From 81cc32b846c9fe2ea32613287e57a6a0db7bbb9a Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Fri, 1 Dec 2017 18:11:01 +0000 Subject: [PATCH] Make bogo advertise and test only for draft 22 Current bogo tests for draft18, patch that to use draft22. Patch from https://boringssl-review.googlesource.com/c/boringssl/+/23704/2 Upstream commit e1068b76bd1d7f6ea06c90faa523ad8d562ec11b ("Test RSA premaster unpad better.") added another version-specific test, disable that since no protection is implemented. --- config.json | 3 +- vendor/bogo-draft22.diff | 79 +++++++++++++++++++ .../boringssl/ssl/test/runner/runner.go | 40 +--------- 3 files changed, 84 insertions(+), 38 deletions(-) create mode 100644 vendor/bogo-draft22.diff diff --git a/config.json b/config.json index 7ed02ed..df9ecc1 100644 --- a/config.json +++ b/config.json @@ -8,7 +8,8 @@ "*-NoTickets-*": "Session IDs not supported", "*-AES256-SHA384-*": "AES256-CBC-SHA384 not supported", - "BadRSAClientKeyExchange-4": "See comment in processClientKeyExchange", + "BadRSAClientKeyExchange-4": "case RSABadValueWrongVersion1 - See comment in processClientKeyExchange", + "BadRSAClientKeyExchange-5": "case RSABadValueWrongVersion2 - See comment in processClientKeyExchange", "GREASE-Server-TLS13": "TODO", "DuplicateExtensionServer-*": "TODO", diff --git a/vendor/bogo-draft22.diff b/vendor/bogo-draft22.diff new file mode 100644 index 0000000..10f2eef --- /dev/null +++ b/vendor/bogo-draft22.diff 
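Review bot: The new `"BadRSAClientKeyExchange-5"` entry waives a test without saying what protection is being skipped; the reason string only points at a code comment, and the commit message is the sole place recording that "no protection is implemented". Both skipped cases (RSABadValueWrongVersion1/2) exercise the client_version comparison inside the RSA premaster secret, the rollback check from RFC 5246 §7.4.7.1, so the skip reason should state that and reference a tracking item, e.g. `"BadRSAClientKeyExchange-5": "RSABadValueWrongVersion2: premaster client_version is not checked (RFC 5246 7.4.7.1), see <TRACKING-ISSUE placeholder>"`. The numeric suffixes appear to follow the order of the upstream case table, so a future upstream reordering would retarget these skips silently; naming the case in the string, as this hunk starts to do, is the right mitigation and is worth applying to `-4` in the same wording.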
@@ -0,0 +1,79 @@ +diff --git a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go +index 8700af2..6084f42 100644 +--- a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go ++++ b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go +@@ -540,6 +540,7 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr + if test.tls13Variant != 0 { + config.TLS13Variant = test.tls13Variant + } ++ config.TLS13Variant = TLS13Draft22 + + conn = &timeoutConn{conn, *idleTimeout} + +@@ -1297,20 +1298,6 @@ var tlsVersions = []tlsVersion{ + hasDTLS: true, + versionDTLS: VersionDTLS12, + }, +- { +- name: "TLS13", +- version: VersionTLS13, +- excludeFlag: "-no-tls13", +- versionWire: tls13DraftVersion, +- tls13Variant: TLS13Default, +- }, +- { +- name: "TLS13Draft21", +- version: VersionTLS13, +- excludeFlag: "-no-tls13", +- versionWire: tls13Draft21Version, +- tls13Variant: TLS13Draft21, +- }, + { + name: "TLS13Draft22", + version: VersionTLS13, +@@ -1318,27 +1305,6 @@ var tlsVersions = []tlsVersion{ + versionWire: tls13Draft22Version, + tls13Variant: TLS13Draft22, + }, +- { +- name: "TLS13Experiment", +- version: VersionTLS13, +- excludeFlag: "-no-tls13", +- versionWire: tls13ExperimentVersion, +- tls13Variant: TLS13Experiment, +- }, +- { +- name: "TLS13Experiment2", +- version: VersionTLS13, +- excludeFlag: "-no-tls13", +- versionWire: tls13Experiment2Version, +- tls13Variant: TLS13Experiment2, +- }, +- { +- name: "TLS13Experiment3", +- version: VersionTLS13, +- excludeFlag: "-no-tls13", +- versionWire: tls13Experiment3Version, +- tls13Variant: TLS13Experiment3, +- }, + } + + func allVersions(protocol protocol) []tlsVersion { +@@ -5485,7 +5451,7 @@ func addVersionNegotiationTests() { + config: Config{ + MaxVersion: VersionTLS13, + Bugs: ProtocolBugs{ +- SendServerSupportedExtensionVersion: tls13DraftVersion, ++ SendServerSupportedExtensionVersion: tls13Draft22Version, + 
}, + }, + shouldFail: true, +@@ -5499,7 +5465,7 @@ func addVersionNegotiationTests() { + name: "IgnoreClientVersionOrder", + config: Config{ + Bugs: ProtocolBugs{ +- SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion}, ++ SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version}, + }, + }, + expectedVersion: VersionTLS13, diff --git a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go index 8700af2..6084f42 100644 --- a/vendor/github.com/google/boringssl/ssl/test/runner/runner.go +++ b/vendor/github.com/google/boringssl/ssl/test/runner/runner.go @@ -540,6 +540,7 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr if test.tls13Variant != 0 { config.TLS13Variant = test.tls13Variant } + config.TLS13Variant = TLS13Draft22 conn = &timeoutConn{conn, *idleTimeout} @@ -1297,20 +1298,6 @@ var tlsVersions = []tlsVersion{ hasDTLS: true, versionDTLS: VersionDTLS12, }, - { - name: "TLS13", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13DraftVersion, - tls13Variant: TLS13Default, - }, - { - name: "TLS13Draft21", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13Draft21Version, - tls13Variant: TLS13Draft21, - }, { name: "TLS13Draft22", version: VersionTLS13, @@ -1318,27 +1305,6 @@ var tlsVersions = []tlsVersion{ versionWire: tls13Draft22Version, tls13Variant: TLS13Draft22, }, - { - name: "TLS13Experiment", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13ExperimentVersion, - tls13Variant: TLS13Experiment, - }, - { - name: "TLS13Experiment2", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13Experiment2Version, - tls13Variant: TLS13Experiment2, - }, - { - name: "TLS13Experiment3", - version: VersionTLS13, - excludeFlag: "-no-tls13", - versionWire: tls13Experiment3Version, - tls13Variant: TLS13Experiment3, - }, } func allVersions(protocol protocol) []tlsVersion { 
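Review bot: The added `config.TLS13Variant = TLS13Draft22` unconditionally overwrites the value assigned two lines earlier, so the `if test.tls13Variant != 0 { … }` block directly above it is now dead code and any test that requests a different variant is silently run as draft 22 on the runner side. If the shim's variant flag is still derived from `test.tls13Variant` elsewhere in runner.go, the two endpoints can end up configured differently; either delete the conditional or fail loudly on a conflicting request, e.g. `if test.tls13Variant != 0 && test.tls13Variant != TLS13Draft22 { return fmt.Errorf("test requests TLS 1.3 variant %v but the runner is pinned to draft 22", test.tls13Variant) }` ahead of the assignment, assuming doExchange returns error as its truncated signature suggests. The same hunk is duplicated verbatim in the new vendor/bogo-draft22.diff, and the tlsVersions table hunks below it now list only TLS13Draft22, so whichever form is chosen has to be carried into that patch file as well or the two will drift apart. doExchange begins and ends outside this hunk.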
@@ -5485,7 +5451,7 @@ func addVersionNegotiationTests() {
 config: Config{
 MaxVersion: VersionTLS13,
 Bugs: ProtocolBugs{
- SendServerSupportedExtensionVersion: tls13DraftVersion,
+ SendServerSupportedExtensionVersion: tls13Draft22Version,
 },
 },
 shouldFail: true,
@@ -5499,7 +5465,7 @@ func addVersionNegotiationTests() {
 name: "IgnoreClientVersionOrder",
 config: Config{
 Bugs: ProtocolBugs{
- SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
+ SendSupportedVersions: []uint16{VersionTLS12, tls13Draft22Version},
 },
 },
 expectedVersion: VersionTLS13,