Make bogo advertise and test only for draft 22

Current bogo tests for draft18, patch that to use draft22. Patch from https://boringssl-review.googlesource.com/c/boringssl/+/23704/2 Upstream commit e1068b76bd1d7f6ea06c90faa523ad8d562ec11b ("Test RSA premaster unpad better.") added another version-specific test, disable that since no protection is implemented.
2017-12-01 18:11:01 +00:00 · 2017-12-01 18:11:01 +00:00 · 631e73e16f
commit 631e73e16f
parent e2b91783a7
3 changed files with 84 additions and 38 deletions
--- a/config.json
+++ b/config.json
@ -10,7 +10,8 @@
 		"*-AES256-SHA256-*": "AES256-CBC-SHA256 not supported",
 		"*-AES256-SHA384-*": "AES256-CBC-SHA384 not supported",

-		"BadRSAClientKeyExchange-4": "See comment in processClientKeyExchange",
+		"BadRSAClientKeyExchange-4": "case RSABadValueWrongVersion1 - See comment in processClientKeyExchange",
+		"BadRSAClientKeyExchange-5": "case RSABadValueWrongVersion2 - See comment in processClientKeyExchange",

 		"GREASE-Server-TLS13": "TODO",
 		"DuplicateExtensionServer-*": "TODO",
--- a/vendor/bogo-draft22.diff
+++ b/vendor/bogo-draft22.diff
@ -0,0 +1,79 @@
+diff --git a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go
+index 8700af2..6084f42 100644
+--- a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go
+++ b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go
+@@ -540,6 +540,7 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr
+ 	if test.tls13Variant != 0 {
+ 		config.TLS13Variant = test.tls13Variant
+ 	}
+	config.TLS13Variant = TLS13Draft22
+ 
+ 	conn = &timeoutConn{conn, *idleTimeout}
+ 
+@@ -1297,20 +1298,6 @@ var tlsVersions = []tlsVersion{
+ 		hasDTLS:     true,
+ 		versionDTLS: VersionDTLS12,
+ 	},
+-	{
+-		name:         "TLS13",
+-		version:      VersionTLS13,
+-		excludeFlag:  "-no-tls13",
+-		versionWire:  tls13DraftVersion,
+-		tls13Variant: TLS13Default,
+-	},
+-	{
+-		name:         "TLS13Draft21",
+-		version:      VersionTLS13,
+-		excludeFlag:  "-no-tls13",
+-		versionWire:  tls13Draft21Version,
+-		tls13Variant: TLS13Draft21,
+-	},
+ 	{
+ 		name:         "TLS13Draft22",
+ 		version:      VersionTLS13,
+@@ -1318,27 +1305,6 @@ var tlsVersions = []tlsVersion{
+ 		versionWire:  tls13Draft22Version,
+ 		tls13Variant: TLS13Draft22,
+ 	},
+-	{
+-		name:         "TLS13Experiment",
+-		version:      VersionTLS13,
+-		excludeFlag:  "-no-tls13",
+-		versionWire:  tls13ExperimentVersion,
+-		tls13Variant: TLS13Experiment,
+-	},
+-	{
+-		name:         "TLS13Experiment2",
+-		version:      VersionTLS13,
+-		excludeFlag:  "-no-tls13",
+-		versionWire:  tls13Experiment2Version,
+-		tls13Variant: TLS13Experiment2,
+-	},
+-	{
+-		name:         "TLS13Experiment3",
+-		version:      VersionTLS13,
+-		excludeFlag:  "-no-tls13",
+-		versionWire:  tls13Experiment3Version,
+-		tls13Variant: TLS13Experiment3,
+-	},
+ }
+ 
+ func allVersions(protocol protocol) []tlsVersion {
+@@ -5485,7 +5451,7 @@ func addVersionNegotiationTests() {
+ 		config: Config{
+ 			MaxVersion: VersionTLS13,
+ 			Bugs: ProtocolBugs{
+-				SendServerSupportedExtensionVersion: tls13DraftVersion,
+				SendServerSupportedExtensionVersion: tls13Draft22Version,
+ 			},
+ 		},
+ 		shouldFail:    true,
+@@ -5499,7 +5465,7 @@ func addVersionNegotiationTests() {
+ 		name:     "IgnoreClientVersionOrder",
+ 		config: Config{
+ 			Bugs: ProtocolBugs{
+-				SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
+				SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version},
+ 			},
+ 		},
+ 		expectedVersion: VersionTLS13,
--- a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go
+++ b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go
@ -540,6 +540,7 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr
 	if test.tls13Variant != 0 {
 		config.TLS13Variant = test.tls13Variant
 	}
+	config.TLS13Variant = TLS13Draft22

 	conn = &timeoutConn{conn, *idleTimeout}

@ -1297,20 +1298,6 @@ var tlsVersions = []tlsVersion{
 		hasDTLS:     true,
 		versionDTLS: VersionDTLS12,
 	},
-	{
-		name:         "TLS13",
-		version:      VersionTLS13,
-		excludeFlag:  "-no-tls13",
-		versionWire:  tls13DraftVersion,
-		tls13Variant: TLS13Default,
-	},
-	{
-		name:         "TLS13Draft21",
-		version:      VersionTLS13,
-		excludeFlag:  "-no-tls13",
-		versionWire:  tls13Draft21Version,
-		tls13Variant: TLS13Draft21,
-	},
 	{
 		name:         "TLS13Draft22",
 		version:      VersionTLS13,
@ -1318,27 +1305,6 @@ var tlsVersions = []tlsVersion{
 		versionWire:  tls13Draft22Version,
 		tls13Variant: TLS13Draft22,
 	},
-	{
-		name:         "TLS13Experiment",
-		version:      VersionTLS13,
-		excludeFlag:  "-no-tls13",
-		versionWire:  tls13ExperimentVersion,
-		tls13Variant: TLS13Experiment,
-	},
-	{
-		name:         "TLS13Experiment2",
-		version:      VersionTLS13,
-		excludeFlag:  "-no-tls13",
-		versionWire:  tls13Experiment2Version,
-		tls13Variant: TLS13Experiment2,
-	},
-	{
-		name:         "TLS13Experiment3",
-		version:      VersionTLS13,
-		excludeFlag:  "-no-tls13",
-		versionWire:  tls13Experiment3Version,
-		tls13Variant: TLS13Experiment3,
-	},
 }

 func allVersions(protocol protocol) []tlsVersion {
@ -5485,7 +5451,7 @@ func addVersionNegotiationTests() {
 		config: Config{
 			MaxVersion: VersionTLS13,
 			Bugs: ProtocolBugs{
-				SendServerSupportedExtensionVersion: tls13DraftVersion,
+				SendServerSupportedExtensionVersion: tls13Draft22Version,
 			},
 		},
 		shouldFail:    true,
@ -5499,7 +5465,7 @@ func addVersionNegotiationTests() {
 		name:     "IgnoreClientVersionOrder",
 		config: Config{
 			Bugs: ProtocolBugs{
-				SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
+				SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version},
 			},
 		},
 		expectedVersion: VersionTLS13,