;
client_options_.only_tls_versions = true;
supported_versions_.clear();
for (QuicTransportVersion transport_version :
AllSupportedTransportVersions()) {
supported_versions_.push_back(
ParsedQuicVersion(PROTOCOL_TLS1_3, transport_version));
}
Initialize();
CompleteCryptoHandshake();
EXPECT_EQ(PROTOCOL_TLS1_3, server_stream()->handshake_protocol());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
#endif
TEST_P(QuicCryptoServerStreamTest, ForwardSecureAfterCHLO) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Now do another handshake, with the blocking SHLO connection option.
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
AdvanceHandshakeWithFakeClient();
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
EXPECT_EQ(ENCRYPTION_FORWARD_SECURE,
server_session_->connection()->encryption_level());
}
TEST_P(QuicCryptoServerStreamTest, StatelessRejectAfterCHLO) {
SetQuicReloadableFlag(enable_quic_stateless_reject_support, true);
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ true);
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT, _, _));
EXPECT_CALL(*client_connection_,
CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT, _, _));
AdvanceHandshakeWithFakeClient();
// Check the server to make the sure the handshake did not succeed.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Check the client state to make sure that it received a server-designated
// connection id.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_TRUE(client_state->has_server_nonce());
ASSERT_FALSE(client_state->GetNextServerNonce().empty());
ASSERT_FALSE(client_state->has_server_nonce());
ASSERT_TRUE(client_state->has_server_designated_connection_id());
const QuicConnectionId server_designated_connection_id =
client_state->GetNextServerDesignatedConnectionId();
const QuicConnectionId expected_id = QuicUtils::CreateRandomConnectionId(
server_connection_->random_generator());
EXPECT_EQ(expected_id, server_designated_connection_id);
EXPECT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
}
TEST_P(QuicCryptoServerStreamTest, ConnectedAfterStatelessHandshake) {
SetQuicReloadableFlag(enable_quic_stateless_reject_support, true);
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ true);
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT, _, _));
EXPECT_CALL(*client_connection_,
CloseConnection(QUIC_CRYPTO_HANDSHAKE_STATELESS_REJECT, _, _));
AdvanceHandshakeWithFakeClient();
// On the first round, encryption will not be established.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
EXPECT_EQ(1, server_stream()->NumHandshakeMessages());
EXPECT_EQ(0, server_stream()->NumHandshakeMessagesWithServerNonces());
// Now check the client state.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_TRUE(client_state->has_server_designated_connection_id());
const QuicConnectionId server_designated_connection_id =
client_state->GetNextServerDesignatedConnectionId();
const QuicConnectionId expected_id = QuicUtils::CreateRandomConnectionId(
server_connection_->random_generator());
EXPECT_EQ(expected_id, server_designated_connection_id);
EXPECT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
// Now create new client and server streams with the existing config
// and try the handshake again (0-RTT handshake).
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ true);
// In the stateless case, the second handshake contains a server-nonce, so the
// AsyncStrikeRegisterVerification() case will still succeed (unlike a 0-RTT
// handshake).
AdvanceHandshakeWithFakeClient();
// On the second round, encryption will be established.
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
EXPECT_EQ(1, server_stream()->NumHandshakeMessages());
EXPECT_EQ(1, server_stream()->NumHandshakeMessagesWithServerNonces());
}
TEST_P(QuicCryptoServerStreamTest, NoStatelessRejectIfNoClientSupport) {
SetQuicReloadableFlag(enable_quic_stateless_reject_support, true);
Initialize();
// The server is configured to use stateless rejects, but the client does not
// support it.
InitializeFakeClient(/* supports_stateless_rejects= */ false);
AdvanceHandshakeWithFakeClient();
// Check the server to make the sure the handshake did not succeed.
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
// Check the client state to make sure that it did not receive a
// server-designated connection id.
QuicCryptoClientConfig::CachedState* client_state =
client_crypto_config_.LookupOrCreate(server_id_);
ASSERT_FALSE(client_state->has_server_designated_connection_id());
ASSERT_TRUE(client_state->IsComplete(QuicWallTime::FromUNIXSeconds(0)));
}
TEST_P(QuicCryptoServerStreamTest, ZeroRTT) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
EXPECT_FALSE(server_stream()->ZeroRttAttempted());
// Now do another handshake, hopefully in 0-RTT.
