Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an appendix containing test vectors for "Initial". #1573

Closed
wants to merge 6 commits into from
Closed

Add an appendix containing test vectors for "Initial". #1573

wants to merge 6 commits into from

Conversation

rpaulo
Copy link
Contributor

@rpaulo rpaulo commented Jul 17, 2018

I'm also working on a PNE appendix.

ping @ekr @huitema

@masaori335
Copy link

I tried @ekr's test vector on the list and this test vector. My code passed with ekr's test vector, but failed with this test vector.
I got below values. ("initial secret" is same, but others are not same)

initial secret : a572b0245af1eddf5c61c6e3f7f9304ca66bfb4caaf76567d5cb8dd1dc4e820b

client in secret: 9f536457f32a1e0ae864bcb3caf1235110630e1d1fb33835bd054170f99bf7dc
key: f2928f2614ad6c20b9bd008e9c89631c
iv: ab950b0198637978cf44aab9
pn: 68c3f64e2d6634412b8e3294628d76f1

server in secret: b087dcd7478dda8a858fbf3d605c888586c0a3a9875423ad4f114f0ba38e5a2e
key: f56817d0fc595cfc0a2b0bcfb18735ec
iv: 3205035a3c937c902ee4f4d6
pn: a313c86d1373ecbccb3294b14974226c

I doubt that there is a bug around HKDF-Expand-Label implementation. Because the "info" parameter of HKDF-Expand is changed in draft-13. If understand correctly, it's HkdfLabel (defined in TLS 1.3) and it has context<0..255> field. Without the context field, I got exact same values of this test vector.

QUIC draft-12

struct {
    uint16 length = Length;
    opaque label<6..255> = "QUIC " + Label;
} QhkdfExpandInfo;

TLS 1.3 (QUIC draft-13)

struct {
    uint16 length = Length;
    opaque label<7..255> = "tls13 " + Label;
    opaque context<0..255> = Context;
} HkdfLabel;

@rpaulo
Copy link
Contributor Author

rpaulo commented Jul 20, 2018
edited
Loading

That makes sense, thanks for testing. I can try to get @ekr's vectors into this PR and include the PNE vectors

EDIT: actually that might not be the best idea since we wanted to change the SNI to something more sensible before putting it in the spec. I'll use this PR to update the vectors and leave PNE to a different PR.

huitema
huitema reviewed Jul 26, 2018
View reviewed changes
draft-ietf-quic-tls.md
IV: 27 92 24 e5 85 fd 84 e9 e0 70 ea 9a
~~~


Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, having something like that in the spec would be useful. We need an independent verification before publishing these values.

Also, having the PN key is fine, but we probably need a complete packet example to ensure that the nonce is properly extracted and the PN properly decrypted.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, I think that it would be better to start with the test vector in EKR's message "PNE Test Vector" sent on the quic list on 7/18/2018.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@huitema my objective was to have the PN key in this section and then use it for PNE but this PR was just for initial test vectors. I agree we need independent verification before we publish.

martinthomson
martinthomson requested changes Aug 15, 2018
View reviewed changes
Copy link
Member

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that these are incorrect.

draft-ietf-quic-tls.md Outdated

~~~
quic client in: 00 20 0e 71 75 69 63 20 63 6c 69 65 6e 74 20
69 6e
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These labels all omit the trailing zero octet for the context.

@martinthomson martinthomson added editorial An issue that does not affect the design of the protocol; does not require consensus. -transport labels Aug 15, 2018
@huitema
Copy link
Contributor

huitema commented Aug 15, 2018

I think we would be better off with the test vector that EKR published. I use it as unit test in Picoquic, and the implementation works against Quicly, NGTCP2 and NGX.

