qcp 0.8.3

Secure remote file copy utility which uses the QUIC protocol over UDP
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326

//! Security testing - Man-in-the-Middle (MITM) attacks
// (c) 2025 Ross Younger

use std::{
    net::{Ipv4Addr, SocketAddr},
    time::Duration,
};

use rustls_pki_types::CertificateDer;
use tokio::time::timeout;
use x509_certificate::EcdsaCurve;

use qcp::{
    Configuration,
    protocol::{
        compat::Feature,
        control::{Compatibility, ConnectionType},
    },
    transport::ThroughputMode,
    util::Credentials,
};
use qcp::{
    control::create_endpoint,
    protocol::{DataTag, control::CredentialsType},
};

/// This simulates the scenario where either a rogue client attempts to connect to a server,
/// or there is a Man in the Middle attack going on.
///
/// * `modify_certs_fn` (closure type `F`): This closure is called with the original client
///   and server certificates. It is expected to return the same tuple, but may modify or replace
///   either of them. These certificates are passed to the QUIC endpoints as the `peer_cert` parameter.
///
/// * `check_fn` (closure type `G`): This closure is called with the results of the client and server
///   QUIC connection attempts. It is expected to assert that the connections are in the expected state.
async fn run_endpoint_connection<F, G>(
    modify_certs_fn: F,
    check_fn: G,
    compat: Compatibility,
) -> anyhow::Result<()>
where
    F: FnOnce(&Credentials, &Credentials) -> (CertificateDer<'static>, CertificateDer<'static>),
    G: FnOnce(
        anyhow::Result<quinn::Connection>,
        anyhow::Result<quinn::Connection>,
    ) -> anyhow::Result<()>,
{
    let client_credentials = Credentials::generate()?;
    let server_credentials = Credentials::generate()?;
    // CLOSURE 1: Mess with the certificates.
    let (cli_cert_messed, srv_cert_messed) =
        modify_certs_fn(&client_credentials, &server_credentials);

    let cli_cert_messed = if compat.supports(Feature::CMSG_SMSG_2) {
        CredentialsType::RawPublicKey.with_bytes(cli_cert_messed)
    } else {
        CredentialsType::X509.with_bytes(cli_cert_messed)
    };
    let srv_cert_messed = if compat.supports(Feature::CMSG_SMSG_2) {
        CredentialsType::RawPublicKey.with_bytes(srv_cert_messed)
    } else {
        CredentialsType::X509.with_bytes(srv_cert_messed)
    };

    let (server_endpoint, _) = create_endpoint(
        &server_credentials,
        &cli_cert_messed,
        ConnectionType::Ipv4,
        Configuration::system_default(),
        ThroughputMode::Both,
        true,
        compat,
    )?;
    let conn_addr = server_endpoint.local_addr()?;
    eprintln!("Server bound to {conn_addr:?}");
    let conn_addr = SocketAddr::new(Ipv4Addr::LOCALHOST.into(), conn_addr.port());
    let srv_name = server_credentials.hostname.clone();

    let (client_endpoint, _) = create_endpoint(
        &client_credentials,
        &srv_cert_messed,
        ConnectionType::Ipv4,
        Configuration::system_default(),
        ThroughputMode::Both,
        false,
        compat,
    )?;
    eprintln!("Client bound to {:?}", client_endpoint.local_addr()?);

    let srv_hdl = tokio::spawn(async move {
        eprintln!("SERVER: accepting");
        let connecting = timeout(Duration::from_secs(5), server_endpoint.accept())
            .await?
            .ok_or(anyhow::anyhow!("server ended"))
            .and_then(|i| Ok(i.accept()?));

        if let Ok(c) = connecting {
            Ok(c.await?)
        } else {
            anyhow::bail!("server accept failed");
        }
        // a successful result is Ok(Connection { ... })
    });
    let cli_hdl = tokio::spawn(async move {
        eprintln!("CLIENT: connecting to {conn_addr:?}");
        timeout(
            Duration::from_secs(5),
            client_endpoint.connect(conn_addr, &srv_name)?,
        )
        .await
        .map_err(|_| anyhow::anyhow!("client connect timed out"))?
        .map_err(|e| anyhow::anyhow!("client connect failed: {e}"))
        // a successful result is Ok(Connection { ... })
    });

    tokio::pin!(srv_hdl, cli_hdl);
    let res = tokio::join!(srv_hdl, cli_hdl);
    let (srv_res, cli_res) = res;
    // simply unwrap the potential join errors as we don't care about those
    let srv_res = srv_res.unwrap();
    let cli_res = cli_res.unwrap();

    // CLOSURE 2: reason about the results
    check_fn(cli_res, srv_res)
}

// X509 ---------------------------------------------------------------------

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_x509_ok() {
    // Base case for the scenario. No messing with the certs => all is OK
    run_endpoint_connection(
        |cli, srv| (cli.certificate().to_owned(), srv.certificate().to_owned()),
        |cli_res, srv_res| {
            assert!(cli_res.is_ok());
            assert!(srv_res.is_ok());
            Ok(())
        },
        Compatibility::Level(1),
    )
    .await
    .unwrap();
}

