From b0fd18a250df1dff72bc4c4e6eb4f1ce179eb133 Mon Sep 17 00:00:00 2001
From: Wesley Rosenblum <55108558+WesleyRosenblum@users.noreply.github.com>
Date: Wed, 3 Apr 2024 14:10:47 -0700
Subject: [PATCH] ci: update quic-interop-runner pinned commit (#2172)

* ci: update quic-interop-runner pinned commit
* fix patch
* add default stddev column
* try converting key to pkcs8
* add sec1 parsing to rustls
* fix patch
* create larger certs
* use sha384
* use sha384 and secp384r1
* add SAN to cert
* add another SAN to cert
* add another SAN to cert
* use all 1s and 2s in the SAN
* use https://github.com/quic-interop/quic-interop-runner/pull/376
---
 .github/interop/required.json | 19 +++
 .github/interop/runner.patch | 204 ++++++++++++------------
 .github/workflows/qns.yml | 2 +-
 quic/s2n-quic-rustls/src/certificate.rs | 2 +
 scripts/interop/run | 2 +-
 5 files changed, 125 insertions(+), 104 deletions(-)

diff --git a/.github/interop/required.json b/.github/interop/required.json
index 33dfbaf316..542b48c9a8 100644
--- a/.github/interop/required.json
+++ b/.github/interop/required.json
@@ -9,6 +9,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "client",
 "server"
@@ -55,6 +56,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "server"
 ],
@@ -100,6 +102,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "client"
 ],
@@ -143,6 +146,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "server"
 ],
@@ -184,6 +188,7 @@
 ],
 "kwik": [],
 "lsquic": [],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client"
@@ -211,6 +216,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "client",
 "server"
@@ -255,6 +261,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client",
@@ -296,6 +303,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client",
@@ -331,6 +339,7 @@
 "aioquic": [],
 "kwik": [],
 "lsquic": [],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client"
@@ -354,6 +363,7 @@
 "lsquic": [
 "client"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [],
 "ngtcp2": [
@@ -385,6 +395,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client"
@@ -419,6 +430,7 @@
 "aioquic": [],
 "kwik": [],
 "lsquic": [],
+ "msquic": [],
 "mvfst": [],
 "neqo": [],
 "ngtcp2": [],
@@ -445,6 +457,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client",
@@ -480,6 +493,7 @@
 "aioquic": [],
 "kwik": [],
 "lsquic": [],
+ "msquic": [],
 "mvfst": [],
 "neqo": [],
 "ngtcp2": [],
@@ -506,6 +520,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client",
@@ -545,6 +560,7 @@
 "lsquic": [
 "client"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [
 "client"
@@ -575,6 +591,7 @@
 "lsquic": [
 "client"
 ],
+ "msquic": [],
 "mvfst": [],
 "neqo": [],
 "ngtcp2": [
@@ -603,6 +620,7 @@
 "aioquic": [],
 "kwik": [],
 "lsquic": [],
+ "msquic": [],
 "mvfst": [],
 "neqo": [],
 "ngtcp2": [],
@@ -625,6 +643,7 @@
 "client",
 "server"
 ],
+ "msquic": [],
 "mvfst": [
 "server"
 ],
diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch
index 24e824138f..6bac111789 100644
--- a/.github/interop/runner.patch
+++ b/.github/interop/runner.patch
@@ -1,26 +1,41 @@
 diff --git a/certs.sh b/certs.sh
-index b26b2f8..1547dae 100755
+index 603dade..320f1c0 100755
 --- a/certs.sh
+++ b/certs.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - set -e +@@ -21,6 +21,14 @@ openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ + -extensions v3_ca \ + 2> /dev/null -@@ -52,8 +52,8 @@ cp $CERTDIR/ca_$CHAINLEN.key $CERTDIR/priv.key ++ # Inflate certificate for the amplification test ++ fakedns="" ++ if [ "$CHAINLEN" != "1" ]; then ++ for i in $(seq 1 20); do ++ fakedns="$fakedns,DNS:$(LC_CTYPE=C tr -dc 0-9A-Za-z < /dev/urandom | head -c 250)" ++ done ++ fi ++ + for i in $(seq 1 "$CHAINLEN"); do + # Generate a CSR + SUBJ="interop runner intermediate $i" +@@ -44,7 +52,7 @@ for i in $(seq 1 "$CHAINLEN"); do + else + openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ + -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ +- -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \ ++ -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46$fakedns") \ + 2> /dev/null + fi + done +@@ -55,6 +63,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates - for i in $(seq $CHAINLEN -1 1); do - cat $CERTDIR/cert_$i.pem >> $CERTDIR/cert.pem -- rm $CERTDIR/cert_$i.pem $CERTDIR/ca_$i.key -+ rm -f $CERTDIR/cert_$i.pem $CERTDIR/ca_$i.key + for i in $(seq "$CHAINLEN" -1 1); do + cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem +- rm "$CERTDIR"/cert_"$i".pem "$CERTDIR"/ca_"$i".key ++ rm -f "$CERTDIR"/cert_"$i".pem "$CERTDIR"/ca_"$i".key done --rm $CERTDIR/*.srl $CERTDIR/ca_0.key $CERTDIR/cert.csr -+rm -f $CERTDIR/*.srl $CERTDIR/ca_0.key $CERTDIR/cert.csr - - + rm -f "$CERTDIR"/*.srl "$CERTDIR"/ca_0.key "$CERTDIR"/cert.csr diff --git a/docker-compose.yml b/docker-compose.yml -index 7541cae..ba1b4da 100644 +index 496d7aa..42822d6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.4" 
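Review bot: The inflated SANs added in the new certs.sh hunk are 250 random alphanumerics each (`head -c 250`), which exceeds the 63-octet DNS label limit and the 253-octet hostname limit, so they are syntactically invalid dNSName entries; that is acceptable for the amplification test only while every endpoint's X.509 parser tolerates them, and it is worth confirming that both s2n-quic TLS backends do before CI depends on it. The `LC_CTYPE=C tr -dc 0-9A-Za-z < /dev/urandom | head -c 250` pipeline is fine under certs.sh's `set -e` (visible in the removed context) because only head's exit status is checked, but it would abort if anyone later adds `set -o pipefail`, since tr is terminated by SIGPIPE; a one-line comment such as `# tr is killed by SIGPIPE once head has 250 bytes; do not enable pipefail here` would prevent that regression. `$fakedns` is interpolated into the printf format string, which is safe only because it contains just `,DNS:` and alphanumerics — worth noting in the same comment. The certificate-generation loop that consumes `$fakedns` starts and ends outside this hunk.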
@@ -32,7 +47,7 @@ index 7541cae..ba1b4da 100644 container_name: sim hostname: sim stdin_open: true -@@ -40,6 +40,7 @@ services: +@@ -41,6 +41,7 @@ services: - SSLKEYLOGFILE=/logs/keys.log - QLOGDIR=/logs/qlog/ - TESTCASE=$TESTCASE_SERVER @@ -40,7 +55,7 @@ index 7541cae..ba1b4da 100644 - VERSION=$VERSION depends_on: - sim -@@ -68,6 +69,7 @@ services: +@@ -69,6 +70,7 @@ services: - SSLKEYLOGFILE=/logs/keys.log - QLOGDIR=/logs/qlog/ - TESTCASE=$TESTCASE_CLIENT @@ -49,34 +64,10 @@ index 7541cae..ba1b4da 100644 - VERSION=$VERSION depends_on: diff --git a/implementations.json b/implementations.json -index 9150551..fc21610 100644 +index 09e2fdd..72513c8 100644 --- a/implementations.json +++ b/implementations.json -@@ -9,11 +9,6 @@ - "url": "https://github.com/ngtcp2/ngtcp2", - "role": "both" - }, -- "quant": { -- "image": "ntap/quant:interop", -- "url": "https://github.com/NTAP/quant", -- "role": "both" -- }, - "mvfst": { - "image": "lnicco/mvfst-qns:latest", - "url": "https://github.com/facebookincubator/mvfst", -@@ -49,11 +44,6 @@ - "url": "https://quic.nginx.org/", - "role": "server" - }, -- "msquic": { -- "image": "ghcr.io/microsoft/msquic/qns:main", -- "url": "https://github.com/microsoft/msquic", -- "role": "both" -- }, - "chrome": { - "image": "martenseemann/chrome-quic-interop-runner", - "url": "https://github.com/marten-seemann/chrome-quic-interop-runner", -@@ -79,8 +69,13 @@ +@@ -74,8 +74,13 @@ "url": "https://github.com/quinn-rs/quinn", "role": "both" }, @@ -86,16 +77,16 @@ index 9150551..fc21610 100644 + "role": "both" + }, "s2n-quic": { -- "image": "public.ecr.aws/s2n/s2n-quic-qns:latest", +- "image": "ghcr.io/aws/s2n-quic/s2n-quic-qns:latest", + "image": "aws/s2n-quic-qns:latest", "url": "https://github.com/aws/s2n-quic", "role": "both" - } + }, diff --git a/interop.py b/interop.py -index 4dea51d..3239567 100644 +index 8f2769b..df430a9 100644 --- a/interop.py 
+++ b/interop.py -@@ -124,6 +124,7 @@ class InteropRunner: +@@ -123,6 +123,7 @@ class InteropRunner: cmd = ( "CERTS=" + certs_dir.name + " " "TESTCASE_CLIENT=" + random_string(6) + " " @@ -103,7 +94,7 @@ index 4dea51d..3239567 100644 "SERVER_LOGS=/dev/null " "CLIENT_LOGS=" + client_log_dir.name + " " "WWW=" + www_dir.name + " " -@@ -148,6 +149,7 @@ class InteropRunner: +@@ -150,6 +151,7 @@ class InteropRunner: cmd = ( "CERTS=" + certs_dir.name + " " "TESTCASE_SERVER=" + random_string(6) + " " @@ -111,7 +102,15 @@ index 4dea51d..3239567 100644 "SERVER_LOGS=" + server_log_dir.name + " " "CLIENT_LOGS=/dev/null " "WWW=" + www_dir.name + " " -@@ -344,6 +346,7 @@ class InteropRunner: +@@ -217,7 +219,6 @@ class InteropRunner: + t = prettytable.PrettyTable() + t.hrules = prettytable.ALL + t.vrules = prettytable.ALL +- t.field_names = [""] + rows = {} + columns = {} + for client, server in self._client_server_pairs: +@@ -373,6 +374,7 @@ class InteropRunner: "CERTS=" + testcase.certs_dir() + " " "TESTCASE_SERVER=" + testcase.testname(Perspective.SERVER) + " " "TESTCASE_CLIENT=" + testcase.testname(Perspective.CLIENT) + " " @@ -119,7 +118,7 @@ index 4dea51d..3239567 100644 "WWW=" + testcase.www_dir() + " " "DOWNLOADS=" + testcase.download_dir() + " " "SERVER_LOGS=" + server_log_dir.name + " " -@@ -456,9 +459,14 @@ class InteropRunner: +@@ -490,9 +492,14 @@ class InteropRunner: logging.debug(values) res = MeasurementResult() res.result = TestResult.SUCCEEDED 
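Review bot: The s2n-quic image reference is changed to the unqualified `aws/s2n-quic-qns:latest`; with no registry host in the name, Docker resolves it against Docker Hub whenever no local image of that name exists, so an interop run in which the local build step was skipped or failed would attempt to pull from the public `aws/` namespace instead of the previously pinned GHCR location. If the intent is to always run a locally built image, keeping the fully qualified `ghcr.io/aws/s2n-quic/s2n-quic-qns:latest` name and tagging the local build with it, or excluding the entry from whatever pull.py does (that file is also changed in this patch but its hunk is outside my view), would make that explicit and remove the remote fallback. At minimum the entry deserves an adjacent note that the image is built by the workflow rather than pulled. The enclosing implementations.json object continues outside the hunk.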
@@ -137,38 +136,38 @@ index 4dea51d..3239567 100644 return res def run(self): -@@ -474,23 +482,26 @@ class InteropRunner: - client, - self._implementations[client]["image"], - ) -- if not ( -- self._check_impl_is_compliant(server) -- and self._check_impl_is_compliant(client) -- ): -- logging.info("Not compliant, skipping") -- continue +@@ -507,23 +514,26 @@ class InteropRunner: + client, + self._implementations[client]["image"], + ) +- if not ( +- self._check_impl_is_compliant(server) +- and self._check_impl_is_compliant(client) +- ): +- logging.info("Not compliant, skipping") +- continue -+ transfer_succeeded = True - # run the test cases - for testcase in self._tests: - status = self._run_testcase(server, client, testcase) - self.test_results[server][client][testcase] = status - if status == TestResult.FAILED: - nr_failed += 1 -+ if testcase == testcases.TestCaseTransfer: -+ transfer_succeeded = False ++ transfer_succeeded = True + # run the test cases + for testcase in self._tests: + status = self._run_testcase(server, client, testcase) + self.test_results[server][client][testcase] = status + if status == TestResult.FAILED: + nr_failed += 1 ++ if testcase == testcases.TestCaseTransfer: ++ transfer_succeeded = False - # run the measurements - for measurement in self._measurements: -- res = self._run_measurement(server, client, measurement) -+ if transfer_succeeded: -+ res = self._run_measurement(server, client, measurement) -+ else: -+ logging.debug("Skipping measurements as Transfer testcase was unsuccessful") -+ res = MeasurementResult() -+ res.result = TestResult.UNSUPPORTED -+ res.details = "Skipping measurements as Transfer testcase was unsuccessful" - self.measurement_results[server][client][measurement] = res + # run the measurements + for measurement in self._measurements: +- res = self._run_measurement(server, client, measurement) ++ if transfer_succeeded: ++ res = self._run_measurement(server, client, measurement) ++ else: ++ logging.debug("Skipping 
measurements as Transfer testcase was unsuccessful") ++ res = MeasurementResult() ++ res.result = TestResult.UNSUPPORTED ++ res.details = "Skipping measurements as Transfer testcase was unsuccessful" + self.measurement_results[server][client][measurement] = res self._print_results() diff --git a/pull.py b/pull.py @@ -197,21 +196,21 @@ index 131cf94..ce5960d 100644 +pyshark==0.5.2 \ No newline at end of file diff --git a/run.py b/run.py -index fbd9515..aa8d6ed 100755 +index 4564681..3a28eec 100755 --- a/run.py +++ b/run.py -@@ -136,4 +136,4 @@ def main(): +@@ -165,4 +165,4 @@ def main(): if __name__ == "__main__": - sys.exit(main()) + main() diff --git a/testcases.py b/testcases.py -index 6d7ecfb..d7c323c 100644 +index df0fac5..91f0261 100644 --- a/testcases.py +++ b/testcases.py -@@ -90,6 +90,10 @@ class TestCase(abc.ABC): - """ The name of testcase presented to the endpoint Docker images""" +@@ -97,6 +97,10 @@ class TestCase(abc.ABC): + """The name of testcase presented to the endpoint Docker images""" return self.name() + @staticmethod @@ -220,17 +219,17 @@ index 6d7ecfb..d7c323c 100644 + @staticmethod def scenario() -> str: - """ Scenario for the ns3 simulator """ -@@ -1181,7 +1185,7 @@ class TestCasePortRebinding(TestCaseTransfer): + """Scenario for the ns3 simulator""" +@@ -1207,7 +1211,7 @@ class TestCasePortRebinding(TestCaseTransfer): @staticmethod def scenario() -> str: - """ Scenario for the ns3 simulator """ + """Scenario for the ns3 simulator""" - return "rebind --delay=15ms --bandwidth=10Mbps --queue=25 --first-rebind=1s --rebind-freq=5s" + return "rebind --delay=15ms --bandwidth=10Mbps --queue=25 --first-rebind=2s --rebind-freq=5s" - + def check(self) -> TestResult: if not self._keylog_file(): -@@ -1203,54 +1207,26 @@ class TestCasePortRebinding(TestCaseTransfer): +@@ -1229,56 +1233,26 @@ class TestCasePortRebinding(TestCaseTransfer): logging.info("Server saw only a single client port in use; test broken?") return TestResult.FAILED 
@@ -238,9 +237,11 @@ index 6d7ecfb..d7c323c 100644 - num_migrations = 0 - for p in tr_server: - cur = ( -- getattr(p["ipv6"], "dst") -- if "IPV6" in str(p.layers) -- else getattr(p["ip"], "dst"), +- ( +- getattr(p["ipv6"], "dst") +- if "IPV6" in str(p.layers) +- else getattr(p["ip"], "dst") +- ), - int(getattr(p["udp"], "dstport")), - ) - if last is None: @@ -293,9 +294,9 @@ index 6d7ecfb..d7c323c 100644 if hasattr(p["quic"], "path_response.data") ) ) -@@ -1532,6 +1508,10 @@ class MeasurementGoodput(Measurement): - def testname(p: Perspective): - return "transfer" +@@ -1296,6 +1270,10 @@ class TestCaseAddressRebinding(TestCasePortRebinding): + def name(): + return "rebind-addr" + @staticmethod + def test_type() -> str: @@ -303,8 +304,8 @@ index 6d7ecfb..d7c323c 100644 + @staticmethod def abbreviation(): - return "G" -@@ -1542,7 +1522,7 @@ class MeasurementGoodput(Measurement): + return "BA" +@@ -1575,7 +1553,7 @@ class MeasurementGoodput(Measurement): @staticmethod def repetitions() -> int: @@ -313,8 +314,7 @@ index 6d7ecfb..d7c323c 100644 def get_paths(self): self._files = [self._generate_random_file(self.FILESIZE)] -@@ -1610,8 +1590,8 @@ TESTCASES = [ - TestCaseChaCha20, +@@ -1646,7 +1624,7 @@ TESTCASES = [ TestCaseMultiplexing, TestCaseRetry, TestCaseResumption, @@ -323,7 +323,7 @@ index 6d7ecfb..d7c323c 100644 TestCaseHTTP3, TestCaseBlackhole, TestCaseKeyUpdate, -@@ -1622,12 +1602,11 @@ TESTCASES = [ +@@ -1657,12 +1635,11 @@ TESTCASES = [ TestCaseHandshakeCorruption, TestCaseTransferCorruption, TestCaseIPv6, diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml index 975050ec76..8766148244 100644 --- a/.github/workflows/qns.yml +++ b/.github/workflows/qns.yml 
@@ -15,7 +15,7 @@ env: RUST_BACKTRACE: 1 # This kept breaking builds so we're pinning for now. We should do our best to keep # up with the changes, though. - INTEROP_RUNNER_REF: e73ec56cdf5423fa6b1576a2b5fec5eb2171ec5d + INTEROP_RUNNER_REF: 4be6491794a08899f295dc5cdf9eeba8e9fa5431 # This should be updated when updating wesleyrosenblum/quic-network-simulator NETWORK_SIMULATOR_REF: sha256:20abe0bed8c0e39e1d8750507b24295f7c978bdd7e05fa6f3a5afed4b76dc191 IPERF_ENDPOINT_REF: sha256:cb50cc8019d45d9cad5faecbe46a3c21dd5e871949819a5175423755a9045106 diff --git a/quic/s2n-quic-rustls/src/certificate.rs b/quic/s2n-quic-rustls/src/certificate.rs index 1f8f5771a0..be825684be 100644 --- a/quic/s2n-quic-rustls/src/certificate.rs +++ b/quic/s2n-quic-rustls/src/certificate.rs @@ -135,6 +135,8 @@ mod pem { parse_key!(pkcs8_private_keys, PrivateKeyDer::Pkcs8); // attempt to parse RSA key. Returns early if a key is found parse_key!(rsa_private_keys, PrivateKeyDer::Pkcs1); + // attempt to parse a SEC1-encoded EC key. Returns early if a key is found + parse_key!(ec_private_keys, PrivateKeyDer::Sec1); Err(Error::General( "could not load any valid private keys".to_string(), diff --git a/scripts/interop/run b/scripts/interop/run index 963cf68923..b9f42362c2 100755 --- a/scripts/interop/run +++ b/scripts/interop/run @@ -22,7 +22,7 @@ if [ ! -d $INTEROP_DIR ]; then git clone https://github.com/marten-seemann/quic-interop-runner $INTEROP_DIR # make sure to keep this up to date with the interop workflow cd $INTEROP_DIR - git checkout e73ec56cdf5423fa6b1576a2b5fec5eb2171ec5d + git checkout 4be6491794a08899f295dc5cdf9eeba8e9fa5431 git apply --3way ../../.github/interop/runner.patch cd ../../ fi
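Review bot: The new `parse_key!(ec_private_keys, PrivateKeyDer::Sec1);` line makes the loader accept a third encoding in a fixed precedence, but nothing in the hunk records that order or that only the first successfully parsed key is returned; I would add above the first `parse_key!` line: `// Formats are tried in order: PKCS#8, then PKCS#1 (RSA), then SEC1 (EC); the first key that parses wins.` The `parse_key!` macro and the enclosing function are outside the hunk, so I cannot see whether each attempt re-reads the PEM bytes from the start; if the three attempts share a single reader, the SEC1 attempt would run on an already-consumed stream and this change would only help when SEC1 is the first format tried — worth confirming against the macro body. The function's signature and return value are also outside this hunk.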