# HG changeset patch # User Sergey Kandaurov # Date 1687276880 -14400 # Node ID 15131dd931a09b9afb43e82ace8de13be7d72aa2 # Parent afbf4c06c0149c0069055eeaa48d3d0f84f5d183 Tests: QUIC address validation tests. While here, fixed establishing connection after receiving a Retry packet, broken after conversion to HTTP3 package. diff --git a/lib/Test/Nginx/HTTP3.pm b/lib/Test/Nginx/HTTP3.pm --- a/lib/Test/Nginx/HTTP3.pm +++ b/lib/Test/Nginx/HTTP3.pm @@ -39,7 +39,7 @@ sub new { ); $self->{repeat} = 0; - $self->{token} = ''; + $self->{token} = $extra{token} || ''; $self->{psk_list} = $extra{psk_list} || []; $self->{sni} = exists $extra{sni} ? $extra{sni} : 'localhost'; @@ -56,23 +56,7 @@ sub new { $self->{buf} = ''; $self->init(); - $self->init_key_schedule(); - $self->initial(); - return $self if $extra{probe}; - $self->handshake() or return; - - # RFC 9204, 4.3.1. Set Dynamic Table Capacity - - my $buf = pack("B*", '001' . ipack(5, $extra{capacity} || 400)); - $self->{encoder_offset} = length($buf) + 1; - $buf = "\x08\x02\x02" . $buf; - - # RFC 9114, 6.2.1. Control Streams - - $buf = "\x0a\x06\x03\x00\x04\x00" . $buf; - $self->{control_offset} = 3; - - $self->raw_write($buf); + $self->retry(%extra) or return; return $self; } @@ -99,12 +83,10 @@ sub init { . "\x9a\xe6\xa4\xc8\x0c\xad\xcc\xbb\x7f\x0a"; $self->{ncid} = []; $self->{early_data} = $early_data; - - $self->retry(); } sub retry { - my ($self) = @_; + my ($self, %extra) = @_; my $prk = Crypt::KeyDerivation::hkdf_extract($self->{dcid}, $self->{salt}, 'SHA256'); @@ -114,6 +96,24 @@ sub retry { $self->set_traffic_keys('tls13 client in', 'SHA256', 32, 0, 'w', $prk); $self->set_traffic_keys('tls13 server in', 'SHA256', 32, 0, 'r', $prk); + + $self->init_key_schedule(); + $self->initial(); + return $self if $extra{probe}; + $self->handshake() or return; + + # RFC 9204, 4.3.1. Set Dynamic Table Capacity + + my $buf = pack("B*", '001' . ipack(5, $extra{capacity} || 400)); + $self->{encoder_offset} = length($buf) + 1; + $buf = "\x08\x02\x02" . $buf; + + # RFC 9114, 6.2.1. Control Streams + + $buf = "\x0a\x06\x03\x00\x04\x00" . $buf; + $self->{control_offset} = 3; + + $self->raw_write($buf); } sub init_key_schedule { @@ -1803,15 +1803,27 @@ sub decrypt_retry { my $tag = substr($buf, -16); my $pseudo = pack("C", length($self->{odcid})) . $self->{odcid} . substr($buf, 0, -16); - return ($tag, retry_verify_tag($pseudo), $token); + $self->{retry} = { token => $token, tag => $tag, pseudo => $pseudo }; + return $tag, '', $token; +} + +sub retry_token { + my ($self) = @_; + return $self->{retry}{token}; +} + +sub retry_tag { + my ($self) = @_; + return $self->{retry}{tag}; } sub retry_verify_tag { + my ($self) = @_; my $key = "\xbe\x0c\x69\x0b\x9f\x66\x57\x5a" . "\x1d\x76\x6b\x54\xe3\x68\xc8\x4e"; my $nonce = "\x46\x15\x99\xd3\x5d\x63\x2b\xf2\x23\x98\x25\xbb"; my (undef, $tag) = Crypt::AuthEnc::GCM::gcm_encrypt_authenticate('AES', - $key, $nonce, shift, ''); + $key, $nonce, $self->{retry}{pseudo}, ''); return $tag; } @@ -2040,7 +2052,7 @@ again: $self->{buf} = ''; goto again; } - goto retry if $self->{token}; + $self->retry(), return if $self->{token}; $self->handle_frames(parse_frames($plaintext), $level); @data = $self->parse_stream(); return @data if @data; @@ -2101,7 +2113,7 @@ sub read_tls_message { (my $level, my $plaintext, $$buf, $self->{token}) = $self->decrypt_aead($$buf); return if !defined $plaintext; - goto retry if $self->{token}; + $self->retry(), return 1 if $self->{token}; $self->handle_frames(parse_frames($plaintext), $level); return 1 if $type->($self); } diff --git a/quic_retry.t b/quic_retry.t new file mode 100644 --- /dev/null +++ b/quic_retry.t @@ -0,0 +1,118 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Nginx, Inc. + +# Tests for QUIC address validation. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; +use Test::Nginx::HTTP3; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/) + ->has_daemon('openssl')->plan(7) + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + quic_retry on; + + server { + listen 127.0.0.1:%%PORT_8980_UDP%% quic; + server_name localhost; + + location / { } + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config $d/openssl.conf -subj /CN=$name/ " + . "-out $d/$name.crt -keyout $d/$name.key " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->run(); + +############################################################################### + +my ($s, $sid, $frames, $frame); + +$s = Test::Nginx::HTTP3->new(8980); +$sid = $s->new_stream(); +$frames = $s->read(all => [{ sid => $sid, fin => 1 }, { type => 'NEW_TOKEN' }]); + +($frame) = grep { $_->{type} eq "HEADERS" } @$frames; +is($frame->{headers}->{':status'}, 403, 'retry success'); + +is(unpack("H*", $s->retry_tag()), unpack("H*", $s->retry_verify_tag()), + 'retry integrity tag'); + +($frame) = grep { $_->{type} eq "NEW_TOKEN" } @$frames; +ok(my $new_token = $frame->{token}, 'new token received'); +ok(my $retry_token = $s->retry_token(), 'retry token received'); + +# connection with new token + +$s = Test::Nginx::HTTP3->new(8980, token => $new_token); +$sid = $s->new_stream(); +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); + +($frame) = grep { $_->{type} eq "HEADERS" } @$frames; +is($frame->{headers}->{':status'}, 403, 'new token success'); + +# connection with retry token, port won't match + +$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1); +$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]); + +($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames; +is($frame->{error}, 11, 'retry token invalid'); + +# connection with retry token, corrupted + +substr($retry_token, 32) ^= "\xff"; +$s = Test::Nginx::HTTP3->new(8980, token => $retry_token, probe => 1); +$frames = $s->read(all => [{ type => 'CONNECTION_CLOSE' }]); + +($frame) = grep { $_->{type} eq "CONNECTION_CLOSE" } @$frames; +is($frame->{error}, 11, 'retry token decrypt error'); + +###############################################################################