From 6b3165928f36f5aae5799b3e5b5e47b274412c75 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Thu, 18 May 2017 22:10:26 +0800 Subject: [PATCH 1/2] add tests measuring how many RTTs a handshake takes --- .../handshake/handshaketests_suite_test.go | 13 +++ integrationtests/handshake/rtt.go | 102 ++++++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 integrationtests/handshake/handshaketests_suite_test.go create mode 100644 integrationtests/handshake/rtt.go diff --git a/integrationtests/handshake/handshaketests_suite_test.go b/integrationtests/handshake/handshaketests_suite_test.go new file mode 100644 index 000000000..066e40dc4 --- /dev/null +++ b/integrationtests/handshake/handshaketests_suite_test.go @@ -0,0 +1,13 @@ +package handshaketests + +import ( + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + + "testing" +) + +func TestHandshakes(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Handshake integration tests") +} diff --git a/integrationtests/handshake/rtt.go b/integrationtests/handshake/rtt.go new file mode 100644 index 000000000..da43678d4 --- /dev/null +++ b/integrationtests/handshake/rtt.go @@ -0,0 +1,102 @@ +package handshaketests + +import ( + "crypto/tls" + "fmt" + "time" + + quic "github.com/lucas-clemente/quic-go" + "github.com/lucas-clemente/quic-go/integrationtests/proxy" + "github.com/lucas-clemente/quic-go/protocol" + "github.com/lucas-clemente/quic-go/qerr" + "github.com/lucas-clemente/quic-go/testdata" + "github.com/lucas-clemente/quic-go/utils" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +var _ = Describe("Handshake integration tets", func() { + var ( + proxy *quicproxy.QuicProxy + server quic.Listener + serverConfig *quic.Config + testStartedAt time.Time + ) + + rtt := 300 * time.Millisecond + + BeforeEach(func() { + serverConfig = &quic.Config{TLSConfig: testdata.GetTLSConfig()} + }) + + AfterEach(func() { + Expect(proxy.Close()).To(Succeed()) + Expect(server.Close()).To(Succeed()) + }) + + runServerAndProxy := func() { + var err error + // start the server + server, err = quic.ListenAddr("localhost:0", serverConfig) + Expect(err).ToNot(HaveOccurred()) + // start the proxy + proxy, err = quicproxy.NewQuicProxy("localhost:0", quicproxy.Opts{ + RemoteAddr: server.Addr().String(), + DelayPacket: func(_ quicproxy.Direction, _ protocol.PacketNumber) time.Duration { return rtt / 2 }, + }) + Expect(err).ToNot(HaveOccurred()) + + testStartedAt = time.Now() + + go func() { + for { + _, _ = server.Accept() + } + }() + } + + expectDurationInRTTs := func(num int) { + testDuration := time.Now().Sub(testStartedAt) + expectedDuration := time.Duration(num) * rtt + Expect(testDuration).To(SatisfyAll( + BeNumerically(">=", expectedDuration), + BeNumerically("<", expectedDuration+rtt/3), + )) + } + + It("fails when there's no matching version, after 1 RTT", func() { + Expect(len(protocol.SupportedVersions)).To(BeNumerically(">", 1)) + serverConfig.Versions = protocol.SupportedVersions[:1] + runServerAndProxy() + clientConfig := &quic.Config{ + Versions: protocol.SupportedVersions[1:2], + } + _, err := quic.DialAddr(proxy.LocalAddr().String(), clientConfig) + Expect(err).To(HaveOccurred()) + Expect(err.(qerr.ErrorCode)).To(Equal(qerr.InvalidVersion)) + expectDurationInRTTs(1) + }) + + // 1 RTT for verifying the source address + // 1 RTT to become secure + // 1 RTT to become forward-secure + It("is forward-secure after 3 RTTs", func() { + runServerAndProxy() + _, err := quic.DialAddr(proxy.LocalAddr().String(), &quic.Config{TLSConfig: &tls.Config{InsecureSkipVerify: true}}) + Expect(err).ToNot(HaveOccurred()) + expectDurationInRTTs(3) + }) + + // 1 RTT for verifying the source address + // 1 RTT to become secure + // TODO (marten-seemann): enable this test (see #625) + PIt("is secure after 2 RTTs", func() { + utils.SetLogLevel(utils.LogLevelDebug) + runServerAndProxy() + _, err := quic.DialAddrNonFWSecure(proxy.LocalAddr().String(), &quic.Config{TLSConfig: &tls.Config{InsecureSkipVerify: true}}) + fmt.Println("#### is non fw secure ###") + Expect(err).ToNot(HaveOccurred()) + expectDurationInRTTs(2) + }) +}) From f2ada4eef1ec7645833c436fb8dd2da63b745954 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Sat, 27 May 2017 18:53:28 +0800 Subject: [PATCH 2/2] add tests using the source address validation --- integrationtests/handshake/rtt.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/integrationtests/handshake/rtt.go b/integrationtests/handshake/rtt.go index da43678d4..e26c2d364 100644 --- a/integrationtests/handshake/rtt.go +++ b/integrationtests/handshake/rtt.go @@ -3,6 +3,7 @@ package handshaketests import ( "crypto/tls" "fmt" + "net" "time" quic "github.com/lucas-clemente/quic-go" @@ -99,4 +100,24 @@ var _ = Describe("Handshake integration tets", func() { Expect(err).ToNot(HaveOccurred()) expectDurationInRTTs(2) }) + + It("is forward-secure after 2 RTTs when the server doesn't require an STK", func() { + serverConfig.AcceptSTK = func(_ net.Addr, _ *quic.STK) bool { + return true + } + runServerAndProxy() + _, err := quic.DialAddr(proxy.LocalAddr().String(), &quic.Config{TLSConfig: &tls.Config{InsecureSkipVerify: true}}) + Expect(err).ToNot(HaveOccurred()) + expectDurationInRTTs(2) + }) + + It("doesn't complete the handshake when the server never accepts the STK", func() { + serverConfig.AcceptSTK = func(_ net.Addr, _ *quic.STK) bool { + return false + } + runServerAndProxy() + _, err := quic.DialAddr(proxy.LocalAddr().String(), &quic.Config{TLSConfig: &tls.Config{InsecureSkipVerify: true}}) + Expect(err).To(HaveOccurred()) + Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(qerr.CryptoTooManyRejects)) + }) })