Here are the values that I tested, based on EKR's message:


/*
 * test copied from EKR test vector
 */

static uint8_t draft13_test_input_packet[] = {
    0xff, 0xff, 0x00, 0x00, 0x0d, 0x50, 0x06, 0xb8, 0x58, 0xec,
    0x6f, 0x80, 0x45, 0x2b, 0x00, 0x44, 0xef, 0xa5, 0xd8, 0xd3,
    0x07, 0xc2, 0x97, 0x3f, 0xa0, 0xd6, 0x3f, 0xd9, 0xb0, 0x3a,
    0x4e, 0x16, 0x3b, 0x99, 0x0d, 0xd7, 0x78, 0x89, 0x4a, 0x9e,
    0xdc, 0x8e, 0xac, 0xfb, 0xe4, 0xaa, 0x6f, 0xbf, 0x4a, 0x22,
    0xec, 0x7f, 0x90, 0x6b, 0x5e, 0x8b, 0x8a, 0xe1, 0x2e, 0x5f,
    0xcc, 0x79, 0x24, 0xdf, 0xee, 0xe8, 0x13, 0x84, 0x2b, 0xb2,
    0x14, 0x9b, 0x80, 0x5e, 0x55, 0x89, 0x50, 0x84, 0xe8, 0x39,
    0x32, 0x00, 0xbb, 0x3f, 0xc6, 0x18, 0xaf, 0x7d, 0x08, 0x28,
    0x14, 0x85, 0xd9, 0x14, 0xce, 0x42, 0x30, 0x3f, 0x5d, 0x77,
    0x2b, 0x20, 0x05, 0x08, 0xa0, 0xc0, 0x02, 0x53, 0xe3, 0x32,
    0xe3, 0x6a, 0x84, 0xf6, 0x57, 0x32, 0x1a, 0xc4, 0xc8, 0xe2,
    0xcc, 0x8a, 0x11, 0x7e, 0x95, 0x87, 0x1f, 0x12, 0xb1, 0xf3,
    0x6b, 0xe8, 0xc4, 0xb7, 0x6f, 0xa4, 0x33, 0xdc, 0x4d, 0x31,
    0x42, 0xe6, 0x54, 0x7f, 0x45, 0x98, 0xbf, 0x4b, 0x19, 0x21,
    0x30, 0xae, 0xa6, 0xfc, 0x20, 0xda, 0x51, 0x58, 0xb2, 0x16,
    0x2b, 0x5a, 0x89, 0x99, 0x57, 0xda, 0x05, 0xde, 0xd5, 0xc7,
    0x09, 0x07, 0x29, 0x8f, 0xd8, 0x85, 0x84, 0x7f, 0x22, 0xa1,
    0xec, 0xb0, 0xa8, 0x14, 0xfe, 0x01, 0x70, 0xe2, 0x3c, 0xad,
    0x20, 0xaf, 0x64, 0xf0, 0x5c, 0xc1, 0x3c, 0x74, 0xe9, 0x18,
    0x24, 0x10, 0x1a, 0xfd, 0xcf, 0x5f, 0x15, 0x32, 0xfc, 0x2f,
    0xde, 0x93, 0x6a, 0x3a, 0x15, 0x9f, 0x76, 0x28, 0x3a, 0x26,
    0xc7, 0x38, 0xf7, 0x78, 0xc7, 0x6e, 0x6c, 0xa4, 0x1f, 0xa7,
    0xf1, 0x34, 0x40, 0x1d, 0x39, 0x02, 0x7f, 0xd8, 0x1d, 0xe1,
    0x7a, 0x80, 0x21, 0xa9, 0xc0, 0xaa, 0xa9, 0xb4, 0x47, 0x8f,
    0xe5, 0xc0, 0x64, 0x79, 0x41, 0x61, 0x8f, 0x3b, 0xee, 0x41,
    0x0c, 0xaf, 0x94, 0xc2, 0x48, 0xd2, 0xa6, 0x4b, 0x5e, 0x45,
    0x84, 0x5c, 0xd7, 0x7d, 0xe1, 0x3a, 0x5e, 0xd9, 0x40, 0x34,
    0xd2, 0xbc, 0x5f, 0x45, 0x78, 0x87, 0x35, 0x19, 0x93, 0xc1,
    0xec, 0xfa, 0x34, 0xfd, 0x0c, 0x65, 0x8f, 0xea, 0x3f, 0x80,
