Rename project to quicnprotochat

2026-02-21 23:37:40 +01:00
parent c9d295c510
commit 3bf3ab23e2
32 changed files with 3370 additions and 1132 deletions


@@ -0,0 +1,48 @@
[package]
name = "quicnprotochat-client"
version = "0.1.0"
edition = "2021"
description = "CLI client for quicnprotochat."
license = "MIT"
[[bin]]
name = "quicnprotochat"
path = "src/main.rs"
[dependencies]
quicnprotochat-core = { path = "../quicnprotochat-core" }
quicnprotochat-proto = { path = "../quicnprotochat-proto" }
openmls_rust_crypto = { workspace = true }
# Serialisation + RPC
capnp = { workspace = true }
capnp-rpc = { workspace = true }
# Async
tokio = { workspace = true }
tokio-util = { workspace = true }
futures = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
bincode = { workspace = true }
# Error handling
anyhow = { workspace = true }
thiserror = { workspace = true }
# Crypto — for fingerprint verification in fetch-key subcommand
sha2 = { workspace = true }
quinn = { workspace = true }
quinn-proto = { workspace = true }
rustls = { workspace = true }
# Logging
tracing = { workspace = true }
tracing-subscriber = { workspace = true }
# CLI
clap = { workspace = true }
[dev-dependencies]
# Integration tests use quicnprotochat-core, quicnprotochat-proto, and capnp-rpc directly.
dashmap = { workspace = true }

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,269 @@
//! Integration test: M2 Authentication Service — KeyPackage upload + fetch.
//!
//! All tests run inside a single `tokio::task::LocalSet` so that `spawn_local`
//! can be used for capnp-rpc tasks (which are `!Send` due to internal `Rc` use).
use std::{collections::VecDeque, sync::Arc};
use capnp::capability::Promise;
use capnp_rpc::{rpc_twoparty_capnp::Side, twoparty, RpcSystem};
use dashmap::DashMap;
use quicnprotochat_core::{
generate_key_package, handshake_initiator, handshake_responder, IdentityKeypair, NoiseKeypair,
};
use quicnprotochat_proto::auth_capnp::authentication_service;
use sha2::{Digest, Sha256};
use tokio::net::{TcpListener, TcpStream};
use tokio_util::compat::{TokioAsyncReadCompatExt, TokioAsyncWriteCompatExt};
// ── Types ─────────────────────────────────────────────────────────────────────
type Store = Arc<DashMap<Vec<u8>, VecDeque<Vec<u8>>>>;
// ── Inline AS server implementation ──────────────────────────────────────────
struct TestAuthService {
store: Store,
}
impl authentication_service::Server for TestAuthService {
fn upload_key_package(
&mut self,
params: authentication_service::UploadKeyPackageParams,
mut results: authentication_service::UploadKeyPackageResults,
) -> Promise<(), capnp::Error> {
let p = match params.get() {
Ok(v) => v,
Err(e) => return Promise::err(e),
};
let ik = match p.get_identity_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let pkg = match p.get_package() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let fp: Vec<u8> = Sha256::digest(&pkg).to_vec();
self.store.entry(ik).or_default().push_back(pkg);
results.get().set_fingerprint(&fp);
Promise::ok(())
}
fn fetch_key_package(
&mut self,
params: authentication_service::FetchKeyPackageParams,
mut results: authentication_service::FetchKeyPackageResults,
) -> Promise<(), capnp::Error> {
let ik = match params.get() {
Ok(p) => match p.get_identity_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
},
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let pkg = self
.store
.get_mut(&ik)
.and_then(|mut q| q.pop_front())
.unwrap_or_default();
results.get().set_package(&pkg);
Promise::ok(())
}
}
// ── Test helpers ──────────────────────────────────────────────────────────────
/// Spawn a server that accepts `n_connections` and returns the bound address.
///
/// Must be called from within a `LocalSet` context so that the internal
/// `spawn_local` calls are associated with the correct LocalSet.
async fn spawn_server(
n_connections: usize,
keypair: Arc<NoiseKeypair>,
store: Store,
) -> std::net::SocketAddr {
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
tokio::task::spawn_local(async move {
for _ in 0..n_connections {
let (stream, _) = listener.accept().await.unwrap();
let kp = Arc::clone(&keypair);
let st = Arc::clone(&store);
tokio::task::spawn_local(async move {
serve_one(stream, kp, st).await;
});
}
});
addr
}
/// Handle a single Noise + capnp-rpc server connection.
async fn serve_one(stream: TcpStream, keypair: Arc<NoiseKeypair>, store: Store) {
let transport = handshake_responder(stream, &keypair).await.unwrap();
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Server,
Default::default(),
);
let svc: authentication_service::Client = capnp_rpc::new_client(TestAuthService { store });
let rpc = RpcSystem::new(Box::new(network), Some(svc.client));
tokio::task::spawn_local(rpc).await.ok();
}
/// Connect and return a client stub. Must run inside a LocalSet.
async fn connect_client(addr: std::net::SocketAddr) -> authentication_service::Client {
let kp = NoiseKeypair::generate();
let stream = TcpStream::connect(addr).await.unwrap();
let transport = handshake_initiator(stream, &kp).await.unwrap();
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Client,
Default::default(),
);
let mut rpc = RpcSystem::new(Box::new(network), None);
let client: authentication_service::Client = rpc.bootstrap(Side::Server);
tokio::task::spawn_local(rpc);
client
}
// ── Tests ─────────────────────────────────────────────────────────────────────
/// Alice uploads a KeyPackage; Bob fetches it. Fingerprints must match.
#[tokio::test]
async fn upload_then_fetch_fingerprints_match() {
let local = tokio::task::LocalSet::new();
local
.run_until(async move {
let store: Store = Arc::new(DashMap::new());
let server_kp = Arc::new(NoiseKeypair::generate());
// Server accepts 2 connections: one for Alice (upload), one for Bob (fetch).
let addr = spawn_server(2, Arc::clone(&server_kp), Arc::clone(&store)).await;
tokio::time::sleep(std::time::Duration::from_millis(10)).await;
// Alice: generate KeyPackage and upload it.
let alice_identity = IdentityKeypair::generate();
let (tls_bytes, local_fp) = generate_key_package(&alice_identity).unwrap();
let alice = connect_client(addr).await;
let mut req = alice.upload_key_package_request();
req.get()
.set_identity_key(&alice_identity.public_key_bytes());
req.get().set_package(&tls_bytes);
let resp = req.send().promise.await.unwrap();
let server_fp = resp.get().unwrap().get_fingerprint().unwrap().to_vec();
assert_eq!(local_fp, server_fp, "server fingerprint must match local");
// Bob: fetch Alice's package by her identity key.
let bob = connect_client(addr).await;
let mut req2 = bob.fetch_key_package_request();
req2.get()
.set_identity_key(&alice_identity.public_key_bytes());
let resp2 = req2.send().promise.await.unwrap();
let fetched = resp2.get().unwrap().get_package().unwrap().to_vec();
assert!(!fetched.is_empty(), "fetched package must not be empty");
assert_eq!(
fetched, tls_bytes,
"fetched bytes must match uploaded bytes"
);
let fetched_fp: Vec<u8> = Sha256::digest(&fetched).to_vec();
assert_eq!(
fetched_fp, local_fp,
"fetched fingerprint must match uploaded"
);
})
.await;
}
/// Fetching a non-existent key returns empty bytes.
#[tokio::test]
async fn fetch_nonexistent_key_returns_empty() {
let local = tokio::task::LocalSet::new();
local
.run_until(async move {
let store: Store = Arc::new(DashMap::new());
let server_kp = Arc::new(NoiseKeypair::generate());
let addr = spawn_server(1, server_kp, store).await;
tokio::time::sleep(std::time::Duration::from_millis(10)).await;
let client = connect_client(addr).await;
let mut req = client.fetch_key_package_request();
req.get().set_identity_key(&[0xAAu8; 32]);
let resp = req.send().promise.await.unwrap();
let pkg = resp.get().unwrap().get_package().unwrap().to_vec();
assert!(pkg.is_empty(), "unknown identity must return empty package");
})
.await;
}
/// Uploading two packages and fetching twice returns them in FIFO order.
#[tokio::test]
async fn packages_consumed_in_fifo_order() {
let local = tokio::task::LocalSet::new();
local
.run_until(async move {
let store: Store = Arc::new(DashMap::new());
// Pre-populate the store directly.
let key = vec![0x01u8; 32];
store
.entry(key.clone())
.or_default()
.extend([vec![1u8, 2, 3], vec![4u8, 5, 6]]);
let server_kp = Arc::new(NoiseKeypair::generate());
// Server accepts 2 connections for the 2 fetches.
let addr = spawn_server(2, server_kp, Arc::clone(&store)).await;
tokio::time::sleep(std::time::Duration::from_millis(10)).await;
let client1 = connect_client(addr).await;
let mut req1 = client1.fetch_key_package_request();
req1.get().set_identity_key(&key);
let pkg1 = req1
.send()
.promise
.await
.unwrap()
.get()
.unwrap()
.get_package()
.unwrap()
.to_vec();
assert_eq!(
pkg1,
vec![1u8, 2, 3],
"first fetch must return first package"
);
let client2 = connect_client(addr).await;
let mut req2 = client2.fetch_key_package_request();
req2.get().set_identity_key(&key);
let pkg2 = req2
.send()
.promise
.await
.unwrap()
.get()
.unwrap()
.get_package()
.unwrap()
.to_vec();
assert_eq!(
pkg2,
vec![4u8, 5, 6],
"second fetch must return second package"
);
})
.await;
}
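Review bot: `connect_client` completes `handshake_initiator` with a fresh client keypair and goes straight to `into_capnp_io()`, so nothing in these tests checks which static key the server presented. Noise_XX delivers the responder's key, but only the caller's comparison against a known key authenticates the peer. The server keypair is in scope in every test, so the helper can take the expected key and check it before building the RPC system: `assert_eq!(transport.remote_static_public_key().expect("no remote static key").to_vec(), expected_server_key);` with `expected_server_key` built from `server_kp.public_bytes().to_vec()`. The same gap is in `connect_as` and `connect_ds` in the MLS group test added by this commit. If the client binary follows the same pattern (its diff is suppressed on this page), it deserves the same check.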


@@ -0,0 +1,433 @@
//! Integration test: full MLS group flow via Authentication Service + Delivery Service.
//!
//! Steps:
//! - Start in-process AS and DS (Noise_XX + capnp-rpc) on a LocalSet.
//! - Alice and Bob generate KeyPackages and upload to AS.
//! - Alice fetches Bob's KeyPackage, creates a group, and invites Bob.
//! - Welcome + application messages traverse the Delivery Service.
//! - Both sides decrypt and confirm plaintext payloads.
use std::{collections::VecDeque, sync::Arc, time::Duration};
use anyhow::Context;
use capnp::capability::Promise;
use capnp_rpc::{rpc_twoparty_capnp::Side, twoparty, RpcSystem};
use dashmap::DashMap;
use quicnprotochat_core::{
handshake_initiator, handshake_responder, GroupMember, IdentityKeypair, NoiseKeypair,
};
use quicnprotochat_proto::{auth_capnp::authentication_service, delivery_capnp::delivery_service};
use sha2::{Digest, Sha256};
use tokio::net::{TcpListener, TcpStream};
use tokio_util::compat::{TokioAsyncReadCompatExt, TokioAsyncWriteCompatExt};
type KeyPackageStore = Arc<DashMap<Vec<u8>, VecDeque<Vec<u8>>>>;
type DeliveryStore = Arc<DashMap<Vec<u8>, VecDeque<Vec<u8>>>>;
/// Full Alice↔Bob MLS round-trip against live AS + DS.
#[tokio::test]
async fn mls_group_end_to_end_round_trip() -> anyhow::Result<()> {
let local = tokio::task::LocalSet::new();
local
.run_until(async move {
let server_keypair = Arc::new(NoiseKeypair::generate());
let kp_store: KeyPackageStore = Arc::new(DashMap::new());
let ds_store: DeliveryStore = Arc::new(DashMap::new());
let as_addr =
spawn_as_server(2, Arc::clone(&server_keypair), Arc::clone(&kp_store)).await;
let ds_addr =
spawn_ds_server(2, Arc::clone(&server_keypair), Arc::clone(&ds_store)).await;
tokio::time::sleep(Duration::from_millis(10)).await;
let alice_id = Arc::new(IdentityKeypair::generate());
let bob_id = Arc::new(IdentityKeypair::generate());
let mut alice = GroupMember::new(Arc::clone(&alice_id));
let mut bob = GroupMember::new(Arc::clone(&bob_id));
let alice_kp = alice.generate_key_package()?;
let bob_kp = bob.generate_key_package()?;
let alice_as = connect_as(as_addr, &NoiseKeypair::generate()).await?;
let bob_as = connect_as(as_addr, &NoiseKeypair::generate()).await?;
upload_key_package(&alice_as, &alice_id.public_key_bytes(), &alice_kp).await?;
upload_key_package(&bob_as, &bob_id.public_key_bytes(), &bob_kp).await?;
let fetched_bob_kp = fetch_key_package(&alice_as, &bob_id.public_key_bytes()).await?;
anyhow::ensure!(
!fetched_bob_kp.is_empty(),
"AS must return Bob's KeyPackage"
);
alice.create_group(b"m3-integration")?;
let (_commit, welcome) = alice.add_member(&fetched_bob_kp)?;
let alice_ds = connect_ds(ds_addr, &NoiseKeypair::generate()).await?;
let bob_ds = connect_ds(ds_addr, &NoiseKeypair::generate()).await?;
enqueue(&alice_ds, &bob_id.public_key_bytes(), &welcome).await?;
let welcome_payloads = fetch_all(&bob_ds, &bob_id.public_key_bytes()).await?;
let welcome_bytes = welcome_payloads
.first()
.cloned()
.context("welcome must be present")?;
bob.join_group(&welcome_bytes)?;
let ct_ab = alice.send_message(b"hello bob")?;
enqueue(&alice_ds, &bob_id.public_key_bytes(), &ct_ab).await?;
let bob_msgs = fetch_all(&bob_ds, &bob_id.public_key_bytes()).await?;
let ab_plaintext = bob
.receive_message(bob_msgs.first().context("missing alice→bob payload")?)?
.context("alice→bob must be application message")?;
assert_eq!(ab_plaintext, b"hello bob");
let ct_ba = bob.send_message(b"hello alice")?;
enqueue(&bob_ds, &alice_id.public_key_bytes(), &ct_ba).await?;
let alice_msgs = fetch_all(&alice_ds, &alice_id.public_key_bytes()).await?;
let ba_plaintext = alice
.receive_message(alice_msgs.first().context("missing bob→alice payload")?)?
.context("bob→alice must be application message")?;
assert_eq!(ba_plaintext, b"hello alice");
Ok(())
})
.await
}
// ── Test helpers ────────────────────────────────────────────────────────────
async fn spawn_as_server(
n_connections: usize,
keypair: Arc<NoiseKeypair>,
store: KeyPackageStore,
) -> std::net::SocketAddr {
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
tokio::task::spawn_local(async move {
for _ in 0..n_connections {
let (stream, _) = listener.accept().await.unwrap();
let kp = Arc::clone(&keypair);
let st = Arc::clone(&store);
tokio::task::spawn_local(async move {
serve_as_connection(stream, kp, st).await;
});
}
});
addr
}
async fn serve_as_connection(
stream: TcpStream,
keypair: Arc<NoiseKeypair>,
store: KeyPackageStore,
) {
let transport = handshake_responder(stream, &keypair).await.unwrap();
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Server,
Default::default(),
);
let service: authentication_service::Client = capnp_rpc::new_client(AuthService { store });
RpcSystem::new(Box::new(network), Some(service.client))
.await
.ok();
}
async fn spawn_ds_server(
n_connections: usize,
keypair: Arc<NoiseKeypair>,
store: DeliveryStore,
) -> std::net::SocketAddr {
let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
let addr = listener.local_addr().unwrap();
tokio::task::spawn_local(async move {
for _ in 0..n_connections {
let (stream, _) = listener.accept().await.unwrap();
let kp = Arc::clone(&keypair);
let st = Arc::clone(&store);
tokio::task::spawn_local(async move {
serve_ds_connection(stream, kp, st).await;
});
}
});
addr
}
async fn serve_ds_connection(stream: TcpStream, keypair: Arc<NoiseKeypair>, store: DeliveryStore) {
let transport = handshake_responder(stream, &keypair).await.unwrap();
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Server,
Default::default(),
);
let service: delivery_service::Client = capnp_rpc::new_client(DeliveryService { store });
RpcSystem::new(Box::new(network), Some(service.client))
.await
.ok();
}
async fn connect_as(
addr: std::net::SocketAddr,
noise_keypair: &NoiseKeypair,
) -> anyhow::Result<authentication_service::Client> {
let stream = TcpStream::connect(addr)
.await
.with_context(|| format!("could not connect to AS at {addr}"))?;
let transport = handshake_initiator(stream, noise_keypair)
.await
.context("Noise handshake to AS failed")?;
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Client,
Default::default(),
);
let mut rpc = RpcSystem::new(Box::new(network), None);
let client: authentication_service::Client = rpc.bootstrap(Side::Server);
tokio::task::spawn_local(rpc);
Ok(client)
}
async fn connect_ds(
addr: std::net::SocketAddr,
noise_keypair: &NoiseKeypair,
) -> anyhow::Result<delivery_service::Client> {
let stream = TcpStream::connect(addr)
.await
.with_context(|| format!("could not connect to DS at {addr}"))?;
let transport = handshake_initiator(stream, noise_keypair)
.await
.context("Noise handshake to DS failed")?;
let (reader, writer) = transport.into_capnp_io();
let network = twoparty::VatNetwork::new(
reader.compat(),
writer.compat_write(),
Side::Client,
Default::default(),
);
let mut rpc = RpcSystem::new(Box::new(network), None);
let client: delivery_service::Client = rpc.bootstrap(Side::Server);
tokio::task::spawn_local(rpc);
Ok(client)
}
async fn upload_key_package(
as_client: &authentication_service::Client,
identity_key: &[u8],
package: &[u8],
) -> anyhow::Result<()> {
let mut req = as_client.upload_key_package_request();
req.get().set_identity_key(identity_key);
req.get().set_package(package);
let resp = req
.send()
.promise
.await
.context("upload_key_package RPC failed")?;
let server_fp = resp
.get()
.context("upload_key_package: bad response")?
.get_fingerprint()
.context("upload_key_package: missing fingerprint")?
.to_vec();
let local_fp: Vec<u8> = Sha256::digest(package).to_vec();
anyhow::ensure!(server_fp == local_fp, "fingerprint mismatch");
Ok(())
}
async fn fetch_key_package(
as_client: &authentication_service::Client,
identity_key: &[u8],
) -> anyhow::Result<Vec<u8>> {
let mut req = as_client.fetch_key_package_request();
req.get().set_identity_key(identity_key);
let resp = req
.send()
.promise
.await
.context("fetch_key_package RPC failed")?;
let pkg = resp
.get()
.context("fetch_key_package: bad response")?
.get_package()
.context("fetch_key_package: missing package")?
.to_vec();
Ok(pkg)
}
async fn enqueue(
ds_client: &delivery_service::Client,
recipient_key: &[u8],
payload: &[u8],
) -> anyhow::Result<()> {
let mut req = ds_client.enqueue_request();
req.get().set_recipient_key(recipient_key);
req.get().set_payload(payload);
req.send().promise.await.context("enqueue RPC failed")?;
Ok(())
}
async fn fetch_all(
ds_client: &delivery_service::Client,
recipient_key: &[u8],
) -> anyhow::Result<Vec<Vec<u8>>> {
let mut req = ds_client.fetch_request();
req.get().set_recipient_key(recipient_key);
let resp = req.send().promise.await.context("fetch RPC failed")?;
let list = resp
.get()
.context("fetch: bad response")?
.get_payloads()
.context("fetch: missing payloads")?;
let mut payloads = Vec::with_capacity(list.len() as usize);
for i in 0..list.len() {
payloads.push(list.get(i).context("fetch: payload read failed")?.to_vec());
}
Ok(payloads)
}
// ── Inline service implementations ─────────────────────────────────────────-
struct AuthService {
store: KeyPackageStore,
}
impl authentication_service::Server for AuthService {
fn upload_key_package(
&mut self,
params: authentication_service::UploadKeyPackageParams,
mut results: authentication_service::UploadKeyPackageResults,
) -> Promise<(), capnp::Error> {
let params = match params.get() {
Ok(p) => p,
Err(e) => return Promise::err(e),
};
let ik = match params.get_identity_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let pkg = match params.get_package() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let fp: Vec<u8> = Sha256::digest(&pkg).to_vec();
self.store.entry(ik).or_default().push_back(pkg);
results.get().set_fingerprint(&fp);
Promise::ok(())
}
fn fetch_key_package(
&mut self,
params: authentication_service::FetchKeyPackageParams,
mut results: authentication_service::FetchKeyPackageResults,
) -> Promise<(), capnp::Error> {
let ik = match params.get() {
Ok(p) => match p.get_identity_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
},
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let pkg = self
.store
.get_mut(&ik)
.and_then(|mut q| q.pop_front())
.unwrap_or_default();
results.get().set_package(&pkg);
Promise::ok(())
}
}
struct DeliveryService {
store: DeliveryStore,
}
impl delivery_service::Server for DeliveryService {
fn enqueue(
&mut self,
params: delivery_service::EnqueueParams,
_results: delivery_service::EnqueueResults,
) -> Promise<(), capnp::Error> {
let params = match params.get() {
Ok(p) => p,
Err(e) => return Promise::err(e),
};
let recipient = match params.get_recipient_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let payload = match params.get_payload() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
self.store.entry(recipient).or_default().push_back(payload);
Promise::ok(())
}
fn fetch(
&mut self,
params: delivery_service::FetchParams,
mut results: delivery_service::FetchResults,
) -> Promise<(), capnp::Error> {
let recipient = match params.get() {
Ok(p) => match p.get_recipient_key() {
Ok(v) => v.to_vec(),
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
},
Err(e) => return Promise::err(capnp::Error::failed(format!("{e}"))),
};
let messages: Vec<Vec<u8>> = self
.store
.get_mut(&recipient)
.map(|mut q| q.drain(..).collect())
.unwrap_or_default();
let mut list = results.get().init_payloads(messages.len() as u32);
for (i, msg) in messages.iter().enumerate() {
list.set(i as u32, msg);
}
Promise::ok(())
}
}
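Review bot: `DeliveryService::fetch` drains and returns the whole queue for whatever `recipient_key` the caller names, and `bob_ds` is connected with a throwaway `NoiseKeypair` unrelated to `bob_id`, so the test passes only because the double does not tie a fetch to the authenticated peer. If the production DS (not visible on this page) behaves the same way, any connected client could empty another member's queue. The double should at least say the omission is deliberate, e.g. `// Test double: no check that the caller owns recipient_key.` The assertions can also be tightened: `bob_msgs.first()` ignores extra payloads, so `anyhow::ensure!(bob_msgs.len() == 1, "expected exactly one payload");` would catch an unexpected re-delivery.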


@@ -0,0 +1,201 @@
//! M1 integration test: Noise_XX handshake + Ping/Pong round-trip.
//!
//! Both the server-side and client-side logic run in the same Tokio runtime
//! using `tokio::spawn`. The test verifies:
//!
//! 1. The Noise_XX handshake completes from both sides.
//! 2. A Ping sent by the client arrives as a Ping on the server side.
//! 3. The server's Pong arrives correctly on the client side.
//! 4. Mutual authentication: each peer's observed remote static key matches the
//! other peer's actual public key (the core security property of XX).
use std::sync::Arc;
use tokio::net::TcpListener;
use quicnprotochat_core::{handshake_initiator, handshake_responder, NoiseKeypair};
use quicnprotochat_proto::{MsgType, ParsedEnvelope};
/// Completes a full Noise_XX handshake and Ping/Pong exchange, then verifies
/// mutual authentication by comparing observed vs. actual static public keys.
#[tokio::test]
async fn noise_xx_ping_pong_round_trip() {
let server_keypair = Arc::new(NoiseKeypair::generate());
let client_keypair = NoiseKeypair::generate();
// Bind the listener *before* spawning so the port is ready when the client
// calls connect — no sleep or retry needed.
let listener = TcpListener::bind("127.0.0.1:0")
.await
.expect("failed to bind test listener");
let server_addr = listener.local_addr().expect("failed to get local addr");
// ── Server task ───────────────────────────────────────────────────────────
//
// Handles exactly one connection: completes the handshake, asserts that it
// receives a Ping, sends a Pong, then returns the client's observed key.
let server_kp = Arc::clone(&server_keypair);
let server_task = tokio::spawn(async move {
let (stream, _peer) = listener.accept().await.expect("server accept failed");
let mut transport = handshake_responder(stream, &server_kp)
.await
.expect("server Noise_XX handshake failed");
let env = transport
.recv_envelope()
.await
.expect("server recv_envelope failed");
match env.msg_type {
MsgType::Ping => {}
_ => panic!("server expected Ping, received a different message type"),
}
transport
.send_envelope(&ParsedEnvelope {
msg_type: MsgType::Pong,
group_id: vec![],
sender_id: vec![],
payload: vec![],
timestamp_ms: 0,
})
.await
.expect("server send_envelope failed");
// Return the client's public key as authenticated by the server.
transport
.remote_static_public_key()
.expect("server: no remote static key after completed XX handshake")
.to_vec()
});
// ── Client side ───────────────────────────────────────────────────────────
let stream = tokio::net::TcpStream::connect(server_addr)
.await
.expect("client connect failed");
let mut transport = handshake_initiator(stream, &client_keypair)
.await
.expect("client Noise_XX handshake failed");
// Capture the server's public key as authenticated by the client.
let server_key_seen_by_client = transport
.remote_static_public_key()
.expect("client: no remote static key after completed XX handshake")
.to_vec();
transport
.send_envelope(&ParsedEnvelope {
msg_type: MsgType::Ping,
group_id: vec![],
sender_id: vec![],
payload: vec![],
timestamp_ms: 1_700_000_000_000,
})
.await
.expect("client send_envelope failed");
let pong = tokio::time::timeout(std::time::Duration::from_secs(5), transport.recv_envelope())
.await
.expect("timed out waiting for Pong — server task likely panicked")
.expect("client recv_envelope failed");
match pong.msg_type {
MsgType::Pong => {}
_ => panic!("client expected Pong, received a different message type"),
}
// ── Mutual authentication assertions ──────────────────────────────────────
let client_key_seen_by_server = server_task
.await
.expect("server task panicked — see output above");
// The server authenticated the client's static public key correctly.
assert_eq!(
client_key_seen_by_server,
client_keypair.public_bytes().to_vec(),
"server's authenticated view of client key does not match client's actual public key"
);
// The client authenticated the server's static public key correctly.
assert_eq!(
server_key_seen_by_client,
server_keypair.public_bytes().to_vec(),
"client's authenticated view of server key does not match server's actual public key"
);
}
/// A second independent connection on the same server must also succeed,
/// confirming that the server keypair reuse across connections is correct.
#[tokio::test]
async fn two_sequential_connections_both_authenticate() {
let server_keypair = Arc::new(NoiseKeypair::generate());
let listener = TcpListener::bind("127.0.0.1:0").await.expect("bind failed");
let server_addr = listener.local_addr().expect("local_addr failed");
let server_kp = Arc::clone(&server_keypair);
tokio::spawn(async move {
for _ in 0..2_u8 {
let (stream, _) = listener.accept().await.expect("accept failed");
let kp = Arc::clone(&server_kp);
tokio::spawn(async move {
let mut t = handshake_responder(stream, &kp)
.await
.expect("server handshake failed");
let env = t.recv_envelope().await.expect("recv failed");
match env.msg_type {
MsgType::Ping => {}
_ => panic!("expected Ping"),
}
t.send_envelope(&ParsedEnvelope {
msg_type: MsgType::Pong,
group_id: vec![],
sender_id: vec![],
payload: vec![],
timestamp_ms: 0,
})
.await
.expect("server send failed");
});
}
});
for _ in 0..2_u8 {
let kp = NoiseKeypair::generate();
let stream = tokio::net::TcpStream::connect(server_addr)
.await
.expect("connect failed");
let mut t = handshake_initiator(stream, &kp)
.await
.expect("client handshake failed");
t.send_envelope(&ParsedEnvelope {
msg_type: MsgType::Ping,
group_id: vec![],
sender_id: vec![],
payload: vec![],
timestamp_ms: 0,
})
.await
.expect("client send failed");
let pong = tokio::time::timeout(std::time::Duration::from_secs(5), t.recv_envelope())
.await
.expect("timeout")
.expect("recv failed");
match pong.msg_type {
MsgType::Pong => {}
_ => panic!("expected Pong"),
}
// Each client sees the *same* server public key (key reuse across connections).
let seen = t
.remote_static_public_key()
.expect("no remote key")
.to_vec();
assert_eq!(seen, server_keypair.public_bytes().to_vec());
}
}
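Review bot: `two_sequential_connections_both_authenticate` asserts only the client's view of the server key; the per-connection server tasks never read `remote_static_public_key()`, so the server half of "both authenticate" is untested. Their `JoinHandle`s are also dropped, so a server-side panic surfaces only as the client's 5-second timeout. Because the clients connect one after another, the server loop can handle each connection inline, record the client key it saw, and return the list for comparison, as the first test does for its single connection. The sketch below shows the changed lines.

```rust
let server_task = tokio::spawn(async move {
    let mut seen_clients = Vec::new();
    for _ in 0..2_u8 {
        let (stream, _) = listener.accept().await.expect("accept failed");
        let mut t = handshake_responder(stream, &server_kp)
            .await
            .expect("server handshake failed");
        // … unchanged: expect Ping, send Pong …
        seen_clients.push(
            t.remote_static_public_key()
                .expect("server: no remote key")
                .to_vec(),
        );
    }
    seen_clients
});
// … unchanged: client loop, additionally pushing kp.public_bytes().to_vec() into `client_keys` …
assert_eq!(
    server_task.await.expect("server task panicked"),
    client_keys,
    "server's view of each client key must match the key that client used"
);
```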