protocol: add AEAD encryption negotiation to v2 wire control channel (#5304)

pkg/util/net/conn_test.go

@@ -0,0 +1,118 @@
+// Copyright 2026 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package net
+
+import (
+	"bytes"
+	"io"
+	stdnet "net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/fatedier/frp/pkg/proto/wire"
+)
+
+func TestNewAEADCryptoReadWriterRoundTrip(t *testing.T) {
+	clientConn, serverConn := stdnet.Pipe()
+	defer clientConn.Close()
+	defer serverConn.Close()
+
+	key := []byte("token")
+	transcriptHash := bytes.Repeat([]byte{0x11}, 32)
+	clientRW, err := NewAEADCryptoReadWriter(
+		clientConn,
+		key,
+		AEADCryptoRoleClient,
+		wire.AEADAlgorithmXChaCha20Poly1305,
+		transcriptHash,
+	)
+	require.NoError(t, err)
+	serverRW, err := NewAEADCryptoReadWriter(
+		serverConn,
+		key,
+		AEADCryptoRoleServer,
+		wire.AEADAlgorithmXChaCha20Poly1305,
+		transcriptHash,
+	)
+	require.NoError(t, err)
+
+	clientErrCh := make(chan error, 1)
+	go func() {
+		if _, err := clientRW.Write([]byte("ping")); err != nil {
+			clientErrCh <- err
+			return
+		}
+		buf := make([]byte, len("pong"))
+		_, err := io.ReadFull(clientRW, buf)
+		clientErrCh <- err
+	}()
+
+	buf := make([]byte, len("ping"))
+	_, err = io.ReadFull(serverRW, buf)
+	require.NoError(t, err)
+	require.Equal(t, "ping", string(buf))
+	_, err = serverRW.Write([]byte("pong"))
+	require.NoError(t, err)
+	require.NoError(t, <-clientErrCh)
+}
+
+func TestNewAEADCryptoReadWriterRejectsDifferentTranscript(t *testing.T) {
+	clientConn, serverConn := stdnet.Pipe()
+	defer clientConn.Close()
+	defer serverConn.Close()
+	require.NoError(t, clientConn.SetDeadline(time.Now().Add(time.Second)))
+	require.NoError(t, serverConn.SetDeadline(time.Now().Add(time.Second)))
+
+	key := []byte("token")
+	clientRW, err := NewAEADCryptoReadWriter(
+		clientConn,
+		key,
+		AEADCryptoRoleClient,
+		wire.AEADAlgorithmAES256GCM,
+		bytes.Repeat([]byte{0x22}, 32),
+	)
+	require.NoError(t, err)
+	serverRW, err := NewAEADCryptoReadWriter(
+		serverConn,
+		key,
+		AEADCryptoRoleServer,
+		wire.AEADAlgorithmAES256GCM,
+		bytes.Repeat([]byte{0x33}, 32),
+	)
+	require.NoError(t, err)
+
+	writeErrCh := make(chan error, 1)
+	go func() {
+		_, err := clientRW.Write([]byte("ping"))
+		writeErrCh <- err
+	}()
+
+	buf := make([]byte, len("ping"))
+	_, err = io.ReadFull(serverRW, buf)
+	require.Error(t, err)
+	require.NoError(t, <-writeErrCh)
+}
+
+func TestDeriveAEADControlKeysUsesDistinctDirections(t *testing.T) {
+	clientToServerKey, serverToClientKey, err := deriveAEADControlKeys(
+		[]byte("token"),
+		wire.AEADAlgorithmXChaCha20Poly1305,
+		bytes.Repeat([]byte{0x44}, 32),
+	)
+	require.NoError(t, err)
+	require.NotEqual(t, clientToServerKey, serverToClientKey)
+}