Mercurial > hg > nginx-tests

view quic_retry.t @ 1965:84f4d4930835

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: relaxed mail_imap_ssl.t cipher matching. Previously, exact match between cipher name in the log and the one from IO::Socket:SSL was needed, which might not be the case if nginx and Net::SSLeay are compiled with different SSL libraries, notably LibreSSL (which uses names like AEAD-AES256-GCM-SHA384 till 3.5.0), and OpenSSL or BoringSSL (which use TLS_AES_256_GCM_SHA384). In particular, this affects macOS, where Net::SSLeay compiled with LibreSSL 3.3.6 is shipped with the OS, while nginx is likely to be compiled with OpenSSL. Fix is to not require exact match but instead accept properly looking names as checked by a regular expression, similarly to how it is already tested in ssl.t and stream_ssl_variables.t.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 06 May 2024 00:01:40 +0300
parents 24482e311749
children a095b971fbcc
line wrap: on
line source

#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for QUIC address validation.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;

###############################################################################

select STDERR; $| = 1;
select STDOUT; $| = 1;

my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
	->has_daemon('openssl')->plan(8)
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;
    quic_retry on;

    keepalive_timeout 3s;

    server {
        listen       127.0.0.1:%%PORT_8980_UDP%% quic;
        server_name  localhost;

        location / { }
    }
}

EOF

$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run();

###############################################################################

my ($s, $sid, $frames, $frame);

$s = Test::Nginx::HTTP3->new(8980);
$sid = $s->new_stream();
$frames = $s->read(all => [{ sid => $sid, fin => 1 }, { type => 'NEW_TOKEN' }]);

($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 403, 'retry success');

is(unpack("H*", $s->retry_tag()), unpack("H*", $s->retry_verify_tag()),
	'retry integrity tag');

($frame) = grep { $_->{type} eq "NEW_TOKEN" } @$frames;
ok(my $new_token = $frame->{token}, 'new token received');
ok(my $retry_token = $s->retry_token(), 'retry token received');

# connection with new token

$s = Test::Nginx::HTTP3->new(8980, token => $new_token);
$sid = $s->new_stream();
$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);

($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 403, 'new token success');

# connection with retry token, port won't match

$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);

($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
is($frame->{error}, 11, 'retry token invalid');

# connection with retry token, corrupted

TODO: {
local $TODO = 'not yet' unless $t->has_version('1.25.2');

substr($retry_token, 32) ^= "\xff";
$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1);
$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]);

($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames;
is($frame->{error}, 11, 'retry token decrypt error');

}

# resending client Initial packets after receiving a Retry packet
# to simulate server Initial packet loss triggering its retransmit,
# used to create extra nginx connections before 8f7e6d8c061e,
# caught by CRYPTO stream mismatch among server Initial packets

TODO: {
local $TODO = 'not yet' unless $t->has_version('1.25.3');

$s = new_connection_resend();
$sid = $s->new_stream();

eval {
	# would die on "bad inner" sanity check
	$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
};

($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 403, 'resend initial');

}

###############################################################################

# expanded handshake version to send repetitive Initial packets

sub new_connection_resend {
	$s = Test::Nginx::HTTP3->new(8980, probe => 1);
	$s->{socket}->sysread($s->{buf}, 65527);
	# read token and updated connection IDs
	(undef, undef, $s->{token}) = $s->decrypt_retry($s->{buf});
	# apply connection IDs for new Initial secrets
	$s->retry(probe => 1);
	# send the second Initial packet
	$s->initial();
	# the rest of handshake, advancing key schedule
	$s->handshake();
	return $s;
}

###############################################################################