/// Replaces the certificate with a new self-signed one.
///
/// This simulates a Man-in-the-Middle attack in either direction,
/// or an unauthorised client trying to connect to the QCP server endpoint.
fn replace_certificate(der: &CertificateDer<'static>) -> Vec<u8> {
    use x509_certificate::{KeyAlgorithm, X509Certificate, X509CertificateBuilder};
    // It's a self signed cert, we don't need to worry about chains.
    let parsed = X509Certificate::from_der(der).unwrap();
    //eprintln!("PARSED: {parsed:#?}");

    let mut builder = X509CertificateBuilder::default();
    let _ = builder
        .subject()
        .append_common_name_utf8_string(&parsed.subject_common_name().unwrap());
    let (newcert, _keypair) = builder
        .create_with_random_keypair(KeyAlgorithm::Ecdsa(EcdsaCurve::Secp256r1))
        .unwrap();

    //eprintln!("NEWCERT: {newcert:#?}");
    newcert.encode_der().unwrap()
}

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_client_x509_mismatch() {
    // mess with the client certificate: client doesn't care, but server refuses it
    run_endpoint_connection(
        |cli, srv| {
            (
                replace_certificate(cli.certificate()).into(),
                srv.certificate().to_owned(),
            )
        },
        |cli_res, srv_res| {
            assert!(cli_res.is_ok());
            assert!(srv_res.is_err());
            let err = srv_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Server result: {err}");
            Ok(())
        },
        Compatibility::Level(1),
    )
    .await
    .unwrap();
}

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_server_x509_mismatch() {
    // mess with the server certificate: client refuses to connect AND server reports that the client aborted
    run_endpoint_connection(
        |cli, srv| {
            (
                cli.certificate().to_owned(),
                replace_certificate(srv.certificate()).into(),
            )
        },
        |cli_res, srv_res| {
            assert!(cli_res.is_err());
            let err = cli_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Client result: {err}");

            assert!(srv_res.is_err());
            let err = srv_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Server result: {err}");
            Ok(())
        },
        Compatibility::Level(1),
    )
    .await
    .unwrap();
}

// RPK ---------------------------------------------------------------------

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_rpk_ok() {
    // Base case for the scenario. No messing with the certs => all is OK
    run_endpoint_connection(
        |cli, srv| {
            (
                cli.as_raw_public_key().unwrap().cert[0].clone(),
                srv.as_raw_public_key().unwrap().cert[0].clone(),
            )
        },
        |cli_res, srv_res| {
            assert!(cli_res.inspect_err(|e| eprintln!("{e}")).is_ok());
            assert!(srv_res.inspect_err(|e| eprintln!("{e}")).is_ok());
            Ok(())
        },
        Compatibility::Level(3),
    )
    .await
    .unwrap();
}

/// Replaces the certificate (which is really an RFC7250 Raw Public Key) with a different one.
///
/// This simulates a Man-in-the-Middle attack in either direction,
/// or an unauthorised client trying to connect to the QCP server endpoint.
fn replace_rpk() -> CertificateDer<'static> {
    let creds = Credentials::generate().unwrap();
    let rpk = creds.as_raw_public_key().unwrap();
    rpk.cert[0].clone()
}

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_client_rpk_mismatch() {
    // mess with the client certificate: client doesn't care, but server refuses it
    run_endpoint_connection(
        |_cli, srv| {
            (
                replace_rpk(),
                srv.as_raw_public_key().unwrap().cert[0].clone(),
            )
        },
        |cli_res, srv_res| {
            assert!(cli_res.inspect_err(|e| eprintln!("{e}")).is_ok());
            assert!(srv_res.is_err());
            let err = srv_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Server result: {err}");
            Ok(())
        },
        Compatibility::Level(3),
    )
    .await
    .unwrap();
}

#[cfg_attr(
    all(target_os = "windows", target_env = "gnu"),
    ignore = "Doesn't work with the mingw cross-compile test runner"
)]
#[tokio::test]
async fn test_server_rpk_mismatch() {
    // mess with the server certificate: client refuses to connect AND server reports that the client aborted
    run_endpoint_connection(
        |cli, _srv| {
            (
                cli.as_raw_public_key().unwrap().cert[0].clone(),
                replace_rpk(),
            )
        },
        |cli_res, srv_res| {
            assert!(cli_res.is_err());
            let err = cli_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Client result: {err}");

            assert!(srv_res.is_err());
            let err = srv_res.unwrap_err();
            assert!(err.to_string().contains("invalid peer certificate"));
            eprintln!("Server result: {err}");
            Ok(())
        },
        Compatibility::Level(3),
    )
    .await
    .unwrap();
}