Merge pull request #36 from h2o/master

Obtain the 0RTT checks
h2o · Feb 12, 2019 · c356ab8 · c356ab8
2 parents 32dca9a + a834170
commit c356ab8
Show file tree

Hide file tree

Showing 9 changed files with 155 additions and 6 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -11,20 +11,27 @@ matrix:
         apt:
           sources: ['ubuntu-toolchain-r-test']
           packages: ['gcc-8']
+      before_install: &bs_linux
+        - sudo apt-get install faketime libscope-guard-perl libtest-tcp-perl
     - name: Linux (clang)
       os: linux
       compiler: clang
+      before_install: *bs_linux
     - name: macOS (Xcode)
       os: osx
       env:
-          - CMAKE_OPTS=" -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
+        - CMAKE_OPTS=" -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
+      before_install: &bs_macos
+        - curl -L https://cpanmin.us | sudo perl - App::cpanminus
+        - sudo cpanm --notest Scope::Guard
+        - sudo cpanm --notest Test::TCP
+        - brew install libfaketime
     - name: macOS (Xcode 10.1/clang-10)
       os: osx
       osx_image: xcode10.1
       env:
-          - CMAKE_OPTS=" -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
-
-before_install:
+        - CMAKE_OPTS=" -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
+      before_install: *bs_macos
 
 script:
   - cmake ${CMAKE_OPTS} .

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -60,7 +60,7 @@ ELSE ()
     MESSAGE(WARNING "Disabling OpenSSL support (requires 1.0.1 or newer)")
 ENDIF ()
 
-ADD_CUSTOM_TARGET(check prove --exec '' -v ${CMAKE_CURRENT_BINARY_DIR}/*.t WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} DEPENDS ${TEST_EXES})
+ADD_CUSTOM_TARGET(check env BINARY_DIR=${CMAKE_CURRENT_BINARY_DIR} prove --exec '' -v ${CMAKE_CURRENT_BINARY_DIR}/*.t t/*.t WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} DEPENDS ${TEST_EXES} cli)
 
 IF (CMAKE_SYSTEM_NAME STREQUAL "Linux")
      SET(CMAKE_C_FLAGS "-D_GNU_SOURCE -pthread ${CMAKE_C_FLAGS}")

diff --git a/lib/picotls.c b/lib/picotls.c
@@ -3253,7 +3253,10 @@ static int try_psk_handshake(ptls_t *tls, size_t *psk_index, int *accept_early_d
             continue;
         *accept_early_data = 0;
         if (ch->psk.early_data_indication) {
+            /* accept early-data if abs(diff) between the reported age and the actual age is within += 10 seconds */
             int64_t delta = (now - issue_at) - (identity->obfuscated_ticket_age - age_add);
+            if (delta < 0)
+                delta = -delta;
             if (delta <= PTLS_EARLY_DATA_MAX_DELAY)
                 *accept_early_data = 1;
         }

diff --git a/picotls.xcodeproj/project.pbxproj b/picotls.xcodeproj/project.pbxproj
@@ -240,6 +240,7 @@
 		E949EF272073629300511ECA /* minicrypto-pem.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "minicrypto-pem.c"; sourceTree = "<group>"; };
 		E97577002212405300D1EF74 /* ffx.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ffx.h; sourceTree = "<group>"; };
 		E97577022212405D00D1EF74 /* ffx.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ffx.c; sourceTree = "<group>"; };
+		E97577072213148800D1EF74 /* e2e.t */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.perl; path = e2e.t; sourceTree = "<group>"; };
 		E992F79A20E99A6B0008154D /* esni.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = esni.c; sourceTree = "<group>"; };
 		E992F7A920E99A7C0008154D /* picotls-esni */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "picotls-esni"; sourceTree = BUILT_PRODUCTS_DIR; };
 		E99B75DE1F5CDDB500CF503E /* asn1.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = asn1.c; sourceTree = "<group>"; };
@@ -415,6 +416,7 @@
 			isa = PBXGroup;
 			children = (
 				106530FE1DAD8A3C005B2C60 /* cli.c */,
+				E97577072213148800D1EF74 /* e2e.t */,
 				106530E91D9B7C13005B2C60 /* picotls.c */,
 				1059003D1DC8D4E300FB4085 /* minicrypto.c */,
 				106530C51D9B1A98005B2C60 /* openssl.c */,

