authorTomas Mraz <tomas@openssl.org>2023-05-11 13:50:21 +0200
committerHugo Landau <hlandau@openssl.org>2023-05-17 14:04:18 +0100
commit80b9eca279772185c32bb8d639af874b00217d6f (patch)
treea93e1aa4c331f3386bccaf841a707037c28d0dee
parentbbc9754026e815429b55c92cf2a70e4ac59464cf (diff)
downloadopenssl-new-80b9eca279772185c32bb8d639af874b00217d6f.tar.gz
Add test for handling NEW_CONNECTION_ID frame
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20892)
-rw-r--r--ssl/quic/quic_tserver.c7
-rw-r--r--test/build.info7
-rw-r--r--test/quic_newcid_test.c173
-rw-r--r--test/recipes/90-test_quicfaults.t5
4 files changed, 190 insertions, 2 deletions
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index cd24d5c59e..8e15587bec 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -397,3 +397,10 @@ int ossl_quic_tserver_stream_has_peer_reset_stream(QUIC_TSERVER *srv,
return qs->peer_reset_stream;
}
+
+int ossl_quic_tserver_set_new_local_cid(QUIC_TSERVER *srv,
+ const QUIC_CONN_ID *conn_id)
+{
+ /* Replace existing local connection ID in the QUIC_CHANNEL */
+ return ossl_quic_channel_replace_local_cid(srv->ch, conn_id);
+}
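Review bot: ossl_quic_tserver_set_new_local_cid hands conn_id straight to ossl_quic_channel_replace_local_cid with no documented contract. Nothing says it is meant for test use, whether conn_id may be NULL, or which ID lengths are acceptable, although the test added in this commit notes that only an 8-byte ID keeps the tserver able to receive packets. I would expand the comment to something like `/* Test-only: replace the channel's local CID; conn_id must be non-NULL and 8 bytes long */`. None of the four files in this commit is a header, so the prototypes for this function and for ossl_quic_channel_replace_local_cid presumably already exist elsewhere; that is worth confirming.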
diff --git a/test/build.info b/test/build.info
index 4f1d19e516..277b631a26 100644
--- a/test/build.info
+++ b/test/build.info
@@ -75,7 +75,8 @@ IF[{- !$disabled{tests} -}]
ENDIF
IF[{- !$disabled{quic} -}]
- PROGRAMS{noinst}=priority_queue_test event_queue_test quicfaultstest quicapitest
+ PROGRAMS{noinst}=priority_queue_test event_queue_test quicfaultstest quicapitest \
+ quic_newcid_test
ENDIF
IF[{- !$disabled{comp} && (!$disabled{brotli} || !$disabled{zstd} || !$disabled{zlib}) -}]
@@ -822,6 +823,10 @@ IF[{- !$disabled{tests} -}]
SOURCE[quicapitest]=quicapitest.c helpers/ssltestlib.c helpers/quictestlib.c
INCLUDE[quicapitest]=../include ../apps/include
DEPEND[quicapitest]=../libcrypto.a ../libssl.a libtestutil.a
+
+ SOURCE[quic_newcid_test]=quic_newcid_test.c helpers/ssltestlib.c helpers/quictestlib.c
+ INCLUDE[quic_newcid_test]=../include ../apps/include ..
+ DEPEND[quic_newcid_test]=../libcrypto.a ../libssl.a libtestutil.a
ENDIF
SOURCE[dhtest]=dhtest.c
diff --git a/test/quic_newcid_test.c b/test/quic_newcid_test.c
new file mode 100644
index 0000000000..69f39bc833
--- /dev/null
+++ b/test/quic_newcid_test.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/ssl.h>
+#include "helpers/quictestlib.h"
+#include "internal/quic_error.h"
+#include "testutil.h"
+
+static char *cert = NULL;
+static char *privkey = NULL;
+
+/*
+ * Inject NEW_CONNECTION_ID frame
+ */
+static int add_ncid_frame_cb(QTEST_FAULT *fault, QUIC_PKT_HDR *hdr,
+ unsigned char *buf, size_t len, void *cbarg)
+{
+ static size_t done = 0;
+ /*
+ * We inject NEW_CONNECTION_ID frame to trigger change of the DCID.
+ * The connection id length must be 8, otherwise the tserver won't be
+ * able to receive packets with this new id.
+ */
+ static unsigned char new_conn_id_frame[] = {
+ 0x18, /* Type */
+ 0x01, /* Sequence Number */
+ 0x01, /* Retire Prior To */
+ 0x08, /* Connection ID Length */
+ 0x33, 0x44, 0x55, 0x66, 0xde, 0xad, 0xbe, 0xef, /* Connection ID */
+ 0xab, 0xcd, 0xef, 0x01, 0x12, 0x32, 0x23, 0x45, /* Stateless Reset Token */
+ 0x56, 0x06, 0x08, 0x89, 0xa1, 0xb2, 0xc3, 0xd4
+ };
+
+ /* We only ever add the unknown frame to one packet */
+ if (done++)
+ return 1;
+
+ return qtest_fault_prepend_frame(fault, new_conn_id_frame,
+ sizeof(new_conn_id_frame));
+}
+
+static int test_ncid_frame(void)
+{
+ int testresult = 0;
+ SSL_CTX *cctx = SSL_CTX_new(OSSL_QUIC_client_method());
+ QUIC_TSERVER *qtserv = NULL;
+ SSL *cssl = NULL;
+ char *msg = "Hello World!";
+ size_t msglen = strlen(msg);
+ unsigned char buf[80];
+ size_t byteswritten;
+ size_t bytesread;
+ QTEST_FAULT *fault = NULL;
+ static const QUIC_CONN_ID conn_id = {
+ 0x08,
+ {0x33, 0x44, 0x55, 0x66, 0xde, 0xad, 0xbe, 0xef}
+ };
+
+ if (!TEST_ptr(cctx))
+ goto err;
+
+ if (!TEST_true(qtest_create_quic_objects(NULL, cctx, cert, privkey, 1,
+ &qtserv, &cssl, &fault)))
+ goto err;
+
+ if (!TEST_true(qtest_create_quic_connection(qtserv, cssl)))
+ goto err;
+
+ if (!TEST_int_eq(SSL_write(cssl, msg, msglen), msglen))
+ goto err;
+
+ ossl_quic_tserver_tick(qtserv);
+ if (!TEST_true(ossl_quic_tserver_read(qtserv, buf, sizeof(buf), &bytesread)))
+ goto err;
+
+ /*
+ * We assume the entire message is read from the server in one go. In
+ * theory this could get fragmented but its a small message so we assume
+ * not.
+ */
+ if (!TEST_mem_eq(msg, msglen, buf, bytesread))
+ goto err;
+
+ /*
+ * Write a message from the server to the client and add
+ * a NEW_CONNECTION_ID frame.
+ */
+ if (!TEST_true(qtest_fault_set_packet_plain_listener(fault,
+ add_ncid_frame_cb,
+ NULL)))
+ goto err;
+ if (!TEST_true(ossl_quic_tserver_set_new_local_cid(qtserv, &conn_id)))
+ goto err;
+ if (!TEST_true(ossl_quic_tserver_write(qtserv, (unsigned char *)msg, msglen,
+ &byteswritten)))
+ goto err;
+
+ if (!TEST_size_t_eq(msglen, byteswritten))
+ goto err;
+
+ ossl_quic_tserver_tick(qtserv);
+ if (!TEST_true(SSL_tick(cssl)))
+ goto err;
+
+ if (!TEST_int_eq(SSL_read(cssl, buf, sizeof(buf)), msglen))
+ goto err;
+
+ if (!TEST_mem_eq(msg, msglen, buf, bytesread))
+ goto err;
+
+ if (!TEST_int_eq(SSL_write(cssl, msg, msglen), msglen))
+ goto err;
+
+ ossl_quic_tserver_tick(qtserv);
+ if (!TEST_true(ossl_quic_tserver_read(qtserv, buf, sizeof(buf), &bytesread)))
+ goto err;
+
+ if (!TEST_mem_eq(msg, msglen, buf, bytesread))
+ goto err;
+
+ testresult = 1;
+ err:
+ qtest_fault_free(fault);
+ SSL_free(cssl);
+ ossl_quic_tserver_free(qtserv);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
+
+OPT_TEST_DECLARE_USAGE("certsdir\n")
+
+int setup_tests(void)
+{
+ char *certsdir = NULL;
+
+ if (!test_skip_common_options()) {
+ TEST_error("Error parsing test options\n");
+ return 0;
+ }
+
+ if (!TEST_ptr(certsdir = test_get_argument(0)))
+ return 0;
+
+ cert = test_mk_file_path(certsdir, "servercert.pem");
+ if (cert == NULL)
+ goto err;
+
+ privkey = test_mk_file_path(certsdir, "serverkey.pem");
+ if (privkey == NULL)
+ goto err;
+
+ ADD_TEST(test_ncid_frame);
+
+ return 1;
+
+ err:
+ OPENSSL_free(cert);
+ OPENSSL_free(privkey);
+ return 0;
+}
+
+void cleanup_tests(void)
+{
+ OPENSSL_free(cert);
+ OPENSSL_free(privkey);
+}
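Review bot: In test_ncid_frame the TEST_mem_eq after SSL_read compares against `bytesread`, which still holds the length from the earlier ossl_quic_tserver_read and is not updated by SSL_read, so the check passes only because both messages have the same length. Since the preceding TEST_int_eq already pins SSL_read's return to msglen, that line can be `if (!TEST_mem_eq(msg, msglen, buf, msglen))`. The comment in add_ncid_frame_cb, `/* We only ever add the unknown frame to one packet */`, should name the NEW_CONNECTION_ID frame instead. In setup_tests the err path frees cert and privkey without resetting them, so if the harness still calls cleanup_tests() after a failed setup (not visible here) cert would be freed twice; adding `cert = privkey = NULL;` after the two frees avoids that.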
diff --git a/test/recipes/90-test_quicfaults.t b/test/recipes/90-test_quicfaults.t
index f4bd8ea9b7..addac8fc0a 100644
--- a/test/recipes/90-test_quicfaults.t
+++ b/test/recipes/90-test_quicfaults.t
@@ -20,7 +20,10 @@ use lib bldtop_dir('.');
plan skip_all => "QUIC protocol is not supported by this OpenSSL build"
if disabled('quic');
-plan tests => 1;
+plan tests => 2;
ok(run(test(["quicfaultstest", srctop_dir("test", "certs")])),
"running quicfaultstest");
+
+ok(run(test(["quic_newcid_test", srctop_dir("test", "certs")])),
+ "running quic_newcid_test");