QUIC_LOG(INFO) << "Resetting for 0-RTT handshake attempt";
InitializeFakeClient(/* supports_stateless_rejects= */ false);
InitializeServer();
EXPECT_CALL(*client_session_, OnProofValid(_)).Times(testing::AnyNumber());
EXPECT_CALL(*client_session_, OnProofVerifyDetailsAvailable(_))
.Times(testing::AnyNumber());
EXPECT_CALL(*client_connection_, OnCanWrite()).Times(testing::AnyNumber());
client_stream()->CryptoConnect();
EXPECT_CALL(*client_session_, OnProofValid(_)).Times(testing::AnyNumber());
EXPECT_CALL(*client_session_, OnProofVerifyDetailsAvailable(_))
.Times(testing::AnyNumber());
EXPECT_CALL(*client_connection_, OnCanWrite()).Times(testing::AnyNumber());
crypto_test_utils::CommunicateHandshakeMessages(
client_connection_, client_stream(), server_connection_, server_stream());
EXPECT_EQ(1, client_stream()->num_sent_client_hellos());
EXPECT_TRUE(server_stream()->ZeroRttAttempted());
}
TEST_P(QuicCryptoServerStreamTest, FailByPolicy) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
EXPECT_CALL(*server_session_->helper(), CanAcceptClientHello(_, _, _, _, _))
.WillOnce(testing::Return(false));
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_HANDSHAKE_FAILED, _, _));
AdvanceHandshakeWithFakeClient();
}
TEST_P(QuicCryptoServerStreamTest, MessageAfterHandshake) {
Initialize();
CompleteCryptoHandshake();
EXPECT_CALL(
*server_connection_,
CloseConnection(QUIC_CRYPTO_MESSAGE_AFTER_HANDSHAKE_COMPLETE, _, _));
message_.set_tag(kCHLO);
crypto_test_utils::SendHandshakeMessageToStream(server_stream(), message_,
Perspective::IS_CLIENT);
}
TEST_P(QuicCryptoServerStreamTest, BadMessageType) {
Initialize();
message_.set_tag(kSHLO);
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_INVALID_CRYPTO_MESSAGE_TYPE, _, _));
crypto_test_utils::SendHandshakeMessageToStream(server_stream(), message_,
Perspective::IS_SERVER);
}
TEST_P(QuicCryptoServerStreamTest, ChannelID) {
Initialize();
client_options_.channel_id_enabled = true;
client_options_.channel_id_source_async = false;
// CompleteCryptoHandshake verifies
// server_stream()->crypto_negotiated_params().channel_id is correct.
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, ChannelIDAsync) {
Initialize();
client_options_.channel_id_enabled = true;
client_options_.channel_id_source_async = true;
// CompleteCryptoHandshake verifies
// server_stream()->crypto_negotiated_params().channel_id is correct.
EXPECT_EQ(2, CompleteCryptoHandshake());
EXPECT_TRUE(server_stream()->encryption_established());
EXPECT_TRUE(server_stream()->handshake_confirmed());
}
TEST_P(QuicCryptoServerStreamTest, OnlySendSCUPAfterHandshakeComplete) {
// An attempt to send a SCUP before completing handshake should fail.
Initialize();
server_stream()->SendServerConfigUpdate(nullptr);
EXPECT_EQ(0, server_stream()->NumServerConfigUpdateMessagesSent());
}
TEST_P(QuicCryptoServerStreamTest, SendSCUPAfterHandshakeComplete) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
// Do a first handshake in order to prime the client config with the server's
// information.
AdvanceHandshakeWithFakeClient();
// Now do another handshake, with the blocking SHLO connection option.
InitializeServer();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
AdvanceHandshakeWithFakeClient();
// Send a SCUP message and ensure that the client was able to verify it.