    0x86, 0xd2, 0x68, 0x08, 0xee, 0xf9, 0x76, 0x26, 0x2e, 0xcf,
    0x0a, 0xd6, 0x46, 0xb6, 0x27, 0x94, 0x55, 0x11, 0xdd, 0xe8,
    0x3e, 0x26, 0x60, 0x9c, 0xd5, 0xcf, 0xd7, 0xed, 0x9f, 0x62,
    0x07, 0xd7, 0x66, 0x18, 0xb4, 0x4c, 0x48, 0xbf, 0x62, 0x3b,
    0xf4, 0x20, 0xdc, 0x7c, 0x12, 0x7e, 0x5d, 0x5f, 0x52, 0x9f,
    0x08, 0x3b, 0x71, 0xa1, 0x7b, 0x17, 0xda, 0x32, 0x9b, 0xfc,
    0x38, 0xa7, 0x4b, 0xf8, 0xcf, 0xcf, 0x31, 0x5c, 0x7c, 0x07,
    0x0b, 0x71, 0xeb, 0xfa, 0xe3, 0xab, 0x35, 0x13, 0x41, 0xa7,
    0x67, 0xad, 0xfd, 0xd9, 0xe5, 0x7c, 0x73, 0x8f, 0x5d, 0xe9,
    0xda, 0x53, 0x71, 0x1e, 0x88, 0x6d, 0x14, 0x72, 0x31, 0x0b,
    0x91, 0x7a, 0x1c, 0x97, 0x98, 0xe3, 0xe9, 0xb1, 0x3c, 0x7c,
    0x74, 0xbe, 0xb8, 0xd1, 0xb8, 0x23, 0x45, 0xbe, 0xa1, 0x34,
    0x94, 0x15, 0x67, 0x9a, 0x9c, 0x64, 0xb0, 0x43, 0x3b, 0x68,
    0xc8, 0x71, 0xae, 0x08, 0x09, 0x2a, 0x1f, 0x61, 0x06, 0xbc,
    0x06, 0x33, 0x7c, 0xd3, 0x43, 0x86, 0x6e, 0xe8, 0x18, 0x5c,
    0x03, 0xfc, 0xf3, 0xbb, 0x06, 0x66, 0x45, 0x3f, 0x84, 0x79,
    0x05, 0x54, 0x71, 0x99, 0x41, 0x4c, 0x1e, 0x57, 0x53, 0x57,
    0x47, 0xbe, 0x61, 0xcd, 0xf6, 0x77, 0x83, 0x78, 0xf1, 0x21,
    0xd6, 0x8d, 0xf0, 0x18, 0x1e, 0xe9, 0xe8, 0xd9, 0x93, 0x2c,
    0x1c, 0x59, 0x3c, 0x0f, 0x8c, 0x0a, 0x1a, 0xf0, 0xf5, 0x26,
    0x2b, 0x86, 0x20, 0x50, 0x02, 0xdc, 0xed, 0x9e, 0xcd, 0xae,
    0xe2, 0xd0, 0xaa, 0x07, 0xdd, 0x4c, 0x14, 0xf9, 0x85, 0x71,
    0xe4, 0xbe, 0xa7, 0x2f, 0x84, 0x74, 0xf6, 0x36, 0x97, 0x04,
    0x3e, 0x93, 0x6e, 0xbb, 0x2b, 0xf9, 0x71, 0x6e, 0xd0, 0xef,
    0xbd, 0xc1, 0x30, 0x05, 0xa7, 0x5c, 0xee, 0x3a, 0x49, 0xba,
    0xbc, 0x61, 0xb9, 0x67, 0x77, 0x64, 0x51, 0x0e, 0xb1, 0x98,
    0x28, 0xdf, 0x4e, 0x10, 0xfb, 0x38, 0xb7, 0x9a, 0x1e, 0xfb,
    0xf0, 0x4c, 0xc2, 0xd5, 0x71, 0x94, 0x9d, 0x54, 0x03, 0xf7,
    0x97, 0x36, 0x17, 0x43, 0xdc, 0xc5, 0xe3, 0xbf, 0x3b, 0x43,
    0x96, 0xf7, 0xae, 0x1a, 0x3a, 0xff, 0xbc, 0x9f, 0x72, 0xe5,
    0x40, 0xd9, 0x20, 0x36, 0x39, 0x70, 0x30, 0x7e, 0x07, 0x25,
    0xfa, 0x83, 0x8d, 0x61, 0x18, 0x03, 0x25, 0x1a, 0x4a, 0x08,
    0xcc, 0xca, 0x19, 0x83, 0xd5, 0xb2, 0x9a, 0x58, 0x37, 0x58,
