annotate quic_ciphers.t @ 1935:6bafe9419126
Tests: allowed ssl_curve.t to run on BoringSSL.
Recently BoringSSL has got SSL_get_negotiated_group(),
which makes $ssl_curve return the expected value.
While here, converted SSL library check into TODO.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Thu, 24 Aug 2023 14:59:26 +0400 |
parents | 161dc73812b3 |
children |
rev | line source |
---|---|
1 #!/usr/bin/perl |
2 |
3 # (C) Sergey Kandaurov |
4 # (C) Nginx, Inc. |
5 |
6 # Tests for various TLSv1.3 ciphers in QUIC. |
7 |
8 ############################################################################### |
9 |
10 use warnings; |
11 use strict; |
12 |
13 use Test::More; |
14 |
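# Switch to the script's own directory at compile time, so that the relative
# 'lib' entry added to @INC by the "use lib" statement that follows resolves
# next to this script.  If the chdir fails, stop: otherwise the test modules
# would be looked up in a 'lib' directory under whatever the caller's working
# directory happens to be.
BEGIN {
    use FindBin;
    chdir($FindBin::Bin)
        or die "Can't chdir to $FindBin::Bin: $!\n";
}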
16 |
17 use lib 'lib'; |
18 use Test::Nginx; |
19 use Test::Nginx::HTTP3; |
20 |
21 ############################################################################### |
22 |
# Turn on autoflush for STDERR and then STDOUT; STDOUT is left as the
# currently selected handle, as a plain "print" expects.
for my $stream (\*STDERR, \*STDOUT) {
    select $stream;
    $| = 1;
}

# Build the harness object and declare what this test needs: the http and
# http_v3 features, "cryptx", and the openssl program; five tests are planned.
# NOTE(review): how a missing prerequisite is handled is decided inside
# Test::Nginx and is not visible here -- presumably the test is skipped.
my $t = Test::Nginx->new()
    ->has('http', 'http_v3', 'cryptx')
    ->has_daemon('openssl')
    ->plan(5);
28 |
# nginx configuration for the instance under test.  The heredoc is
# single-quoted, so Perl interpolates nothing: $ssl_cipher and $ssl_ciphers
# reach nginx as its own variables, and the %%...%% markers are left in place
# (presumably substituted by write_file_expand() -- confirm in Test::Nginx).
#
# The single server listens for QUIC on the loopback address only and copies
# two TLS values into response headers so the test can assert on them:
#   x-cipher   -- the cipher negotiated for the connection ($ssl_cipher)
#   x-ciphers  -- the cipher list offered by the client ($ssl_ciphers)
my $nginx_conf = <<'EOF';

%%TEST_GLOBALS%%

daemon off;

events {
}

http {
%%TEST_GLOBALS_HTTP%%

ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;

server {
listen 127.0.0.1:%%PORT_8980_UDP%% quic;
server_name localhost;

location / {
add_header x-cipher $ssl_cipher;
add_header x-ciphers $ssl_ciphers;
}
}
}

EOF

$t->write_file_expand('nginx.conf', $nginx_conf);
56 |
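# Minimal configuration for "openssl req": a 2048-bit key, stored without
# passphrase protection (encrypt_key = no), and an empty distinguished-name
# section, since the subject is given on the command line with -subj.
# The resulting key is written in the clear under the test directory and is
# meant for this loopback test server only.
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF

my $d = $t->testdir();

# Create a self-signed certificate and key for every server name.
#
# The command is run through the shell because it relies on output
# redirection, and $d and $name are interpolated into it unquoted.  Both are
# produced by the harness and the literal list below; if either ever comes
# from outside the test, switch to the list form of system() and redirect the
# output in Perl instead.
foreach my $name ('localhost') {
    my $command = 'openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1";

    next if system($command) == 0;

    # $! is meaningful only when the command could not be started at all
    # ($? is -1 in that case); a command that ran and failed reports through
    # the wait status in $?, and $! would be stale.
    my $reason = $? == -1 ? $! : "wait status $?";
    die "Can't create certificate for $name: $reason\n";
}

# Empty document for "location /", then hand over to the harness
# (run() presumably starts nginx with the files written above).
$t->write_file('index.html', '');
$t->run();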
77 |
78 ############################################################################### |
79 |
# Each case offers exactly one TLSv1.3 cipher suite, given as its two-byte
# identifier, and expects the server to report that same suite in x-cipher.
# The expected name doubles as the test name.
my @single_suite = (
    [ "\x13\x01", 'TLS_AES_128_GCM_SHA256' ],
    [ "\x13\x02", 'TLS_AES_256_GCM_SHA384' ],
    [ "\x13\x03", 'TLS_CHACHA20_POLY1305_SHA256' ],
);

for my $case (@single_suite) {
    my ($offer, $expected) = @$case;
    is(get($offer), $expected, $expected);
}

# Two suites offered, TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;
# the first one in the offer is the one expected back.

is(get("\x13\x02\x13\x01"), 'TLS_AES_256_GCM_SHA384', 'ciphers many');

# Offer TLS_AES_128_CCM_SHA256 first with TLS_AES_128_GCM_SHA256 as a
# fallback.  CCM is enabled by default only in some distributions, so either
# of the two names is accepted.

TODO: {
    # Still treated as TODO on nginx versions before 1.25.2.
    unless ($t->has_version('1.25.2')) {
        todo_skip('not yet', 1);
    }

    like(
        get("\x13\x04\x13\x01"),
        qr/TLS_AES_128_[GC]CM_SHA256/,
        'TLS_AES_128_CCM_SHA256'
    );
}
99 |
100 ############################################################################### |
101 |
# Open an HTTP/3 connection to port 8980 (the QUIC listener in nginx.conf)
# with $ciphers passed as the client's "ciphers" option, send one request on
# a new stream, and return the value of the x-cipher response header.
#
# Callers in this file pass the offer as packed two-byte TLSv1.3 cipher suite
# identifiers, e.g. "\x13\x01".  The result is undef when no HEADERS frame
# was read or the header is absent, which makes the calling is()/like() fail
# rather than pass by accident.
sub get {
    my ($ciphers) = @_;

    my $s = Test::Nginx::HTTP3->new(8980, ciphers => $ciphers);

    # Request stream first, then read everything up to its FIN.
    my $sid = $s->new_stream();
    my $frames = $s->read(all => [{ sid => $sid, fin => 1 }]);

    # Only the first HEADERS frame is of interest.
    my @header_frames = grep { $_->{type} eq "HEADERS" } @$frames;
    my $first = $header_frames[0];

    return $first->{headers}->{'x-cipher'};
}
110 |
111 ############################################################################### |