普通文本  |  304行  |  9.63 KB

// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/quic/crypto/strike_register.h"

#include <set>
#include <string>

#include "base/basictypes.h"
#include "testing/gtest/include/gtest/gtest.h"

namespace {

using net::StrikeRegister;
using std::set;
using std::string;

const uint8 kOrbit[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

// StrikeRegisterTests don't look at the random bytes so this function can
// simply set the random bytes to 0.
void SetNonce(uint8 nonce[32], unsigned time, const uint8 orbit[8]) {
  nonce[0] = time >> 24;
  nonce[1] = time >> 16;
  nonce[2] = time >> 8;
  nonce[3] = time;
  memcpy(nonce + 4, orbit, 8);
  memset(nonce + 12, 0, 20);
}

TEST(StrikeRegisterTest, SimpleHorizon) {
  // The set must reject values created on or before its own creation time.
  StrikeRegister set(10 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[32];
  SetNonce(nonce, 999, kOrbit);
  ASSERT_FALSE(set.Insert(nonce, 1000));
  SetNonce(nonce, 1000, kOrbit);
  ASSERT_FALSE(set.Insert(nonce, 1000));
}

TEST(StrikeRegisterTest, NoStartupMode) {
  // Check that a strike register works immediately if NO_STARTUP_PERIOD_NEEDED
  // is specified.
  StrikeRegister set(10 /* max size */, 0 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::NO_STARTUP_PERIOD_NEEDED);
  uint8 nonce[32];
  SetNonce(nonce, 0, kOrbit);
  ASSERT_TRUE(set.Insert(nonce, 0));
  ASSERT_FALSE(set.Insert(nonce, 0));
}

TEST(StrikeRegisterTest, WindowFuture) {
  // The set must reject values outside the window.
  StrikeRegister set(10 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[32];
  SetNonce(nonce, 1101, kOrbit);
  ASSERT_FALSE(set.Insert(nonce, 1000));
  SetNonce(nonce, 999, kOrbit);
  ASSERT_FALSE(set.Insert(nonce, 1100));
}

TEST(StrikeRegisterTest, BadOrbit) {
  // The set must reject values with the wrong orbit
  StrikeRegister set(10 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[32];
  static const uint8 kBadOrbit[8] = { 0, 0, 0, 0, 1, 1, 1, 1 };
  SetNonce(nonce, 1101, kBadOrbit);
  ASSERT_FALSE(set.Insert(nonce, 1100));
}

TEST(StrikeRegisterTest, OneValue) {
  StrikeRegister set(10 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[32];
  SetNonce(nonce, 1101, kOrbit);
  ASSERT_TRUE(set.Insert(nonce, 1100));
}

TEST(StrikeRegisterTest, RejectDuplicate) {
  // The set must reject values with the wrong orbit
  StrikeRegister set(10 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[32];
  SetNonce(nonce, 1101, kOrbit);
  ASSERT_TRUE(set.Insert(nonce, 1100));
  ASSERT_FALSE(set.Insert(nonce, 1100));
}

TEST(StrikeRegisterTest, HorizonUpdating) {
  StrikeRegister set(5 /* max size */, 1000 /* current time */,
                     100 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);
  uint8 nonce[6][32];
  for (unsigned i = 0; i < 5; i++) {
    SetNonce(nonce[i], 1101, kOrbit);
    nonce[i][31] = i;
    ASSERT_TRUE(set.Insert(nonce[i], 1100));
  }

  // This should push the oldest value out and force the horizon to be updated.
  SetNonce(nonce[5], 1102, kOrbit);
  ASSERT_TRUE(set.Insert(nonce[5], 1100));

  // This should be behind the horizon now:
  SetNonce(nonce[5], 1101, kOrbit);
  nonce[5][31] = 10;
  ASSERT_FALSE(set.Insert(nonce[5], 1100));
}

TEST(StrikeRegisterTest, InsertMany) {
  StrikeRegister set(5000 /* max size */, 1000 /* current time */,
                     500 /* window secs */, kOrbit,
                     StrikeRegister::DENY_REQUESTS_AT_STARTUP);

  uint8 nonce[32];
  SetNonce(nonce, 1101, kOrbit);
  for (unsigned i = 0; i < 100000; i++) {
    SetNonce(nonce, 1101 + i/500, kOrbit);
    memcpy(nonce + 12, &i, sizeof(i));
    set.Insert(nonce, 1100);
  }
}


// For the following test we create a slow, but simple, version of a
// StrikeRegister. The behaviour of this object is much easier to understand
// than the fully fledged version. We then create a test to show, empirically,
// that the two objects have identical behaviour.

