Mercurial > hg > nginx-tests
annotate quic_key_update.t @ 1938:e1059682aeef
Tests: fixed ClientHello with resending Initial QUIC packets.
Previously it was rebuilt each time using distinct ClientHello.random
resulting in different CRYPTO payload. As such, it led to TLS digest
hash and derived secrets mismatch when resending Initial packet. Now
ClientHello is built once and reused when resending Initial packets.
Additionally, this required to preserve a generated secret value used
in shared secret calculation as part of TLS key schedule. Previously
it was regenerated when receiving a Retry packet, but this won't work
with reused ClientHello as the resulting shared secrets won't match.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 30 Aug 2023 02:22:58 +0400 |
| parents | afe4af958e53 |
| children |
| rev | line source |
|---|---|
|
1930
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for QUIC key update. |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 use lib 'lib'; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use Test::Nginx; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use Test::Nginx::HTTP3; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 ############################################################################### |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDERR; $| = 1; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDOUT; $| = 1; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 my $t = Test::Nginx->new()->has(qw/http http_v3 cryptx/) |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 ->has_daemon('openssl')->plan(3); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
28 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 %%TEST_GLOBALS%% |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 daemon off; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 events { |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 http { |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 %%TEST_GLOBALS_HTTP%% |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 ssl_certificate_key localhost.key; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 ssl_certificate localhost.crt; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 server { |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 listen 127.0.0.1:%%PORT_8980_UDP%% quic; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
46 server_name localhost; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
47 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 location / { } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 EOF |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
53 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 $t->write_file('openssl.conf', <<EOF); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 [ req ] |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
56 default_bits = 2048 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 encrypt_key = no |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 distinguished_name = req_distinguished_name |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 [ req_distinguished_name ] |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
60 EOF |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
61 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
62 my $d = $t->testdir(); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
63 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
64 foreach my $name ('localhost') { |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
65 system('openssl req -x509 -new ' |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
66 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
67 . "-out $d/$name.crt -keyout $d/$name.key " |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
68 . ">>$d/openssl.out 2>&1") == 0 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
69 or die "Can't create certificate for $name: $!\n"; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
70 } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
71 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
72 $t->run(); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
74 ############################################################################### |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
75 |
| 1931 | 76 my $s = Test::Nginx::HTTP3->new(); |
|
1930
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
77 ok(get($s), 'request'); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
78 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
79 # sets the Key Phase bit |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
80 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
81 $s->key_update(); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
82 ok(get($s), 'key update 1'); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
83 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
84 # clears the Key Phase bit |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
85 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
86 $s->key_update(); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
87 ok(get($s), 'key update 2'); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
88 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
89 ############################################################################### |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
90 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
91 sub get { |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
92 my ($s) = @_; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
93 my $frames = $s->read(all => [{ sid => $s->new_stream(), fin => 1 }]); |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
94 grep { $_->{type} eq "HEADERS" } @$frames; |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
95 } |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
96 |
|
0e8b5b442b1d
Tests: basic QUIC key update tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
97 ############################################################################### |