Mercurial > hg > nginx-tests

view quic_migration.t @ 1974:b5036a0f9ae0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: improved compatibility when using recent "openssl" app. Starting with OpenSSL 3.0, "openssl genrsa" generates encrypted keys in PKCS#8 format instead of previously used PKCS#1 format. Further, since OpenSSL 1.1.0 such keys are using PBKDF2 hmacWithSHA256. Such keys are not supported by old SSL libraries, notably by OpenSSL before 1.0.0 (OpenSSL 0.9.8 only supports hmacWithSHA1) and by BoringSSL before May 21, 2019 (support for hmacWithSHA256 was added in 302a4dee6c), and trying to load such keys into nginx compiled with an old SSL library results in "unsupported prf" errors. To facilitate testing with old SSL libraries, keys are now generated with "openssl genrsa -traditional" if the flag is available.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 06 May 2024 00:04:26 +0300
parents 00124c7d0ef1
children
line wrap: on
line source

#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for quic connection migration.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

plan(skip_all => '127.0.0.20 local address required')
	unless defined IO::Socket::INET->new( LocalAddr => '127.0.0.20' );

my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
	->has_daemon('openssl')->plan(3);

$t->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;

    server {
        listen       127.0.0.1:%%PORT_8980_UDP%% quic;
        server_name  localhost;

        location / {
            add_header X-IP $remote_addr;
        }
    }
}

EOF

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->write_file('index.html', '');
$t->run();

###############################################################################

# test that $remote_addr is not truncated after migration (ticket #2488),
# to test, we migrate to another address large enough in text representation,
# then send a request on the new path

my $s = Test::Nginx::HTTP3->new();
$s->new_connection_id(1, 0, "connection_id_1", "reset_token_0001");

my $frames = $s->read(all => [{ type => 'NCID' }]);
my ($frame) = grep { $_->{type} eq "NCID" } @$frames;

$s->{socket} = IO::Socket::INET->new(
	Proto => "udp",
	LocalAddr => '127.0.0.20',
	PeerAddr => '127.0.0.1:' . port(8980),
);
$s->{scid} = "connection_id_1";
$s->{dcid} = $frame->{cid};
$s->ping();

$frames = $s->read(all => [{ type => 'PATH_CHALLENGE' }]);
($frame) = grep { $_->{type} eq "PATH_CHALLENGE" } @$frames;
$s->path_response($frame->{data});

$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}{'x-ip'}, '127.0.0.20', 'remote addr after migration');

$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}{'x-ip'}, '127.0.0.20', 'next packets after migration');

# test that $remote_addr is not truncated while in the process of migration;
# the same but migration occurs on receiving a request stream itself,
# which is the first non-probing frame on the new path;
# this might lead to $remote_addr truncation in the following order:
# - stream held original sockaddr/addr_text references on stream creation
# - values were rewritten as part of handling connection migration
# - stream was handled referencing rewritten values, with old local lengths
# sockaddr and addr_text are expected to keep copies on stream creation

$s = Test::Nginx::HTTP3->new();
$s->new_connection_id(1, 0, "connection_id_1", "reset_token_0001");

$frames = $s->read(all => [{ type => 'NCID' }]);
($frame) = grep { $_->{type} eq "NCID" } @$frames;

$s->{socket} = IO::Socket::INET->new(
	Proto => "udp",
	LocalAddr => '127.0.0.20',
	PeerAddr => '127.0.0.1:' . port(8980),
);
$s->{scid} = "connection_id_1";
$s->{dcid} = $frame->{cid};

my $sid = $s->new_stream();

$frames = $s->read(all => [{ type => 'PATH_CHALLENGE' }]);
($frame) = grep { $_->{type} eq "PATH_CHALLENGE" } @$frames;
$s->path_response($frame->{data});

$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}{'x-ip'}, '127.0.0.1', 'remote addr on migration');

###############################################################################