From 57b11beafe48a45107878938b7733f5b06b82aa0 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Tue, 2 Apr 2024 13:20:30 -0700 Subject: [PATCH 01/14] ci: update quic-interop-runner pinned commit --- .github/interop/required.json | 19 ++++ .github/interop/runner.patch | 179 ++++++++++++++-------------------- .github/workflows/qns.yml | 2 +- scripts/interop/run | 2 +- 4 files changed, 94 insertions(+), 108 deletions(-) diff --git a/.github/interop/required.json b/.github/interop/required.json index 33dfbaf316..542b48c9a8 100644 --- a/.github/interop/required.json +++ b/.github/interop/required.json @@ -9,6 +9,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "client", "server" @@ -55,6 +56,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "server" ], @@ -100,6 +102,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "client" ], @@ -143,6 +146,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "server" ], @@ -184,6 +188,7 @@ ], "kwik": [], "lsquic": [], + "msquic": [], "mvfst": [], "neqo": [ "client" @@ -211,6 +216,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "client", "server" @@ -255,6 +261,7 @@ "client", "server" ], + "msquic": [], "mvfst": [], "neqo": [ "client", @@ -296,6 +303,7 @@ "client", "server" ], + "msquic": [], "mvfst": [], "neqo": [ "client", @@ -331,6 +339,7 @@ "aioquic": [], "kwik": [], "lsquic": [], + "msquic": [], "mvfst": [], "neqo": [ "client" @@ -354,6 +363,7 @@ "lsquic": [ "client" ], + "msquic": [], "mvfst": [], "neqo": [], "ngtcp2": [ @@ -385,6 +395,7 @@ "client", "server" ], + "msquic": [], "mvfst": [], "neqo": [ "client" @@ -419,6 +430,7 @@ "aioquic": [], "kwik": [], "lsquic": [], + "msquic": [], "mvfst": [], "neqo": [], "ngtcp2": [], @@ -445,6 +457,7 @@ "client", "server" ], + "msquic": [], "mvfst": [], "neqo": [ "client", @@ -480,6 +493,7 @@ "aioquic": [], "kwik": [], "lsquic": [], + "msquic": [], "mvfst": [], "neqo": [], "ngtcp2": [], 
@@ -506,6 +520,7 @@ "client", "server" ], + "msquic": [], "mvfst": [], "neqo": [ "client", @@ -545,6 +560,7 @@ "lsquic": [ "client" ], + "msquic": [], "mvfst": [], "neqo": [ "client" @@ -575,6 +591,7 @@ "lsquic": [ "client" ], + "msquic": [], "mvfst": [], "neqo": [], "ngtcp2": [ @@ -603,6 +620,7 @@ "aioquic": [], "kwik": [], "lsquic": [], + "msquic": [], "mvfst": [], "neqo": [], "ngtcp2": [], @@ -625,6 +643,7 @@ "client", "server" ], + "msquic": [], "mvfst": [ "server" ], diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 24e824138f..f2625cfbf1 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,26 +1,17 @@ diff --git a/certs.sh b/certs.sh -index b26b2f8..1547dae 100755 +index 603dade..7a50f7a 100755 --- a/certs.sh +++ b/certs.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - set -e - -@@ -52,8 +52,8 @@ cp $CERTDIR/ca_$CHAINLEN.key $CERTDIR/priv.key +@@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates - for i in $(seq $CHAINLEN -1 1); do - cat $CERTDIR/cert_$i.pem >> $CERTDIR/cert.pem -- rm $CERTDIR/cert_$i.pem $CERTDIR/ca_$i.key -+ rm -f $CERTDIR/cert_$i.pem $CERTDIR/ca_$i.key + for i in $(seq "$CHAINLEN" -1 1); do + cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem +- rm "$CERTDIR"/cert_"$i".pem "$CERTDIR"/ca_"$i".key ++ rm -f "$CERTDIR"/cert_"$i".pem "$CERTDIR"/ca_"$i".key done --rm $CERTDIR/*.srl $CERTDIR/ca_0.key $CERTDIR/cert.csr -+rm -f $CERTDIR/*.srl $CERTDIR/ca_0.key $CERTDIR/cert.csr - - + rm -f "$CERTDIR"/*.srl "$CERTDIR"/ca_0.key "$CERTDIR"/cert.csr diff --git a/docker-compose.yml b/docker-compose.yml -index 7541cae..ba1b4da 100644 +index 496d7aa..42822d6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ version: "2.4" 
@@ -32,7 +23,7 @@ index 7541cae..ba1b4da 100644 container_name: sim hostname: sim stdin_open: true -@@ -40,6 +40,7 @@ services: +@@ -41,6 +41,7 @@ services: - SSLKEYLOGFILE=/logs/keys.log - QLOGDIR=/logs/qlog/ - TESTCASE=$TESTCASE_SERVER @@ -40,7 +31,7 @@ index 7541cae..ba1b4da 100644 - VERSION=$VERSION depends_on: - sim -@@ -68,6 +69,7 @@ services: +@@ -69,6 +70,7 @@ services: - SSLKEYLOGFILE=/logs/keys.log - QLOGDIR=/logs/qlog/ - TESTCASE=$TESTCASE_CLIENT @@ -49,34 +40,10 @@ index 7541cae..ba1b4da 100644 - VERSION=$VERSION depends_on: diff --git a/implementations.json b/implementations.json -index 9150551..fc21610 100644 +index 09e2fdd..72513c8 100644 --- a/implementations.json +++ b/implementations.json -@@ -9,11 +9,6 @@ - "url": "https://github.com/ngtcp2/ngtcp2", - "role": "both" - }, -- "quant": { -- "image": "ntap/quant:interop", -- "url": "https://github.com/NTAP/quant", -- "role": "both" -- }, - "mvfst": { - "image": "lnicco/mvfst-qns:latest", - "url": "https://github.com/facebookincubator/mvfst", -@@ -49,11 +44,6 @@ - "url": "https://quic.nginx.org/", - "role": "server" - }, -- "msquic": { -- "image": "ghcr.io/microsoft/msquic/qns:main", -- "url": "https://github.com/microsoft/msquic", -- "role": "both" -- }, - "chrome": { - "image": "martenseemann/chrome-quic-interop-runner", - "url": "https://github.com/marten-seemann/chrome-quic-interop-runner", -@@ -79,8 +69,13 @@ +@@ -74,8 +74,13 @@ "url": "https://github.com/quinn-rs/quinn", "role": "both" }, @@ -86,16 +53,16 @@ index 9150551..fc21610 100644 + "role": "both" + }, "s2n-quic": { -- "image": "public.ecr.aws/s2n/s2n-quic-qns:latest", +- "image": "ghcr.io/aws/s2n-quic/s2n-quic-qns:latest", + "image": "aws/s2n-quic-qns:latest", "url": "https://github.com/aws/s2n-quic", "role": "both" - } + }, diff --git a/interop.py b/interop.py -index 4dea51d..3239567 100644 +index 8f2769b..5a20a80 100644 --- a/interop.py 
+++ b/interop.py -@@ -124,6 +124,7 @@ class InteropRunner: +@@ -123,6 +123,7 @@ class InteropRunner: cmd = ( "CERTS=" + certs_dir.name + " " "TESTCASE_CLIENT=" + random_string(6) + " " @@ -103,7 +70,7 @@ index 4dea51d..3239567 100644 "SERVER_LOGS=/dev/null " "CLIENT_LOGS=" + client_log_dir.name + " " "WWW=" + www_dir.name + " " -@@ -148,6 +149,7 @@ class InteropRunner: +@@ -150,6 +151,7 @@ class InteropRunner: cmd = ( "CERTS=" + certs_dir.name + " " "TESTCASE_SERVER=" + random_string(6) + " " @@ -111,7 +78,7 @@ index 4dea51d..3239567 100644 "SERVER_LOGS=" + server_log_dir.name + " " "CLIENT_LOGS=/dev/null " "WWW=" + www_dir.name + " " -@@ -344,6 +346,7 @@ class InteropRunner: +@@ -373,6 +375,7 @@ class InteropRunner: "CERTS=" + testcase.certs_dir() + " " "TESTCASE_SERVER=" + testcase.testname(Perspective.SERVER) + " " "TESTCASE_CLIENT=" + testcase.testname(Perspective.CLIENT) + " " 
@@ -119,56 +86,55 @@ index 4dea51d..3239567 100644 "WWW=" + testcase.www_dir() + " " "DOWNLOADS=" + testcase.download_dir() + " " "SERVER_LOGS=" + server_log_dir.name + " " -@@ -456,9 +459,14 @@ class InteropRunner: +@@ -490,9 +493,14 @@ class InteropRunner: logging.debug(values) res = MeasurementResult() res.result = TestResult.SUCCEEDED - res.details = "{:.0f} (± {:.0f}) {}".format( -- statistics.mean(values), statistics.stdev(values), test.unit() -- ) + if len(values) == 1: + res.details = "{:.0f} {}".format( + values[0], test.unit() + ) + else: + res.details = "{:.0f} (± {:.0f}) {}".format( -+ statistics.mean(values), statistics.stdev(values), test.unit() + statistics.mean(values), statistics.stdev(values), test.unit() +- ) + ) return res def run(self): -@@ -474,23 +482,26 @@ class InteropRunner: - client, - self._implementations[client]["image"], - ) -- if not ( -- self._check_impl_is_compliant(server) -- and self._check_impl_is_compliant(client) -- ): -- logging.info("Not compliant, skipping") -- continue +@@ -507,23 +515,26 @@ class InteropRunner: + client, + self._implementations[client]["image"], + ) +- if not ( +- self._check_impl_is_compliant(server) +- and self._check_impl_is_compliant(client) +- ): +- logging.info("Not compliant, skipping") +- continue -+ transfer_succeeded = True - # run the test cases - for testcase in self._tests: - status = self._run_testcase(server, client, testcase) - self.test_results[server][client][testcase] = status - if status == TestResult.FAILED: - nr_failed += 1 -+ if testcase == testcases.TestCaseTransfer: -+ transfer_succeeded = False ++ transfer_succeeded = True + # run the test cases + for testcase in self._tests: + status = self._run_testcase(server, client, testcase) + self.test_results[server][client][testcase] = status + if status == TestResult.FAILED: + nr_failed += 1 ++ if testcase == testcases.TestCaseTransfer: ++ transfer_succeeded = False - # run the measurements - for measurement in self._measurements: -- 
res = self._run_measurement(server, client, measurement) -+ if transfer_succeeded: -+ res = self._run_measurement(server, client, measurement) -+ else: -+ logging.debug("Skipping measurements as Transfer testcase was unsuccessful") -+ res = MeasurementResult() -+ res.result = TestResult.UNSUPPORTED -+ res.details = "Skipping measurements as Transfer testcase was unsuccessful" - self.measurement_results[server][client][measurement] = res + # run the measurements + for measurement in self._measurements: +- res = self._run_measurement(server, client, measurement) ++ if transfer_succeeded: ++ res = self._run_measurement(server, client, measurement) ++ else: ++ logging.debug("Skipping measurements as Transfer testcase was unsuccessful") ++ res = MeasurementResult() ++ res.result = TestResult.UNSUPPORTED ++ res.details = "Skipping measurements as Transfer testcase was unsuccessful" + self.measurement_results[server][client][measurement] = res self._print_results() diff --git a/pull.py b/pull.py @@ -197,21 +163,21 @@ index 131cf94..ce5960d 100644 +pyshark==0.5.2 \ No newline at end of file diff --git a/run.py b/run.py -index fbd9515..aa8d6ed 100755 +index 4564681..3a28eec 100755 --- a/run.py +++ b/run.py -@@ -136,4 +136,4 @@ def main(): +@@ -165,4 +165,4 @@ def main(): if __name__ == "__main__": - sys.exit(main()) + main() diff --git a/testcases.py b/testcases.py -index 6d7ecfb..d7c323c 100644 +index df0fac5..91f0261 100644 --- a/testcases.py +++ b/testcases.py -@@ -90,6 +90,10 @@ class TestCase(abc.ABC): - """ The name of testcase presented to the endpoint Docker images""" +@@ -97,6 +97,10 @@ class TestCase(abc.ABC): + """The name of testcase presented to the endpoint Docker images""" return self.name() + @staticmethod 
@@ -220,17 +186,17 @@ index 6d7ecfb..d7c323c 100644 + @staticmethod def scenario() -> str: - """ Scenario for the ns3 simulator """ -@@ -1181,7 +1185,7 @@ class TestCasePortRebinding(TestCaseTransfer): + """Scenario for the ns3 simulator""" +@@ -1207,7 +1211,7 @@ class TestCasePortRebinding(TestCaseTransfer): @staticmethod def scenario() -> str: - """ Scenario for the ns3 simulator """ + """Scenario for the ns3 simulator""" - return "rebind --delay=15ms --bandwidth=10Mbps --queue=25 --first-rebind=1s --rebind-freq=5s" + return "rebind --delay=15ms --bandwidth=10Mbps --queue=25 --first-rebind=2s --rebind-freq=5s" - + def check(self) -> TestResult: if not self._keylog_file(): -@@ -1203,54 +1207,26 @@ class TestCasePortRebinding(TestCaseTransfer): +@@ -1229,56 +1233,26 @@ class TestCasePortRebinding(TestCaseTransfer): logging.info("Server saw only a single client port in use; test broken?") return TestResult.FAILED @@ -238,9 +204,11 @@ index 6d7ecfb..d7c323c 100644 - num_migrations = 0 - for p in tr_server: - cur = ( -- getattr(p["ipv6"], "dst") -- if "IPV6" in str(p.layers) -- else getattr(p["ip"], "dst"), +- ( +- getattr(p["ipv6"], "dst") +- if "IPV6" in str(p.layers) +- else getattr(p["ip"], "dst") +- ), - int(getattr(p["udp"], "dstport")), - ) - if last is None: @@ -293,9 +261,9 @@ index 6d7ecfb..d7c323c 100644 if hasattr(p["quic"], "path_response.data") ) ) -@@ -1532,6 +1508,10 @@ class MeasurementGoodput(Measurement): - def testname(p: Perspective): - return "transfer" +@@ -1296,6 +1270,10 @@ class TestCaseAddressRebinding(TestCasePortRebinding): + def name(): + return "rebind-addr" + @staticmethod + def test_type() -> str: @@ -303,8 +271,8 @@ index 6d7ecfb..d7c323c 100644 + @staticmethod def abbreviation(): - return "G" -@@ -1542,7 +1522,7 @@ class MeasurementGoodput(Measurement): + return "BA" +@@ -1575,7 +1553,7 @@ class MeasurementGoodput(Measurement): @staticmethod def repetitions() -> int: 
@@ -313,8 +281,7 @@ index 6d7ecfb..d7c323c 100644 def get_paths(self): self._files = [self._generate_random_file(self.FILESIZE)] -@@ -1610,8 +1590,8 @@ TESTCASES = [ - TestCaseChaCha20, +@@ -1646,7 +1624,7 @@ TESTCASES = [ TestCaseMultiplexing, TestCaseRetry, TestCaseResumption, @@ -323,7 +290,7 @@ index 6d7ecfb..d7c323c 100644 TestCaseHTTP3, TestCaseBlackhole, TestCaseKeyUpdate, -@@ -1622,12 +1602,11 @@ TESTCASES = [ +@@ -1657,12 +1635,11 @@ TESTCASES = [ TestCaseHandshakeCorruption, TestCaseTransferCorruption, TestCaseIPv6, diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml index 975050ec76..8766148244 100644 --- a/.github/workflows/qns.yml +++ b/.github/workflows/qns.yml @@ -15,7 +15,7 @@ env: RUST_BACKTRACE: 1 # This kept breaking builds so we're pinning for now. We should do our best to keep # up with the changes, though. - INTEROP_RUNNER_REF: e73ec56cdf5423fa6b1576a2b5fec5eb2171ec5d + INTEROP_RUNNER_REF: 4be6491794a08899f295dc5cdf9eeba8e9fa5431 # This should be updated when updating wesleyrosenblum/quic-network-simulator NETWORK_SIMULATOR_REF: sha256:20abe0bed8c0e39e1d8750507b24295f7c978bdd7e05fa6f3a5afed4b76dc191 IPERF_ENDPOINT_REF: sha256:cb50cc8019d45d9cad5faecbe46a3c21dd5e871949819a5175423755a9045106 diff --git a/scripts/interop/run b/scripts/interop/run index 963cf68923..b9f42362c2 100755 --- a/scripts/interop/run +++ b/scripts/interop/run @@ -22,7 +22,7 @@ if [ ! -d $INTEROP_DIR ]; then git clone https://github.com/marten-seemann/quic-interop-runner $INTEROP_DIR # make sure to keep this up to date with the interop workflow cd $INTEROP_DIR - git checkout e73ec56cdf5423fa6b1576a2b5fec5eb2171ec5d + git checkout 4be6491794a08899f295dc5cdf9eeba8e9fa5431 git apply --3way ../../.github/interop/runner.patch cd ../../ fi From 3fe6a1472c9b11bd6228fb7f71fd5cf7cb8bcbd5 Mon Sep 17 00:00:00 2001 
From: Wesley Rosenblum Date: Tue, 2 Apr 2024 15:02:35 -0700 Subject: [PATCH 02/14] fix patch --- .github/interop/runner.patch | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index f2625cfbf1..ca439960b9 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -59,7 +59,7 @@ index 09e2fdd..72513c8 100644 "role": "both" }, diff --git a/interop.py b/interop.py -index 8f2769b..5a20a80 100644 +index 8f2769b..7af0657 100644 --- a/interop.py +++ b/interop.py @@ -123,6 +123,7 @@ class InteropRunner: @@ -91,14 +91,15 @@ index 8f2769b..5a20a80 100644 res = MeasurementResult() res.result = TestResult.SUCCEEDED - res.details = "{:.0f} (± {:.0f}) {}".format( +- statistics.mean(values), statistics.stdev(values), test.unit() +- ) + if len(values) == 1: + res.details = "{:.0f} {}".format( + values[0], test.unit() + ) + else: + res.details = "{:.0f} (± {:.0f}) {}".format( - statistics.mean(values), statistics.stdev(values), test.unit() -- ) ++ statistics.mean(values), statistics.stdev(values), test.unit() + ) return res From 347b4bde6283098ec4cc97d1e650a1ecaff64451 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Tue, 2 Apr 2024 16:07:27 -0700 Subject: [PATCH 03/14] add default stddev column --- .github/interop/runner.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index ca439960b9..596bd52f85 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -59,7 +59,7 @@ index 09e2fdd..72513c8 100644 "role": "both" }, diff --git a/interop.py b/interop.py -index 8f2769b..7af0657 100644 +index 8f2769b..2ab8475 100644 --- a/interop.py +++ b/interop.py @@ -123,6 +123,7 @@ class InteropRunner: 
@@ -94,7 +94,7 @@ index 8f2769b..7af0657 100644 - statistics.mean(values), statistics.stdev(values), test.unit() - ) + if len(values) == 1: -+ res.details = "{:.0f} {}".format( ++ res.details = "{:.0f} (± 0.0) {}".format( + values[0], test.unit() + ) + else: From 7c492b616dccd5fc4ce6371bab982fe963430d0c Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Tue, 2 Apr 2024 18:15:27 -0700 Subject: [PATCH 04/14] try converting key to pkcs8 --- .github/interop/runner.patch | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 596bd52f85..114468c6e2 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,8 +1,15 @@ diff --git a/certs.sh b/certs.sh -index 603dade..7a50f7a 100755 +index 603dade..aafdfe1 100755 --- a/certs.sh +++ b/certs.sh -@@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key +@@ -52,9 +52,13 @@ done + mv "$CERTDIR"/cert_0.pem "$CERTDIR"/ca.pem + cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key + ++# convert key to PKCS#8 ++openssl pkcs8 -in "$CERTDIR"/priv.key -topk8 -nocrypt -out enckey.pem ++mv enckey.pem "$CERTDIR"/priv.key ++ # combine certificates for i in $(seq "$CHAINLEN" -1 1); do cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem @@ -59,7 +66,7 @@ index 09e2fdd..72513c8 100644 "role": "both" }, diff --git a/interop.py b/interop.py -index 8f2769b..2ab8475 100644 +index 8f2769b..7af0657 100644 --- a/interop.py +++ b/interop.py @@ -123,6 +123,7 @@ class InteropRunner: @@ -94,7 +101,7 @@ index 8f2769b..2ab8475 100644 - statistics.mean(values), statistics.stdev(values), test.unit() - ) + if len(values) == 1: -+ res.details = "{:.0f} (± 0.0) {}".format( ++ res.details = "{:.0f} {}".format( + values[0], test.unit() + ) + else: From 64d82c0f96633702250725a628bad7b067a279b2 Mon Sep 17 00:00:00 2001 
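Review bot: The PKCS#8 conversion inserted after the `cp ... priv.key` line writes its output to `enckey.pem` in the current working directory rather than in `$CERTDIR`, so anything that fails between the `openssl` call and the `mv` leaves a private key behind outside the certificate directory, and the name `enckey.pem` misdescribes a `-nocrypt` (unencrypted) output. Keep the intermediate next to its source and name it for what it is: `openssl pkcs8 -in "$CERTDIR"/priv.key -topk8 -nocrypt -out "$CERTDIR"/priv.key.pkcs8` followed by `mv "$CERTDIR"/priv.key.pkcs8 "$CERTDIR"/priv.key`. certs.sh appears to run under `set -e` (visible in the PATCH 01 context), so a failed conversion stops before the move, but the stray file would still remain. PATCH 05 drops this hunk again, so this matters only if the conversion is reintroduced.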
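Review bot: The last hunk of this commit (`@@ -94,7 +101,7 @@`) changes the single-value format string from `"{:.0f} (± 0.0) {}"` back to `"{:.0f} {}"`, undoing PATCH 03 ("add default stddev column") although the subject only mentions the PKCS#8 key conversion; the interop.py blob in the `index` line also moves back from `2ab8475` to `7af0657`, which is PATCH 02's blob, so the patch file looks like it was regenerated from a stale checkout. If the stddev column is meant to stay, restore `res.details = "{:.0f} (± 0.0) {}".format(` here; if the revert is intended, the commit message should say so. The enclosing method starts and ends outside the hunk.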
From: Wesley Rosenblum Date: Tue, 2 Apr 2024 22:21:02 -0700 Subject: [PATCH 05/14] add sec1 parsing to rustls --- .github/interop/runner.patch | 22 ++++++++++++---------- quic/s2n-quic-rustls/src/certificate.rs | 2 ++ 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 114468c6e2..c2a1c5d432 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,15 +1,8 @@ diff --git a/certs.sh b/certs.sh -index 603dade..aafdfe1 100755 +index 603dade..7a50f7a 100755 --- a/certs.sh +++ b/certs.sh -@@ -52,9 +52,13 @@ done - mv "$CERTDIR"/cert_0.pem "$CERTDIR"/ca.pem - cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key - -+# convert key to PKCS#8 -+openssl pkcs8 -in "$CERTDIR"/priv.key -topk8 -nocrypt -out enckey.pem -+mv enckey.pem "$CERTDIR"/priv.key -+ +@@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates for i in $(seq "$CHAINLEN" -1 1); do cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem @@ -66,7 +59,7 @@ index 09e2fdd..72513c8 100644 "role": "both" }, diff --git a/interop.py b/interop.py -index 8f2769b..7af0657 100644 +index 8f2769b..ddc290a 100644 --- a/interop.py +++ b/interop.py @@ -123,6 +123,7 @@ class InteropRunner: @@ -85,6 +78,15 @@ index 8f2769b..7af0657 100644 "SERVER_LOGS=" + server_log_dir.name + " " "CLIENT_LOGS=/dev/null " "WWW=" + www_dir.name + " " +@@ -240,7 +242,7 @@ class InteropRunner: + results.append(colored(measurement.abbreviation(), "grey")) + elif res.result == TestResult.FAILED: + results.append(colored(measurement.abbreviation(), "red")) +- row[server] = "\n".join(results) ++ row[server] = "\n".join(results) + t.field_names = [""] + [column for column, _ in columns.items()] + for client, results in rows.items(): + row = [client] @@ -373,6 +375,7 @@ class InteropRunner: "CERTS=" + testcase.certs_dir() + " " "TESTCASE_SERVER=" + testcase.testname(Perspective.SERVER) + " " 
diff --git a/quic/s2n-quic-rustls/src/certificate.rs b/quic/s2n-quic-rustls/src/certificate.rs index 1f8f5771a0..be825684be 100644 --- a/quic/s2n-quic-rustls/src/certificate.rs +++ b/quic/s2n-quic-rustls/src/certificate.rs @@ -135,6 +135,8 @@ mod pem { parse_key!(pkcs8_private_keys, PrivateKeyDer::Pkcs8); // attempt to parse RSA key. Returns early if a key is found parse_key!(rsa_private_keys, PrivateKeyDer::Pkcs1); + // attempt to parse a SEC1-encoded EC key. Returns early if a key is found + parse_key!(ec_private_keys, PrivateKeyDer::Sec1); Err(Error::General( "could not load any valid private keys".to_string(), From db785c38f7e416d4e0b04215aeaaf4d1108faac2 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 00:06:50 -0700 Subject: [PATCH 06/14] fix patch --- .github/interop/runner.patch | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index c2a1c5d432..f5e63bffc8 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -59,7 +59,7 @@ index 09e2fdd..72513c8 100644 "role": "both" }, diff --git a/interop.py b/interop.py -index 8f2769b..ddc290a 100644 +index 8f2769b..df430a9 100644 --- a/interop.py +++ b/interop.py @@ -123,6 +123,7 @@ class InteropRunner: 
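Review bot: The new `parse_key!(ec_private_keys, PrivateKeyDer::Sec1);` arm widens the accepted private-key encodings to PKCS#8, PKCS#1 and SEC1, but the error constructed just below still reads `could not load any valid private keys`, so a caller with a malformed or unsupported key gets no hint of what was tried; consider `"could not load any valid private keys (expected PKCS#8, PKCS#1/RSA or SEC1/EC PEM)"`. The per-arm comment "Returns early if a key is found" is now repeated three times; a one-line doc comment on the enclosing function stating the try order (PKCS#8, then PKCS#1, then SEC1) would let the per-arm comments go. The enclosing function starts and ends outside the hunk, and no fixture exercising a SEC1-encoded key accompanies the change on this page.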
@@ -78,16 +78,15 @@ index 8f2769b..ddc290a 100644 "SERVER_LOGS=" + server_log_dir.name + " " "CLIENT_LOGS=/dev/null " "WWW=" + www_dir.name + " " -@@ -240,7 +242,7 @@ class InteropRunner: - results.append(colored(measurement.abbreviation(), "grey")) - elif res.result == TestResult.FAILED: - results.append(colored(measurement.abbreviation(), "red")) -- row[server] = "\n".join(results) -+ row[server] = "\n".join(results) - t.field_names = [""] + [column for column, _ in columns.items()] - for client, results in rows.items(): - row = [client] -@@ -373,6 +375,7 @@ class InteropRunner: +@@ -217,7 +219,6 @@ class InteropRunner: + t = prettytable.PrettyTable() + t.hrules = prettytable.ALL + t.vrules = prettytable.ALL +- t.field_names = [""] + rows = {} + columns = {} + for client, server in self._client_server_pairs: +@@ -373,6 +374,7 @@ class InteropRunner: "CERTS=" + testcase.certs_dir() + " " "TESTCASE_SERVER=" + testcase.testname(Perspective.SERVER) + " " "TESTCASE_CLIENT=" + testcase.testname(Perspective.CLIENT) + " " @@ -95,7 +94,7 @@ index 8f2769b..ddc290a 100644 "WWW=" + testcase.www_dir() + " " "DOWNLOADS=" + testcase.download_dir() + " " "SERVER_LOGS=" + server_log_dir.name + " " -@@ -490,9 +493,14 @@ class InteropRunner: +@@ -490,9 +492,14 @@ class InteropRunner: logging.debug(values) res = MeasurementResult() res.result = TestResult.SUCCEEDED @@ -113,7 +112,7 @@ index 8f2769b..ddc290a 100644 return res def run(self): -@@ -507,23 +515,26 @@ class InteropRunner: +@@ -507,23 +514,26 @@ class InteropRunner: client, self._implementations[client]["image"], ) From bb867f487907c452b426841330f974882b312121 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 08:39:14 -0700 Subject: [PATCH 07/14] create larger certs --- .github/interop/runner.patch | 38 +++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index f5e63bffc8..21a2fab4ef 100644 
--- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,7 +1,43 @@ diff --git a/certs.sh b/certs.sh -index 603dade..7a50f7a 100755 +index 603dade..1cb6c06 100755 --- a/certs.sh +++ b/certs.sh +@@ -13,8 +13,8 @@ CHAINLEN=$2 + mkdir -p "$CERTDIR" || true + + # Generate Root CA and certificate +-openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_0.key +-openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ ++openssl ecparam -name secp521r1 -genkey -out "$CERTDIR"/ca_0.key ++openssl req -x509 -sha512 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ + -out "$CERTDIR"/cert_0.pem \ + -subj "/O=interop runner Root Certificate Authority/" \ + -config cert_config.txt \ +@@ -28,7 +28,7 @@ for i in $(seq 1 "$CHAINLEN"); do + SUBJ="interop runner leaf" + fi + +- openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_"$i".key ++ openssl ecparam -name secp521r1 -genkey -out "$CERTDIR"/ca_"$i".key + openssl req -out "$CERTDIR"/cert.csr -new -key "$CERTDIR"/ca_"$i".key -nodes \ + -subj "/O=$SUBJ/" \ + 2> /dev/null +@@ -36,13 +36,13 @@ for i in $(seq 1 "$CHAINLEN"); do + # Sign the certificate + j=$((i-1)) + if [[ $i < "$CHAINLEN" ]]; then +- openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ ++ openssl x509 -req -sha512 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ + -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ + -extfile cert_config.txt \ + -extensions v3_ca \ + 2> /dev/null + else +- openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ ++ openssl x509 -req -sha512 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ + -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ + -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \ + 2> /dev/null 
@@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates for i in $(seq "$CHAINLEN" -1 1); do From ded7c16f3c2a22176ef2c4bdef8697182ce3f27a Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 09:52:53 -0700 Subject: [PATCH 08/14] use sha384 --- .github/interop/runner.patch | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 21a2fab4ef..35d3590482 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,5 +1,5 @@ diff --git a/certs.sh b/certs.sh -index 603dade..1cb6c06 100755 +index 603dade..85b590e 100755 --- a/certs.sh +++ b/certs.sh @@ -13,8 +13,8 @@ CHAINLEN=$2 @@ -9,7 +9,7 @@ index 603dade..1cb6c06 100755 -openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_0.key -openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ +openssl ecparam -name secp521r1 -genkey -out "$CERTDIR"/ca_0.key -+openssl req -x509 -sha512 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ ++openssl req -x509 -sha384 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ -out "$CERTDIR"/cert_0.pem \ -subj "/O=interop runner Root Certificate Authority/" \ -config cert_config.txt \ 
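Review bot: Switching every key in the chain from prime256v1 to secp521r1 and every signature from sha256 to sha512 ties the "create larger certs" goal to the ecdsa_secp521r1_sha512 signature scheme, which not every implementation under test necessarily enables by default, so a peer may fail the handshake for a reason unrelated to certificate size; PATCH 08 and 09 step back to sha384 and secp384r1, presumably for this reason. If a larger chain is the aim, growing the certificate content (an extra extension or longer subject) keeps the widely supported ecdsa_secp256r1_sha256 scheme while adding bytes on the wire. The curve and digest names are repeated across the hunk; a `CURVE=secp521r1` / `DIGEST=sha512` pair near the top of certs.sh would make experiments like PATCH 08–09 a one-line change.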
@@ -27,14 +27,14 @@ index 603dade..1cb6c06 100755 j=$((i-1)) if [[ $i < "$CHAINLEN" ]]; then - openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -+ openssl x509 -req -sha512 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ ++ openssl x509 -req -sha384 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ -extfile cert_config.txt \ -extensions v3_ca \ 2> /dev/null else - openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -+ openssl x509 -req -sha512 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ ++ openssl x509 -req -sha384 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \ 2> /dev/null From 541f35530596f7a8d211db2022a717589ca5c5c1 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 10:51:15 -0700 Subject: [PATCH 09/14] use sha384 and secp384r1 --- .github/interop/runner.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 35d3590482..0b5dc5a688 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,5 +1,5 @@ diff --git a/certs.sh b/certs.sh -index 603dade..85b590e 100755 +index 603dade..c32782b 100755 --- a/certs.sh +++ b/certs.sh @@ -13,8 +13,8 @@ CHAINLEN=$2 
@@ -8,7 +8,7 @@ index 603dade..85b590e 100755 # Generate Root CA and certificate -openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_0.key -openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ -+openssl ecparam -name secp521r1 -genkey -out "$CERTDIR"/ca_0.key ++openssl ecparam -name secp384r1 -genkey -out "$CERTDIR"/ca_0.key +openssl req -x509 -sha384 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ -out "$CERTDIR"/cert_0.pem \ -subj "/O=interop runner Root Certificate Authority/" \ @@ -18,7 +18,7 @@ index 603dade..85b590e 100755 fi - openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_"$i".key -+ openssl ecparam -name secp521r1 -genkey -out "$CERTDIR"/ca_"$i".key ++ openssl ecparam -name secp384r1 -genkey -out "$CERTDIR"/ca_"$i".key openssl req -out "$CERTDIR"/cert.csr -new -key "$CERTDIR"/ca_"$i".key -nodes \ -subj "/O=$SUBJ/" \ 2> /dev/null From 6f2331b619f7aa933b46b1bf8c6a98f0564db12e Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 11:34:16 -0700 Subject: [PATCH 10/14] add SAN to cert --- .github/interop/runner.patch | 50 ++++++++++-------------------------- 1 file changed, 13 insertions(+), 37 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 0b5dc5a688..7c9ba2fafb 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,43 +1,19 @@ +diff --git a/cert_config.txt b/cert_config.txt +index 9ef33b9..3130e16 100644 +--- a/cert_config.txt ++++ b/cert_config.txt +@@ -8,3 +8,7 @@ keyUsage=critical, keyCertSign + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer:always + basicConstraints=critical,CA:TRUE,pathlen:100 ++subjectAltName = @alt_names ++ ++[alt_names] ++DNS.1 = QGHetXUtpDSqKeHHGmUYhaKjvzKZzqxxgWBwfupLguKzqZTLiuyzzfGLNLuvuAdRDdjyXzLvyegRJbNLxqmmSukiGhzfJEviPCNUuvigcLjkyuUhyEyYpcRVCkDJuwGEXbdVbwNnAULfHYznSmZpGNLcuGGqpfnFEnJkPxPrvTSDeFPkQheuYRRwSvGqzPaqcKvBgAKrrTrgZuzMYXjQLcEXXHVMhYvwLCBaDPXXCjyTVwJctKHvMhTrdnEJTKa 
diff --git a/certs.sh b/certs.sh -index 603dade..c32782b 100755 +index 603dade..7a50f7a 100755 --- a/certs.sh +++ b/certs.sh -@@ -13,8 +13,8 @@ CHAINLEN=$2 - mkdir -p "$CERTDIR" || true - - # Generate Root CA and certificate --openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_0.key --openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ -+openssl ecparam -name secp384r1 -genkey -out "$CERTDIR"/ca_0.key -+openssl req -x509 -sha384 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ - -out "$CERTDIR"/cert_0.pem \ - -subj "/O=interop runner Root Certificate Authority/" \ - -config cert_config.txt \ -@@ -28,7 +28,7 @@ for i in $(seq 1 "$CHAINLEN"); do - SUBJ="interop runner leaf" - fi - -- openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_"$i".key -+ openssl ecparam -name secp384r1 -genkey -out "$CERTDIR"/ca_"$i".key - openssl req -out "$CERTDIR"/cert.csr -new -key "$CERTDIR"/ca_"$i".key -nodes \ - -subj "/O=$SUBJ/" \ - 2> /dev/null -@@ -36,13 +36,13 @@ for i in $(seq 1 "$CHAINLEN"); do - # Sign the certificate - j=$((i-1)) - if [[ $i < "$CHAINLEN" ]]; then -- openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -+ openssl x509 -req -sha384 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ - -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ - -extfile cert_config.txt \ - -extensions v3_ca \ - 2> /dev/null - else -- openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ -+ openssl x509 -req -sha384 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ - -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ - -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \ - 2> /dev/null @@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates for i in $(seq "$CHAINLEN" -1 1); do 
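Review bot: Each `DNS.N` entry added under `[alt_names]` is a single label of roughly 250 characters, which exceeds the 63-octet label limit of the preferred name syntax (RFC 1034/1035) that RFC 5280 requires for dNSName SANs; OpenSSL will emit it, but a peer that validates SAN syntax, or that walks the oversized label during hostname matching, may reject the certificate for a reason unrelated to the chain size the series is after. The same oversized labels are carried through PATCH 11–13 (the second name and the all-1s/all-2s variants), and PATCH 14 drops this file again in favour of the upstream change. Note also that cert_config.txt is the CA-section config (`keyUsage=critical, keyCertSign`, `basicConstraints=critical,CA:TRUE`), and the certs.sh context in PATCH 07 shows it applied to the root and intermediates while the leaf gets its own `subjectAltName` via `-extfile`, so the padding lands on the CA certificates rather than the leaf; if it must stay, a comment such as `# oversized SANs: pad the CA certificates to enlarge the handshake (test-only)` would record the intent.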
From a769ba8c45e6547437f0c945f25e13f09180dbf3 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 12:07:00 -0700 Subject: [PATCH 11/14] add another SAN to cert --- .github/interop/runner.patch | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 7c9ba2fafb..947ebc53e0 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,8 +1,8 @@ diff --git a/cert_config.txt b/cert_config.txt -index 9ef33b9..3130e16 100644 +index 9ef33b9..d8b8dd8 100644 --- a/cert_config.txt +++ b/cert_config.txt -@@ -8,3 +8,7 @@ keyUsage=critical, keyCertSign +@@ -8,3 +8,8 @@ keyUsage=critical, keyCertSign subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints=critical,CA:TRUE,pathlen:100 @@ -10,6 +10,8 @@ index 9ef33b9..3130e16 100644 + +[alt_names] +DNS.1 = QGHetXUtpDSqKeHHGmUYhaKjvzKZzqxxgWBwfupLguKzqZTLiuyzzfGLNLuvuAdRDdjyXzLvyegRJbNLxqmmSukiGhzfJEviPCNUuvigcLjkyuUhyEyYpcRVCkDJuwGEXbdVbwNnAULfHYznSmZpGNLcuGGqpfnFEnJkPxPrvTSDeFPkQheuYRRwSvGqzPaqcKvBgAKrrTrgZuzMYXjQLcEXXHVMhYvwLCBaDPXXCjyTVwJctKHvMhTrdnEJTKa ++DNS.2 = WjyzJAxdbakAnQZkuMPFFRzEZtqziRwukLVcfnKvEQELVmdEnuFjKLtvDnhwwqNWhXgiHVqVQmVDTQMqCdUymBnmCZgbnqURVErcCRRLzMpDRDTfqXmUwjhnMgPqqdSxWXvqBRhevKMgJWibajdgaRSagYYZPmfdccGDXxuSvJRHEkkZhMZiixvWXQYppMVciRHESwjHmrTkhLtXmzCRSuccbLZmYKCqWYrjCCLfPzPnmnVNwWBtkpJMJqWjvbb +\ No newline at end of file diff --git a/certs.sh b/certs.sh index 603dade..7a50f7a 100755 --- a/certs.sh From d4d185a0b37db6ab5c785d0043d8e1ab3bda893a Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 12:07:34 -0700 Subject: [PATCH 12/14] add another SAN to cert --- .github/interop/runner.patch | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 947ebc53e0..1e9cf48e23 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,5 +1,5 @@ 
diff --git a/cert_config.txt b/cert_config.txt -index 9ef33b9..d8b8dd8 100644 +index 9ef33b9..b80f533 100644 --- a/cert_config.txt +++ b/cert_config.txt @@ -8,3 +8,8 @@ keyUsage=critical, keyCertSign @@ -11,7 +11,6 @@ index 9ef33b9..d8b8dd8 100644 +[alt_names] +DNS.1 = QGHetXUtpDSqKeHHGmUYhaKjvzKZzqxxgWBwfupLguKzqZTLiuyzzfGLNLuvuAdRDdjyXzLvyegRJbNLxqmmSukiGhzfJEviPCNUuvigcLjkyuUhyEyYpcRVCkDJuwGEXbdVbwNnAULfHYznSmZpGNLcuGGqpfnFEnJkPxPrvTSDeFPkQheuYRRwSvGqzPaqcKvBgAKrrTrgZuzMYXjQLcEXXHVMhYvwLCBaDPXXCjyTVwJctKHvMhTrdnEJTKa +DNS.2 = WjyzJAxdbakAnQZkuMPFFRzEZtqziRwukLVcfnKvEQELVmdEnuFjKLtvDnhwwqNWhXgiHVqVQmVDTQMqCdUymBnmCZgbnqURVErcCRRLzMpDRDTfqXmUwjhnMgPqqdSxWXvqBRhevKMgJWibajdgaRSagYYZPmfdccGDXxuSvJRHEkkZhMZiixvWXQYppMVciRHESwjHmrTkhLtXmzCRSuccbLZmYKCqWYrjCCLfPzPnmnVNwWBtkpJMJqWjvbb -\ No newline at end of file diff --git a/certs.sh b/certs.sh index 603dade..7a50f7a 100755 --- a/certs.sh From 792624c12a4f920aa643b64bfdfb50327c49b428 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 12:40:17 -0700 Subject: [PATCH 13/14] use all 1s and 2s in the SAN --- .github/interop/runner.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 1e9cf48e23..293045844e 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch @@ -1,5 +1,5 @@ diff --git a/cert_config.txt b/cert_config.txt -index 9ef33b9..b80f533 100644 +index 9ef33b9..c7d4348 100644 --- a/cert_config.txt +++ b/cert_config.txt @@ -8,3 +8,8 @@ keyUsage=critical, keyCertSign 
@@ -9,8 +9,8 @@ index 9ef33b9..b80f533 100644 +subjectAltName = @alt_names + +[alt_names] -+DNS.1 = QGHetXUtpDSqKeHHGmUYhaKjvzKZzqxxgWBwfupLguKzqZTLiuyzzfGLNLuvuAdRDdjyXzLvyegRJbNLxqmmSukiGhzfJEviPCNUuvigcLjkyuUhyEyYpcRVCkDJuwGEXbdVbwNnAULfHYznSmZpGNLcuGGqpfnFEnJkPxPrvTSDeFPkQheuYRRwSvGqzPaqcKvBgAKrrTrgZuzMYXjQLcEXXHVMhYvwLCBaDPXXCjyTVwJctKHvMhTrdnEJTKa -+DNS.2 = WjyzJAxdbakAnQZkuMPFFRzEZtqziRwukLVcfnKvEQELVmdEnuFjKLtvDnhwwqNWhXgiHVqVQmVDTQMqCdUymBnmCZgbnqURVErcCRRLzMpDRDTfqXmUwjhnMgPqqdSxWXvqBRhevKMgJWibajdgaRSagYYZPmfdccGDXxuSvJRHEkkZhMZiixvWXQYppMVciRHESwjHmrTkhLtXmzCRSuccbLZmYKCqWYrjCCLfPzPnmnVNwWBtkpJMJqWjvbb ++DNS.1 = 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 ++DNS.2 = 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 diff --git a/certs.sh b/certs.sh index 603dade..7a50f7a 100755 --- a/certs.sh From 662772c93ace104185c714f5164c6007b8805ab7 Mon Sep 17 00:00:00 2001 From: Wesley Rosenblum Date: Wed, 3 Apr 2024 13:06:41 -0700 Subject: [PATCH 14/14] use https://github.com/quic-interop/quic-interop-runner/pull/376 --- .github/interop/runner.patch | 41 +++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/.github/interop/runner.patch b/.github/interop/runner.patch index 293045844e..6bac111789 100644 --- a/.github/interop/runner.patch +++ b/.github/interop/runner.patch 
@@ -1,21 +1,32 @@ -diff --git a/cert_config.txt b/cert_config.txt -index 9ef33b9..c7d4348 100644 ---- a/cert_config.txt -+++ b/cert_config.txt -@@ -8,3 +8,8 @@ keyUsage=critical, keyCertSign - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid:always,issuer:always - basicConstraints=critical,CA:TRUE,pathlen:100 -+subjectAltName = @alt_names -+ -+[alt_names] -+DNS.1 = 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 -+DNS.2 = 222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222 diff --git a/certs.sh b/certs.sh -index 603dade..7a50f7a 100755 +index 603dade..320f1c0 100755 --- a/certs.sh 
+++ b/certs.sh -@@ -55,6 +55,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key +@@ -21,6 +21,14 @@ openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \ + -extensions v3_ca \ + 2> /dev/null + ++ # Inflate certificate for the amplification test ++ fakedns="" ++ if [ "$CHAINLEN" != "1" ]; then ++ for i in $(seq 1 20); do ++ fakedns="$fakedns,DNS:$(LC_CTYPE=C tr -dc 0-9A-Za-z < /dev/urandom | head -c 250)" ++ done ++ fi ++ + for i in $(seq 1 "$CHAINLEN"); do + # Generate a CSR + SUBJ="interop runner intermediate $i" +@@ -44,7 +52,7 @@ for i in $(seq 1 "$CHAINLEN"); do + else + openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \ + -CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \ +- -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \ ++ -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46$fakedns") \ + 2> /dev/null + fi + done +@@ -55,6 +63,6 @@ cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key # combine certificates for i in $(seq "$CHAINLEN" -1 1); do cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem
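Review bot: Each padding SAN built on the `fakedns=` line is a single 250-character DNS label, which exceeds the 63-octet label limit of RFC 1035; OpenSSL signs it without complaint, but any implementation under test that validates SAN syntax while parsing the leaf could reject the whole chain, and the run would then fail for a reason unrelated to amplification. If that matters, keep the entries well-formed by inserting a dot every 63 characters, e.g. `head -c 250 | fold -w 63 | paste -sd .`, which still pads the certificate by the same amount. Two smaller points on the same lines: `LC_CTYPE=C` is overridden by an `LC_ALL` present in the environment, so `LC_ALL=C tr -dc 0-9A-Za-z` is the robust spelling; and the `printf` on the `-extfile` line interpolates `$fakedns` into its format string, which is safe only because `tr -dc` guarantees the value contains no `%` — `printf '%s' "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46$fakedns"` would not depend on that filter. The certs.sh loop this hunk patches begins and ends outside the hunk.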