From 6e4abe2d07716fbc674dad8bc7623c76d1619876 Mon Sep 17 00:00:00 2001 From: "Henry D. Case" Date: Mon, 25 Jun 2018 18:22:15 +0100 Subject: [PATCH] TLSv1.3 draft-23: align tests * Changes tests so that they pass with draft-23 * BoringSSL interoperability: uses code at most recent commit. It uses "-tls13-variant draft23" flag to indicate compatibility with draft23 * NSS interoperability: Uses release 3.35 * PicoTLS interoperability: blocked. Doesn't seem to implement draft23 * Uses updated bogo from https://github.com/henrydcase/crypto-tls-bogo-shim --- _dev/Makefile | 2 +- _dev/bogo/Dockerfile | 13 ++++++++----- _dev/boring/Dockerfile | 17 +++++++++++++---- _dev/boring/run.sh | 4 ++-- _dev/boring/server.sh | 6 +++--- _dev/interop_test_runner | 26 ++++++++++++++------------ _dev/tris-localserver/server.go | 1 + _dev/tris-testclient/client.go | 1 + _dev/tstclnt/Dockerfile | 5 ++++- 9 files changed, 47 insertions(+), 28 deletions(-) diff --git a/_dev/Makefile b/_dev/Makefile index 5c582a8..02a4191 100644 --- a/_dev/Makefile +++ b/_dev/Makefile @@ -23,7 +23,7 @@ INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1)) TARGET_TEST_COMPAT=boring picotls tstclnt # Some target-specific constants -BORINGSSL_REVISION=1530ef3e +BORINGSSL_REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris ############### diff --git a/_dev/bogo/Dockerfile b/_dev/bogo/Dockerfile index 097e831..210751a 100644 --- a/_dev/bogo/Dockerfile +++ b/_dev/bogo/Dockerfile @@ -10,8 +10,8 @@ RUN apk add --update \ ENV CGO_ENABLED=0 -RUN git clone https://github.com/FiloSottile/crypto-tls-bogo-shim \ - /go/src/github.com/FiloSottile/crypto-tls-bogo-shim +RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \ + /go/src/github.com/henrydcase/crypto-tls-bogo-shim # Draft 18 with client-tests branch #ARG REVISION=3f5e87d6a1931b6f6930e4eadb7b2d0b2aa7c588 
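Review bot: The shim is now cloned from a personal fork (henrydcase/crypto-tls-bogo-shim) instead of the original FiloSottile repository, and nothing in the Dockerfile records why or under what condition it should move back; for a test dependency pulled into every CI image that provenance deserves one line. Suggest adding above the clone `# Temporary fork of FiloSottile/crypto-tls-bogo-shim carrying draft-23 support; return to upstream once that lands there`. The header comments that follow (`# Draft 18 with client-tests branch`) still name branches from the original repository, so they should say which repository those branches belong to.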
@@ -20,10 +20,13 @@ RUN git clone https://github.com/FiloSottile/crypto-tls-bogo-shim \ #ARG REVISION=81cc32b846c9fe2ea32613287e57a6a0db7bbb9a # Draft 22 with draft22-client branch (client-tests + draft22) -ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734 +# ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734 -RUN cd /go/src/github.com/FiloSottile/crypto-tls-bogo-shim && \ +# Draft 23 +ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5 + +RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \ git checkout $REVISION -WORKDIR /go/src/github.com/FiloSottile/crypto-tls-bogo-shim +WORKDIR /go/src/github.com/henrydcase/crypto-tls-bogo-shim CMD ["make", "run"] diff --git a/_dev/boring/Dockerfile b/_dev/boring/Dockerfile index 72a7cd7..bf712df 100644 --- a/_dev/boring/Dockerfile +++ b/_dev/boring/Dockerfile @@ -34,15 +34,24 @@ RUN mkdir boringssl/build # ARG REVISION=89917a5 # Draft 18 -#ARG REVISION=9b885c5 +# ARG REVISION=9b885c5 # Draft 18, but with "bssl server -loop -www" support and build fix -ARG REVISION=40b24c8154 +# ARG REVISION=40b24c8154 # Draft 21 -#ARG REVISION=cd8470f +# ARG REVISION=cd8470f # Draft 22 -ARG REVISION=1530ef3e +# ARG REVISION=1530ef3e + +# Draft 23 +# ARG REVISION=cb15cfda29c0c60d8d74145b17c93b43a7667837 + +# Draft 28 +# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30 + +# Latest +ARG REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a RUN cd boringssl && git fetch RUN cd boringssl && git checkout $REVISION diff --git a/_dev/boring/run.sh b/_dev/boring/run.sh index 15530d0..2db0dcd 100755 --- a/_dev/boring/run.sh +++ b/_dev/boring/run.sh 
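Review bot: The checkout at the end of the hunk runs `git checkout $REVISION` with no preceding `git fetch`, while the clone sits in an earlier, separately cached RUN layer; once that layer is cached, a future bump of `REVISION` to a commit pushed after the cached clone fails with an unknown revision instead of rebuilding. The BoringSSL Dockerfile in this same commit does `git fetch` before `git checkout`, so match it: `RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && git fetch && git checkout $REVISION`. Pinning to the full 40-character SHA is the right call and should stay; a comment naming the branch this commit was taken from would help the next person locate it.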
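Review bot: The new pin is labelled `# Latest`, which is false the moment BoringSSL's master moves and, unlike every other entry in the list, says nothing about what the commit was chosen for. Name the reason instead, e.g. `# Draft 23 via -tls13-variant draft23 (master as of June 2018)`, with the date hedged as presumably the patch date. The same 40-character SHA is also hard-coded as `BORINGSSL_REVISION` in `_dev/Makefile`, so the two can silently diverge on the next bump; passing the Makefile value through as `--build-arg REVISION=$(BORINGSSL_REVISION)` would leave a single source of truth.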
@@ -2,7 +2,7 @@ set -e /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ - -tls13-variant draft22 -session-out /session -connect "$@" < /httpreq.txt + -tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ - -tls13-variant draft22 -session-in /session -connect "$@" < /httpreq.txt + -tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt diff --git a/_dev/boring/server.sh b/_dev/boring/server.sh index 0311a97..bfff483 100755 --- a/_dev/boring/server.sh +++ b/_dev/boring/server.sh @@ -6,21 +6,21 @@ set -x bssl server \ -key rsa.pem \ -min-version tls1.2 -max-version tls1.3 \ - -tls13-draft22-variant \ + -tls13-variant draft23 \ -accept 1443 -loop -www 2>&1 & # ECDSA bssl server \ -key ecdsa.pem \ -min-version tls1.2 -max-version tls1.3 \ - -tls13-draft22-variant \ + -tls13-variant draft23 \ -accept 2443 -loop -www 2>&1 & # Require client authentication (with ECDSA) bssl server \ -key ecdsa.pem \ -min-version tls1.2 -max-version tls1.3 \ - -tls13-draft22-variant \ + -tls13-variant draft23 \ -accept 6443 -loop -www \ -require-any-client-cert -debug 2>&1 & diff --git a/_dev/interop_test_runner b/_dev/interop_test_runner index fb503b2..d2ab0c4 100755 --- a/_dev/interop_test_runner +++ b/_dev/interop_test_runner 
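Review bot: The three `bssl server` invocations repeat the identical `-min-version tls1.2 -max-version tls1.3 -tls13-variant draft23` triple, and this commit had to touch all three (plus both lines in run.sh) for one draft bump. Hoist it once near the top of the script, `TLS13_FLAGS="-min-version tls1.2 -max-version tls1.3 -tls13-variant draft23"`, and use `$TLS13_FLAGS` unquoted in each invocation so the next draft change is a single edit. The server on 6443 uses `-require-any-client-cert`, which by its name appears to accept any client certificate without validating it; a comment such as `# exercises the client-auth handshake path only; the client cert is not verified` would stop someone reusing this config as a reference.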
@@ -46,13 +46,13 @@ class RegexSelfTest(unittest.TestCase): ''' Ensures that those regexe's actually work ''' LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff" - LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nsomestuff" + LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff" - LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff" - LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 22) _o/\nHello TLS 1.3 (draft 22) [resumed] _o/\nsomestuff" - LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 22) [resumed] _o/\nsomestuff" - LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT] _o/\nsomestuff" - LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 22) [resumed] [0-RTT confirmed] _o/\nsomestuff" + LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff" + LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff" + LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" + LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" + LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff" def test_regexes(self): self.assertIsNotNone( @@ -212,12 +212,14 @@ class InteropServer_BoringSSL( unittest.TestCase ): CLIENT_NAME = "tls-tris:boring" -class InteropServer_PicoTLS( - InteropServer, - ServerNominalMixin, - ServerZeroRttMixin, - unittest.TestCase - ): CLIENT_NAME = "tls-tris:picotls" +# PicoTLS doesn't seem to implement draft-23 correctly. It will +# be enabled when draft-28 is implemented. +# class InteropServer_PicoTLS( +# InteropServer, +# ServerNominalMixin, +# ServerZeroRttMixin, +# unittest.TestCase +# ): CLIENT_NAME = "tls-tris:picotls" class InteropServer_NSS( InteropServer, 
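Review bot: The draft number is spelled out by hand in seven fixture strings of `RegexSelfTest`, and this commit, like the draft-22 edit before it, had to change every one of them. Define it once, `DRAFT = "draft 23"`, and build the fixtures from it, e.g. `LINE_HELLO_DRAFT_TLS = "\nsomestuff\nHello TLS 1.3 (%s) _o/\nsomestuff" % DRAFT`, so the next bump is one edit and the strings cannot drift from each other. `LINE_HELLO_TLS_12` pairs `TLS 1.2` with a draft tag, which no real server line should produce; if it is deliberately a negative case, a comment saying so would help the reader.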
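Review bot: Commenting out `InteropServer_PicoTLS` makes the PicoTLS server test vanish from the unittest report instead of showing as skipped, and leaves dead code that no import or linter will check; the reason for the exclusion is only discoverable by reading the source. Keep the class and mark it with a decorator carrying the reason, `@unittest.skip("PicoTLS does not implement draft-23; re-enable with draft-28")`, so `-v` output shows one skipped test with the text in the report. `TARGET_TEST_COMPAT` in `_dev/Makefile` still lists `picotls`, so the PicoTLS image is presumably still built for a test that no longer runs.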
diff --git a/_dev/tris-localserver/server.go b/_dev/tris-localserver/server.go index eeb55f4..8389843 100644 --- a/_dev/tris-localserver/server.go +++ b/_dev/tris-localserver/server.go @@ -43,6 +43,7 @@ var tlsVersionToName = map[uint16]string{ tls.VersionTLS13Draft18: "1.3 (draft 18)", tls.VersionTLS13Draft21: "1.3 (draft 21)", tls.VersionTLS13Draft22: "1.3 (draft 22)", + tls.VersionTLS13Draft23: "1.3 (draft 23)", } func NewServer() *server { diff --git a/_dev/tris-testclient/client.go b/_dev/tris-testclient/client.go index 5f1a0e7..43fd1e7 100644 --- a/_dev/tris-testclient/client.go +++ b/_dev/tris-testclient/client.go @@ -17,6 +17,7 @@ var tlsVersionToName = map[uint16]string{ tls.VersionTLS12: "1.2", tls.VersionTLS13: "1.3", tls.VersionTLS13Draft18: "1.3 (draft 18)", + tls.VersionTLS13Draft23: "1.3 (draft 23)", } var cipherSuiteIdToName = map[uint16]string{ diff --git a/_dev/tstclnt/Dockerfile b/_dev/tstclnt/Dockerfile index 0242e13..708e112 100644 --- a/_dev/tstclnt/Dockerfile +++ b/_dev/tstclnt/Dockerfile @@ -21,7 +21,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1 # ARG REVISION=e61c0f657100 # Draft 22 -ARG REVISION=88c3f3fa581b +#ARG REVISION=88c3f3fa581b + +# Draft 23 +ARG REVISION=16c622c9e1cc RUN cd nss && hg pull RUN cd nss && hg checkout -C $REVISION
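Review bot: `tlsVersionToName` in client.go gains `VersionTLS13Draft23` but, unlike the same map in `_dev/tris-localserver/server.go` updated in this commit, has no entries for `VersionTLS13Draft21` or `VersionTLS13Draft22`, so a handshake negotiating either of those would presumably print without a version name (the lookup site is outside the hunk). Add the two missing lines, `tls.VersionTLS13Draft21: "1.3 (draft 21)",` and `tls.VersionTLS13Draft22: "1.3 (draft 22)",`, or better, move the map into a package shared by both tools so they cannot disagree again.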
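Review bot: The new NSS pin `16c622c9e1cc` is a 12-character abbreviated Mercurial changeset id, whereas the BoringSSL and bogo pins in this same commit were moved to full 40-character hashes; an abbreviated id is resolved at build time and can become ambiguous as the repository grows, so use the full changeset id here too. The commit message says this is NSS release 3.35, but the Dockerfile comment only says `# Draft 23`; record the release so the hash is discoverable, e.g. `# Draft 23 (NSS 3.35 release)`.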