Skip to content

Commit 89bb4cd

Browse files
pluknetpluknet
committed
Tests: QUIC address validation tests.
While here, fixed establishing connection after receiving a Retry packet, broken after conversion to HTTP3 package.
1 parent 0641426 commit 89bb4cd

File tree

2 files changed

+155
-25
lines changed

2 files changed

+155
-25
lines changed

lib/Test/Nginx/HTTP3.pm

Lines changed: 37 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ sub new {
3939
);
4040

4141
$self->{repeat} = 0;
42-
$self->{token} = '';
42+
$self->{token} = $extra{token} || '';
4343
$self->{psk_list} = $extra{psk_list} || [];
4444

4545
$self->{sni} = exists $extra{sni} ? $extra{sni} : 'localhost';
@@ -56,23 +56,7 @@ sub new {
5656
$self->{buf} = '';
5757

5858
$self->init();
59-
$self->init_key_schedule();
60-
$self->initial();
61-
return $self if $extra{probe};
62-
$self->handshake() or return;
63-
64-
# RFC 9204, 4.3.1. Set Dynamic Table Capacity
65-
66-
my $buf = pack("B*", '001' . ipack(5, $extra{capacity} || 400));
67-
$self->{encoder_offset} = length($buf) + 1;
68-
$buf = "\x08\x02\x02" . $buf;
69-
70-
# RFC 9114, 6.2.1. Control Streams
71-
72-
$buf = "\x0a\x06\x03\x00\x04\x00" . $buf;
73-
$self->{control_offset} = 3;
74-
75-
$self->raw_write($buf);
59+
$self->retry(%extra) or return;
7660

7761
return $self;
7862
}
@@ -99,12 +83,10 @@ sub init {
9983
. "\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a";
10084
$self->{ncid} = [];
10185
$self->{early_data} = $early_data;
102-
103-
$self->retry();
10486
}
10587

10688
sub retry {
107-
my ($self) = @_;
89+
my ($self, %extra) = @_;
10890
my $prk = Crypt::KeyDerivation::hkdf_extract($self->{dcid},
10991
$self->{salt}, 'SHA256');
11092

@@ -114,6 +96,24 @@ sub retry {
11496

11597
$self->set_traffic_keys('tls13 client in', 'SHA256', 32, 0, 'w', $prk);
11698
$self->set_traffic_keys('tls13 server in', 'SHA256', 32, 0, 'r', $prk);
99+
100+
$self->init_key_schedule();
101+
$self->initial();
102+
return $self if $extra{probe};
103+
$self->handshake() or return;
104+
105+
# RFC 9204, 4.3.1. Set Dynamic Table Capacity
106+
107+
my $buf = pack("B*", '001' . ipack(5, $extra{capacity} || 400));
108+
$self->{encoder_offset} = length($buf) + 1;
109+
$buf = "\x08\x02\x02" . $buf;
110+
111+
# RFC 9114, 6.2.1. Control Streams
112+
113+
$buf = "\x0a\x06\x03\x00\x04\x00" . $buf;
114+
$self->{control_offset} = 3;
115+
116+
$self->raw_write($buf);
117117
}
118118

119119
sub init_key_schedule {
@@ -1803,15 +1803,27 @@ sub decrypt_retry {
18031803
my $tag = substr($buf, -16);
18041804
my $pseudo = pack("C", length($self->{odcid})) . $self->{odcid}
18051805
. substr($buf, 0, -16);
1806-
return ($tag, retry_verify_tag($pseudo), $token);
1806+
$self->{retry} = { token => $token, tag => $tag, pseudo => $pseudo };
1807+
return $tag, '', $token;
1808+
}
1809+
1810+
sub retry_token {
1811+
my ($self) = @_;
1812+
return $self->{retry}{token};
1813+
}
1814+
1815+
sub retry_tag {
1816+
my ($self) = @_;
1817+
return $self->{retry}{tag};
18071818
}
18081819

18091820
sub retry_verify_tag {
1821+
my ($self) = @_;
18101822
my $key = "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a"
18111823
. "\x1d\x76\x6b\x54\xe3\x68\xc8\x4e";
18121824
my $nonce = "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb";
18131825
my (undef, $tag) = Crypt::AuthEnc::GCM::gcm_encrypt_authenticate('AES',
1814-
$key, $nonce, shift, '');
1826+
$key, $nonce, $self->{retry}{pseudo}, '');
18151827
return $tag;
18161828
}
18171829

