Left-pad a V2ClientHello's random, not right-pad.

The comment has it right, but the rewritten code was wrong.

Change-Id: I450193c39fb62eae32aae090a3834dd83db53421
Reviewed-on: https://boringssl-review.googlesource.com/2444
Reviewed-by: Adam Langley <agl@google.com>

ssl/s23_srvr.c

@@ -390,7 +390,7 @@ err:
 static int ssl23_get_v2_client_hello(SSL *s)
 	{
 	uint8_t *p;
-	size_t i;
+	size_t rand_len;
 	int n = 0;
 
 	CBS v2_client_hello, cipher_specs, session_id, challenge;
@@ -449,8 +449,10 @@ static int ssl23_get_v2_client_hello(SSL *s)
 	/* The client_random is the V2ClientHello challenge. Truncate or
 	 * left-pad with zeros as needed. */
 	memset(random, 0, SSL3_RANDOM_SIZE);
-	i = (CBS_len(&challenge) > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : CBS_len(&challenge);
-	memcpy(random, CBS_data(&challenge), i);
+	rand_len = CBS_len(&challenge);
+	if (rand_len > SSL3_RANDOM_SIZE)
+		rand_len = SSL3_RANDOM_SIZE;
+	memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge), rand_len);
 
 	/* Write out an equivalent SSLv3 ClientHello. */
 	if (!CBB_init_fixed(&client_hello, (uint8_t *)s->init_buf->data, s->init_buf->max))

ssl/test/runner/handshake_client.go

@@ -198,12 +198,14 @@ NextCipherSuite:
 
 	var helloBytes []byte
 	if c.config.Bugs.SendV2ClientHello {
+		// Test that the peer left-pads random.
+		hello.random[0] = 0
 		v2Hello := &v2ClientHelloMsg{
 			vers:         hello.vers,
 			cipherSuites: hello.cipherSuites,
 			// No session resumption for V2ClientHello.
 			sessionId: nil,
-			challenge: hello.random,
+			challenge: hello.random[1:],
 		}
 		helloBytes = v2Hello.marshal()
 		c.writeV2Record(helloBytes)