// A SlowStrikeRegister has the same public interface as a StrikeRegister, but
// is much slower. Hopefully it is also more obviously correct and we can
// empirically test that their behaviours are identical.
class SlowStrikeRegister {
 public:
  SlowStrikeRegister(unsigned max_entries, uint32 current_time,
                     uint32 window_secs, const uint8 orbit[8])
      : max_entries_(max_entries),
        window_secs_(window_secs),
        creation_time_(current_time),
        horizon_(ExternalTimeToInternal(current_time + window_secs)) {
    memcpy(orbit_, orbit, sizeof(orbit_));
  }

  bool Insert(const uint8 nonce_bytes[32], const uint32 current_time_external) {
    const uint32 current_time = ExternalTimeToInternal(current_time_external);

    // Check to see if the orbit is correct.
    if (memcmp(nonce_bytes + 4, orbit_, sizeof(orbit_))) {
      return false;
    }
    const uint32 nonce_time =
        ExternalTimeToInternal(TimeFromBytes(nonce_bytes));
    // We have dropped one or more nonces with a time value of |horizon_|, so
    // we have to reject anything with a timestamp less than or equal to that.
    if (nonce_time <= horizon_) {
      return false;
    }

    // Check that the timestamp is in the current window.
    if ((current_time > window_secs_ &&
         nonce_time < (current_time - window_secs_)) ||
        nonce_time > (current_time + window_secs_)) {
      return false;
    }

    string nonce;
    nonce.reserve(32);
    nonce +=
        string(reinterpret_cast<const char*>(&nonce_time), sizeof(nonce_time));
    nonce +=
        string(reinterpret_cast<const char*>(nonce_bytes) + sizeof(nonce_time),
               32 - sizeof(nonce_time));

    set<string>::const_iterator it = nonces_.find(nonce);
    if (it != nonces_.end()) {
      return false;
    }

    if (nonces_.size() == max_entries_) {
      DropOldestEntry();
    }

    nonces_.insert(nonce);
    return true;
  }

 private:
  // TimeFromBytes returns a big-endian uint32 from |d|.
  static uint32 TimeFromBytes(const uint8 d[4]) {
    return static_cast<uint32>(d[0]) << 24 |
           static_cast<uint32>(d[1]) << 16 |
           static_cast<uint32>(d[2]) << 8 |
           static_cast<uint32>(d[3]);
  }

  uint32 ExternalTimeToInternal(uint32 external_time) {
    static const uint32 kCreationTimeFromInternalEpoch = 63115200.0;
    uint32 internal_epoch = 0;
    if (creation_time_ > kCreationTimeFromInternalEpoch) {
      internal_epoch = creation_time_ - kCreationTimeFromInternalEpoch;
    }

    return external_time - internal_epoch;
  }

  void DropOldestEntry() {
    set<string>::iterator oldest = nonces_.begin(), it;
    uint32 oldest_time =
        TimeFromBytes(reinterpret_cast<const uint8*>(oldest->data()));

    for (it = oldest; it != nonces_.end(); it++) {
      uint32 t = TimeFromBytes(reinterpret_cast<const uint8*>(it->data()));
      if (t < oldest_time ||
          (t == oldest_time && memcmp(it->data(), oldest->data(), 32) < 0)) {
        oldest_time = t;
        oldest = it;
      }
    }

    nonces_.erase(oldest);
    horizon_ = oldest_time;
  }

  const unsigned max_entries_;
  const unsigned window_secs_;
  const uint32 creation_time_;
  uint8 orbit_[8];
  uint32 horizon_;

  set<string> nonces_;
};

TEST(StrikeRegisterStressTest, Stress) {
  // Fixed seed gives reproducibility for this test.
  srand(42);
  unsigned max_entries = 64;
  uint32 current_time = 10000, window = 200;
  scoped_ptr<StrikeRegister> s1(
      new StrikeRegister(max_entries, current_time, window, kOrbit,
                         StrikeRegister::DENY_REQUESTS_AT_STARTUP));
  scoped_ptr<SlowStrikeRegister> s2(
      new SlowStrikeRegister(max_entries, current_time, window, kOrbit));
  uint64 i;

  // When making changes it's worth removing the limit on this test and running
  // it for a while. For the initial development an opt binary was left running
  // for 10 minutes.
  const uint64 kMaxIterations = 10000;
  for (i = 0; i < kMaxIterations; i++) {
    if (rand() % 1000 == 0) {
      // 0.1% chance of resetting the sets.
      max_entries = rand() % 300 + 2;
      current_time = rand() % 10000;
      window = rand() % 500;
      s1.reset(new StrikeRegister(max_entries, current_time, window, kOrbit,
                                  StrikeRegister::DENY_REQUESTS_AT_STARTUP));
      s2.reset(
          new SlowStrikeRegister(max_entries, current_time, window, kOrbit));
    }

    int32 time_delta = rand() % (window * 4);
    time_delta -= window * 2;
    const uint32 time = current_time + time_delta;
    if (time_delta < 0 && time > current_time) {
      continue;  // overflow
    }

    uint8 nonce[32];
    SetNonce(nonce, time, kOrbit);

    // There are 2048 possible nonce values:
    const uint32 v = rand() % 2048;
    nonce[30] = v >> 8;
    nonce[31] = v;

    const bool r2 = s2->Insert(nonce, time);
    const bool r1 = s1->Insert(nonce, time);

    if (r1 != r2) {
      break;
    }

    if (i % 10 == 0) {
      s1->Validate();
    }
  }

  if (i != kMaxIterations) {
    FAIL() << "Failed after " << i << " iterations";
  }
}

}  // anonymous namespace