annotate quic_retry.t @ 1933:9bafe7cddd3c

Tests: improved QUIC key update tests with old keys. On unsuccessful protection removal, it is now retried with old keys. Otherwise, old keys are removed to ensure they're no longer in use.
author Sergey Kandaurov <pluknet@nginx.com>
date Mon, 21 Aug 2023 17:26:47 +0400
parents 161dc73812b3
children 24482e311749
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for QUIC address validation.
#
# Runs nginx with `quic_retry on` and checks the Retry round trip and its
# integrity tag, reuse of a NEW_TOKEN token on a later connection, and
# rejection of a Retry token that is replayed on another connection or has
# been corrupted.

###############################################################################

use warnings;
use strict;

use Test::More;

# Switch to the script's own directory at compile time, before the relative
# 'lib' path below is added to the module search path.
BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;

###############################################################################

# Enable autoflush ($| = 1) on STDERR, then on STDOUT; STDOUT is left as the
# currently selected output handle.
select STDERR; $| = 1;
select STDOUT; $| = 1;
# Build the test object: declare the required features (http, http_v3, cryptx)
# and the openssl binary, plan 7 tests, and write nginx.conf.
# NOTE(review): has()/has_daemon() presumably skip the file when a requirement
# is missing, and write_file_expand() presumably substitutes the %%...%%
# placeholders -- confirm in Test::Nginx.
#
# The heredoc is single-quoted, so Perl interpolates nothing in it.  The
# configuration sets `quic_retry on`, which makes the server perform QUIC
# address validation, and exposes one QUIC listener on 127.0.0.1.
my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
	->has_daemon('openssl')->plan(7)
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
%%TEST_GLOBALS_HTTP%%

ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
quic_retry on;

server {
listen 127.0.0.1:%%PORT_8980_UDP%% quic;
server_name localhost;

location / { }
}
}

EOF

# Minimal openssl request configuration for the certificate generated later in
# this file.  `encrypt_key = no` writes the private key without a passphrase;
# this is a throwaway test credential, not a pattern for production keys.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
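my $d = $t->testdir();

# Create a throwaway self-signed certificate and key (CN = server name) in the
# test directory; openssl's output is appended to openssl.out there.
#
# The command is a single string, so it runs through the shell (needed for the
# redirection).  $d and $name are interpolated unquoted; both come from the
# test harness here, not from external input.
# NOTE(review): a test directory path containing whitespace or shell
# metacharacters would break this command line.
foreach my $name ('localhost') {
	my $status = system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1");

	next if $status == 0;

	# $! is only meaningful when the command could not be started at all
	# (system() returned -1).  Any other failure, including a missing
	# openssl reported by the shell, is described by the wait status.
	die "Can't create certificate for $name: $!\n" if $status == -1;
	die sprintf("Can't create certificate for %s: "
		. "openssl wait status 0x%04x, output in %s/openssl.out\n",
		$name, $status, $d);
}

# Start nginx with the configuration and certificate prepared above.
$t->run();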
###############################################################################

# Shared across all test steps below; each step overwrites them.
my ($s, $sid, $frames, $frame);

# First connection, opened without a token.
# NOTE(review): with `quic_retry on` the server is expected to answer with a
# Retry packet, and the client helper presumably repeats the handshake with
# the Retry token before the request is sent -- confirm in Test::Nginx::HTTP3.
$s = Test::Nginx::HTTP3->new(8980);
$sid = $s->new_stream();
# Collect frames until the request stream has finished and a NEW_TOKEN frame
# has been seen (presumably what the `all` conditions mean -- TODO confirm).
$frames = $s->read(all => [{ sid => $sid, fin => 1 }, { type => 'NEW_TOKEN' }]);

# Receiving an HTTP response at all shows the connection was established;
# 403 is the status this test expects for '/' with the configuration above.
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 403, 'retry success');

# Compare, as hex strings, the value of retry_tag() with retry_verify_tag().
# NOTE(review): presumably the integrity tag carried in the Retry packet versus
# the tag the client recomputes over it (RFC 9001, Section 5.8) -- confirm in
# Test::Nginx::HTTP3.
is(unpack("H*", $s->retry_tag()), unpack("H*", $s->retry_verify_tag()),
	'retry integrity tag');

# Keep both address validation tokens for the connections that follow: the one
# from the NEW_TOKEN frame and the one retry_token() reports for this
# connection.  ok() fails if either value is empty or otherwise false.
($frame) = grep { $_->{type} eq "NEW_TOKEN" } @$frames;
ok(my $new_token = $frame->{token}, 'new token received');
ok(my $retry_token = $s->retry_token(), 'retry token received');
# connection with new token
#
# A new connection that is given the NEW_TOKEN token (presumably sent in its
# Initial packet -- TODO confirm in Test::Nginx::HTTP3) must be accepted and
# answered like the first connection.

$s = Test::Nginx::HTTP3->new(8980, token => $new_token);
$sid = $s->new_stream();
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);

($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 403, 'new token success');
# connection with retry token, port won't match
#
# The Retry token issued to the first connection is replayed, unmodified, on a
# new connection.  The server must refuse it with a CONNECTION_CLOSE frame
# carrying error 11, i.e. 0x0b INVALID_TOKEN (RFC 9000, Section 20.1).
# NOTE(review): `probe => 1` is a Test::Nginx::HTTP3 option not visible here;
# presumably it sends the Initial without completing the handshake -- confirm.

$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);

($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
is($frame->{error}, 11, 'retry token invalid');
# connection with retry token, corrupted
#
# Same replay as the previous step, but with one byte of the token altered, so
# the server must reject a token it cannot authenticate.
# NOTE(review): this case and the previous one expect the same error code, so
# the assertion alone does not show which server-side check rejected the token.

TODO: {
	# Marked as an expected failure (Test::More TODO) unless
	# has_version('1.25.2') is true.
	local $TODO = 'not yet' unless $t->has_version('1.25.2');

	# Lvalue substr with string XOR: the one-byte right operand is treated as
	# zero-padded, so only the byte at offset 32 is inverted and the rest of
	# the token is unchanged.  $retry_token is modified in place.  This dies
	# ("substr outside of string") if the token is shorter than 32 bytes.
	substr($retry_token, 32) ^= "\xff";
	$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
	$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);

	# 11 is 0x0b, INVALID_TOKEN (RFC 9000, Section 20.1).
	($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
	is($frame->{error}, 11, 'retry token decrypt error');

}

###############################################################################