diff --git a/t/assets/hello.txt b/t/assets/hello.txt
@@ -0,0 +1 @@
+hello
diff --git a/t/assets/server.crt b/t/assets/server.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwtIMk8g
+VGVzdCBDQTAeFw0xNDEyMTAxOTMzMDVaFw0yNDEyMDcxOTMzMDVaMBsxGTAXBgNV
+BAMTEDEyNy4wLjAuMS54aXAuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDvNmF5nimH3wlp50E2/2SqxUD0JKaF3r2QFz1kB9UUwDhVDCms6PdkavF/
+bQcHcWS+oa97D1miBQXo2Ns+6Z6JQ5sak/bVjnBxiU8vhqiOWvAwH947E4Km5HJB
+NFJJ7WEM+90kAFB2ayEM/llIQEt1RKCs2fgpaEgOMWPUAdcgyp6pNd60W5GA3Md2
+1tdDH5RYGKzYHqpkm6pICtvaaxU4LwPmA3Oc8+VDDsVt08Jos1dJvoacjQTS6PpC
+ZiUDD2zqeSA//PGN8WV2o81SmsZwSpPCYBvxVW13tdsA1ivO5tng2fr9ZesKtXFZ
+SaH/tKmB3Br8jg2vUke/0cfIvbP/AgMBAAGjgY0wgYowCQYDVR0TBAIwADAsBglg
+hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
+BBYEFJXhddVQ68vtPvxoHWHsYkLnu3+4MDAGA1UdIwQpMCehGqQYMBYxFDASBgNV
+BAMTC0gyTyBUZXN0IENBggkAmqS1V7DvzbYwDQYJKoZIhvcNAQELBQADggEBAJQ2
+uvzL/lZnrsF4cvHhl/mg+s/RjHwvqFRrxOWUeWu2BQOGdd1Izqr8ZbF35pevPkXe
+j3zQL4Nf8OxO/gx4w0165KL4dYxEW7EaxsDQUI2aXSW0JNSvK2UGugG4+E4aT+9y
+cuBCtfWbL4/N6IMt2QW17B3DcigkreMoZavnnqRecQWkOx4nu0SmYg1g2QV4kRqT
+nvLt29daSWjNhP3dkmLTxn19umx26/JH6rqcgokDfHHO8tlDbc9JfyxYH01ZP2Ps
+esIiGa/LBXfKiPXxyHuNVQI+2cMmIWYf+Eu/1uNV3K55fA8806/FeklcQe/vvSCU
+Vw6RN5S/14SQnMYWr7E=
+-----END CERTIFICATE-----
diff --git a/t/assets/server.key b/t/assets/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7zZheZ4ph98JaedBNv9kqsVA9CSmhd69kBc9ZAfVFMA4VQwp
+rOj3ZGrxf20HB3FkvqGvew9ZogUF6NjbPumeiUObGpP21Y5wcYlPL4aojlrwMB/e
+OxOCpuRyQTRSSe1hDPvdJABQdmshDP5ZSEBLdUSgrNn4KWhIDjFj1AHXIMqeqTXe
+tFuRgNzHdtbXQx+UWBis2B6qZJuqSArb2msVOC8D5gNznPPlQw7FbdPCaLNXSb6G
+nI0E0uj6QmYlAw9s6nkgP/zxjfFldqPNUprGcEqTwmAb8VVtd7XbANYrzubZ4Nn6
+/WXrCrVxWUmh/7Spgdwa/I4Nr1JHv9HHyL2z/wIDAQABAoIBAEVPf2zKrAPnVwXt
+cJLr6xIj908GM43EXS6b3TjXoCDUFT5nOMgV9GCPMAwY3hmE/IjTtlG0v+bXB8BQ
+3S3caQgio5VO3A1CqUfsXhpKLRqaNM/s2+pIG+oZdRV5gIJVGnK1o3yj7qxxG/F0
+3Q+3OWXwDZIn0eTFh2M9YkxygA/KtkREZWv8Q8qZpdOpJSBYZyGE97Jqy/yGc+DQ
+Vpoa9B8WwnIdUn47TkZfsbzqGIYZxatJQDC1j7Y+F8So7zBbUhpz7YqATQwf5Efm
+K2xwvlwfdwykq6ffEr2M/Xna0220G2JZlGq3Cs2X9GT9Pt9OS86Bz+EL46ELo0tZ
+yfHQe/kCgYEA+zh4k2be6fhQG+ChiG3Ue5K/kH2prqyGBus61wHnt8XZavqBevEy
+4pdmvJ6Q1Ta9Z2YCIqqNmlTdjZ6B35lvAK8YFITGy0MVV6K5NFYVfhALWCQC2r3B
+6uH39FQ0mDo3gS5ZjYlUzbu67LGFnyX+pyMr2oxlhI1fCY3VchXQAOsCgYEA88Nt
+CwSOaZ1fWmyNAgXEAX1Jx4XLFYgjcA/YBXW9gfQ0AfufB346y53PsgjX1lB+Bbcg
+cY/o5W7F0b3A0R4K5LShlPCq8iB2DC+VnpKwTgo8ylh+VZCPy2BmMK0jrrmyqWeg
+PzwgP0lp+7l/qW8LDImeYi8nWoqd6f1ye4iJdD0CgYEAlIApJljk5EFYeWIrmk3y
+EKoKewsNRqfNAkICoh4KL2PQxaAW8emqPq9ol47T5nVZOMnf8UYINnZ8EL7l3psA
+NtNJ1Lc4G+cnsooKGJnaUo6BZjTDSzJocsPoopE0Fdgz/zS60yOe8Y5LTKcTaaQ4
+B+yOe74KNHSs/STOS4YBUskCgYAIqaRBZPsOo8oUs5DbRostpl8t2QJblIf13opF
+v2ZprN0ASQngwUqjm8sav5e0BQ5Fc7mSb5POO36KMp0ckV2/vO+VFGxuyFqJmlNN
+3Fapn1GDu1tZ/RYvGxDmn/CJsA26WXVnaeKXfStoB7KSueCBpI5dXOGgJRbxjtE3
+tKV13QKBgQCtmLtTJPJ0Z+9n85C8kBonk2MCnD9JTYWoDQzNMYGabthzSqJqcEek
+dvhr82XkcHM+r6+cirjdQr4Qj7/2bfZesHl5XLvoJDB1YJIXnNJOELwbktrJrXLc
+dJ+MMvPvBAMah/tqr2DqgTGfWLDt9PJiCJVsuN2kD9toWHV08pY0Og==
+-----END RSA PRIVATE KEY-----
diff --git a/t/cli.c b/t/cli.c
@@ -180,7 +180,7 @@ static int handle_connection(int sockfd, ptls_context_t *ctx, const char *server
                 ptls_buffer_pushv(&ptbuf, bytebuf, ioret);
                 if (state == IN_HANDSHAKE) {
                     size_t send_amount = 0;
-                    if (hsprop->client.max_early_data_size != NULL) {
+                    if (server_name != NULL && hsprop->client.max_early_data_size != NULL) {
                         size_t max_can_be_sent = *hsprop->client.max_early_data_size;
                         if (max_can_be_sent > ptbuf.off)
                             max_can_be_sent = ptbuf.off;