EXPECT_CALL(*client_connection_, CloseConnection(_, _, _)).Times(0);
server_stream()->SendServerConfigUpdate(nullptr);
crypto_test_utils::AdvanceHandshake(client_connection_, client_stream(), 1,
server_connection_, server_stream(), 1);
EXPECT_EQ(1, server_stream()->NumServerConfigUpdateMessagesSent());
EXPECT_EQ(1, client_stream()->num_scup_messages_received());
}
TEST_P(QuicCryptoServerStreamTest, DoesPeerSupportStatelessRejects) {
Initialize();
QuicConfig stateless_reject_config = DefaultQuicConfigStatelessRejects();
stateless_reject_config.ToHandshakeMessage(&message_);
EXPECT_TRUE(
QuicCryptoServerStreamPeer::DoesPeerSupportStatelessRejects(message_));
message_.Clear();
QuicConfig stateful_reject_config = DefaultQuicConfig();
stateful_reject_config.ToHandshakeMessage(&message_);
EXPECT_FALSE(
QuicCryptoServerStreamPeer::DoesPeerSupportStatelessRejects(message_));
}
class QuicCryptoServerStreamTestWithFailingProofSource
: public QuicCryptoServerStreamTest {
public:
QuicCryptoServerStreamTestWithFailingProofSource()
: QuicCryptoServerStreamTest(
std::unique_ptr<FailingProofSource>(new FailingProofSource)) {}
};
INSTANTIATE_TEST_SUITE_P(MoreTests,
QuicCryptoServerStreamTestWithFailingProofSource,
testing::Bool());
TEST_P(QuicCryptoServerStreamTestWithFailingProofSource, Test) {
Initialize();
InitializeFakeClient(/* supports_stateless_rejects= */ false);
EXPECT_CALL(*server_session_->helper(), CanAcceptClientHello(_, _, _, _, _))
.WillOnce(testing::Return(true));
EXPECT_CALL(*server_connection_,
CloseConnection(QUIC_HANDSHAKE_FAILED, "Failed to get proof", _));
// Regression test for b/31521252, in which a crash would happen here.
AdvanceHandshakeWithFakeClient();
EXPECT_FALSE(server_stream()->encryption_established());
EXPECT_FALSE(server_stream()->handshake_confirmed());
}
class QuicCryptoServerStreamTestWithFakeProofSource
: public QuicCryptoServerStreamTest {
public:
QuicCryptoServerStreamTestWithFakeProofSource()
: QuicCryptoServerStreamTest(
std::unique_ptr<FakeProofSource>(new FakeProofSource)),
crypto_config_peer_(&server_crypto_config_) {}
FakeProofSource* GetFakeProofSource() const {
return static_cast<FakeProofSource*>(crypto_config_peer_.GetProofSource());
}
protected:
QuicCryptoServerConfigPeer crypto_config_peer_;
};
INSTANTIATE_TEST_SUITE_P(YetMoreTests,
QuicCryptoServerStreamTestWithFakeProofSource,
testing::Bool());
// Regression test for b/35422225, in which multiple CHLOs arriving on the same
// connection in close succession could cause a crash, especially when the use
// of Mentat signing meant that it took a while for each CHLO to be processed.
TEST_P(QuicCryptoServerStreamTestWithFakeProofSource, MultipleChlo) {
Initialize();
GetFakeProofSource()->Activate();
EXPECT_CALL(*server_session_->helper(), CanAcceptClientHello(_, _, _, _, _))
.WillOnce(testing::Return(true));
// Create a minimal CHLO
MockClock clock;
QuicTransportVersion version = AllSupportedTransportVersions().front();
CryptoHandshakeMessage chlo = crypto_test_utils::GenerateDefaultInchoateCHLO(
&clock, version, &server_crypto_config_);
// Send in the CHLO, and check that a callback is now pending in the
// ProofSource.
crypto_test_utils::SendHandshakeMessageToStream(server_stream(), chlo,
Perspective::IS_CLIENT);
EXPECT_EQ(GetFakeProofSource()->NumPendingCallbacks(), 1);
// Send in a second CHLO while processing of the first is still pending.
// Verify that the server closes the connection rather than crashing. Note
// that the crash is a use-after-free, so it may only show up consistently in
// ASAN tests.
EXPECT_CALL(
*server_connection_,
CloseConnection(QUIC_CRYPTO_MESSAGE_WHILE_VALIDATING_CLIENT_HELLO,
"Unexpected handshake message while processing CHLO", _));
crypto_test_utils::SendHandshakeMessageToStream(server_stream(), chlo,
Perspective::IS_CLIENT);
}
} // namespace
} // namespace test
} // namespace quic