mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-04 20:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity
uquic/integrationtests/self/handshake_test.go
Marten Seemann 979ab75b3b require ALPN during the TLS handshake
2019-06-02 14:58:37 +08:00

283 lines
8.2 KiB
Go
Raw Blame History

package self_test
import (
"crypto/tls"
"fmt"
"net"
"time"
quic "github.com/lucas-clemente/quic-go"
"github.com/lucas-clemente/quic-go/integrationtests/tools/israce"
"github.com/lucas-clemente/quic-go/internal/protocol"
"github.com/lucas-clemente/quic-go/internal/qerr"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
type versioner interface {
GetVersion() protocol.VersionNumber
}
var _ = Describe("Handshake tests", func() {
var (
server quic.Listener
serverConfig *quic.Config
acceptStopped chan struct{}
tlsServerConf *tls.Config
)
BeforeEach(func() {
server = nil
acceptStopped = make(chan struct{})
serverConfig = &quic.Config{}
tlsServerConf = getTLSConfig()
})
AfterEach(func() {
if server != nil {
server.Close()
<-acceptStopped
}
})
runServer := func() quic.Listener {
var err error
// start the server
server, err = quic.ListenAddr("localhost:0", tlsServerConf, serverConfig)
Expect(err).ToNot(HaveOccurred())
go func() {
defer GinkgoRecover()
defer close(acceptStopped)
for {
if _, err := server.Accept(); err != nil {
return
}
}
}()
return server
}
if !israce.Enabled {
Context("Version Negotiation", func() {
var supportedVersions []protocol.VersionNumber
BeforeEach(func() {
supportedVersions = protocol.SupportedVersions
protocol.SupportedVersions = append(protocol.SupportedVersions, []protocol.VersionNumber{7, 8, 9, 10}...)
})
AfterEach(func() {
protocol.SupportedVersions = supportedVersions
})
It("when the server supports more versions than the client", func() {
// the server doesn't support the highest supported version, which is the first one the client will try
// but it supports a bunch of versions that the client doesn't speak
serverConfig.Versions = []protocol.VersionNumber{7, 8, protocol.SupportedVersions[0], 9}
server := runServer()
defer server.Close()
sess, err := quic.DialAddr(
fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
nil,
)
Expect(err).ToNot(HaveOccurred())
Expect(sess.(versioner).GetVersion()).To(Equal(protocol.SupportedVersions[0]))
Expect(sess.Close()).To(Succeed())
})
It("when the client supports more versions than the server supports", func() {
// the server doesn't support the highest supported version, which is the first one the client will try
// but it supports a bunch of versions that the client doesn't speak
serverConfig.Versions = supportedVersions
server := runServer()
defer server.Close()
conf := &quic.Config{
Versions: []protocol.VersionNumber{7, 8, 9, protocol.SupportedVersions[0], 10},
}
sess, err := quic.DialAddr(
fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
conf,
)
Expect(err).ToNot(HaveOccurred())
Expect(sess.(versioner).GetVersion()).To(Equal(protocol.SupportedVersions[0]))
Expect(sess.Close()).To(Succeed())
})
})
}
Context("Certifiate validation", func() {
for _, v := range protocol.SupportedVersions {
version := v
Context(fmt.Sprintf("using %s", version), func() {
var clientConfig *quic.Config
BeforeEach(func() {
serverConfig.Versions = []protocol.VersionNumber{version}
clientConfig = &quic.Config{
Versions: []protocol.VersionNumber{version},
}
})
JustBeforeEach(func() {
runServer()
})
It("accepts the certificate", func() {
_, err := quic.DialAddr(
fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
clientConfig,
)
Expect(err).ToNot(HaveOccurred())
})
It("errors if the server name doesn't match", func() {
_, err := quic.DialAddr(
fmt.Sprintf("127.0.0.1:%d", server.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
clientConfig,
)
Expect(err).To(MatchError("CRYPTO_ERROR: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs"))
})
It("fails the handshake if the client fails to provide the requested client cert", func() {
tlsServerConf.ClientAuth = tls.RequireAndVerifyClientCert
sess, err := quic.DialAddr(
fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
clientConfig,
)
// Usually, the error will occur after the client already finished the handshake.