diff --git a/t/e2e.t b/t/e2e.t
@@ -0,0 +1,89 @@
+#! /usr/bin/perl
+
+use strict;
+use warnings;
+use Digest::MD5 qw(md5_hex);
+use File::Temp qw(tempdir);
+use Net::EmptyPort qw(check_port empty_port);
+use POSIX ":sys_wait_h";
+use Scope::Guard qw(scope_guard);
+use Test::More;
+use Time::HiRes qw(sleep);
+
+$ENV{BINARY_DIR} ||= ".";
+my $cli = "$ENV{BINARY_DIR}/cli";
+my $port = empty_port();
+my $tempdir = tempdir(CLEANUP => 1);
+
+subtest "hello" => sub {
+    my $guard = spawn_server(qw(-i t/assets/hello.txt));
+    subtest "full-handshake" => sub {
+        my $resp = `$cli 127.0.0.1 $port 2> /dev/null`;
+        is $resp, "hello";
+    };
+    subtest "resumption" => sub {
+        for (1..10) {
+            my $resp = `$cli -s $tempdir/session 127.0.0.1 $port 2> /dev/null`;
+            is $resp, "hello";
+        }
+    };
+};
+
+unlink "$tempdir/session";
+
+subtest "early-data" => sub {
+    subtest "success" => sub {
+        my $guard = spawn_server(qw(-i t/assets/hello.txt -l), "$tempdir/events");
+        my $resp = `$cli -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        $resp = `$cli -e -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        like slurp_file("$tempdir/events"), qr/^CLIENT_EARLY_TRAFFIC_SECRET /m;
+        $resp = `$cli -e -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        is 2, (() = slurp_file("$tempdir/events") =~ /^CLIENT_EARLY_TRAFFIC_SECRET /mg);
+        # check +15 seconds jitter
+        $resp = `faketime -f +15 $cli -e -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        is 2, (() = slurp_file("$tempdir/events") =~ /^CLIENT_EARLY_TRAFFIC_SECRET /mg);
+        # re-fetch the ticket
+        unlink "$tempdir/session";
+        $resp = `$cli -e -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        is 2, (() = slurp_file("$tempdir/events") =~ /^CLIENT_EARLY_TRAFFIC_SECRET /mg);
+        # check -15 seconds jitter
+        $resp = `faketime -f -15 $cli -e -s $tempdir/session 127.0.0.1 $port`;
+        is $resp, "hello";
+        is 2, (() = slurp_file("$tempdir/events") =~ /^CLIENT_EARLY_TRAFFIC_SECRET /mg);
+    };
+};
+
+done_testing;
+
+sub spawn_server {
+    my @cmd = ($cli, "-k", "t/assets/server.key", "-c", "t/assets/server.crt", @_, "127.0.0.1", $port);
+    my $pid = fork;
+    die "fork failed:$!"
+        unless defined $pid;
+    if ($pid == 0) {
+        exec @cmd;
+        die "failed to exec $cmd[0]:$?";
+    }
+    while (!check_port($port)) {
+        sleep 0.1;
+    }
+    return scope_guard(sub {
+        kill 9, $pid;
+        while (waitpid($pid, 0) != $pid) {}
+    });
+}
+
+sub slurp_file {
+    my $fn = shift;
+    open my $fh, "<", $fn
+        or die "failed to open file:$fn:$!";
+    do {
+        local $/;
+        <$fh>;
+    };
+}