    0xbe, 0x63, 0x34, 0x3e, 0x88, 0xf5, 0x59, 0x1d, 0x88, 0x5b,
    0x8a, 0xf6, 0x95, 0xf3, 0x3a, 0xdb, 0xdd, 0x0d, 0x94, 0x1d,
    0x26, 0x02, 0x87, 0xe3, 0x2e, 0xf5, 0xa9, 0x8f, 0xd5, 0x5a,
    0xc1, 0x37, 0x21, 0x10, 0x21, 0xfd, 0xc2, 0x3b, 0x5d, 0x7a,
    0x54, 0x69, 0xf5, 0x78, 0xbf, 0x7a, 0xff, 0x65, 0x29, 0x11,
    0x79, 0x96, 0xf9, 0xeb, 0xab, 0x5e, 0x6d, 0xc7, 0xb0, 0x47,
    0xb3, 0x56, 0x33, 0x2f, 0xea, 0x82, 0xfd, 0xd6, 0x20, 0xeb,
    0x86, 0xf3, 0xc1, 0xd3, 0x85, 0x5c, 0x8b, 0x80, 0x75, 0xda,
    0x59, 0xa7, 0x66, 0x2f, 0x4a, 0x11, 0xb9, 0x77, 0xd9, 0x96,
    0xb8, 0xb3, 0xc7, 0x65, 0x7a, 0xd4, 0xa8, 0x2a, 0x20, 0xa7,
    0xf7, 0x6c, 0xe3, 0x76, 0xc0, 0x32, 0x00, 0x86, 0xed, 0x02,
    0x9d, 0xd6, 0x15, 0x39, 0x93, 0x07, 0x98, 0x31, 0x13, 0xcc,
    0x0a, 0xa9, 0x73, 0xec, 0xba, 0x69, 0x1e, 0x7e, 0x4c, 0xdc,
    0x80, 0xae, 0xfa, 0x7e, 0x8c, 0x83, 0x47, 0xba, 0xba, 0x05,
    0x0e, 0xac, 0xa7, 0xdc, 0x35, 0xa2, 0x1a, 0xa8, 0x54, 0xe5,
    0x31, 0xdc, 0x77, 0x58, 0xd7, 0xd1, 0x0b, 0x8c, 0x8e, 0x42,
    0xc1, 0xbe, 0x3b, 0xbf, 0x26, 0x6d, 0x05, 0x5a, 0xc2, 0x5c,
    0x37, 0x27, 0x9e, 0xbe, 0xfa, 0x28, 0xbb, 0xe8, 0x9a, 0x34,
    0xad, 0x1a, 0xb3, 0xd2, 0x3d, 0x7a, 0x66, 0xd1, 0xc2, 0x16,
    0xa5, 0x76, 0x50, 0xe6, 0xec, 0x9f, 0xc8, 0xba, 0x7a, 0xdf,
    0xb3, 0x8e, 0x57, 0xf2, 0x0c, 0x46, 0x71, 0x66, 0xc8, 0xfe,
    0x79, 0x44, 0xe6, 0x7f, 0x82, 0x13, 0x81, 0x60, 0x00, 0x20,
    0x04, 0x81, 0x2c, 0x78, 0xba, 0x4b, 0x5f, 0x0d, 0xa9, 0x17,
    0xda, 0x4c, 0xc1, 0x4c, 0xf8, 0xfc, 0x10, 0xdb, 0xa3, 0xf5,
    0x33, 0xfa, 0xcb, 0x11, 0xef, 0x06, 0xd8, 0xb8, 0xf1, 0x78,
    0xea, 0x9c, 0x5e, 0x8a, 0xcb, 0xbc, 0xa7, 0xb7, 0xf0, 0xe1,
    0xf6, 0xb7, 0xa7, 0x0e, 0xc2, 0xd5, 0x10, 0x8c, 0xc4, 0x11,
    0x78, 0x05, 0x62, 0x95, 0x79, 0x3b, 0xed, 0x35, 0x7a, 0xcc,
    0xbb, 0x03, 0xc0, 0x58, 0x2d, 0xc6, 0x9b, 0xc7, 0x7a, 0x34,
    0x03, 0x0f, 0x38, 0xcc, 0xe2, 0x56, 0xc5, 0xa9, 0xce, 0xc6,
    0xe8, 0x62, 0x14, 0x6e, 0x3f, 0x04, 0x63, 0xf1, 0x0d, 0xd5,
    0x83, 0x32, 0x57, 0xd0, 0xa0, 0x35, 0x91, 0x66, 0xa7, 0xe2,
