forked from quic-go/quic-go
119 lines
3.1 KiB
Go
119 lines
3.1 KiB
Go
package crypto
|
|
|
|
import (
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/lucas-clemente/quic-go/protocol"
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/gomega"
|
|
)
|
|
|
|
var _ = Describe("Source Address Tokens", func() {
|
|
It("should generate the encryption key", func() {
|
|
Expect(deriveKey([]byte("TESTING"))).To(Equal([]byte{0xee, 0x71, 0x18, 0x9, 0xfd, 0xb8, 0x9a, 0x79, 0x19, 0xfc, 0x5e, 0x1a, 0x97, 0x20, 0xb2, 0x6}))
|
|
})
|
|
|
|
Context("tokens", func() {
|
|
It("serializes", func() {
|
|
ip := []byte{127, 0, 0, 1}
|
|
token := &sourceAddressToken{ip: ip, timestamp: 0xdeadbeef}
|
|
Expect(token.serialize()).To(Equal([]byte{
|
|
0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00,
|
|
127, 0, 0, 1,
|
|
}))
|
|
})
|
|
|
|
It("reads", func() {
|
|
token, err := parseToken([]byte{
|
|
0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00,
|
|
127, 0, 0, 1,
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
Expect(token.ip).To(Equal(net.IP{127, 0, 0, 1}))
|
|
Expect(token.timestamp).To(Equal(uint64(0xdeadbeef)))
|
|
})
|
|
|
|
It("rejects tokens of wrong size", func() {
|
|
_, err := parseToken(nil)
|
|
Expect(err).To(MatchError("invalid STK length: 0"))
|
|
})
|
|
})
|
|
|
|
Context("source", func() {
|
|
var (
|
|
source *stkSource
|
|
secret []byte
|
|
ip4 net.IP
|
|
ip6 net.IP
|
|
)
|
|
|
|
BeforeEach(func() {
|
|
var err error
|
|
|
|
ip4 = net.ParseIP("1.2.3.4")
|
|
Expect(ip4).NotTo(BeEmpty())
|
|
ip6 = net.ParseIP("2001:0db8:0000:0000:0000:ff00:0042:8329")
|
|
Expect(ip6).NotTo(BeEmpty())
|
|
|
|
secret = []byte("TESTING")
|
|
sourceI, err := NewStkSource(secret)
|
|
source = sourceI.(*stkSource)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
It("should generate new tokens", func() {
|
|
token, err := source.NewToken(ip4)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
Expect(token).ToNot(BeEmpty())
|
|
})
|
|
|
|
It("should generate and verify ipv4 tokens", func() {
|
|
stk, err := source.NewToken(ip4)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
Expect(stk).ToNot(BeEmpty())
|
|
err = source.VerifyToken(ip4, stk)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
It("should generate and verify ipv6 tokens", func() {
|
|
stk, err := source.NewToken(ip6)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
Expect(stk).ToNot(BeEmpty())
|
|
err = source.VerifyToken(ip6, stk)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
It("should reject empty tokens", func() {
|
|
err := source.VerifyToken(ip4, nil)
|
|
Expect(err).To(HaveOccurred())
|
|
})
|
|
|
|
It("should reject invalid tokens", func() {
|
|
err := source.VerifyToken(ip4, []byte("foobar"))
|
|
Expect(err).To(HaveOccurred())
|
|
})
|
|
|
|
It("should reject outdated tokens", func() {
|
|
stk, err := encryptToken(source.aead, &sourceAddressToken{
|
|
ip: ip4,
|
|
timestamp: uint64(time.Now().Unix() - protocol.STKExpiryTimeSec - 1),
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
err = source.VerifyToken(ip4, stk)
|
|
Expect(err).To(MatchError("STK expired"))
|
|
})
|
|
|
|
It("should reject tokens with wrong IP addresses", func() {
|
|
otherIP := net.ParseIP("4.3.2.1")
|
|
stk, err := encryptToken(source.aead, &sourceAddressToken{
|
|
ip: otherIP,
|
|
timestamp: uint64(time.Now().Unix()),
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
err = source.VerifyToken(ip4, stk)
|
|
Expect(err).To(MatchError("invalid ip in STK"))
|
|
})
|
|
})
|
|
})
|