annotate h3_ssl_early_data.t @ 1938:e1059682aeef

Tests: fixed ClientHello when resending Initial QUIC packets. Previously it was rebuilt each time with a distinct ClientHello.random, resulting in a different CRYPTO payload. As a result, the TLS handshake transcript hash and the secrets derived from it did not match when an Initial packet was resent. Now the ClientHello is built once and reused when resending Initial packets. Additionally, this required preserving the generated secret value used in the shared secret calculation as part of the TLS key schedule. Previously it was regenerated when a Retry packet was received, but this won't work with a reused ClientHello, as the resulting shared secrets won't match.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 30 Aug 2023 02:22:58 +0400
parents 22f45bf99a9e
children
#!/usr/bin/perl

# (C) Sergey Kandaurov
# (C) Nginx, Inc.

# Tests for TLS early data with HTTP/3.
#
# Exercises 0-RTT ("early data") session resumption over QUIC: a first
# connection establishes a session, a second connection resumes it with a
# request sent as early data, and a later stream on that resumed connection
# is sent as ordinary 1-RTT data.  The $ssl_session_reused and
# $ssl_early_data variables are echoed back in response headers and checked.

###############################################################################

use warnings;
use strict;

use Test::More;

BEGIN { use FindBin; chdir($FindBin::Bin); }

use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP3;

###############################################################################

# unbuffered output so test diagnostics interleave correctly
select STDERR; $| = 1;
select STDOUT; $| = 1;

# requires the http_v3 module and the CryptX Perl module (presumably used by
# the Test::Nginx::HTTP3 client for TLS); plan(5) matches the five is()
# checks below
my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
	->has_daemon('openssl')->plan(5)
	->write_file_expand('nginx.conf', <<'EOF');

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
    %%TEST_GLOBALS_HTTP%%

    ssl_certificate_key localhost.key;
    ssl_certificate localhost.crt;
    ssl_early_data on;

    add_header X-Session $ssl_session_reused always;
    add_header X-Early $ssl_early_data always;

    server {
        listen 127.0.0.1:%%PORT_8980_UDP%% quic;
        server_name localhost;
    }
}

EOF

# minimal openssl config for a self-signed test certificate; encrypt_key = no
# writes the private key unencrypted so nginx can load it without a passphrase
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# self-signed certificate and key per server name; the command goes through
# the shell because of the output redirection, which is acceptable here only
# because $d (the test directory) and $name (a fixed list) are not
# attacker-controlled
foreach my $name ('localhost') {
	system('openssl req -x509 -new '
		. "-config $d/openssl.conf -subj /CN=$name/ "
		. "-out $d/$name.crt -keyout $d/$name.key "
		. ">>$d/openssl.out 2>&1") == 0
		or die "Can't create certificate for $name: $!\n";
}

$t->run();

###############################################################################

# first connection: nothing to resume, so $ssl_session_reused is "."
my $s = Test::Nginx::HTTP3->new(8980);
my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);

my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{'x-session'}, '.', 'new session');

# file-scope local: every remaining check is TODO when built with LibreSSL
local $TODO = 'no TLSv1.3 sessions in LibreSSL' if $t->has_module('LibreSSL');

# PSKs collected on the first connection (presumably from NewSessionTicket)
# are handed to a new connection to resume the session; early_data => {}
# appears to make the client send its first request on stream 0 as 0-RTT
my $psk_list = $s->{psk_list};

$s = Test::Nginx::HTTP3->new(8980, psk_list => $psk_list, early_data => {});

TODO: {
# 0-RTT is only expected to work with OpenSSL+quic, BoringSSL or LibreSSL
local $TODO = 'no 0-RTT in OpenSSL compat layer'
	unless $t->has_module('OpenSSL [.0-9]+\+quic')
	or $t->has_module('BoringSSL')
	or $t->has_module('LibreSSL');

# NOTE(review): a request accepted as early data is replayable by design
# (RFC 8446 section 8, RFC 8470); $ssl_early_data = "1" is what lets an
# application refuse non-idempotent early requests.  This test only checks
# that the variable is exposed, not that anything is rejected.
$frames = $s->read(all => [{ sid => 0, fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{'x-session'}, 'r', 'reused session 0rtt');
is($frame->{headers}->{'x-early'}, '1', 'reused session is early');

}

# a later stream on the same resumed connection is regular 1-RTT data: the
# session is still reused, but the X-Early header is absent (presumably
# $ssl_early_data is empty and add_header skips an empty value)
$frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{'x-session'}, 'r', 'reused session 1rtt');
is($frame->{headers}->{'x-early'}, undef, 'reused session not early');

###############################################################################