// However, there's a race condition here. The server's CONNECTION_CLOSE might be
// received before the session is returned, so we might already get the error while dialing.
if err == nil {
errChan := make(chan error)
go func() {
defer GinkgoRecover()
_, err := sess.AcceptStream()
errChan <- err
}()
Eventually(errChan).Should(Receive(&err))
}
Expect(err).To(MatchError("CRYPTO_ERROR: tls: bad certificate"))
})
It("uses the ServerName in the tls.Config", func() {
tlsConf := getTLSClientConfig()
tlsConf.ServerName = "localhost"
_, err := quic.DialAddr(
fmt.Sprintf("127.0.0.1:%d", server.Addr().(*net.UDPAddr).Port),
tlsConf,
clientConfig,
)
Expect(err).ToNot(HaveOccurred())
})
})
}
})
Context("rate limiting", func() {
var (
server quic.Listener
pconn net.PacketConn
)
dial := func() (quic.Session, error) {
remoteAddr := fmt.Sprintf("localhost:%d", server.Addr().(*net.UDPAddr).Port)
raddr, err := net.ResolveUDPAddr("udp", remoteAddr)
Expect(err).ToNot(HaveOccurred())
return quic.Dial(
pconn,
raddr,
remoteAddr,
getTLSClientConfig(),
nil,
)
}
BeforeEach(func() {
serverConfig.AcceptToken = func(addr net.Addr, token *quic.Token) bool {
if token != nil {
Expect(token.IsRetryToken).To(BeFalse())
}
return true
}
var err error
// start the server, but don't call Accept
server, err = quic.ListenAddr("localhost:0", getTLSConfig(), serverConfig)
Expect(err).ToNot(HaveOccurred())
// prepare a (single) packet conn for dialing to the server
laddr, err := net.ResolveUDPAddr("udp", "localhost:0")
Expect(err).ToNot(HaveOccurred())
pconn, err = net.ListenUDP("udp", laddr)
Expect(err).ToNot(HaveOccurred())
})
AfterEach(func() {
Expect(server.Close()).To(Succeed())
Expect(pconn.Close()).To(Succeed())
})
It("rejects new connection attempts if connections don't get accepted", func() {
for i := 0; i < protocol.MaxAcceptQueueSize; i++ {
sess, err := dial()
Expect(err).ToNot(HaveOccurred())
defer sess.Close()
}
time.Sleep(25 * time.Millisecond) // wait a bit for the sessions to be queued
_, err := dial()
Expect(err).To(HaveOccurred())
Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(qerr.ServerBusy))
// now accept one session, freeing one spot in the queue
_, err = server.Accept()
Expect(err).ToNot(HaveOccurred())
// dial again, and expect that this dial succeeds
sess, err := dial()
Expect(err).ToNot(HaveOccurred())
defer sess.Close()
time.Sleep(25 * time.Millisecond) // wait a bit for the session to be queued
_, err = dial()
Expect(err).To(HaveOccurred())
Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(qerr.ServerBusy))
})
It("removes closed connections from the accept queue", func() {
firstSess, err := dial()
Expect(err).ToNot(HaveOccurred())
for i := 1; i < protocol.MaxAcceptQueueSize; i++ {
sess, err := dial()
Expect(err).ToNot(HaveOccurred())
defer sess.Close()
}
time.Sleep(25 * time.Millisecond) // wait a bit for the sessions to be queued
_, err = dial()
Expect(err).To(HaveOccurred())
Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(qerr.ServerBusy))
// Now close the one of the session that are waiting to be accepted.
// This should free one spot in the queue.
Expect(firstSess.Close())
time.Sleep(25 * time.Millisecond)
// dial again, and expect that this dial succeeds
_, err = dial()
Expect(err).ToNot(HaveOccurred())
time.Sleep(25 * time.Millisecond) // wait a bit for the session to be queued
_, err = dial()
Expect(err).To(HaveOccurred())
Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(qerr.ServerBusy))
})
})
})
Reference in a new issue View git blame Copy permalink