@@ -2040,7 +2052,7 @@ again:
20402052
$self->{buf} = '';
20412053
goto again;
20422054
}
2043-
goto retry if $self->{token};
2055+
$self->retry(), return if $self->{token};
20442056
$self->handle_frames(parse_frames($plaintext), $level);
20452057
@data = $self->parse_stream();
20462058
return @data if @data;
@@ -2101,7 +2113,7 @@ sub read_tls_message {
21012113
(my $level, my $plaintext, $$buf, $self->{token})
21022114
= $self->decrypt_aead($$buf);
21032115
return if !defined $plaintext;
2104-
goto retry if $self->{token};
2116+
$self->retry(), return 1 if $self->{token};
21052117
$self->handle_frames(parse_frames($plaintext), $level);
21062118
return 1 if $type->($self);
21072119
}

quic_retry.t

Lines changed: 118 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
#!/usr/bin/perl
2+
3+
# (C) Sergey Kandaurov
4+
# (C) Nginx, Inc.
5+
6+
# Tests for QUIC address validation.
7+
8+
###############################################################################
9+
10+
use warnings;
11+
use strict;
12+
13+
use Test::More;
14+
15+
BEGIN { use FindBin; chdir($FindBin::Bin); }
16+
17+
use lib 'lib';
18+
use Test::Nginx;
19+
use Test::Nginx::HTTP3;
20+
21+
###############################################################################
22+
23+
select STDERR; $| = 1;
24+
select STDOUT; $| = 1;
25+
26+
my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
27+
->has_daemon('openssl')->plan(7)
28+
->write_file_expand('nginx.conf', <<'EOF');
29+
30+
%%TEST_GLOBALS%%
31+
32+
daemon off;
33+
34+
events {
35+
}
36+
37+
http {
38+
%%TEST_GLOBALS_HTTP%%
39+
40+
ssl_certificate_key localhost.key;
41+
ssl_certificate localhost.crt;
42+
quic_retry on;
43+
44+
server {
45+
listen 127.0.0.1:%%PORT_8980_UDP%% quic;
46+
server_name localhost;
47+
48+
location / { }
49+
}
50+
}
51+
52+
EOF
53+
54+
$t->write_file('openssl.conf', <<EOF);
55+
[ req ]
56+
default_bits = 2048
57+
encrypt_key = no
58+
distinguished_name = req_distinguished_name
59+
[ req_distinguished_name ]
60+
EOF
61+
62+
my $d = $t->testdir();
63+
64+
foreach my $name ('localhost') {
65+
system('openssl req -x509 -new '
66+
. "-config $d/openssl.conf -subj /CN=$name/ "
67+
. "-out $d/$name.crt -keyout $d/$name.key "
68+
. ">>$d/openssl.out 2>&1") == 0
69+
or die "Can't create certificate for $name: $!\n";
70+
}
71+
72+
$t->run();
73+
74+
###############################################################################
75+
76+
my ($s, $sid, $frames, $frame);
77+
78+
$s = Test::Nginx::HTTP3->new(8980);
79+
$sid = $s->new_stream();
80+
$frames = $s->read(all => [{ sid => $sid, fin => 1 }, { type => 'NEW_TOKEN' }]);
81+
82+
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
83+
is($frame->{headers}->{':status'}, 403, 'retry success');
84+
85+
is(unpack("H*", $s->retry_tag()), unpack("H*", $s->retry_verify_tag()),
86+
'retry integrity tag');
87+
88+
($frame) = grep { $_->{type} eq "NEW_TOKEN" } @$frames;
89+
ok(my $new_token = $frame->{token}, 'new token received');
90+
ok(my $retry_token = $s->retry_token(), 'retry token received');
91+
92+
# connection with new token
93+
94+
$s = Test::Nginx::HTTP3->new(8980, token => $new_token);
95+
$sid = $s->new_stream();
96+
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
97+
98+
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
99+
is($frame->{headers}->{':status'}, 403, 'new token success');
100+
101+
# connection with retry token, port won't match
102+
103+
$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
104+
$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);
105+
106+
($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
107+
is($frame->{error}, 11, 'retry token invalid');
108+
109+
# connection with retry token, corrupted
110+
111+
substr($retry_token, 32) ^= "\xff";
112+
$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
113+
$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);
114+
115+
($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
116+
is($frame->{error}, 11, 'retry token decrypt error');
117+
118+
###############################################################################

0 commit comments

Comments
 (0)