    0x02, 0x7d, 0x98, 0xea, 0xf2, 0x6c, 0xf0, 0xd5, 0xa4, 0xa0,
    0x5f, 0x6e, 0xf8, 0xb7, 0x42, 0xf5, 0xd3, 0x14, 0xa3, 0x1d,
    0xee, 0xea, 0xbe, 0x4e, 0xbc, 0x31, 0x06, 0x54, 0x7e, 0x79,
    0xc6, 0xcb, 0x93, 0x31, 0x05, 0xd9, 0x07, 0xb4, 0xc8, 0xc6,
    0x04, 0x43, 0xe9, 0x7a, 0x15, 0x46, 0x94, 0xba, 0xb5, 0xed,
    0xfc, 0x78, 0x1a, 0x43, 0x86, 0x75, 0xb9, 0xde, 0x6e, 0xd0,
    0x3c, 0x77, 0xf5, 0x14, 0x58, 0xea, 0xb6, 0x1c, 0xa2, 0xe8,
    0x0a, 0xc0, 0x2c, 0xc8, 0xc0, 0x37, 0xd8, 0xfb, 0x3c, 0xf1,
    0x29, 0xd7, 0x10, 0x7f, 0x61, 0x8d, 0x66, 0x03, 0x2c, 0xc0,
    0x22, 0x38, 0xa2, 0x11, 0xf7, 0x8b, 0xfa, 0x44, 0xe7, 0xc1,
    0xbb, 0xcf, 0xcc, 0x62, 0x77, 0x71, 0xc1, 0x88, 0xd1, 0xb3,
    0x71, 0x3c, 0xe5, 0xe7, 0x5c, 0xd2, 0x32, 0x5a, 0x0a, 0x2b,
    0xa0, 0x82, 0x68, 0xca, 0xd1, 0x3b, 0x27, 0xd9, 0x76, 0x96,
    0xef, 0x67, 0x8b, 0x59, 0x2d, 0x0a, 0xc8, 0x0a, 0xd1, 0xba,
    0xcb, 0x4a, 0x1b, 0xa7, 0x5b, 0xea, 0x8c, 0x47, 0x7f, 0x39,
    0xfc, 0x32, 0xc2, 0xaa, 0x20, 0xf3, 0x52, 0xbb, 0x0d, 0xa1,
    0xc4, 0x9b, 0x7d, 0x39, 0x27, 0xbc, 0xd9, 0xdf, 0xaf, 0x22,
    0x92, 0x37, 0x08, 0x1d, 0x5f, 0xa0, 0x89, 0x24, 0xfe, 0xfd,
    0x92, 0x3f, 0xf0, 0xac, 0x6b, 0xaa, 0xd6, 0x86, 0x4b, 0x7c,
    0x10, 0xdc, 0x73, 0x37, 0x9a, 0x5e, 0xbd, 0x9e, 0x46, 0x78,
    0xa0, 0xc2, 0x65, 0x17, 0x65, 0x6e, 0x8e, 0x51, 0xfc, 0xa2,
    0xa5, 0x1a, 0x33, 0xfb, 0x2c, 0xdd, 0x5d, 0x76, 0xd1, 0x26,
    0x74, 0xc2, 0x40, 0xba, 0x9a, 0x48, 0x93, 0xc1, 0xaf, 0x69,
    0xb8, 0xf2, 0xc4, 0xad, 0xf3, 0x7c, 0x4a, 0x47, 0x55, 0x1e,
    0xb2, 0x00, 0x6a, 0x73, 0x2f, 0x6b, 0x3b, 0x2f, 0x33, 0x8c,
    0x07, 0x8e, 0xde, 0x33, 0x94, 0x6d, 0xfe, 0x4a, 0x55, 0xbf,
    0x64, 0x4d, 0x3b, 0x98, 0x84, 0x86, 0x93, 0xad, 0xa1, 0xfc,
    0xb6, 0xfc, 0x16, 0xca, 0xc3, 0x39, 0xee, 0x65, 0xc2, 0x4d,
    0xc6, 0x4b, 0x0a, 0xe9, 0x20, 0x05, 0x35, 0x4a, 0xf0, 0x0a,
    0xde, 0x71, 0xe6, 0xc5, 0xe2, 0xef, 0xd8, 0x5c, 0x46, 0x13,
    0x1d, 0x94, 0x8f, 0xf1, 0x40, 0x96, 0xb0, 0xf0, 0x6a, 0x41,
    0xd8, 0x3c, 0x85, 0x22, 0xf3, 0x0b, 0xeb, 0x4e, 0xaa, 0xf4,
    0xa6, 0xf9, 0x08, 0xfe, 0x2a, 0x6e, 0xe7, 0x54, 0xc8, 0x96
};

