Mercurial > hg > nginx-tests

annotate quic_ciphers.t @ 1938:e1059682aeef

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tests: fixed ClientHello with resending Initial QUIC packets. Previously it was rebuilt each time using distinct ClientHello.random resulting in different CRYPTO payload. As such, it led to TLS digest hash and derived secrets mismatch when resending Initial packet. Now ClientHello is built once and reused when resending Initial packets. Additionally, this required to preserve a generated secret value used in shared secret calculation as part of TLS key schedule. Previously it was regenerated when receiving a Retry packet, but this won't work with reused ClientHello as the resulting shared secrets won't match.
author Sergey Kandaurov <pluknet@nginx.com>
date Wed, 30 Aug 2023 02:22:58 +0400
parents 161dc73812b3
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1911
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
1 #!/usr/bin/perl
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
2
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
3 # (C) Sergey Kandaurov
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
4 # (C) Nginx, Inc.
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
5
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
6 # Tests for various TLSv1.3 ciphers in QUIC.
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
7
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
8 ###############################################################################
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
9
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
10 use warnings;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
11 use strict;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
12
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
13 use Test::More;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
14
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
15 BEGIN { use FindBin; chdir($FindBin::Bin); }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
16
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
17 use lib 'lib';
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
18 use Test::Nginx;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
19 use Test::Nginx::HTTP3;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
20
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
21 ###############################################################################
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
22
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
23 select STDERR; $| = 1;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
24 select STDOUT; $| = 1;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
25
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
26 my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/)
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
27 ->has_daemon('openssl')->plan(5);
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
28
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
29 $t->write_file_expand('nginx.conf', <<'EOF');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
30
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
31 %%TEST_GLOBALS%%
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
32
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
33 daemon off;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
34
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
35 events {
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
36 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
37
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
38 http {
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
39 %%TEST_GLOBALS_HTTP%%
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
40
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
41 ssl_certificate_key localhost.key;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
42 ssl_certificate localhost.crt;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
43
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
44 server {
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
45 listen 127.0.0.1:%%PORT_8980_UDP%% quic;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
46 server_name localhost;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
47
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
48 location / {
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
49 add_header x-cipher $ssl_cipher;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
50 add_header x-ciphers $ssl_ciphers;
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
51 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
52 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
53 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
54
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
55 EOF
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
56
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
57 $t->write_file('openssl.conf', <<EOF);
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
58 [ req ]
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
59 default_bits = 2048
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
60 encrypt_key = no
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
61 distinguished_name = req_distinguished_name
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
62 [ req_distinguished_name ]
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
63 EOF
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
64
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
65 my $d = $t->testdir();
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
66
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
67 foreach my $name ('localhost') {
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
68 system('openssl req -x509 -new '
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
69 . "-config $d/openssl.conf -subj /CN=$name/ "
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
70 . "-out $d/$name.crt -keyout $d/$name.key "
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
71 . ">>$d/openssl.out 2>&1") == 0
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
72 or die "Can't create certificate for $name: $!\n";
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
73 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
74
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
75 $t->write_file('index.html', '');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
76 $t->run();
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
77
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
78 ###############################################################################
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
79
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
80 is(get("\x13\x01"), 'TLS_AES_128_GCM_SHA256', 'TLS_AES_128_GCM_SHA256');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
81 is(get("\x13\x02"), 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
82 is(get("\x13\x03"), 'TLS_CHACHA20_POLY1305_SHA256',
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
83 'TLS_CHACHA20_POLY1305_SHA256');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
84
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
85 # TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
86
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
87 is(get("\x13\x02\x13\x01"), 'TLS_AES_256_GCM_SHA384', 'ciphers many');
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
88
1916
6ab08c255dd3 Tests: removed quic_ciphers.t TODO, CCM cipher now supported.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1912
diff changeset
89 # prefer TLS_AES_128_CCM_SHA256 with fallback to GCM,
6ab08c255dd3 Tests: removed quic_ciphers.t TODO, CCM cipher now supported.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1912
diff changeset
90 # the cipher is enabled by default in some distributions
1912
f61d1b4ac638 Tests: unbreak quic_ciphers.t with AEAD_AES_128_CCM enabled.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1911
diff changeset
91
1919
161dc73812b3 Tests: keep QUIC TODOs for a while.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1916
diff changeset
92 TODO: {
161dc73812b3 Tests: keep QUIC TODOs for a while.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1916
diff changeset
93 todo_skip 'not yet', 1 unless $t->has_version('1.25.2');
161dc73812b3 Tests: keep QUIC TODOs for a while.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1916
diff changeset
94
1916
6ab08c255dd3 Tests: removed quic_ciphers.t TODO, CCM cipher now supported.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1912
diff changeset
95 like(get("\x13\x04\x13\x01"), qr/TLS_AES_128_[GC]CM_SHA256/,
1912
f61d1b4ac638 Tests: unbreak quic_ciphers.t with AEAD_AES_128_CCM enabled.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1911
diff changeset
96 'TLS_AES_128_CCM_SHA256');
1911
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
97
1919
161dc73812b3 Tests: keep QUIC TODOs for a while.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1916
diff changeset
98 }
161dc73812b3 Tests: keep QUIC TODOs for a while.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1916
diff changeset
99
1911
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
100 ###############################################################################
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
101
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
102 sub get {
1916
6ab08c255dd3 Tests: removed quic_ciphers.t TODO, CCM cipher now supported.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1912
diff changeset
103 my ($ciphers) = @_;
6ab08c255dd3 Tests: removed quic_ciphers.t TODO, CCM cipher now supported.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1912
diff changeset
104 my $s = Test::Nginx::HTTP3->new(8980, ciphers => $ciphers);
1911
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
105 my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]);
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
106
1912
f61d1b4ac638 Tests: unbreak quic_ciphers.t with AEAD_AES_128_CCM enabled.
Sergey Kandaurov <pluknet@nginx.com>
parents: 1911
diff changeset
107 my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
1911
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
108 return $frame->{headers}->{'x-cipher'};
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
109 }
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
110
2c5ae1e75db4 Tests: tests for TLSv1.3 ciphers in QUIC connections.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff changeset
111 ###############################################################################