static uint32_t draft13_test_vn = 0xff00000d;

static picoquic_connection_id_t draft13_test_cnx_id = { 
    { 0x06, 0xb8, 0x58, 0xec, 0x6f, 0x80, 0x45, 0x2b }, 8 };

static uint8_t draft13_test_salt[] = {
    0x9c, 0x10, 0x8f, 0x98, 0x52, 0x0a, 0x5c, 0x5c, 0x32, 0x96,
    0x8e, 0x95, 0x0e, 0x8a, 0x2c, 0x5f, 0xe0, 0x6d, 0x6c, 0x38
};

static uint8_t draft13_test_server_initial_secret[] = {
    0x7e, 0x0a, 0xba, 0x2c, 0x4b, 0x97, 0x42, 0xd0, 0xd1, 0x30,
    0xbc, 0x73, 0x18, 0x62, 0x2a, 0xd3, 0xb4, 0x4a, 0xca, 0x1f,
    0x09, 0xab, 0xb1, 0x9b, 0x3f, 0x39, 0x4c, 0xd7, 0xe2, 0x0f,
    0x4b, 0xe0
};

static uint8_t draft13_test_server_key[] = {
    0x26, 0x08, 0x0e, 0x60, 0xd2, 0x88, 0xdb, 0x7d, 0xf8, 0x16,
    0xa1, 0xcb, 0x0b, 0xc6, 0xc7, 0xf4
};

static uint8_t draft13_test_server_iv[] = {
    0xb9, 0xfd, 0xc5, 0xb4, 0x48, 0xaf, 0x3e, 0x02, 0x34, 0x22,
    0x44, 0x3b
};

static uint8_t draft13_test_server_pn[] = {
    0x00, 0xba, 0xbb, 0xe1, 0xbe, 0x0f, 0x0c, 0x66, 0x18, 0x18,
    0x8b, 0x4f, 0xcc, 0xa5, 0x7a, 0x96
};

static uint8_t draft13_test_client_initial_secret[] = {
    0x82, 0xa7, 0x35, 0x72, 0xe7, 0xcb, 0x89, 0x52, 0x3b, 0x68,
    0xc3, 0x9e, 0xaa, 0x83, 0x25, 0x40, 0x4f, 0x86, 0x49, 0x8c,
    0x8e, 0x24, 0x37, 0xdf, 0xdc, 0xe1, 0x0f, 0x9c, 0x34, 0x28,
    0x1a, 0x3d
};

static uint8_t draft13_test_client_key[] = {
    0xa7, 0x99, 0x43, 0x56, 0x6c, 0x41, 0x34, 0x2f, 0x2b, 0xc3,
    0xde, 0x6b, 0x7c, 0x15, 0x39, 0xdf
};

static uint8_t draft13_test_client_iv[] = {
    0x84, 0xeb, 0x95, 0x4f, 0xfe, 0x16, 0x1c, 0x38, 0x75, 0x91,
    0x9f, 0x5f
};

static uint8_t draft13_test_client_pn[] = {
    0x5c, 0x0f, 0x64, 0x72, 0xa1, 0x56, 0x58, 0x04, 0x7a, 0x3c,
    0xc1, 0xf1, 0x54, 0x78, 0xdc, 0xf4
};

@martinthomson
Copy link
Member

I have the same test vector in https://gist.github.com/martinthomson/7f4b615070254644f4c5335014980cbc - the only problem I can see is that it is very big. (The other problem being that it isn't in a PR yet, but that's a fixable problem.)

@huitema
Copy link
Contributor

huitema commented Aug 16, 2018

Yes, it may well be that including a "real" packet as a test vector is a bad idea. If we do that, then we will need to update the version number (bytes 2 to 5) from 0xff, 0x00, 0x00, 0x0d to 0xff, 0x00, 0x00, 0x0E for draft 14, and so on for each draft. This does not affect the computation of AEAD and PNE keys, as they are only a function of the salt and connection ID, but it does affect the sample used for PNE in the example.

Suppose that instead of a full packet we had a truncated packet, with just enough bytes to get the PNE sample. We will lose the capability of doing a full test "up to packet decoding", but in my experience that's not a very big deal. Implementations can use different unit tests for verifying the implementation of AEAD. But for that loss we get a big gain: we can update the test vector by just flipping the version bits, without having to worry about the rest.

Unless we change the salt or the algorithm of course. But then if we do that we know that we have to change the whole test vector no matter what.

@martinthomson
Copy link
Member

I have a much smaller example in the script I linked. That is a mere 98 octets of payload. It has an ACK frame and a valid ServerHello. It's not as easy to feed into a stack, though.

The alternative is to build the much-requested ACK frame example and just encrypt a packet with that in it.

Whatever we build, the example needs to be rebuilt as we update things (like the fixed salt).

@kazuho
Copy link
Member

kazuho commented Aug 16, 2018
edited
Loading

I think using client's Initial is beneficial because you can test the construction of AEAD keys.

If the size of the test vectors and the need to update them for every revision of the draft (prior to publishing it!) are problemsome, we can list the vectors in a separate document, as @martinthomson has done for TLS :-) https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-vectors/

@rpaulo
Copy link
Contributor Author

rpaulo commented Nov 20, 2018

I'm aware they are about to change again, but at least this should be correct now for -15 drafts. I can update these vectors once @martinthomson PR is merged. (Looks like the consensus right now is to move to "tls13 " and to add a QUIC version in the context field.)

@martinthomson martinthomson mentioned this pull request Dec 31, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@huitema huitema huitema left review comments

@martinthomson martinthomson martinthomson requested changes

Assignees
No one assigned
Labels
-transport editorial An issue that does not affect the design of the protocol; does not require consensus.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@rpaulo @masaori335 @huitema @martinthomson @kazuho